Commit db0315d1 authored by Krasimir Angelov's avatar Krasimir Angelov

Render special references for release entities

Provide the current user when generating the release entity JSON representation
so that special references are rendered when that user has sufficient access.

Related to https://gitlab.com/gitlab-org/gitlab/issues/32882.
parent 1b8aa183
---
title: Render special references for releases
merge_request: 26554
author:
type: fixed
...@@ -11,7 +11,7 @@ module API ...@@ -11,7 +11,7 @@ module API
expose :tag, as: :tag_name, if: ->(_, _) { can_download_code? } expose :tag, as: :tag_name, if: ->(_, _) { can_download_code? }
expose :description expose :description
expose :description_html do |entity| expose :description_html do |entity|
MarkupHelper.markdown_field(entity, :description) MarkupHelper.markdown_field(entity, :description, current_user: options[:current_user])
end end
expose :created_at expose :created_at
expose :released_at expose :released_at
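Review bot: The new `current_user: options[:current_user]` argument on the `description_html` expose makes the rendered HTML depend on who is asking, and nothing at the call site says what happens when the option is absent. As far as the visible line shows, a caller that builds the entity without `current_user` passes `nil`, which presumably renders as for an anonymous viewer and keeps restricted references redacted; that fail-closed default is worth stating in a comment such as `# options[:current_user] may be nil; references are then rendered as for an anonymous user`. Because the output is now per-user, any place that caches or reuses the serialized release across users should be checked so that one user's rendering is never served to another. The enclosing entity class starts and ends outside this hunk.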
......
...@@ -4,13 +4,14 @@ require 'spec_helper' ...@@ -4,13 +4,14 @@ require 'spec_helper'
describe API::Entities::Release do describe API::Entities::Release do
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project) }
let_it_be(:release) { create(:release, :with_evidence, project: project) } let_it_be(:user) { create(:user) }
let(:user) { create(:user) }
let(:entity) { described_class.new(release, current_user: user) } let(:entity) { described_class.new(release, current_user: user) }
subject { entity.as_json }
describe 'evidence' do describe 'evidence' do
let(:release) { create(:release, :with_evidence, project: project) }
subject { entity.as_json }
context 'when the current user can download code' do context 'when the current user can download code' do
it 'exposes the evidence sha and the json path' do it 'exposes the evidence sha and the json path' do
allow(Ability).to receive(:allowed?).and_call_original allow(Ability).to receive(:allowed?).and_call_original
...@@ -37,4 +38,27 @@ describe API::Entities::Release do ...@@ -37,4 +38,27 @@ describe API::Entities::Release do
end end
end end
end end
describe 'description_html' do
let(:issue) { create(:issue, :confidential, project: project) }
let(:issue_path) { Gitlab::Routing.url_helpers.project_issue_path(project, issue) }
let(:issue_title) { 'title="%s"' % issue.title }
let(:release) { create(:release, project: project, description: "Now shipping #{issue.to_reference}") }
subject(:description_html) { entity.as_json[:description_html] }
it 'renders special references if current user has access' do
project.add_reporter(user)
expect(description_html).to include(issue_path)
expect(description_html).to include(issue_title)
end
it 'does not render special references if current user has no access' do
project.add_guest(user)
expect(description_html).not_to include(issue_path)
expect(description_html).not_to include(issue_title)
end
end
end end
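Review bot: The 'has no access' example in the new `description_html` group only asserts what is absent, so it would also pass if the description were not rendered at all; adding `expect(description_html).to include(issue.to_reference)` there would pin that the reference text stays while the confidential title and path are withheld. The group covers only a reporter and a guest, and an example that builds the entity with `current_user: nil` would fix the behaviour for unauthenticated requests, the case where a regression would disclose the most. The request-level check that the releases API spec used to carry is removed in this commit, so nothing visible here verifies that the endpoint itself passes the requesting user through to the entity.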
...@@ -233,31 +233,6 @@ describe API::Releases do ...@@ -233,31 +233,6 @@ describe API::Releases do
.to match_array(release.sources.map(&:url)) .to match_array(release.sources.map(&:url))
end end
context "when release description contains confidential issue's link" do
let(:confidential_issue) do
create(:issue,
:confidential,
project: project,
title: 'A vulnerability')
end
let!(:release) do
create(:release,
project: project,
tag: 'v0.1',
sha: commit.id,
author: maintainer,
description: "This is confidential #{confidential_issue.to_reference}")
end
it "does not expose confidential issue's title" do
get api("/projects/#{project.id}/releases/v0.1", maintainer)
expect(json_response['description_html']).to include(confidential_issue.to_reference)
expect(json_response['description_html']).not_to include('A vulnerability')
end
end
context 'when release has link asset' do context 'when release has link asset' do
let!(:link) do let!(:link) do
create(:release_link, create(:release_link,
......