Merge branch 'security-12717-fix-confidential-issue-assignee-visible-to-guests' into 'master'

Display only participants that user has permission to see See merge request gitlab/gitlabhq!3401

Merge branch 'security-12717-fix-confidential-issue-assignee-visible-to-guests' into 'master'
Display only participants that user has permission to see See merge request gitlab/gitlabhq!3401
dff4e3c7 · GitLab Release Tools Bot · 80c28e9f · 021353dd · dff4e3c7 · dff4e3c7
Commit dff4e3c7 authored Sep 27, 2019 by GitLab Release Tools Bot
3 changed files
--- a/app/controllers/concerns/milestone_actions.rb
+++ b/app/controllers/concerns/milestone_actions.rb
@@ -20,7 +20,7 @@ module MilestoneActions
      format.html { redirect_to milestone_redirect_path }
      format.json do
        render json: tabs_json("shared/milestones/_participants_tab", {
-          users: @milestone.participants # rubocop:disable Gitlab/ModuleWithInstanceVariables
+          users: @milestone.issue_participants_visible_by_user(current_user) # rubocop:disable Gitlab/ModuleWithInstanceVariables
        })
      end
    end

--- a/changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml
+++ b/changelogs/unreleased/security-12717-fix-confidential-issue-assignee-visible-to-guests.yml
+---
+title: Display only participants that user has permission to see on milestone page
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@@ -244,4 +244,45 @@ describe Projects::MilestonesController do
      end
    end
  end
+
+  context '#participants' do
+    render_views
+
+    context "when guest user" do
+      let(:issue_assignee) { create(:user) }
+      let(:guest_user) { create(:user) }
+
+      before do
+        project.add_guest(guest_user)
+        sign_in(guest_user)
+        issue.update(assignee_ids: issue_assignee.id)
+      end
+
+      context "when issue is not confidential" do
+        it 'shows milestone participants' do
+          params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
+          get :participants, params: params
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.content_type).to eq 'application/json'
+          expect(json_response['html']).to include(issue_assignee.name)
+        end
+      end
+
+      context "when issue is confidential" do
+        before do
+          issue.update(confidential: true)
+        end
+
+        it 'shows no milestone participants' do
+          params = { namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid, format: :json }
+          get :participants, params: params
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.content_type).to eq 'application/json'
+          expect(json_response['html']).not_to include(issue_assignee.name)
+        end
+      end
+    end
+  end
 end