Check access when sending TODOs related to merge requests

e6c70a58 · Nick Thomas · 3fb39b58 · e6c70a58 · e6c70a58 · e6c70a58
Commit e6c70a58 authored Jun 22, 2020 by Nick Thomas
3 changed files
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -518,7 +518,7 @@ class MergeRequest < ApplicationRecord
      participants << merge_user
    end

-    participants
+    participants.select { |participant| Ability.allowed?(participant, :read_merge_request, self) }
  end

  def first_commit

--- a/changelogs/unreleased/security-215175-filter-merge-participants.yml
+++ b/changelogs/unreleased/security-215175-filter-merge-participants.yml
+---
+title: Check access when sending TODOs related to merge requests
+merge_request:
+author:
+type: security
--- a/spec/models/merge_request_spec.rb
+++ b/spec/models/merge_request_spec.rb
@@ -3661,7 +3661,7 @@ describe MergeRequest do

  describe '#merge_participants' do
    it 'contains author' do
-      expect(subject.merge_participants).to eq([subject.author])
+      expect(subject.merge_participants).to contain_exactly(subject.author)
    end

    describe 'when merge_when_pipeline_succeeds? is true' do
@@ -3675,8 +3675,20 @@ describe MergeRequest do
                 author: user)
        end

-        it 'contains author only' do
-          expect(subject.merge_participants).to eq([subject.author])
+        context 'author is not a project member' do
+          it 'is empty' do
+            expect(subject.merge_participants).to be_empty
+          end
+        end
+
+        context 'author is a project member' do
+          before do
+            subject.project.team.add_reporter(user)
+          end
+
+          it 'contains author only' do
+            expect(subject.merge_participants).to contain_exactly(subject.author)
+          end
        end
      end

@@ -3689,8 +3701,24 @@ describe MergeRequest do
                 merge_user: merge_user)
        end

-        it 'contains author and merge user' do
-          expect(subject.merge_participants).to eq([subject.author, merge_user])
+        before do
+          subject.project.team.add_reporter(subject.author)
+        end
+
+        context 'merge user is not a member' do
+          it 'contains author only' do
+            expect(subject.merge_participants).to contain_exactly(subject.author)
+          end
+        end
+
+        context 'both author and merge users are project members' do
+          before do
+            subject.project.team.add_reporter(merge_user)
+          end
+
+          it 'contains author and merge user' do
+            expect(subject.merge_participants).to contain_exactly(subject.author, merge_user)
+          end
        end
      end
    end