Filter confidential issues from milestones API if user does not have access

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579

Filter confidential issues from milestones API if user does not have access
03ae2cdb · Stan Hu · Rémy Coutable · 793a7664 · 03ae2cdb · 03ae2cdb
Commit 03ae2cdb authored Apr 24, 2016 by Stan Hu Committed by Rémy Coutable Apr 25, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 2 deletions

CHANGELOG CHANGELOG +2 -0

milestones.rb lib/api/milestones.rb +9 -1

milestones_spec.rb spec/requests/api/milestones_spec.rb +39 -1

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,8 @@ v 8.7.1 (unreleased)
  - Fix license detection to detect all license files, not only known licenses. !3878
  - Use the `can?` helper instead of `current_user.can?`. !3882
  - Prevent users from deleting Webhooks via API they do not own
+  - Use the `can?` helper instead of `current_user.can?`
+  - Filter confidential issues from milestones API if user does not have access

 v 8.7.0
  - Gitlab::GitAccess and Gitlab::GitAccessWiki are now instrumented

--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -105,7 +105,15 @@ module API
        authorize! :read_milestone, user_project

        @milestone = user_project.milestones.find(params[:milestone_id])
-        present paginate(@milestone.issues), with: Entities::Issue, current_user: current_user
+
+        finder_params = {
+          project_id: user_project.id,
+          milestone_title: @milestone.title,
+          state: 'all'
+        }
+
+        issues = IssuesFinder.new(current_user, finder_params).execute
+        present paginate(issues), with: Entities::Issue, current_user: current_user
      end

    end

--- a/spec/requests/api/milestones_spec.rb
+++ b/spec/requests/api/milestones_spec.rb
@@ -127,7 +127,7 @@ describe API::API, api: true  do

  describe 'GET /projects/:id/milestones/:milestone_id/issues' do
    before do
-      milestone.issues << create(:issue)
+      milestone.issues << create(:issue, project: project)
    end
    it 'should return project issues for a particular milestone' do
      get api("/projects/#{project.id}/milestones/#{milestone.id}/issues", user)
@@ -141,4 +141,42 @@ describe API::API, api: true  do
      expect(response.status).to eq(401)
    end
  end
+
+  describe 'confidential issues' do
+    it 'should return confidential issues to team members' do
+      public_project = create(:project, :public)
+      user = create(:user)
+      milestone = create(:milestone, project: public_project)
+      issue = create(:issue, project: public_project)
+      confidential_issue = create(:issue, confidential: true, project: public_project)
+      public_project.team << [user, :developer]
+      milestone.issues << issue
+      milestone.issues << confidential_issue
+
+      get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", user)
+
+      expect(response.status).to eq(200)
+      expect(json_response).to be_an Array
+      expect(json_response.size).to eq(2)
+      expect(json_response.map { |issue| issue['id'] }).to include(issue.id, confidential_issue.id)
+    end
+
+    it 'should not return confidential issues to regular users' do
+      public_project = create(:project, :public)
+      normal_user = create(:user)
+      milestone = create(:milestone, project: public_project)
+      issue = create(:issue, project: public_project)
+      confidential_issue = create(:issue, confidential: true, project: public_project)
+      public_project.team << [user, :developer]
+      milestone.issues << issue
+      milestone.issues << confidential_issue
+
+      get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", normal_user)
+
+      expect(response.status).to eq(200)
+      expect(json_response).to be_an Array
+      expect(json_response.size).to eq(1)
+      expect(json_response.map { |issue| issue['id'] }).to include(issue.id)
+    end
+  end
 end