BigW Consortium Gitlab

Fix visibility of private project snippets for members when searching

parent 8f9b64c7
...@@ -135,10 +135,16 @@ class Snippet < ActiveRecord::Base ...@@ -135,10 +135,16 @@ class Snippet < ActiveRecord::Base
end end
def accessible_to(user) def accessible_to(user)
visibility_levels = [Snippet::PUBLIC] return are_public unless user.present?
visibility_levels << Snippet::INTERNAL if user return all if user.admin?
where('visibility_level IN (?) OR author_id = ?', visibility_levels, user) where(
'visibility_level IN (:visibility_levels)
OR author_id = :author_id
OR project_id IN (:project_ids)',
visibility_levels: [Snippet::PUBLIC, Snippet::INTERNAL],
author_id: user.id,
project_ids: user.authorized_projects.select(:id))
end end
end end
end end
...@@ -89,22 +89,42 @@ describe Snippet, models: true do ...@@ -89,22 +89,42 @@ describe Snippet, models: true do
end end
describe '.accessible_to' do describe '.accessible_to' do
let(:author) { create(:author) } let(:author) { create(:author) }
let(:user) { create(:user) } let(:project) { create(:empty_project) }
let!(:public_snippet) { create(:snippet, :public) } let!(:public_snippet) { create(:snippet, :public) }
let!(:internal_snippet) { create(:snippet, :internal) } let!(:internal_snippet) { create(:snippet, :internal) }
let!(:private_snippet) { create(:snippet, :private, author: author) } let!(:private_snippet) { create(:snippet, :private, author: author) }
it 'returns only public snippets when user is nil' do let!(:project_public_snippet) { create(:snippet, :public, project: project) }
expect(described_class.accessible_to(nil)).to eq [public_snippet] let!(:project_internal_snippet) { create(:snippet, :internal, project: project) }
let!(:project_private_snippet) { create(:snippet, :private, project: project) }
it 'returns only public snippets when user is blank' do
expect(described_class.accessible_to(nil)).to match_array [public_snippet, project_public_snippet]
end
it 'returns only public, and internal snippets for regular users' do
user = create(:user)
expect(described_class.accessible_to(user)).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet]
end end
it 'returns only public, and internal snippets when user is not nil' do it 'returns public, internal snippets and project private snippets for project members' do
expect(described_class.accessible_to(user)).to match_array [public_snippet, internal_snippet] member = create(:user)
project.team << [member, :developer]
expect(described_class.accessible_to(member)).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
end end
it 'returns snippets where the user is the author' do it 'returns private snippets where the user is the author' do
expect(described_class.accessible_to(author)).to match_array [public_snippet, internal_snippet, private_snippet] expect(described_class.accessible_to(author)).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet]
end
it 'returns all snippets when for admins' do
admin = create(:admin)
expect(described_class.accessible_to(admin)).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
end end
end end
......
...@@ -2,35 +2,57 @@ require 'spec_helper' ...@@ -2,35 +2,57 @@ require 'spec_helper'
describe Search::SnippetService, services: true do describe Search::SnippetService, services: true do
let(:author) { create(:author) } let(:author) { create(:author) }
let(:internal_user) { create(:user) } let(:project) { create(:empty_project) }
let!(:public_snippet) { create(:snippet, :public, content: 'password: XXX') } let!(:public_snippet) { create(:snippet, :public, content: 'password: XXX') }
let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') } let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') }
let!(:private_snippet) { create(:snippet, :private, content: 'password: XXX', author: author) } let!(:private_snippet) { create(:snippet, :private, content: 'password: XXX', author: author) }
let!(:project_public_snippet) { create(:snippet, :public, project: project, content: 'password: XXX') }
let!(:project_internal_snippet) { create(:snippet, :internal, project: project, content: 'password: XXX') }
let!(:project_private_snippet) { create(:snippet, :private, project: project, content: 'password: XXX') }
describe '#execute' do describe '#execute' do
context 'unauthenticated' do context 'unauthenticated' do
it 'should return public snippets only' do it 'returns public snippets only' do
search = described_class.new(nil, search: 'password') search = described_class.new(nil, search: 'password')
results = search.execute results = search.execute
expect(results.objects('snippet_blobs')).to match_array [public_snippet] expect(results.objects('snippet_blobs')).to match_array [public_snippet, project_public_snippet]
end end
end end
context 'authenticated' do context 'authenticated' do
it 'should return only public & internal snippets' do it 'returns only public & internal snippets for regular users' do
search = described_class.new(internal_user, search: 'password') user = create(:user)
search = described_class.new(user, search: 'password')
results = search.execute
expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet]
end
it 'returns public, internal snippets and project private snippets for project members' do
member = create(:user)
project.team << [member, :developer]
search = described_class.new(member, search: 'password')
results = search.execute results = search.execute
expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet] expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
end end
it 'should return public, internal and private snippets for author' do it 'returns public, internal and private snippets where user is the author' do
search = described_class.new(author, search: 'password') search = described_class.new(author, search: 'password')
results = search.execute results = search.execute
expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet] expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet]
end
it 'returns all snippets when user is admin' do
admin = create(:admin)
search = described_class.new(admin, search: 'password')
results = search.execute
expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
end end
end end
end end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment