Add permission checking to UserReferenceFilter

29604ff2 · Robert Speicher · 189c5347 · 29604ff2 · 29604ff2
Commit 29604ff2 authored Apr 13, 2015 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 7 deletions

user_reference_filter.rb lib/gitlab/markdown/user_reference_filter.rb +12 -3

user_reference_filter_spec.rb spec/lib/gitlab/markdown/user_reference_filter_spec.rb +14 -4

No files found.
--- a/lib/gitlab/markdown/user_reference_filter.rb
+++ b/lib/gitlab/markdown/user_reference_filter.rb
@@ -78,12 +78,16 @@ module Gitlab
            %(<a href="#{url}" class="#{klass}">@#{user}</a>)
          elsif namespace = Namespace.find_by(path: user)
            if namespace.is_a?(Group)
-              url = group_url(user, only_path: context[:only_path])
+              if user_can_read_group?(namespace)
+                url = group_url(user, only_path: context[:only_path])
+                %(<a href="#{url}" class="#{klass}">@#{user}</a>)
+              else
+                match
+              end
            else
              url = user_url(user, only_path: context[:only_path])
+              %(<a href="#{url}" class="#{klass}">@#{user}</a>)
            end
-
-            %(<a href="#{url}" class="#{klass}">@#{user}</a>)
          else
            match
          end
@@ -112,6 +116,11 @@ module Gitlab
        h.namespace_project_url(project.namespace, project,
                                only_path: context[:only_path])
      end
+
+      def user_can_read_group?(group)
+        return false if context[:current_user].blank?
+        Ability.abilities.allowed?(context[:current_user], :read_group, group)
+      end
    end
  end
 end
--- a/spec/lib/gitlab/markdown/user_reference_filter_spec.rb
+++ b/spec/lib/gitlab/markdown/user_reference_filter_spec.rb
@@ -47,11 +47,21 @@ module Gitlab::Markdown
      end
    end

-    it 'links to a Group' do
-      group = create(:group)
+    context 'mentioning a group' do
+      let(:group) { create(:group) }
+      let(:user)  { create(:user) }

-      doc = filter("Hey @#{group.name}")
-      expect(doc.css('a').first.attr('href')).to eq urls.group_url(group)
+      it 'links to a Group that the current user can read' do
+        group.add_user(user, Gitlab::Access::DEVELOPER)
+
+        doc = filter("Hey @#{group.name}", current_user: user)
+        expect(doc.css('a').first.attr('href')).to eq urls.group_url(group)
+      end
+
+      it 'ignores references to a Group that the current user cannot read' do
+        doc = filter("Hey @#{group.name}", current_user: user)
+        expect(doc.to_html).to eq "Hey @#{group.name}"
+      end
    end

    it 'links with adjacent text' do