Merge branch '15579-filter-milestone-confidential-issues-api' into 'master'

Prevent information disclosure via milestone API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579 See merge request !1961

Merge branch '15579-filter-milestone-confidential-issues-api' into 'master'
29a23a44 · Robert Speicher · 8cc20f92 · 97bd3491 · 29a23a44 · 29a23a44
Commit 29a23a44 authored Apr 26, 2016 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 2 deletions

milestones.rb lib/api/milestones.rb +9 -1

milestones_spec.rb spec/requests/api/milestones_spec.rb +30 -1

No files found.
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -105,7 +105,15 @@ module API
        authorize! :read_milestone, user_project

        @milestone = user_project.milestones.find(params[:milestone_id])
-        present paginate(@milestone.issues), with: Entities::Issue, current_user: current_user
+
+        finder_params = {
+          project_id: user_project.id,
+          milestone_title: @milestone.title,
+          state: 'all'
+        }
+
+        issues = IssuesFinder.new(current_user, finder_params).execute
+        present paginate(issues), with: Entities::Issue, current_user: current_user
      end

    end

--- a/spec/requests/api/milestones_spec.rb
+++ b/spec/requests/api/milestones_spec.rb
@@ -127,7 +127,7 @@ describe API::API, api: true  do

  describe 'GET /projects/:id/milestones/:milestone_id/issues' do
    before do
-      milestone.issues << create(:issue)
+      milestone.issues << create(:issue, project: project)
    end
    it 'should return project issues for a particular milestone' do
      get api("/projects/#{project.id}/milestones/#{milestone.id}/issues", user)
@@ -140,5 +140,34 @@ describe API::API, api: true  do
      get api("/projects/#{project.id}/milestones/#{milestone.id}/issues")
      expect(response.status).to eq(401)
    end
+
+    describe 'confidential issues' do
+      let(:public_project) { create(:project, :public) }
+      let(:milestone) { create(:milestone, project: public_project) }
+      let(:issue) { create(:issue, project: public_project) }
+      let(:confidential_issue) { create(:issue, confidential: true, project: public_project) }
+      before do
+        public_project.team << [user, :developer]
+        milestone.issues << issue << confidential_issue
+      end
+
+      it 'returns confidential issues to team members' do
+        get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", user)
+
+        expect(response.status).to eq(200)
+        expect(json_response).to be_an Array
+        expect(json_response.size).to eq(2)
+        expect(json_response.map { |issue| issue['id'] }).to include(issue.id, confidential_issue.id)
+      end
+
+      it 'does not return confidential issues to regular users' do
+        get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", create(:user))
+
+        expect(response.status).to eq(200)
+        expect(json_response).to be_an Array
+        expect(json_response.size).to eq(1)
+        expect(json_response.map { |issue| issue['id'] }).to include(issue.id)
+      end
+    end
  end
 end