Commit 456320b0 authored Mar 11, 2019 by Mark Chao
Hide related branches when user does not have permission
Guest user of a project should not see branches
parent 8436b72f
Showing 5 changed files with 47 additions and 4 deletions

app/assets/javascripts/issue.js (+3 -1)
app/controllers/projects/issues_controller.rb (+1 -0)
app/views/projects/issues/show.html.haml (+3 -2)
changelogs/unreleased/security-56224.yml (+5 -0)
spec/features/issues/user_creates_branch_and_merge_request_spec.rb (+35 -1)
app/assets/javascripts/issue.js
...
...
@@ -16,7 +16,9 @@ export default class Issue {
Issue
.
createMrDropdownWrap
=
document
.
querySelector
(
'
.create-mr-dropdown-wrap
'
);
Issue
.
initMergeRequests
();
Issue
.
initRelatedBranches
();
if
(
document
.
querySelector
(
'
#related-branches
'
))
{
Issue
.
initRelatedBranches
();
}
this
.
closeButtons
=
$
(
'
a.btn-close
'
);
this
.
reopenButtons
=
$
(
'
a.btn-reopen
'
);
...
...
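Review bot: The existence check for `#related-branches` sits at the call site in the constructor, so the selector string is repeated here and any other caller of `Issue.initRelatedBranches()` would have to repeat it too. Suggest moving the check into `initRelatedBranches` itself and returning early when the element is absent, so the constructor can keep the single unconditional call next to `Issue.initMergeRequests()`.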
app/controllers/projects/issues_controller.rb
...
...
@@ -39,6 +39,7 @@ def self.set_issuables_index_only_actions
before_action
:authorize_create_merge_request_from!
,
only:
[
:create_merge_request
]
before_action
:authorize_import_issues!
,
only:
[
:import_csv
]
before_action
:authorize_download_code!
,
only:
[
:related_branches
]
before_action
:set_suggested_issues_feature_flags
,
only:
[
:new
]
...
...
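Review bot: The new `before_action :authorize_download_code!, only: [:related_branches]` is missing a comment saying why an issues action is gated on a code permission. The neighbouring callbacks name the thing they protect (`authorize_import_issues!` for `:import_csv`), while this one does not, so a later cleanup could drop it as unrelated. A one-line comment that branch names are repository data would make the intent explicit.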
app/views/projects/issues/show.html.haml
...
...
@@ -80,8 +80,9 @@
#merge-requests
{
data:
{
url:
referenced_merge_requests_project_issue_path
(
@project
,
@issue
)
}
}
// This element is filled in using JavaScript.
#related-branches
{
data:
{
url:
related_branches_project_issue_path
(
@project
,
@issue
)
}
}
// This element is filled in using JavaScript.
-
if
can?
(
current_user
,
:download_code
,
@project
)
#related-branches
{
data:
{
url:
related_branches_project_issue_path
(
@project
,
@issue
)
}
}
// This element is filled in using JavaScript.
.content-block.emoji-block.emoji-block-sticky
.row
...
...
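Review bot: The `can?(current_user, :download_code, @project)` condition around `#related-branches` is a second copy of the rule that the controller enforces with `authorize_download_code!` on `:related_branches`, and nothing ties the two together. If the required ability changes in one place, the view will either render an element whose request is rejected or hide one that would succeed. Suggest a short comment here pointing at the controller callback, or a shared helper used by both.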
changelogs/unreleased/security-56224.yml
0 → 100644
---
title
:
Hide "related branches" when user does not have permission
merge_request
:
author
:
type
:
security
spec/features/issues/user_creates_branch_and_merge_request_spec.rb
require
'rails_helper'
describe
'User creates branch and merge request on issue page'
,
:js
do
let
(
:membership_level
)
{
:developer
}
let
(
:user
)
{
create
(
:user
)
}
let!
(
:project
)
{
create
(
:project
,
:repository
)
}
let
(
:issue
)
{
create
(
:issue
,
project:
project
,
title:
'Cherry-Coloured Funk'
)
}
...
...
@@ -17,7 +18,7 @@
context
'when signed in'
do
before
do
project
.
add_
developer
(
user
)
project
.
add_
user
(
user
,
membership_level
)
sign_in
(
user
)
end
...
...
@@ -167,6 +168,39 @@
expect
(
page
).
not_to
have_css
(
'.create-mr-dropdown-wrap'
)
end
end
context
'when related branch exists'
do
let!
(
:project
)
{
create
(
:project
,
:repository
,
:private
)
}
let
(
:branch_name
)
{
"
#{
issue
.
iid
}
-foo"
}
before
do
project
.
repository
.
create_branch
(
branch_name
,
'master'
)
visit
project_issue_path
(
project
,
issue
)
end
context
'when user is developer'
do
it
'shows related branches'
do
expect
(
page
).
to
have_css
(
'#related-branches'
)
wait_for_requests
expect
(
page
).
to
have_content
(
branch_name
)
end
end
context
'when user is guest'
do
let
(
:membership_level
)
{
:guest
}
it
'does not show related branches'
do
expect
(
page
).
not_to
have_css
(
'#related-branches'
)
wait_for_requests
expect
(
page
).
not_to
have_content
(
branch_name
)
end
end
end
end
private
...
...
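Review bot: In the 'when user is guest' example, once `not_to have_css('#related-branches')` holds, the page has no container for the branch list, so the following `wait_for_requests` and `not_to have_content(branch_name)` would pass even if the endpoint still answered guests. The spec therefore covers the view change but not the new controller check. Suggest adding an example that visits `related_branches_project_issue_path(project, issue)` directly as the guest and asserts that `branch_name` is not returned.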