
Commit abc34af5 authored by Alexandru Croitor's avatar Alexandru Croitor

Hide disabled project milestones in project settings on group level

parent 4be19d5f
......@@ -3,14 +3,13 @@
class Groups::MilestonesController < Groups::ApplicationController
include MilestoneActions
before_action :group_projects
before_action :milestone, only: [:edit, :show, :update, :merge_requests, :participants, :labels, :destroy]
before_action :authorize_admin_milestones!, only: [:edit, :new, :create, :update, :destroy]
def index
respond_to do |format|
format.html do
@milestone_states = Milestone.states_count(group_projects, [group])
@milestone_states = Milestone.states_count(group_projects_with_access, [group])
@milestones = Kaminari.paginate_array(milestones).page(params[:page])
end
format.json do
......@@ -100,13 +99,18 @@ def milestones
end
def legacy_milestones
GroupMilestone.build_collection(group, group_projects, params)
GroupMilestone.build_collection(group, group_projects_with_access, params)
end
def group_projects_with_access
group_projects.with_issues_available_for_user(current_user)
.or(group_projects.with_merge_requests_available_for_user(current_user))
end
def milestone
@milestone =
if params[:title]
GroupMilestone.build(group, group_projects, params[:title])
GroupMilestone.build(group, group_projects_with_access, params[:title])
else
group.milestones.find_by_iid(params[:id])
end
......
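Review bot: `group_projects_with_access` carries no comment explaining why visibility is decided by issue *or* merge-request access, and that rationale is the whole point of the change; without it a later refactor could quietly widen the callers back to `group_projects`. Suggest above the method: `# Only projects whose issues or merge requests the current user may see; a project with both features private must not leak its milestones through the group page.` The hunk rewires `index`, `legacy_milestones` and `milestone`, but the body of `milestones` (its `def` is on the hunk header line, outside the hunk) and the `format.json` branch of `index` are not visible here, so any remaining direct reads of `group_projects` in this controller should be audited the same way. The `.or` also assumes the two scopes build structurally compatible relations; if one adds a join the other lacks, Rails raises ArgumentError, which the new specs would be expected to surface.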
---
title: Do not disclose project milestones on group milestones page when project milestones
access is disabled in project settings
merge_request:
author:
type: security
......@@ -3,8 +3,8 @@
require 'spec_helper'
describe Groups::MilestonesController do
let(:group) { create(:group) }
let!(:project) { create(:project, group: group) }
let(:group) { create(:group, :public) }
let!(:project) { create(:project, :public, group: group) }
let!(:project2) { create(:project, group: group) }
let(:user) { create(:user) }
let(:title) { '肯定不是中文的问题' }
......@@ -63,6 +63,73 @@
expect(response.body).to include(group_milestone.title)
expect(response.body).not_to include(milestone.title)
end
context 'when anonymous user' do
before do
sign_out(user)
end
it 'shows group milestones page' do
milestone
get :index, params: { group_id: group.to_param }
expect(response).to have_gitlab_http_status(200)
expect(response.body).to include(milestone.title)
end
end
context 'when issues and merge requests are disabled in public project' do
shared_examples 'milestone not accessible' do
it 'does not return milestone' do
get :index, params: { group_id: public_group.to_param }
expect(response).to have_gitlab_http_status(200)
expect(response.body).not_to include(private_milestone.title)
end
end
let!(:public_group) { create(:group, :public) }
let!(:public_project_with_private_issues_and_mrs) do
create(:project, :public, :issues_private, :merge_requests_private, group: public_group)
end
let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') }
context 'when anonymous user' do
before do
sign_out(user)
end
it_behaves_like 'milestone not accessible'
end
context 'when non project or group member user' do
let(:non_member) { create(:user) }
before do
sign_in(non_member)
end
it_behaves_like 'milestone not accessible'
end
context 'when group member user' do
let(:member) { create(:user) }
before do
sign_in(member)
public_group.add_guest(member)
end
it 'returns the milestone' do
get :index, params: { group_id: public_group.to_param }
expect(response).to have_gitlab_http_status(200)
expect(response.body).to include(private_milestone.title)
end
end
end
end
context 'as JSON' do
......
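Review bot: The new contexts only exercise `index`, while the controller change also routes `milestone` (the before_action behind `show`, `edit`, `update` and friends) through the filtered project set, so the title-lookup path for a milestone of a project with private issues and merge requests remains unpinned. An example in the non-member context such as `get :show, params: { group_id: public_group.to_param, id: private_milestone.title }` followed by `expect(response).to have_gitlab_http_status(404)` would cover it, assuming 404 is the intended response for a hidden milestone. A project-member case (guest on the project but not on the group) would also document the boundary the feature-visibility scopes are meant to draw. The shared example is declared before the `let!` blocks it depends on; placing it after them reads more naturally and matches the rest of the file.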
require 'spec_helper'
describe Groups::MilestonesController do
context 'N+1 DB queries' do
let(:user) { create(:user) }
let!(:public_group) { create(:group, :public) }
let!(:public_project_with_private_issues_and_mrs) do
create(:project, :public, :issues_private, :merge_requests_private, group: public_group)
end
let!(:private_milestone) { create(:milestone, project: public_project_with_private_issues_and_mrs, title: 'project milestone') }
it 'avoids N+1 database queries' do
public_project = create(:project, :public, :merge_requests_enabled, :issues_enabled, group: public_group)
create(:milestone, project: public_project)
control_count = ActiveRecord::QueryRecorder.new(skip_cached: false) { get "/groups/#{public_group.to_param}/-/milestones.json" }.count
projects = create_list(:project, 2, :public, :merge_requests_enabled, :issues_enabled, group: public_group)
projects.each do |project|
create(:milestone, project: project)
end
expect { get "/groups/#{public_group.to_param}/-/milestones.json" }.not_to exceed_all_query_limit(control_count)
expect(response).to have_http_status(200)
milestones = json_response
expect(milestones.count).to eq(3)
expect(milestones.map {|x| x['title']}).not_to include(private_milestone.title)
end
end
end
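Review bot: `let(:user)` in the new spec is never signed in or referenced, so every request in the example runs anonymously; either drop it or add `before { sign_in(user) }` so the actor under test is explicit rather than accidental. `have_http_status(200)` differs from the `have_gitlab_http_status(200)` matcher used in the controller spec touched by this same commit; using the project's matcher keeps failure output consistent. The block `milestones.map {|x| x['title']}` would read better as `milestones.map { |x| x['title'] }` per the style guide's brace spacing. A one-line comment above the `control_count` line, `# baseline with one visible project; extra projects must not add per-project queries`, would make the N+1 guard's intent obvious to the next reader.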