Commit 7f47e86e authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-fix-user-email-tag-push-leak-11-5' into 'security-11-5'

[11.5] Security fix user email tag push leak

See merge request gitlab/gitlabhq!2807

(cherry picked from commit a6a32e22eea76d202dbe1bd6343041d9c7726039)

ccb25775 Prefer build() rather than create()
d4945872 Fix private user email being visible in tag webhooks
parent 54232dfe
---
title: Fix private user email being visible in push (and tag push) webhooks
merge_request:
author:
type: security
......@@ -85,7 +85,7 @@ module Gitlab
user_id: user.id,
user_name: user.name,
user_username: user.username,
user_email: user.email,
user_email: user.public_email,
user_avatar: user.avatar_url(only_path: false),
project_id: project.id,
project: project.hook_attrs,
......
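Review bot: The `user_email: user.public_email` line should carry a comment saying the payload deliberately exposes only the address the user chose to publish, so a later edit does not reintroduce a fallback to `user.email`; for example `# Public email only (presumably blank when unset); never fall back to user.email, webhook receivers are third parties`. Receivers that treated `user_email` as always populated will presumably now get an empty value for users without a public email, which is worth stating in the webhook documentation. Only this one key is visible and the surrounding hash starts and ends outside the hunk, so it is worth confirming that no other field in the same payload, or a sibling data builder, still reads `user.email`.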
......@@ -2,7 +2,7 @@ require 'spec_helper'
describe Gitlab::DataBuilder::Push do
let(:project) { create(:project, :repository) }
let(:user) { create(:user) }
let(:user) { build(:user, public_email: 'public-email@example.com') }
describe '.build_sample' do
let(:data) { described_class.build_sample(project, user) }
......@@ -36,7 +36,7 @@ describe Gitlab::DataBuilder::Push do
it { expect(data[:user_id]).to eq(user.id) }
it { expect(data[:user_name]).to eq(user.name) }
it { expect(data[:user_username]).to eq(user.username) }
it { expect(data[:user_email]).to eq(user.email) }
it { expect(data[:user_email]).to eq(user.public_email) }
it { expect(data[:user_avatar]).to eq(user.avatar_url) }
it { expect(data[:project_id]).to eq(project.id) }
it { expect(data[:project]).to be_a(Hash) }
......
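Review bot: The updated expectation `eq(user.public_email)` only exercises a user who has a public email set, so the spec does not pin the case the fix is about: a user whose address is private and who has published none. Add a context where `public_email` is unset and assert that the payload does not carry the private address, e.g. `it { expect(data[:user_email]).not_to eq(user.email) }`. Separately, switching `let(:user)` to `build(...)` presumably leaves the record unpersisted, so `expect(data[:user_id]).to eq(user.id)` would compare nil with nil and no longer show that the id is serialized; `build_stubbed` or an explicit id would keep that assertion meaningful. The `describe` blocks start and end outside both hunks, so other examples that depend on a persisted user are not visible here.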