Do not show moved issue ids for user not authorized

Do not show moved issue id for users that cannot read issue

Do not show moved issue ids for user not authorized
Do not show moved issue id for users that cannot read issue
43830eca · Felipe Artur · 0cd59a75 · 43830eca · 43830eca · 43830eca
3 changed file
--- a/app/serializers/issue_entity.rb
+++ b/app/serializers/issue_entity.rb
@@ -16,9 +16,14 @@ class IssueEntity < IssuableEntity
  expose :discussion_locked
  expose :assignees, using: API::Entities::UserBasic
  expose :due_date
-  expose :moved_to_id
  expose :project_id

+  expose :moved_to_id do |issue|
+    if issue.moved_to_id.present? && can?(request.current_user, :read_issue, issue.moved_to)
+      issue.moved_to_id
+    end
+  end
+
  expose :web_url do |issue|
    project_issue_path(issue.project, issue)
  end

--- a/changelogs/unreleased/security-hide_moved_issue_id.yml
+++ b/changelogs/unreleased/security-hide_moved_issue_id.yml
+---
+title: Do not show moved issue id for users that cannot read issue
+merge_request:
+author:
+type: security
--- a/spec/serializers/issue_entity_spec.rb
+++ b/spec/serializers/issue_entity_spec.rb
@@ -17,4 +17,37 @@ describe IssueEntity do
  it 'has time estimation attributes' do
    expect(subject).to include(:time_estimate, :total_time_spent, :human_time_estimate, :human_total_time_spent)
  end
+
+  context 'when issue got moved' do
+    let(:public_project) { create(:project, :public) }
+    let(:member) { create(:user) }
+    let(:non_member) { create(:user) }
+    let(:issue) { create(:issue, project: public_project) }
+
+    before do
+      project.add_developer(member)
+      public_project.add_developer(member)
+      Issues::MoveService.new(public_project, member).execute(issue, project)
+    end
+
+    context 'when user cannot read target project' do
+      it 'does not return moved_to_id' do
+        request = double('request', current_user: non_member)
+
+        response = described_class.new(issue, request: request).as_json
+
+        expect(response[:moved_to_id]).to be_nil
+      end
+    end
+
+    context 'when user can read target project' do
+      it 'returns moved moved_to_id' do
+        request = double('request', current_user: member)
+
+        response = described_class.new(issue, request: request).as_json
+
+        expect(response[:moved_to_id]).to eq(issue.moved_to_id)
+      end
+    end
+  end
 end