Commit 43830eca
Authored July 10, 2019 by Felipe Artur
Do not show moved issue ids for user not authorized
Do not show moved issue id for users that cannot read issue
Parent: 0cd59a75
Changes: 3 changed files with 44 additions and 1 deletion (+44 -1)

app/serializers/issue_entity.rb (+6 -1)
changelogs/unreleased/security-hide_moved_issue_id.yml (+5 -0)
spec/serializers/issue_entity_spec.rb (+33 -0)
app/serializers/issue_entity.rb
@@ -16,9 +16,14 @@ class IssueEntity < IssuableEntity
expose
:discussion_locked
expose
:assignees
,
using:
API
::
Entities
::
UserBasic
expose
:due_date
expose
:moved_to_id
expose
:project_id
expose
:moved_to_id
do
|
issue
|
if
issue
.
moved_to_id
.
present?
&&
can?
(
request
.
current_user
,
:read_issue
,
issue
.
moved_to
)
issue
.
moved_to_id
end
end
expose
:web_url
do
|
issue
|
project_issue_path
(
issue
.
project
,
issue
)
end
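Review bot: the guard tests `issue.moved_to_id.present?` but then hands `issue.moved_to` to `can?` as the subject, so when the id is set but the target record is gone (target issue or its project deleted) the policy subject is nil; confirm that `can?(request.current_user, :read_issue, nil)` denies rather than raises, or guard on the record itself (`if issue.moved_to && can?(request.current_user, :read_issue, issue.moved_to)`). Two smaller points: every serialized issue now loads `issue.moved_to` and runs a policy check, so if this entity is ever used on a collection the `moved_to` association should be preloaded; and because the block returns nil instead of omitting the attribute, the response still carries a `moved_to_id` key for unauthorized users (the spec asserts `be_nil`, which is consistent, but a one-line comment in the entity would make that intent clear).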
changelogs/unreleased/security-hide_moved_issue_id.yml
0 → 100644
---
title
:
Do not show moved issue id for users that cannot read issue
merge_request
:
author
:
type
:
security
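Review bot: `merge_request:` and `author:` are left empty in the new changelog entry; if that is intentional because the merge request is not public at release time for a security fix, fine, otherwise fill in the merge request id so the entry links back to the change. `type: security` is the right type for this fix.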
spec/serializers/issue_entity_spec.rb
@@ -17,4 +17,37 @@ describe IssueEntity do
it
'has time estimation attributes'
do
expect
(
subject
).
to
include
(
:time_estimate
,
:total_time_spent
,
:human_time_estimate
,
:human_total_time_spent
)
end
context
'when issue got moved'
do
let
(
:public_project
)
{
create
(
:project
,
:public
)
}
let
(
:member
)
{
create
(
:user
)
}
let
(
:non_member
)
{
create
(
:user
)
}
let
(
:issue
)
{
create
(
:issue
,
project:
public_project
)
}
before
do
project
.
add_developer
(
member
)
public_project
.
add_developer
(
member
)
Issues
::
MoveService
.
new
(
public_project
,
member
).
execute
(
issue
,
project
)
end
context
'when user cannot read target project'
do
it
'does not return moved_to_id'
do
request
=
double
(
'request'
,
current_user:
non_member
)
response
=
described_class
.
new
(
issue
,
request:
request
).
as_json
expect
(
response
[
:moved_to_id
]).
to
be_nil
end
end
context
'when user can read target project'
do
it
'returns moved moved_to_id'
do
request
=
double
(
'request'
,
current_user:
member
)
response
=
described_class
.
new
(
issue
,
request:
request
).
as_json
expect
(
response
[
:moved_to_id
]).
to
eq
(
issue
.
moved_to_id
)
end
end
end
end
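Review bot: `project` is used in the `before` block (`project.add_developer(member)`, `execute(issue, project)`) but is not defined anywhere in this hunk, so the 'when user cannot read target project' case depends on an outer `let(:project)` above line 17 producing a project that `non_member` cannot read; declare the target project's visibility explicitly in this context (for example `let(:project) { create(:project, :private) }`) so the test states its own precondition instead of relying on a factory default defined elsewhere. Also, the description `'returns moved moved_to_id'` repeats the word "moved"; `'returns moved_to_id'` reads correctly.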