Check for project read permissions in cross-references

2015-04-14 16:04:37 -04:00 · 2015-04-14 16:04:37 -04:00 · a803cd51eb
parent 470b0c2508
commit a803cd51eb
2 changed files with 50 additions and 13 deletions
--- a/lib/gitlab/markdown/cross_project_reference.rb
+++ b/lib/gitlab/markdown/cross_project_reference.rb
@ -8,19 +8,29 @@ module Gitlab

      # Given a cross-project reference string, get the Project record
      #
-      # If no valid reference is given, returns the `:project` value for the
-      # current context.
+      # Defaults to value of `context[:project]` if:
+      # - No reference is given
+      # - Reference given doesn't exist
+      # - Reference given can't be read by the current user
      #
      # ref - String reference.
      #
      # Returns a Project
      def project_from_ref(ref)
        if ref && other = Project.find_with_namespace(ref)
-          other
+          if user_can_reference_project?(other)
+            other
+          else
+            context[:project]
+          end
        else
          context[:project]
        end
      end
+
+      def user_can_reference_project?(project, user = context[:current_user])
+        user && Ability.abilities.allowed?(user, :read_project, project)
+      end
    end
  end
 end
--- a/spec/lib/gitlab/markdown/cross_project_reference_spec.rb
+++ b/spec/lib/gitlab/markdown/cross_project_reference_spec.rb
@ -2,21 +2,48 @@ require 'spec_helper'

 module Gitlab::Markdown
  describe CrossProjectReference do
-    include CrossProjectReference
+    # context in the html-pipeline sense, not in the rspec sense
+    let(:context) do
+      {
+        current_user: double('user'),
+        project: double('project')
+      }
+    end
+
+    include described_class

    describe '#project_from_ref' do
-      let(:project) { double('project') }
-
-      it 'returns a project from a valid reference' do
-        expect(Project).to receive(:find_with_namespace).with('cross-reference/foo').and_return(project)
-
-        expect(project_from_ref('cross-reference/foo')).to eq project
+      context 'when referenced project does not exist' do
+        it 'returns the project from context' do
+          expect(project_from_ref('invalid/reference')).to eq context[:project]
+        end
      end

-      it 'returns the project from context when reference is invalid' do
-        expect(self).to receive(:context).and_return({project: project})
+      context 'when referenced project exists' do
+        let(:project2) { double('referenced project') }

-        expect(project_from_ref('invalid/reference')).to eq project
+        before do
+          expect(Project).to receive(:find_with_namespace).
+            with('cross/reference').and_return(project2)
+        end
+
+        context 'and the user has permission to read it' do
+          it 'returns the referenced project' do
+            expect(self).to receive(:user_can_reference_project?).
+              with(project2).and_return(true)
+
+            expect(project_from_ref('cross/reference')).to eq project2
+          end
+        end
+
+        context 'and the user does not have permission to read it' do
+          it 'returns the project from context' do
+            expect(self).to receive(:user_can_reference_project?).
+              with(project2).and_return(false)
+
+            expect(project_from_ref('cross/reference')).to eq context[:project]
+          end
+        end
      end
    end
  end