Loading ee/app/finders/packages/group_packages_finder.rb +2 −0 Original line number Diff line number Diff line Loading @@ -25,6 +25,8 @@ def group_projects_visible_to_current_user ::Project .in_namespace(group.self_and_descendants.select(:id)) .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER) .with_project_feature .select { |project| Ability.allowed?(current_user, :read_package, project) } end end end ee/changelogs/unreleased/security-filter-member-only-packages-master.yml 0 → 100644 +5 −0 Original line number Diff line number Diff line --- title: Filter out packages the user does'nt have permission to see at group level merge_request: author: type: security ee/spec/finders/packages/group_packages_finder_spec.rb +35 −0 Original line number Diff line number Diff line Loading @@ -38,5 +38,40 @@ expect(finder.execute).to be_empty end end context 'when project is public' do set(:other_user) { create(:user) } let(:finder) { described_class.new(other_user, group) } before do project.update!(visibility_level: ProjectFeature::ENABLED) end context 'when packages are public' do before do project.project_feature.update!( builds_access_level: ProjectFeature::PRIVATE, merge_requests_access_level: ProjectFeature::PRIVATE, repository_access_level: ProjectFeature::ENABLED) end it 'returns group packages' do expect(finder.execute).to match_array([package1, package2]) end end context 'packages are members only' do before do project.project_feature.update!( builds_access_level: ProjectFeature::PRIVATE, merge_requests_access_level: ProjectFeature::PRIVATE, repository_access_level: ProjectFeature::PRIVATE) end it 'filters out the project if the user doesn\'t have permission' do expect(finder.execute).to be_empty end end end end end Loading
ee/app/finders/packages/group_packages_finder.rb +2 −0 Original line number Diff line number Diff line Loading @@ -25,6 +25,8 @@ def group_projects_visible_to_current_user ::Project .in_namespace(group.self_and_descendants.select(:id)) .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER) .with_project_feature .select { |project| Ability.allowed?(current_user, :read_package, project) } end end end
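Review bot: The block-form `.select { |project| Ability.allowed?(current_user, :read_package, project) }` on the new last chained line is Enumerable#select, not the ActiveRecord column selector, so the method now loads every project visible at REPORTER level, runs one policy evaluation per record in Ruby, and returns an Array instead of a relation; any consumer of `group_projects_visible_to_current_user` outside this hunk that embedded the relation as an `IN (subquery)` now gets an inline id list. The added `with_project_feature` presumably preloads the feature row the `read_package` policy reads, which limits the N+1 but does not bound the full load for large groups. A comment on that line would stop the next reader from mistaking it for a SQL projection, e.g. `# Enumerable#select: policy check runs in Ruby, result is an Array of projects, not a relation`, and a follow-up to express the member-only filter in SQL is worth tracking if group package listings become slow. The method's `def` line is only visible in the hunk header, so the start of the enclosing method lies at the edge of the hunk.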
ee/changelogs/unreleased/security-filter-member-only-packages-master.yml 0 → 100644 +5 −0 Original line number Diff line number Diff line --- title: Filter out packages the user does'nt have permission to see at group level merge_request: author: type: security
ee/spec/finders/packages/group_packages_finder_spec.rb +35 −0 Original line number Diff line number Diff line Loading @@ -38,5 +38,40 @@ expect(finder.execute).to be_empty end end context 'when project is public' do set(:other_user) { create(:user) } let(:finder) { described_class.new(other_user, group) } before do project.update!(visibility_level: ProjectFeature::ENABLED) end context 'when packages are public' do before do project.project_feature.update!( builds_access_level: ProjectFeature::PRIVATE, merge_requests_access_level: ProjectFeature::PRIVATE, repository_access_level: ProjectFeature::ENABLED) end it 'returns group packages' do expect(finder.execute).to match_array([package1, package2]) end end context 'packages are members only' do before do project.project_feature.update!( builds_access_level: ProjectFeature::PRIVATE, merge_requests_access_level: ProjectFeature::PRIVATE, repository_access_level: ProjectFeature::PRIVATE) end it 'filters out the project if the user doesn\'t have permission' do expect(finder.execute).to be_empty end end end end end
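Review bot: `project.update!(visibility_level: ProjectFeature::ENABLED)` in the `'when project is public'` before block assigns a ProjectFeature access-level constant to the project's visibility level; the two enums appear to coincide only on the value that maps to public, so the setup passes by accident and would silently stop testing a public project if either constant changed. Use the visibility enum the attribute is defined with: `project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)`. The context name `'packages are members only'` also drops the `when` prefix its sibling contexts use. The enclosing describe block begins before this hunk.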