---
title: Hide commit counts from guest users in Cycle Analytics.
merge_request:
author:
type: security
...@@ -10,13 +10,29 @@ module Gitlab ...@@ -10,13 +10,29 @@ module Gitlab
end end
def data def data
[serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user)), summary = [issue_stats]
serialize(Summary::Commit.new(project: @project, from: @from)), summary << commit_stats if user_has_sufficient_access?
serialize(Summary::Deploy.new(project: @project, from: @from))] summary << deploy_stats
end end
private private
def issue_stats
serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user))
end
def commit_stats
serialize(Summary::Commit.new(project: @project, from: @from))
end
def deploy_stats
serialize(Summary::Deploy.new(project: @project, from: @from))
end
def user_has_sufficient_access?
@project.team.member?(@current_user, Gitlab::Access::REPORTER)
end
def serialize(summary_object) def serialize(summary_object)
AnalyticsSummarySerializer.new.represent(summary_object) AnalyticsSummarySerializer.new.represent(summary_object)
end end
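Review bot: `user_has_sufficient_access?` decides commit visibility with a direct membership test, `@project.team.member?(@current_user, Gitlab::Access::REPORTER)`, rather than through the project's ability/policy layer, so the result can drift from who is actually allowed to read the repository. The StageSummary spec in this same commit has to add its admin user as a maintainer, which suggests a non-member admin no longer receives the commit count; `deploy_stats` is meanwhile still returned to every caller. If an existing ability already gates commit access, prefer it here, e.g. `Ability.allowed?(@current_user, :download_code, @project)` (confirm that this is the right ability), and add a comment on the method saying why reporter is the threshold. `data` now returns two or three elements depending on the caller, so any consumer that indexes the summary by position should be checked.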
... ...
......
...@@ -108,6 +108,10 @@ describe 'Cycle Analytics', :js do ...@@ -108,6 +108,10 @@ describe 'Cycle Analytics', :js do
wait_for_requests wait_for_requests
end end
it 'does not show the commit stats' do
expect(page).to have_no_selector(:xpath, commits_counter_selector)
end
it 'needs permissions to see restricted stages' do it 'needs permissions to see restricted stages' do
expect(find('.stage-events')).to have_content(issue.title) expect(find('.stage-events')).to have_content(issue.title)
...@@ -123,8 +127,12 @@ describe 'Cycle Analytics', :js do ...@@ -123,8 +127,12 @@ describe 'Cycle Analytics', :js do
find(:xpath, "//p[contains(text(),'New Issue')]/preceding-sibling::h3") find(:xpath, "//p[contains(text(),'New Issue')]/preceding-sibling::h3")
end end
def commits_counter_selector
"//p[contains(text(),'Commits')]/preceding-sibling::h3"
end
def commits_counter def commits_counter
find(:xpath, "//p[contains(text(),'Commits')]/preceding-sibling::h3") find(:xpath, commits_counter_selector)
end end
def deploys_counter def deploys_counter
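Review bot: The new example 'does not show the commit stats' is a purely negative assertion on an XPath keyed to the English label 'Commits', so it also passes if the summary never rendered or the label text changes. Pair it with a positive check in the same example that a counter guests may see is present, for instance the 'New Issue' counter found by the helper just above `commits_counter_selector`, so the test proves the summary rendered without the commit figure. The enclosing context and its setup begin outside the hunk, so the signed-in user's role cannot be confirmed from here.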
... ...
......
...@@ -8,6 +8,10 @@ describe Gitlab::CycleAnalytics::StageSummary do ...@@ -8,6 +8,10 @@ describe Gitlab::CycleAnalytics::StageSummary do
let(:user) { create(:user, :admin) } let(:user) { create(:user, :admin) }
subject { described_class.new(project, from: Time.now, current_user: user).data } subject { described_class.new(project, from: Time.now, current_user: user).data }
before do
project.add_maintainer(user)
end
describe "#new_issues" do describe "#new_issues" do
it "finds the number of issues created after the 'from date'" do it "finds the number of issues created after the 'from date'" do
Timecop.freeze(5.days.ago) { create(:issue, project: project) } Timecop.freeze(5.days.ago) { create(:issue, project: project) }
...@@ -42,6 +46,23 @@ describe Gitlab::CycleAnalytics::StageSummary do ...@@ -42,6 +46,23 @@ describe Gitlab::CycleAnalytics::StageSummary do
expect(subject.second[:value]).to eq(100) expect(subject.second[:value]).to eq(100)
end end
context 'when a guest user is signed in' do
let(:guest_user) { create(:user) }
before do
project.add_guest(guest_user)
end
it 'does not include commit stats' do
data = described_class.new(project, from: from, current_user: guest_user).data
expect(includes_commits?(data)).to be_falsy
end
def includes_commits?(data)
data.any? { |h| h["title"] == 'Commits' }
end
end
end end
describe "#deploys" do describe "#deploys" do
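Review bot: `includes_commits?` reads `h["title"]` with a string key, while the existing examples in this file read the same hashes with a symbol key (`subject.second[:value]`). Unless the serializer returns indifferent-access hashes, that lookup is always nil and 'does not include commit stats' passes even when the commit entry is present. Use the key style the rest of the spec uses, `data.any? { |h| h[:title] == 'Commits' }`, and add the positive counterpart (a reporter's data does include 'Commits') so the helper is shown to be able to fail. `from` in the guest example is defined outside the hunk.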
... ...
......