...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
.issuable-status-box.status-box.status-box-issue-closed{ class: issue_button_visibility(@issue, false) } .issuable-status-box.status-box.status-box-issue-closed{ class: issue_button_visibility(@issue, false) }
= sprite_icon('mobile-issue-close', size: 16, css_class: 'd-block d-sm-none') = sprite_icon('mobile-issue-close', size: 16, css_class: 'd-block d-sm-none')
.d-none.d-sm-block .d-none.d-sm-block
- if @issue.moved? - if @issue.moved? && can?(current_user, :read_issue, @issue.moved_to)
- moved_link_start = "<a href=\"#{issue_path(@issue.moved_to)}\" class=\"text-white text-underline\">".html_safe - moved_link_start = "<a href=\"#{issue_path(@issue.moved_to)}\" class=\"text-white text-underline\">".html_safe
- moved_link_end = '</a>'.html_safe - moved_link_end = '</a>'.html_safe
= s_('IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})').html_safe % {moved_link_start: moved_link_start, = s_('IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})').html_safe % {moved_link_start: moved_link_start,
... ...
......
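Review bot: The new condition `- if @issue.moved? && can?(current_user, :read_issue, @issue.moved_to)` has no comment marking it as an access-control check, so a later cleanup could reduce it back to `@issue.moved?` and reintroduce the disclosure named in the changelog entry. I would add `-# Link only when the viewer may read the target: its path reveals the destination namespace and project.` directly above it. The guard lives in this template alone, so any other place that renders `@issue.moved_to` (none is visible on this page) would need the same `can?` check; a shared helper would keep them consistent. The branch taken when the check fails lies outside the hunk, so I am assuming it falls through to the plain closed status.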
---
title: 'Resolve: moving an issue to private repo leaks namespace and project name'
merge_request:
author:
type: security
...@@ -19,6 +19,7 @@ describe 'projects/issues/show' do ...@@ -19,6 +19,7 @@ describe 'projects/issues/show' do
context 'when the issue is closed' do context 'when the issue is closed' do
before do before do
allow(issue).to receive(:closed?).and_return(true) allow(issue).to receive(:closed?).and_return(true)
allow(view).to receive(:current_user).and_return(user)
end end
context 'when the issue was moved' do context 'when the issue was moved' do
...@@ -28,6 +29,11 @@ describe 'projects/issues/show' do ...@@ -28,6 +29,11 @@ describe 'projects/issues/show' do
issue.moved_to = new_issue issue.moved_to = new_issue
end end
context 'when user can see the moved issue' do
before do
project.add_developer(user)
end
it 'shows "Closed (moved)" if an issue has been moved' do it 'shows "Closed (moved)" if an issue has been moved' do
render render
...@@ -41,6 +47,15 @@ describe 'projects/issues/show' do ...@@ -41,6 +47,15 @@ describe 'projects/issues/show' do
end end
end end
context 'when user cannot see moved issue' do
it 'does not show moved issue link' do
render
expect(rendered).not_to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
end
end
end
it 'shows "Closed" if an issue has not been moved' do it 'shows "Closed" if an issue has not been moved' do
render render
... ...
......
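Review bot: The negative example in `context 'when user cannot see moved issue'` only asserts that no `moved` anchor with that href exists, so it would still pass if the destination path were printed some other way or if the status box were not rendered at all. Since the fix is about not disclosing the target's namespace and project, I would also assert on the raw output and on the fallback: `expect(rendered).not_to include(issue_path(new_issue))` and `expect(rendered).to have_selector('.status-box-issue-closed', text: 'Closed')`. The second assertion assumes the template falls back to the plain closed label, which this page does not show. The setup that makes `new_issue` unreadable for `user` is also outside the hunk, so a short comment in that context naming the precondition (user is not a member of the target project) would help the next reader.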