From 98559adf710eb2142ba072f2ac91a1db9d0578cf Mon Sep 17 00:00:00 2001
From: Felipe Artur <felipefac@gmail.com>
Date: Mon, 19 Sep 2016 17:21:58 -0300
Subject: [PATCH] Test if issue authors can access private projects

---
 CHANGELOG                            |  1 +
 spec/policies/project_policy_spec.rb | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index a1217673c1236..d87a1c303b288 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -41,6 +41,7 @@ v 8.12.0 (unreleased)
   - Expose `sha` and `merge_commit_sha` in merge request API (Ben Boeckel)
   - Set path for all JavaScript cookies to honor GitLab's subdirectory setting !5627 (Mike Greiling)
   - Fix blame table layout width
+  - Spec testing if issue authors can read issues on private projects
   - Fix bug where pagination is still displayed despite all todos marked as done (ClemMakesApps)
   - Request only the LDAP attributes we need !6187
   - Center build stage columns in pipeline overview (ClemMakesApps)
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index eda1cafd65e46..a7a06744428bd 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -33,4 +33,17 @@
   it 'returns increasing permissions for each level' do
     expect(users_permissions).to eq(users_permissions.sort.uniq)
   end
+
+  it 'does not include the read_issue permission when the issue author is not a member of the private project' do
+    project = create(:project, :private)
+    issue   = create(:issue, project: project)
+    user    = issue.author
+
+    expect(project.team.member?(issue.author)).to eq(false)
+
+    expect(BasePolicy.class_for(project).abilities(user, project).can_set).
+      not_to include(:read_issue)
+
+    expect(Ability.allowed?(user, :read_issue, project)).to be_falsy
+  end
 end
-- 
GitLab