authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-01 11:56:29 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-01 11:56:34 +0000
commitb3904b36e0302c177eec99ee0fa35eeacfbe79f4 (patch)
treec5eecfd3a8034d32134db5125ee605397eca9fed
parentf12386aa9acf19877161bfc77e55572f40509cc4 (diff)
downloadgitlab-ce-b3904b36e0302c177eec99ee0fa35eeacfbe79f4.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-5-stable-ee
-rw-r--r--lib/api/award_emoji.rb2
-rw-r--r--spec/models/note_spec.rb16
-rw-r--r--spec/requests/api/award_emoji_spec.rb30
3 files changed, 47 insertions, 1 deletions
diff --git a/lib/api/award_emoji.rb b/lib/api/award_emoji.rb
index fd36b364d56..e419a025508 100644
--- a/lib/api/award_emoji.rb
+++ b/lib/api/award_emoji.rb
@@ -100,7 +100,7 @@ module API
def read_ability(awardable)
case awardable
when Note
- read_ability(awardable.noteable)
+ awardable.issuable_ability_name
when Snippet, ProjectSnippet
:read_snippet
else
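Review bot: The `when Note` arm now returns the note's own ability instead of recursing into the noteable, and nothing in the code records why, so a later cleanup could quietly restore the old delegation; a one-line comment on the new line would protect it: `# A confidential (internal) note is narrower than its noteable: ask the note which ability applies, not the parent.` The note spec in this commit shows `issuable_ability_name` yielding `:read_note` or `:read_internal_note`, so for a note on a snippet this helper no longer yields `:read_snippet` (the arm just below); presumably the note's own `read_note` policy already implies the noteable is readable, but that policy is not in the diff and is worth confirming. Which subject the returned symbol is checked against is decided by the caller, which is outside this hunk, as are read_ability's `else` arm and its `end`.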
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb
index 670a6237788..1b44da75c40 100644
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -1888,4 +1888,20 @@ RSpec.describe Note do
end
end
end
+
+ describe '#issuable_ability_name' do
+ subject { note.issuable_ability_name }
+
+ context 'when not confidential note' do
+ let(:note) { build(:note) }
+
+ it { is_expected.to eq :read_note }
+ end
+
+ context 'when confidential note' do
+ let(:note) { build(:note, :confidential) }
+
+ it { is_expected.to eq :read_internal_note }
+ end
+ end
end
diff --git a/spec/requests/api/award_emoji_spec.rb b/spec/requests/api/award_emoji_spec.rb
index 67ddaf2fda5..bb563f93bfe 100644
--- a/spec/requests/api/award_emoji_spec.rb
+++ b/spec/requests/api/award_emoji_spec.rb
@@ -191,6 +191,36 @@ RSpec.describe API::AwardEmoji do
expect(json_response['name']).to eq(rocket.name)
end
+ context 'when a confidential note' do
+ subject(:perform_request) { get api(request_path, current_user) }
+
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project) { create(:project, :public, namespace: group) }
+ let_it_be(:issue) { create(:issue, project: project) }
+ let_it_be(:note) { create(:note, :confidential, project: project, noteable: issue, author: user) }
+
+ context 'with sufficient persmissions' do
+ let(:current_user) { user }
+
+ it 'returns an award emoji' do
+ perform_request
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response['name']).to eq(rocket.name)
+ end
+ end
+
+ context 'with insufficient permissions' do
+ let(:current_user) { nil }
+
+ it 'returns 404' do
+ perform_request
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
+
it_behaves_like 'unauthenticated request to public awardable'
it_behaves_like 'request with insufficient permissions', :get
end
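Review bot: The 'with insufficient permissions' context only exercises an anonymous request (`current_user` is `nil`), so the case the confidential-note change actually guards — a signed-in user who can read the public issue but is not allowed to read its internal note — has no example here; an authenticated non-member expecting 404 would pin the fix down, and a sketch follows. The first context description is also misspelled: `'with sufficient persmissions'` should read `'with sufficient permissions'`. `user` and `rocket` are defined outside the hunk, and the enclosing describe block continues past it.
```ruby
      context 'with insufficient permissions' do
        # … unchanged: anonymous 404 example …
      end

      # constructed: a signed-in user outside the project can read the public
      # issue but must not see awards on its internal note.
      context 'when signed in without access to internal notes' do
        let(:current_user) { create(:user) }

        it 'returns 404' do
          perform_request

          expect(response).to have_gitlab_http_status(:not_found)
        end
      end
```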