authorDouglas Barbosa Alexandre <dbalexandre@gmail.com>2019-02-14 22:44:35 +0000
committerDouglas Barbosa Alexandre <dbalexandre@gmail.com>2019-02-14 22:44:35 +0000
commita092b5ae45093dadc9a8834178a2c915e8bbead5 (patch)
treee967befa1f042f3b725a587c26c5b9c39ca193bf
parente2a56bd1ae6af4166db108eca4455530d98f6aa8 (diff)
parentb2da8042b4d11db246a26b63eebc78a3c0660b08 (diff)
downloadgitlab-ce-a092b5ae45093dadc9a8834178a2c915e8bbead5.tar.gz
Merge branch 'sh-fix-board-user-assigns' into 'master'
Fix 403 errors when adding an assignee list in project boards Closes gitlab-ee#9727 See merge request gitlab-org/gitlab-ce!25263
-rw-r--r--app/models/board.rb4
-rw-r--r--app/policies/board_policy.rb4
-rw-r--r--changelogs/unreleased/sh-fix-board-user-assigns.yml5
-rw-r--r--spec/policies/board_policy_spec.rb67
4 files changed, 79 insertions, 1 deletions
diff --git a/app/models/board.rb b/app/models/board.rb
index a137863456c..758a71d6903 100644
--- a/app/models/board.rb
+++ b/app/models/board.rb
@@ -21,6 +21,10 @@ class Board < ActiveRecord::Base
group_id.present?
end
+ def project_board?
+ project_id.present?
+ end
+
def backlog_list
lists.merge(List.backlog).take
end
diff --git a/app/policies/board_policy.rb b/app/policies/board_policy.rb
index 46db008421f..4bf1e7bd3e1 100644
--- a/app/policies/board_policy.rb
+++ b/app/policies/board_policy.rb
@@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy
delegate { @subject.parent }
condition(:is_group_board) { @subject.group_board? }
+ condition(:is_project_board) { @subject.project_board? }
- rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
+ rule { is_project_board & can?(:read_project) }.enable :read_parent
rule { is_group_board & can?(:read_group) }.policy do
+ enable :read_parent
enable :read_milestone
enable :read_issue
end
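Review bot: The rewritten `:read_parent` rules carry no comment saying why the ternary had to go, so a later cleanup could fold the two rules back into one line. As far as I can tell, inside a `rule { }` block `is_group_board` yields a rule object rather than a boolean, so `?:` always takes its first branch and a project board ends up checked against `read_group`; that would match the 403s named in the commit message. I would put `# Rule blocks build rule objects: combine conditions with &, | and ~, never ?:, && or ||.` above the `is_project_board` rule. A board for which neither condition holds now gets no `:read_parent` from these rules, which is the fail-closed outcome and worth keeping. The class body continues outside the hunk.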
diff --git a/changelogs/unreleased/sh-fix-board-user-assigns.yml b/changelogs/unreleased/sh-fix-board-user-assigns.yml
new file mode 100644
index 00000000000..89c228107f0
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-board-user-assigns.yml
@@ -0,0 +1,5 @@
+---
+title: Fix 403 errors when adding an assignee list in project boards
+merge_request: 25263
+author:
+type: fixed
diff --git a/spec/policies/board_policy_spec.rb b/spec/policies/board_policy_spec.rb
new file mode 100644
index 00000000000..4b76d65ef69
--- /dev/null
+++ b/spec/policies/board_policy_spec.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe BoardPolicy do
+ let(:user) { create(:user) }
+ let(:project) { create(:project, :private) }
+ let(:group) { create(:group, :private) }
+ let(:group_board) { create(:board, group: group) }
+ let(:project_board) { create(:board, project: project) }
+
+ let(:board_permissions) do
+ [
+ :read_parent,
+ :read_milestone,
+ :read_issue
+ ]
+ end
+
+ def expect_allowed(*permissions)
+ permissions.each { |p| is_expected.to be_allowed(p) }
+ end
+
+ def expect_disallowed(*permissions)
+ permissions.each { |p| is_expected.not_to be_allowed(p) }
+ end
+
+ context 'group board' do
+ subject { described_class.new(user, group_board) }
+
+ context 'user has access' do
+ before do
+ group.add_developer(user)
+ end
+
+ it do
+ expect_allowed(*board_permissions)
+ end
+ end
+
+ context 'user does not have access' do
+ it do
+ expect_disallowed(*board_permissions)
+ end
+ end
+ end
+
+ context 'project board' do
+ subject { described_class.new(user, project_board) }
+
+ context 'user has access' do
+ before do
+ project.add_developer(user)
+ end
+
+ it do
+ expect_allowed(*board_permissions)
+ end
+ end
+
+ context 'user does not have access' do
+ it do
+ expect_disallowed(*board_permissions)
+ end
+ end
+ end
+end
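Review bot: The 'user does not have access' cases only cover a user with no membership anywhere, so nothing pins that access to one parent type does not open a board of the other type. Since the policy change separates the `read_group` and `read_project` branches, I would add a context in each direction: a developer of `group` against `project_board`, and a developer of `project` against `group_board`, both expecting the board permissions to be disallowed. This assumes the factory-built project does not live under `group`. The bare `it do` examples would also read better with a description.

```ruby
# inside context 'project board', after the existing contexts
context 'user only has access to an unrelated group' do
  before do
    group.add_developer(user)
  end

  it 'does not grant board permissions' do
    expect_disallowed(*board_permissions)
  end
end

# inside context 'group board', after the existing contexts
context 'user only has access to an unrelated project' do
  before do
    project.add_developer(user)
  end

  it 'does not grant board permissions' do
    expect_disallowed(*board_permissions)
  end
end
```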