diff options
| author | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2016-04-05 13:29:48 +0200 |
|---|---|---|
| committer | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2016-04-05 13:32:28 +0200 |
| commit | b248ee93814e8521fa0c73c82ec9ed113698b945 (patch) | |
| tree | 2ff67b4755e09c47f737f0c0ec2fec976ed854fe | |
| parent | 8a0a802ee960a21145995661c3751bbe8cde9e5c (diff) | |
| download | gitlab-ce-b248ee93814e8521fa0c73c82ec9ed113698b945.tar.gz | |
Check permissions when importing project members
Closes #14899
| -rw-r--r-- | CHANGELOG | 3 | ||||
| -rw-r--r-- | app/controllers/projects/project_members_controller.rb | 9 | ||||
| -rw-r--r-- | spec/controllers/projects/project_members_controller_spec.rb | 49 |
3 files changed, 59 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG index 39239bebcfb..362a571bb4f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -20,6 +20,9 @@ v 8.7.0 (unreleased) - Fall back to `In-Reply-To` and `References` headers when sub-addressing is not available (David Padilla) - Remove "Congratulations!" tweet button on newly-created project. (Connor Shea) +v 8.6.5 (unreleased) + - Check permissions when user attempts to import members from another project + v 8.6.4 - Don't attempt to fetch any tags from a forked repo (Stan Hu) diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb index e7bddc4a6f1..cd984f03c6b 100644 --- a/app/controllers/projects/project_members_controller.rb +++ b/app/controllers/projects/project_members_controller.rb @@ -95,8 +95,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController def apply_import giver = Project.find(params[:source_project_id]) - status = @project.team.import(giver, current_user) - notice = status ? "Successfully imported" : "Import failed" + + if current_user.can?(:read_project_member, giver) + status = @project.team.import(giver, current_user) + notice = status ? "Successfully imported" : "Import failed" + else + notice = 'You are not authorized to import members from this project' + end redirect_to(namespace_project_project_members_path(project.namespace, project), notice: notice) diff --git a/spec/controllers/projects/project_members_controller_spec.rb b/spec/controllers/projects/project_members_controller_spec.rb new file mode 100644 index 00000000000..6d1df8d9fbe --- /dev/null +++ b/spec/controllers/projects/project_members_controller_spec.rb @@ -0,0 +1,49 @@ +require('spec_helper') + +describe Projects::ProjectMembersController do + let(:project) { create(:project) } + let(:another_project) { create(:project, :private) } + let(:user) { create(:user) } + let(:member) { create(:user) } + + before do + project.team << [user, :master] + another_project.team << [member, :guest] + sign_in(user) + end + + describe '#apply_import' do + shared_context 'import applied' do + before do + post(:apply_import, namespace_id: project.namespace.to_param, + project_id: project.to_param, + source_project_id: another_project.id) + end + end + + context 'when user can access source project members' do + before { another_project.team << [user, :guest] } + include_context 'import applied' + + it 'imports source project members' do + expect(project.team_members).to include member + expect(response).to set_flash.to 'Successfully imported' + expect(response).to redirect_to( + namespace_project_project_members_path(project.namespace, project) + ) + end + end + + context 'when user is not member of a source project' do + include_context 'import applied' + + it 'does not import team members' do + expect(project.team_members).to_not include member + end + + it 'notifies about invalid permissions' do + expect(response).to set_flash.to /not authorized/ + end + end + end +end |