authorJarka Kadlecová <jarka@gitlab.com>2018-07-17 16:16:46 +0200
committerJarka Kadlecová <jarka@gitlab.com>2018-07-17 16:16:46 +0200
commit36a5ab9492786a64b45f62dfbd2aa39be70d25ce (patch)
treec525369998793379810b00dad935398f21c10ebf
parent936625da368f077ecf06fb3c341e21dfc151499e (diff)
Don’t do authorisation checks for todosgroup-todos
-rw-r--r--app/finders/todos_finder.rb19
-rw-r--r--spec/finders/todos_finder_spec.rb26
2 files changed, 0 insertions, 45 deletions
diff --git a/app/finders/todos_finder.rb b/app/finders/todos_finder.rb
index 2156413fb26..c505a5cc8d5 100644
--- a/app/finders/todos_finder.rb
+++ b/app/finders/todos_finder.rb
@@ -39,7 +39,6 @@ class TodosFinder
# Filtering by project HAS TO be the last because we use
# the project IDs yielded by the todos query thus far
items = by_project(items)
- items = visible_to_user(items)
sort(items)
end
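Review bot: With `visible_to_user` gone from this chain, `execute` returns every todo that matches the filters, including ones whose project or group the user can no longer read, and nothing visible here says which layer enforces that now. The next hunk has the same gap: `@project` is taken from `params[:project_id]` with only the `pending_delete?` check left, so a project the user cannot read is accepted as a filter; whether `Project.find` then distinguishes an unreadable project from a missing id is worth confirming. If authorization is meant to live in the callers, state it above the chain, e.g. `# Todos are not filtered by target visibility here; callers must authorize before rendering.` The spec change removes the 'visibility' context without a replacement, so a test pinning the intended result for todos on hidden projects and groups would keep the decision explicit. The body of `execute` starts outside the hunk.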
@@ -96,10 +95,6 @@ class TodosFinder
@project = Project.find(params[:project_id])
@project = nil if @project.pending_delete?
-
- unless Ability.allowed?(current_user, :read_project, @project)
- @project = nil
- end
else
@project = nil
end
@@ -170,20 +165,6 @@ class TodosFinder
items
end
- def visible_to_user(items)
- projects = Project.public_or_visible_to_user(current_user)
- groups = Group.public_or_visible_to_user(current_user)
-
- items
- .joins('LEFT JOIN namespaces ON namespaces.id = todos.group_id')
- .joins('LEFT JOIN projects ON projects.id = todos.project_id')
- .where(
- 'project_id IN (?) OR group_id IN (?)',
- projects.select(:id),
- groups.select(:id)
- )
- end
-
def by_state(items)
case params[:state].to_s
when 'done'
diff --git a/spec/finders/todos_finder_spec.rb b/spec/finders/todos_finder_spec.rb
index 6061021d3b0..7f7cfb2cb98 100644
--- a/spec/finders/todos_finder_spec.rb
+++ b/spec/finders/todos_finder_spec.rb
@@ -14,32 +14,6 @@ describe TodosFinder do
end
describe '#execute' do
- context 'visibility' do
- let(:private_group_access) { create(:group, :private) }
- let(:private_group_hidden) { create(:group, :private) }
- let(:public_project) { create(:project, :public) }
- let(:private_project_hidden) { create(:project) }
- let(:public_group) { create(:group) }
-
- let!(:todo1) { create(:todo, user: user, project: project, group: nil) }
- let!(:todo2) { create(:todo, user: user, project: public_project, group: nil) }
- let!(:todo3) { create(:todo, user: user, project: private_project_hidden, group: nil) }
- let!(:todo4) { create(:todo, user: user, project: nil, group: group) }
- let!(:todo5) { create(:todo, user: user, project: nil, group: private_group_access) }
- let!(:todo6) { create(:todo, user: user, project: nil, group: private_group_hidden) }
- let!(:todo7) { create(:todo, user: user, project: nil, group: public_group) }
-
- before do
- private_group_access.add_developer(user)
- end
-
- it 'returns only todos with a target a user has access to' do
- todos = finder.new(user).execute
-
- expect(todos).to match_array([todo1, todo2, todo4, todo5, todo7])
- end
- end
-
context 'filtering' do
let!(:todo1) { create(:todo, user: user, project: project, target: issue) }
let!(:todo2) { create(:todo, user: user, group: group, target: merge_request) }