diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2016-09-20 19:37:47 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2016-09-20 19:37:47 +0000 |
commit | 0c7f38bd5b59458a94a9637e06287c8bbbaec82d (patch) | |
tree | 6a1e169e0cc960f5d7e16a35c9c2ad7e95f4b2bc | |
parent | f683349723dd30b7721d283ea20ce9788f2d16b9 (diff) | |
parent | 98559adf710eb2142ba072f2ac91a1db9d0578cf (diff) | |
download | gitlab-ce-0c7f38bd5b59458a94a9637e06287c8bbbaec82d.tar.gz |
Merge branch 'issue_20078' into 'master'
Test if issue authors can access private projects
See merge request !6419
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 13 |
2 files changed, 14 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG index 62b7b2d51d1..51411e1d7f3 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -49,6 +49,7 @@ v 8.12.0 (unreleased) - Expose `sha` and `merge_commit_sha` in merge request API (Ben Boeckel) - Set path for all JavaScript cookies to honor GitLab's subdirectory setting !5627 (Mike Greiling) - Fix blame table layout width + - Spec testing if issue authors can read issues on private projects - Fix bug where pagination is still displayed despite all todos marked as done (ClemMakesApps) - Request only the LDAP attributes we need !6187 - Center build stage columns in pipeline overview (ClemMakesApps) diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index eda1cafd65e..a7a06744428 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -33,4 +33,17 @@ describe ProjectPolicy, models: true do it 'returns increasing permissions for each level' do expect(users_permissions).to eq(users_permissions.sort.uniq) end + + it 'does not include the read_issue permission when the issue author is not a member of the private project' do + project = create(:project, :private) + issue = create(:issue, project: project) + user = issue.author + + expect(project.team.member?(issue.author)).to eq(false) + + expect(BasePolicy.class_for(project).abilities(user, project).can_set). + not_to include(:read_issue) + + expect(Ability.allowed?(user, :read_issue, project)).to be_falsy + end end |