author | Stan Hu <stanhu@gmail.com> | 2019-02-14 13:19:59 -0800 |
committer | Stan Hu <stanhu@gmail.com> | 2019-02-14 13:41:43 -0800 |
commit | b2da8042b4d11db246a26b63eebc78a3c0660b08 (patch) | |
tree | 69feead682ebd9c7ab55c569bab523f67bd03679 | |
parent | c470a77937c79169f3ba78a31c249bd71b5c6070 (diff) | |
Fix 403 errors when adding an assignee list in project boards
Due to a bug in `BoardPolicy`, users were getting back a 403 error when
trying to assign users to an assignee list and seeing "Something went
wrong while fetching assignees list". For some reason, the declarative
policy runtime was ignoring the ternary condition.
To work around the issue, we make the project board an explicit
condition check.
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/9727
-rw-r--r-- | app/models/board.rb | 4 | ||||
-rw-r--r-- | app/policies/board_policy.rb | 4 | ||||
-rw-r--r-- | changelogs/unreleased/sh-fix-board-user-assigns.yml | 5 | ||||
-rw-r--r-- | spec/policies/board_policy_spec.rb | 67 |
4 files changed, 79 insertions, 1 deletions
diff --git a/app/models/board.rb b/app/models/board.rb
index a137863456c..758a71d6903 100644
--- a/app/models/board.rb
+++ b/app/models/board.rb
@@ -21,6 +21,10 @@ class Board < ActiveRecord::Base
     group_id.present?
   end
 
+  def project_board?
+    project_id.present?
+  end
+
   def backlog_list
     lists.merge(List.backlog).take
   end
diff --git a/app/policies/board_policy.rb b/app/policies/board_policy.rb
index 46db008421f..4bf1e7bd3e1 100644
--- a/app/policies/board_policy.rb
+++ b/app/policies/board_policy.rb
@@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy
   delegate { @subject.parent }
 
   condition(:is_group_board) { @subject.group_board? }
+  condition(:is_project_board) { @subject.project_board? }
 
-  rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
+  rule { is_project_board & can?(:read_project) }.enable :read_parent
 
   rule { is_group_board & can?(:read_group) }.policy do
+    enable :read_parent
     enable :read_milestone
     enable :read_issue
   end
diff --git a/changelogs/unreleased/sh-fix-board-user-assigns.yml b/changelogs/unreleased/sh-fix-board-user-assigns.yml
new file mode 100644
index 00000000000..89c228107f0
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-board-user-assigns.yml
@@ -0,0 +1,5 @@
+---
+title: Fix 403 errors when adding an assignee list in project boards
+merge_request: 25263
+author:
+type: fixed
diff --git a/spec/policies/board_policy_spec.rb b/spec/policies/board_policy_spec.rb
new file mode 100644
index 00000000000..4b76d65ef69
--- /dev/null
+++ b/spec/policies/board_policy_spec.rb
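Review bot: Nothing in board_policy.rb records why the ternary rule had to be replaced, so the same pattern can be reintroduced by the next edit; the commit message only says the runtime "ignored" it. Inside a `rule` block, names like `is_group_board` and `can?(:read_group)` presumably yield DSL objects that are combined lazily, so a Ruby `?:` sees an always-truthy object at definition time and selects one branch for every board — this is inferred, as the DSL itself is not on the page. A comment above the new `rule { is_project_board & can?(:read_project) }.enable :read_parent` such as `# Combine conditions only with the rule DSL (&, |); a Ruby ternary picks a branch once at definition time and is not a policy condition.` would capture this. The new rules fail closed: a board with neither `project_id` nor `group_id` now grants no `:read_parent`, which is the safer default, while a board with both would satisfy both rules, which the `project_board?` addition in board.rb does not rule out.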
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe BoardPolicy do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :private) }
+  let(:group) { create(:group, :private) }
+  let(:group_board) { create(:board, group: group) }
+  let(:project_board) { create(:board, project: project) }
+
+  let(:board_permissions) do
+    [
+      :read_parent,
+      :read_milestone,
+      :read_issue
+    ]
+  end
+
+  def expect_allowed(*permissions)
+    permissions.each { |p| is_expected.to be_allowed(p) }
+  end
+
+  def expect_disallowed(*permissions)
+    permissions.each { |p| is_expected.not_to be_allowed(p) }
+  end
+
+  context 'group board' do
+    subject { described_class.new(user, group_board) }
+
+    context 'user has access' do
+      before do
+        group.add_developer(user)
+      end
+
+      it do
+        expect_allowed(*board_permissions)
+      end
+    end
+
+    context 'user does not have access' do
+      it do
+        expect_disallowed(*board_permissions)
+      end
+    end
+  end
+
+  context 'project board' do
+    subject { described_class.new(user, project_board) }
+
+    context 'user has access' do
+      before do
+        project.add_developer(user)
+      end
+
+      it do
+        expect_allowed(*board_permissions)
+      end
+    end
+
+    context 'user does not have access' do
+      it do
+        expect_disallowed(*board_permissions)
+      end
+    end
+  end
+end
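Review bot: Each example is a bare `it do` block, so a failure is reported only with the matcher text generated inside `expect_allowed`/`expect_disallowed`, which names a single permission and not which board type or access level was under test; give the examples descriptions such as `it 'allows the board permissions to a project developer'` and `it 'denies the board permissions to a non-member'`. The spec exercises the regressed path (a project developer on a project board) and the denied path for both board types, which matches the two new rules. It does not pin the fail-closed case introduced by the policy change, a board with neither parent receiving none of `board_permissions`; if the board factory permits such a record, one short `expect_disallowed(*board_permissions)` example would guard that default against a later rule re-opening it.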