summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2016-04-30 21:14:40 +0200
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2016-04-30 21:28:40 +0200
commitc9577711cee5f9eec699711d39196480f400a746 (patch)
treed65422af8bbb0d5d6d4362028deaaa508dc56168
parentb8f28628f59b38136aba5704d3feb84af3eaa567 (diff)
downloadgitlab-ce-c9577711cee5f9eec699711d39196480f400a746.tar.gz
Handle issue move access instead of raising errorfix/handle-issue-move-access
Closes #15533
-rw-r--r--app/controllers/projects/issues_controller.rb2
-rw-r--r--spec/controllers/projects/issues_controller_spec.rb39
2 files changed, 41 insertions, 0 deletions
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index 9face235baa..016f5dd0005 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -96,6 +96,8 @@ class Projects::IssuesController < Projects::ApplicationController
if params[:move_to_project_id].to_i > 0
new_project = Project.find(params[:move_to_project_id])
+ return render_404 unless issue.can_move?(current_user, new_project)
+
move_service = Issues::MoveService.new(project, current_user)
@issue = move_service.execute(@issue, new_project)
end
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index d6e4cd71ce6..2b2ad3b9412 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -40,6 +40,45 @@ describe Projects::IssuesController do
end
end
+ describe 'PUT #update' do
+ context 'when moving issue to another private project' do
+ let(:another_project) { create(:project, :private) }
+
+ before do
+ sign_in(user)
+ project.team << [user, :developer]
+ end
+
+ context 'when user has access to move issue' do
+ before { another_project.team << [user, :reporter] }
+
+ it 'moves issue to another project' do
+ move_issue
+
+ expect(response).to have_http_status :found
+ expect(another_project.issues).to_not be_empty
+ end
+ end
+
+ context 'when user does not have access to move issue' do
+ it 'responds with 404' do
+ move_issue
+
+ expect(response).to have_http_status :not_found
+ end
+ end
+
+ def move_issue
+ put :update,
+ namespace_id: project.namespace.to_param,
+ project_id: project.to_param,
+ id: issue.iid,
+ issue: { title: 'New title' },
+ move_to_project_id: another_project.id
+ end
+ end
+ end
+
describe 'Confidential Issues' do
let(:project) { create(:project_empty_repo, :public) }
let(:assignee) { create(:assignee) }