diff options
author | Mario de la Ossa <mariodelaossa@gmail.com> | 2019-01-17 11:40:37 -0600 |
---|---|---|
committer | Mario de la Ossa <mariodelaossa@gmail.com> | 2019-01-18 12:43:46 -0600 |
commit | 54994762ffd45e55cc9c000fbfb382382c69ad5d (patch) | |
tree | 1613e95fcae03b3ee8e4ad99be7b2bfefccd4023 | |
parent | c46b8e968ba926745418738cb8855f0ca23b97cd (diff) | |
download | gitlab-ce-54994762ffd45e55cc9c000fbfb382382c69ad5d.tar.gz |
Backport of 54385-board-policy
-rw-r--r-- | app/controllers/concerns/boards_responses.rb | 10 | ||||
-rw-r--r-- | app/policies/board_policy.rb | 14 | ||||
-rw-r--r-- | spec/controllers/boards/issues_controller_spec.rb | 10 | ||||
-rw-r--r-- | spec/controllers/boards/lists_controller_spec.rb | 7 |
4 files changed, 22 insertions, 19 deletions
diff --git a/app/controllers/concerns/boards_responses.rb b/app/controllers/concerns/boards_responses.rb index 3cdf4ddf8bb..8b191c86397 100644 --- a/app/controllers/concerns/boards_responses.rb +++ b/app/controllers/concerns/boards_responses.rb @@ -34,15 +34,11 @@ module BoardsResponses end def authorize_read_list - ability = board.group_board? ? :read_group : :read_list - - authorize_action_for!(board.parent, ability) + authorize_action_for!(board, :read_list) end def authorize_read_issue - ability = board.group_board? ? :read_group : :read_issue - - authorize_action_for!(board.parent, ability) + authorize_action_for!(board, :read_issue) end def authorize_update_issue @@ -57,7 +53,7 @@ module BoardsResponses end def authorize_admin_list - authorize_action_for!(board.parent, :admin_list) + authorize_action_for!(board, :admin_list) end def authorize_action_for!(resource, ability) diff --git a/app/policies/board_policy.rb b/app/policies/board_policy.rb new file mode 100644 index 00000000000..46db008421f --- /dev/null +++ b/app/policies/board_policy.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +class BoardPolicy < BasePolicy + delegate { @subject.parent } + + condition(:is_group_board) { @subject.group_board? } + + rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent + + rule { is_group_board & can?(:read_group) }.policy do + enable :read_milestone + enable :read_issue + end +end diff --git a/spec/controllers/boards/issues_controller_spec.rb b/spec/controllers/boards/issues_controller_spec.rb index 8657fc2ebc0..725ea2bf1ab 100644 --- a/spec/controllers/boards/issues_controller_spec.rb +++ b/spec/controllers/boards/issues_controller_spec.rb @@ -1,7 +1,7 @@ require 'spec_helper' describe Boards::IssuesController do - let(:project) { create(:project) } + let(:project) { create(:project, :private) } let(:board) { create(:board, project: project) } let(:user) { create(:user) } let(:guest) { create(:user) } @@ -127,14 +127,10 @@ describe Boards::IssuesController do end context 'with unauthorized user' do - before do - allow(Ability).to receive(:allowed?).and_call_original - allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true) - allow(Ability).to receive(:allowed?).with(user, :read_issue, project).and_return(false) - end + let(:unauth_user) { create(:user) } it 'returns a forbidden 403 response' do - list_issues user: user, board: board, list: list2 + list_issues user: unauth_user, board: board, list: list2 expect(response).to have_gitlab_http_status(403) end diff --git a/spec/controllers/boards/lists_controller_spec.rb b/spec/controllers/boards/lists_controller_spec.rb index 70033857168..e5b8aa2e678 100644 --- a/spec/controllers/boards/lists_controller_spec.rb +++ b/spec/controllers/boards/lists_controller_spec.rb @@ -31,13 +31,10 @@ describe Boards::ListsController do end context 'with unauthorized user' do - before do - allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true) - allow(Ability).to receive(:allowed?).with(user, :read_list, project).and_return(false) - end + let(:unauth_user) { create(:user) } it 'returns a forbidden 403 response' do - read_board_list user: user, board: board + read_board_list user: unauth_user, board: board expect(response).to have_gitlab_http_status(403) end |