Make it harder to delete issuables accidentally

Previously submitting a DELETE request to an issuable URL would be enough to destroy it, but this should require human confirmation. We now require that the `destroy_confirm` parameter is set to a truthy value before this can complete. In addition, we log a Sentry error if a deletion arrived without confirmation. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/62387
author: Stan Hu <stanhu@gmail.com> 2019-08-28 21:57:54 -0700
committer: Stan Hu <stanhu@gmail.com> 2019-08-29 12:54:19 -0700
commit: f6c7e38040492db018943e537e30a7dd10e46120 (patch)
tree: af6f64104403475d080c5a867e5dee715e4520d1 /spec/controllers/projects/merge_requests_controller_spec.rb
parent: f7e3693435307b56e4da8d8584c6af01459e4813 (diff)
download: gitlab-ce-f6c7e38040492db018943e537e30a7dd10e46120.tar.gz
1 files changed, 20 insertions, 2 deletions
diff --git a/spec/controllers/projects/merge_requests_controller_spec.rb b/spec/controllers/projects/merge_requests_controller_spec.rb
index 11b1eaf11b7..80f54dd258d 100644
--- a/spec/controllers/projects/merge_requests_controller_spec.rb
+++ b/spec/controllers/projects/merge_requests_controller_spec.rb
@@ -573,16 +573,34 @@ describe Projects::MergeRequestsController do
       end
 
       it "deletes the merge request" do
-        delete :destroy, params: { namespace_id: project.namespace, project_id: project, id: merge_request.iid }
+        delete :destroy, params: { namespace_id: project.namespace, project_id: project, id: merge_request.iid, destroy_confirm: true }
 
         expect(response).to have_gitlab_http_status(302)
         expect(controller).to set_flash[:notice].to(/The merge request was successfully deleted\./)
       end
 
+      it "prevents deletion if destroy_confirm is not set" do
+        expect(Gitlab::Sentry).to receive(:track_acceptable_exception).and_call_original
+
+        delete :destroy, params: { namespace_id: project.namespace, project_id: project, id: merge_request.iid }
+
+        expect(response).to have_gitlab_http_status(302)
+        expect(controller).to set_flash[:notice].to('Destroy confirmation not provided for merge request')
+      end
+
+      it "prevents deletion in JSON format if destroy_confirm is not set" do
+        expect(Gitlab::Sentry).to receive(:track_acceptable_exception).and_call_original
+
+        delete :destroy, params: { namespace_id: project.namespace, project_id: project, id: merge_request.iid, format: 'json' }
+
+        expect(response).to have_gitlab_http_status(422)
+        expect(json_response).to eq({ 'errors' => 'Destroy confirmation not provided for merge request' })
+      end
+
       it 'delegates the update of the todos count cache to TodoService' do
         expect_any_instance_of(TodoService).to receive(:destroy_target).with(merge_request).once
 
-        delete :destroy, params: { namespace_id: project.namespace, project_id: project, id: merge_request.iid }
+        delete :destroy, params: { namespace_id: project.namespace, project_id: project, id: merge_request.iid, destroy_confirm: true }
       end
     end
   end
author	Stan Hu <stanhu@gmail.com>	2019-08-28 21:57:54 -0700
committer	Stan Hu <stanhu@gmail.com>	2019-08-29 12:54:19 -0700
commit	f6c7e38040492db018943e537e30a7dd10e46120 (patch)
tree	af6f64104403475d080c5a867e5dee715e4520d1 /spec/controllers/projects/merge_requests_controller_spec.rb
parent	f7e3693435307b56e4da8d8584c6af01459e4813 (diff)
download	gitlab-ce-f6c7e38040492db018943e537e30a7dd10e46120.tar.gz