Merge branch 'issue_22664' into 'master'

Check if user can read project before being assigned to issue

Closes #22664

See merge request !7980

3 files changed, 107 insertions, 1 deletions

diff --git a/spec/support/services/issuable_create_service_shared_examples.rb b/spec/support/services/issuable_create_service_shared_examples.rb
new file mode 100644
index 00000000000..93c0267d2db
--- /dev/null
+++ b/spec/support/services/issuable_create_service_shared_examples.rb
@@ -0,0 +1,52 @@
+shared_examples 'issuable create service' do
+  context 'asssignee_id' do
+    let(:assignee) { create(:user) }
+
+    before { project.team << [user, :master] }
+
+    it 'removes assignee_id when user id is invalid' do
+      opts = { title: 'Title', description: 'Description', assignee_id: -1 }
+
+      issuable = described_class.new(project, user, opts).execute
+
+      expect(issuable.assignee_id).to be_nil
+    end
+
+    it 'removes assignee_id when user id is 0' do
+      opts = { title: 'Title', description: 'Description',  assignee_id: 0 }
+
+      issuable = described_class.new(project, user, opts).execute
+
+      expect(issuable.assignee_id).to be_nil
+    end
+
+    it 'saves assignee when user id is valid' do
+      project.team << [assignee, :master]
+      opts = { title: 'Title', description: 'Description', assignee_id: assignee.id }
+
+      issuable = described_class.new(project, user, opts).execute
+
+      expect(issuable.assignee_id).to eq(assignee.id)
+    end
+
+    context "when issuable feature is private" do
+      before do
+        project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
+        project.project_feature.update(merge_requests_access_level: ProjectFeature::PRIVATE)
+      end
+
+      levels = [Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PUBLIC]
+
+      levels.each do |level|
+        it "removes not authorized assignee when project is #{Gitlab::VisibilityLevel.level_name(level)}" do
+          project.update(visibility_level: level)
+          opts = { title: 'Title', description: 'Description', assignee_id: assignee.id }
+
+          issuable = described_class.new(project, user, opts).execute
+
+          expect(issuable.assignee_id).to be_nil
+        end
+      end
+    end
+  end
+end
diff --git a/spec/support/services/issuable_create_service_slash_commands_shared_examples.rb b/spec/support/services/issuable_create_service_slash_commands_shared_examples.rb
index 5f9645ed44f..dd54b0addda 100644
--- a/spec/support/services/issuable_create_service_slash_commands_shared_examples.rb
+++ b/spec/support/services/issuable_create_service_slash_commands_shared_examples.rb
@@ -11,6 +11,8 @@ shared_examples 'new issuable record that supports slash commands' do
   let(:params) { base_params.merge(defined?(default_params) ? default_params : {}).merge(example_params) }
   let(:issuable) { described_class.new(project, user, params).execute }
 
+  before { project.team << [assignee, :master ] }
+
   context 'with labels in command only' do
     let(:example_params) do
       {
@@ -55,7 +57,7 @@ shared_examples 'new issuable record that supports slash commands' do
   context 'with assignee and milestone in params and command' do
     let(:example_params) do
       {
-        assignee: build_stubbed(:user),
+        assignee: create(:user),
         milestone_id: double(:milestone),
         description: %(/assign @#{assignee.username}\n/milestone %"#{milestone.name}")
       }
diff --git a/spec/support/services/issuable_update_service_shared_examples.rb b/spec/support/services/issuable_update_service_shared_examples.rb
index a3336755773..49cea1e608c 100644
--- a/spec/support/services/issuable_update_service_shared_examples.rb
+++ b/spec/support/services/issuable_update_service_shared_examples.rb
@@ -1,4 +1,8 @@
 shared_examples 'issuable update service' do
+  def update_issuable(opts)
+    described_class.new(project, user, opts).execute(open_issuable)
+  end
+
   context 'changing state' do
     before { expect(project).to receive(:execute_hooks).once }
 
@@ -14,4 +18,52 @@ shared_examples 'issuable update service' do
       end
     end
   end
+
+  context 'asssignee_id' do
+    it 'does not update assignee when assignee_id is invalid' do
+      open_issuable.update(assignee_id: user.id)
+
+      update_issuable(assignee_id: -1)
+
+      expect(open_issuable.reload.assignee).to eq(user)
+    end
+
+    it 'unassigns assignee when user id is 0' do
+      open_issuable.update(assignee_id: user.id)
+
+      update_issuable(assignee_id: 0)
+
+      expect(open_issuable.assignee_id).to be_nil
+    end
+
+    it 'saves assignee when user id is valid' do
+      update_issuable(assignee_id: user.id)
+
+      expect(open_issuable.assignee_id).to eq(user.id)
+    end
+
+    it 'does not update assignee_id when user cannot read issue' do
+      non_member        = create(:user)
+      original_assignee = open_issuable.assignee
+
+      update_issuable(assignee_id: non_member.id)
+
+      expect(open_issuable.assignee_id).to eq(original_assignee.id)
+    end
+
+    context "when issuable feature is private" do
+      levels = [Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PUBLIC]
+
+      levels.each do |level|
+        it "does not update with unauthorized assignee when project is #{Gitlab::VisibilityLevel.level_name(level)}" do
+          assignee = create(:user)
+          project.update(visibility_level: level)
+          feature_visibility_attr = :"#{open_issuable.model_name.plural}_access_level"
+          project.project_feature.update_attribute(feature_visibility_attr, ProjectFeature::PRIVATE)
+
+          expect{ update_issuable(assignee_id: assignee) }.not_to change{ open_issuable.assignee }
+        end
+      end
+    end
+  end
 end