summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--app/controllers/projects/discussions_controller.rb4
-rw-r--r--changelogs/unreleased/osw-44295-adjust-authorization-for-discussions-show.yml5
-rw-r--r--spec/controllers/projects/discussions_controller_spec.rb47
3 files changed, 54 insertions, 2 deletions
diff --git a/app/controllers/projects/discussions_controller.rb b/app/controllers/projects/discussions_controller.rb
index 7bc16214010..8e86af43fee 100644
--- a/app/controllers/projects/discussions_controller.rb
+++ b/app/controllers/projects/discussions_controller.rb
@@ -4,8 +4,8 @@ class Projects::DiscussionsController < Projects::ApplicationController
before_action :check_merge_requests_available!
before_action :merge_request
- before_action :discussion
- before_action :authorize_resolve_discussion!
+ before_action :discussion, only: [:resolve, :unresolve]
+ before_action :authorize_resolve_discussion!, only: [:resolve, :unresolve]
def resolve
Discussions::ResolveService.new(project, current_user, merge_request: merge_request).execute(discussion)
diff --git a/changelogs/unreleased/osw-44295-adjust-authorization-for-discussions-show.yml b/changelogs/unreleased/osw-44295-adjust-authorization-for-discussions-show.yml
new file mode 100644
index 00000000000..978c5468bb1
--- /dev/null
+++ b/changelogs/unreleased/osw-44295-adjust-authorization-for-discussions-show.yml
@@ -0,0 +1,5 @@
+---
+title: Adjust 404's for LegacyDiffNote discussion rendering
+merge_request: 18201
+author:
+type: fixed
diff --git a/spec/controllers/projects/discussions_controller_spec.rb b/spec/controllers/projects/discussions_controller_spec.rb
index fcb0c2f28c8..53647749a60 100644
--- a/spec/controllers/projects/discussions_controller_spec.rb
+++ b/spec/controllers/projects/discussions_controller_spec.rb
@@ -16,6 +16,53 @@ describe Projects::DiscussionsController do
}
end
+ describe 'GET show' do
+ before do
+ sign_in user
+ end
+
+ context 'when user is not authorized to read the MR' do
+ it 'returns 404' do
+ get :show, request_params, format: :json
+
+ expect(response).to have_gitlab_http_status(404)
+ end
+ end
+
+ context 'when user is authorized to read the MR' do
+ before do
+ project.add_reporter(user)
+ end
+
+ it 'returns status 200' do
+ get :show, request_params, format: :json
+
+ expect(response).to have_gitlab_http_status(200)
+ end
+
+ it 'returns status 404 if MR does not exists' do
+ merge_request.destroy!
+
+ get :show, request_params, format: :json
+
+ expect(response).to have_gitlab_http_status(404)
+ end
+ end
+
+ context 'when user is authorized but note is LegacyDiffNote' do
+ before do
+ project.add_developer(user)
+ note.update!(type: 'LegacyDiffNote')
+ end
+
+ it 'returns status 200' do
+ get :show, request_params, format: :json
+
+ expect(response).to have_gitlab_http_status(200)
+ end
+ end
+ end
+
describe 'POST resolve' do
before do
sign_in user
View Lorry Controller Status