summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--app/graphql/mutations/issues/set_severity.rb2
-rw-r--r--app/services/issuable_base_service.rb1
-rw-r--r--lib/gitlab/import_export/project/import_export.yml3
-rw-r--r--lib/gitlab/import_export/project/relation_factory.rb5
-rw-r--r--spec/graphql/mutations/issues/set_severity_spec.rb54
-rw-r--r--spec/lib/gitlab/import_export/project/relation_factory_spec.rb29
-rw-r--r--spec/lib/gitlab/import_export/project/tree_restorer_spec.rb2
-rw-r--r--spec/lib/gitlab/import_export/safe_model_attributes.yml1
-rw-r--r--spec/services/issues/update_service_spec.rb36
9 files changed, 106 insertions, 27 deletions
diff --git a/app/graphql/mutations/issues/set_severity.rb b/app/graphql/mutations/issues/set_severity.rb
index 778563ba053..872a0e7b33d 100644
--- a/app/graphql/mutations/issues/set_severity.rb
+++ b/app/graphql/mutations/issues/set_severity.rb
@@ -8,6 +8,8 @@ module Mutations
argument :severity, Types::IssuableSeverityEnum, required: true,
description: 'Set the incident severity level.'
+ authorize :admin_issue
+
def resolve(project_path:, iid:, severity:)
issue = authorized_find!(project_path: project_path, iid: iid)
project = issue.project
diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index 59e521853de..2daf098b94a 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -142,6 +142,7 @@ class IssuableBaseService < ::BaseProjectService
def filter_severity(issuable)
severity = params.delete(:severity)
return unless severity && issuable.supports_severity?
+ return unless can_admin_issuable?(issuable)
severity = IssuableSeverity::DEFAULT unless IssuableSeverity.severities.key?(severity)
return if severity == issuable.severity
diff --git a/lib/gitlab/import_export/project/import_export.yml b/lib/gitlab/import_export/project/import_export.yml
index 86fd11cc336..c962e0f677b 100644
--- a/lib/gitlab/import_export/project/import_export.yml
+++ b/lib/gitlab/import_export/project/import_export.yml
@@ -328,6 +328,7 @@ excluded_attributes:
- :services
- :exported_protected_branches
- :repository_size_limit
+ - :external_webhook_token
namespaces:
- :runners_token
- :runners_token_encrypted
@@ -536,6 +537,8 @@ excluded_attributes:
system_note_metadata:
- :description_version_id
- :note_id
+ pipeline_schedules:
+ - :active
methods:
notes:
- :type
diff --git a/lib/gitlab/import_export/project/relation_factory.rb b/lib/gitlab/import_export/project/relation_factory.rb
index 102fcedd2fc..888a5a10f2c 100644
--- a/lib/gitlab/import_export/project/relation_factory.rb
+++ b/lib/gitlab/import_export/project/relation_factory.rb
@@ -84,6 +84,7 @@ module Gitlab
when :'Ci::Pipeline' then setup_pipeline
when *BUILD_MODELS then setup_build
when :issues then setup_issue
+ when :'Ci::PipelineSchedule' then setup_pipeline_schedule
end
update_project_references
@@ -143,6 +144,10 @@ module Gitlab
@relation_hash['relative_position'] = compute_relative_position
end
+ def setup_pipeline_schedule
+ @relation_hash['active'] = false
+ end
+
def compute_relative_position
return unless max_relative_position
diff --git a/spec/graphql/mutations/issues/set_severity_spec.rb b/spec/graphql/mutations/issues/set_severity_spec.rb
index 7ce9c7f6621..84736fe7ee6 100644
--- a/spec/graphql/mutations/issues/set_severity_spec.rb
+++ b/spec/graphql/mutations/issues/set_severity_spec.rb
@@ -3,26 +3,58 @@
require 'spec_helper'
RSpec.describe Mutations::Issues::SetSeverity do
- let_it_be(:user) { create(:user) }
- let_it_be(:issue) { create(:incident) }
+ let_it_be(:project) { create(:project) }
+ let_it_be(:guest) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
+ let_it_be(:issue) { create(:incident, project: project) }
let(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
- specify { expect(described_class).to require_graphql_authorizations(:update_issue) }
+ specify { expect(described_class).to require_graphql_authorizations(:update_issue, :admin_issue) }
+
+ before_all do
+ project.add_guest(guest)
+ project.add_reporter(reporter)
+ end
describe '#resolve' do
let(:severity) { 'critical' }
- let(:mutated_incident) { subject[:issue] }
- subject(:resolve) { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, severity: severity) }
+ subject(:resolve) do
+ mutation.resolve(
+ project_path: issue.project.full_path,
+ iid: issue.iid,
+ severity: severity
+ )
+ end
- it_behaves_like 'permission level for issue mutation is correctly verified'
+ context 'as guest' do
+ let(:user) { guest }
- context 'when the user can update the issue' do
- before do
- issue.project.add_developer(user)
+ it 'raises an error' do
+ expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
+
+ context 'and also author' do
+ let!(:issue) { create(:incident, project: project, author: user) }
+
+ it 'raises an error' do
+ expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
end
+ context 'and also assignee' do
+ let!(:issue) { create(:incident, project: project, assignee_ids: [user.id]) }
+
+ it 'raises an error' do
+ expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
+ end
+ end
+
+ context 'as reporter' do
+ let(:user) { reporter }
+
context 'when issue type is incident' do
context 'when severity has a correct value' do
it 'updates severity' do
@@ -48,9 +80,9 @@ RSpec.describe Mutations::Issues::SetSeverity do
end
context 'when issue type is not incident' do
- let!(:issue) { create(:issue) }
+ let!(:issue) { create(:issue, project: project) }
- it 'does not updates the issue' do
+ it 'does not update the issue' do
expect { resolve }.not_to change { issue.updated_at }
end
end
diff --git a/spec/lib/gitlab/import_export/project/relation_factory_spec.rb b/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
index 88bd71d3d64..49df2313924 100644
--- a/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
+++ b/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
@@ -267,6 +267,35 @@ RSpec.describe Gitlab::ImportExport::Project::RelationFactory, :use_clean_rails_
end
end
+ context 'pipeline_schedule' do
+ let(:relation_sym) { :pipeline_schedules }
+ let(:relation_hash) do
+ {
+ "id": 3,
+ "created_at": "2016-07-22T08:55:44.161Z",
+ "updated_at": "2016-07-22T08:55:44.161Z",
+ "description": "pipeline schedule",
+ "ref": "main",
+ "cron": "0 4 * * 0",
+ "cron_timezone": "UTC",
+ "active": value,
+ "project_id": project.id
+ }
+ end
+
+ subject { created_object.active }
+
+ [true, false].each do |v|
+ context "when relation_hash has active set to #{v}" do
+ let(:value) { v }
+
+ it "the created object is not active" do
+ expect(created_object.active).to eq(false)
+ end
+ end
+ end
+ end
+
# `project_id`, `described_class.USER_REFERENCES`, noteable_id, target_id, and some project IDs are already
# re-assigned by described_class.
context 'Potentially hazardous foreign keys' do
diff --git a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
index 518a9337826..f512f49764d 100644
--- a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
@@ -376,7 +376,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
expect(pipeline_schedule.ref).to eq('master')
expect(pipeline_schedule.cron).to eq('0 4 * * 0')
expect(pipeline_schedule.cron_timezone).to eq('UTC')
- expect(pipeline_schedule.active).to eq(true)
+ expect(pipeline_schedule.active).to eq(false)
end
end
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index 287be24d11f..4b125cab49b 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -556,7 +556,6 @@ Project:
- merge_requests_rebase_enabled
- jobs_cache_index
- external_authorization_classification_label
-- external_webhook_token
- pages_https_only
- merge_requests_disable_committers_approval
- require_password_to_approve
diff --git a/spec/services/issues/update_service_spec.rb b/spec/services/issues/update_service_spec.rb
index 331cf291f21..83c17f051eb 100644
--- a/spec/services/issues/update_service_spec.rb
+++ b/spec/services/issues/update_service_spec.rb
@@ -6,6 +6,7 @@ RSpec.describe Issues::UpdateService, :mailer do
let_it_be(:user) { create(:user) }
let_it_be(:user2) { create(:user) }
let_it_be(:user3) { create(:user) }
+ let_it_be(:guest) { create(:user) }
let_it_be(:group) { create(:group, :public) }
let_it_be(:project, reload: true) { create(:project, :repository, group: group) }
let_it_be(:label) { create(:label, project: project) }
@@ -24,6 +25,7 @@ RSpec.describe Issues::UpdateService, :mailer do
project.add_maintainer(user)
project.add_developer(user2)
project.add_developer(user3)
+ project.add_guest(guest)
end
describe 'execute' do
@@ -95,9 +97,7 @@ RSpec.describe Issues::UpdateService, :mailer do
end
context 'user is a guest' do
- before do
- project.add_guest(user)
- end
+ let(:user) { guest }
it 'does not assign the sentry error' do
update_issue(opts)
@@ -258,11 +258,7 @@ RSpec.describe Issues::UpdateService, :mailer do
context 'from issue to restricted issue types' do
context 'without sufficient permissions' do
- let(:user) { create(:user) }
-
- before do
- project.add_guest(user)
- end
+ let(:user) { guest }
it 'does nothing to the labels' do
expect { update_issue(issue_type: 'issue') }.not_to change(issue.labels, :count)
@@ -407,12 +403,6 @@ RSpec.describe Issues::UpdateService, :mailer do
end
context 'when current user cannot admin issues in the project' do
- let(:guest) { create(:user) }
-
- before do
- project.add_guest(guest)
- end
-
it 'filters out params that cannot be set without the :admin_issue permission' do
described_class.new(
project: project, current_user: guest, params: opts.merge(
@@ -1113,6 +1103,24 @@ RSpec.describe Issues::UpdateService, :mailer do
it_behaves_like 'does not change the severity'
end
+
+ context 'as guest' do
+ let(:user) { guest }
+
+ it_behaves_like 'does not change the severity'
+
+ context 'and also author' do
+ let(:issue) { create(:incident, project: project, author: user) }
+
+ it_behaves_like 'does not change the severity'
+ end
+
+ context 'and also assignee' do
+ let(:issue) { create(:incident, project: project, assignee_ids: [user.id]) }
+
+ it_behaves_like 'does not change the severity'
+ end
+ end
end
context 'when severity has been set before' do