From 4adfd501a5d31abd16bccf08586bf8a125b03450 Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon <grzesiek.bizon@gmail.com>
Date: Thu, 21 Apr 2016 12:20:05 +0200
Subject: Verify label affiliation before assigning to issue

This also verify if milestone belongs to correct project before creating
a new issue.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439
---
 app/services/issuable_base_service.rb       | 28 ++++++++++++++++++++++++++--
 spec/services/issues/create_service_spec.rb | 28 ++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index 18f76d3f650..ab110001f91 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -37,8 +37,9 @@ class IssuableBaseService < BaseService
   end
 
   def filter_params(issuable_ability_name = :issue)
-    params[:assignee_id]  = "" if params[:assignee_id] == IssuableFinder::NONE
-    params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
+    filter_assignee
+    filter_milestone
+    filter_labels
 
     ability = :"admin_#{issuable_ability_name}"
 
@@ -49,6 +50,29 @@ class IssuableBaseService < BaseService
     end
   end
 
+  def filter_assignee
+    if params[:assignee_id] == IssuableFinder::NONE
+      params[:assignee_id] = ''
+    end
+  end
+
+  def filter_milestone
+    return unless params[:milestone_id]
+
+    if params[:milestone_id] == IssuableFinder::NONE ||
+        Milestone.find(params[:milestone_id]).try(:project) != project
+      params[:milestone_id] = ''
+    end
+  end
+
+  def filter_labels
+    return if params[:label_ids].to_a.empty?
+
+    params[:label_ids].select! do |label_id|
+      Label.find(label_id).try(:project) == project
+    end
+  end
+
   def update(issuable)
     change_state(issuable)
     filter_params
diff --git a/spec/services/issues/create_service_spec.rb b/spec/services/issues/create_service_spec.rb
index 5e7915db7e1..d11c45df8ff 100644
--- a/spec/services/issues/create_service_spec.rb
+++ b/spec/services/issues/create_service_spec.rb
@@ -37,6 +37,34 @@ describe Issues::CreateService, services: true do
 
         expect(Todo.where(attributes).count).to eq 1
       end
+
+      context 'label that belongs to different project' do
+        let(:issue) { Issues::CreateService.new(project, user, opts).execute }
+        let(:label) { create(:label) }
+        let(:opts) do
+          { title: 'Title',
+            description: 'Description',
+            label_ids: [label.id] }
+        end
+
+        it 'does not assign label'do
+          expect(issue.labels).to_not include label
+        end
+      end
+
+      context 'milestone that belongs to different project' do
+        let(:issue) { Issues::CreateService.new(project, user, opts).execute }
+        let(:milestone) { create(:milestone) }
+        let(:opts) do
+          { title: 'Title',
+            description: 'Description',
+            milestone_id: milestone.id }
+        end
+
+        it 'does not assign label' do
+          expect(issue.milestone).to_not eq milestone
+        end
+      end
     end
   end
 end
-- 
cgit v1.2.1