Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
0162c132
Commit
0162c132
authored
Oct 28, 2016
by
blackst0ne
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Stop unauthorized users dragging on milestone page
parent
66870960
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
90 additions
and
2 deletions
+90
-2
CHANGELOG.md
CHANGELOG.md
+1
-0
app/assets/stylesheets/framework/lists.scss
app/assets/stylesheets/framework/lists.scss
+1
-1
app/views/shared/milestones/_issuable.html.haml
app/views/shared/milestones/_issuable.html.haml
+2
-1
spec/features/milestones/milestones_spec.rb
spec/features/milestones/milestones_spec.rb
+86
-0
No files found.
CHANGELOG.md
View file @
0162c132
...
@@ -12,6 +12,7 @@ Please view this file on the master branch, on stable branches it's out of date.
...
@@ -12,6 +12,7 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Add hover to trash icon in notes !7008 (blackst0ne)
-
Add hover to trash icon in notes !7008 (blackst0ne)
-
Fix sidekiq stats in admin area (blackst0ne)
-
Fix sidekiq stats in admin area (blackst0ne)
-
Removed delete branch tooltip !6954
-
Removed delete branch tooltip !6954
-
Stop unauthorized users dragging on milestone page (blackst0ne)
-
Escape ref and path for relative links !6050 (winniehell)
-
Escape ref and path for relative links !6050 (winniehell)
-
Fixed link typo on /help/ui to Alerts section. !6915 (Sam Rose)
-
Fixed link typo on /help/ui to Alerts section. !6915 (Sam Rose)
-
Fix filtering of milestones with quotes in title (airatshigapov)
-
Fix filtering of milestones with quotes in title (airatshigapov)
...
...
app/assets/stylesheets/framework/lists.scss
View file @
0162c132
...
@@ -38,7 +38,7 @@
...
@@ -38,7 +38,7 @@
&
.smoke
{
background-color
:
$background-color
;
}
&
.smoke
{
background-color
:
$background-color
;
}
&
:hover
{
&
:
not
(
.ui-sort-disabled
)
:
hover
{
background
:
$row-hover
;
background
:
$row-hover
;
}
}
...
...
app/views/shared/milestones/_issuable.html.haml
View file @
0162c132
...
@@ -3,8 +3,9 @@
...
@@ -3,8 +3,9 @@
-
assignee
=
issuable
.
assignee
-
assignee
=
issuable
.
assignee
-
issuable_type
=
issuable
.
class
.
table_name
-
issuable_type
=
issuable
.
class
.
table_name
-
base_url_args
=
[
project
.
namespace
.
becomes
(
Namespace
),
project
,
issuable_type
]
-
base_url_args
=
[
project
.
namespace
.
becomes
(
Namespace
),
project
,
issuable_type
]
-
can_update
=
can?
(
current_user
,
:"update_
#{
issuable
.
to_ability_name
}
"
,
issuable
)
%li
{
id:
dom_id
(
issuable
,
'sortable'
),
class:
"issuable-row"
,
'data-iid'
=>
issuable
.
iid
,
'data-url'
=>
polymorphic_path
(
issuable
)
}
%li
{
id:
dom_id
(
issuable
,
'sortable'
),
class:
"issuable-row
#{'ui-sort-disabled' unless can_update}
"
,
'data-iid'
=>
issuable
.
iid
,
'data-url'
=>
polymorphic_path
(
issuable
)
}
%span
%span
-
if
show_project_name
-
if
show_project_name
%strong
#{
project
.
name
}
·
%strong
#{
project
.
name
}
·
...
...
spec/features/milestones/milestones_spec.rb
0 → 100644
View file @
0162c132
require
'rails_helper'
describe
'Milestone draggable'
,
feature:
true
,
js:
true
do
let
(
:milestone
)
{
create
(
:milestone
,
project:
project
,
title:
8.14
)
}
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
let
(
:user
)
{
create
(
:user
)
}
context
'issues'
do
let
(
:issue
)
{
page
.
find_by_id
(
'issues-list-unassigned'
).
find
(
'li'
)
}
let
(
:issue_target
)
{
page
.
find_by_id
(
'issues-list-ongoing'
)
}
it
'does not allow guest to drag issue'
do
create_and_drag_issue
expect
(
issue_target
).
not_to
have_selector
(
'.issuable-row'
)
end
it
'does not allow authorized user to drag issue'
do
login_as
(
user
)
create_and_drag_issue
expect
(
issue_target
).
not_to
have_selector
(
'.issuable-row'
)
end
it
'allows author to drag issue'
do
login_as
(
user
)
create_and_drag_issue
(
author:
user
)
expect
(
issue_target
).
to
have_selector
(
'.issuable-row'
)
end
it
'allows admin to drag issue'
do
login_as
(
:admin
)
create_and_drag_issue
expect
(
issue_target
).
to
have_selector
(
'.issuable-row'
)
end
end
context
'merge requests'
do
let
(
:merge_request
)
{
page
.
find_by_id
(
'merge_requests-list-unassigned'
).
find
(
'li'
)
}
let
(
:merge_request_target
)
{
page
.
find_by_id
(
'merge_requests-list-ongoing'
)
}
it
'does not allow guest to drag merge request'
do
create_and_drag_merge_request
expect
(
merge_request_target
).
not_to
have_selector
(
'.issuable-row'
)
end
it
'does not allow authorized user to drag merge request'
do
login_as
(
user
)
create_and_drag_merge_request
expect
(
merge_request_target
).
not_to
have_selector
(
'.issuable-row'
)
end
it
'allows author to drag merge request'
do
login_as
(
user
)
create_and_drag_merge_request
(
author:
user
)
expect
(
merge_request_target
).
to
have_selector
(
'.issuable-row'
)
end
it
'allows admin to drag merge request'
do
login_as
(
:admin
)
create_and_drag_merge_request
expect
(
merge_request_target
).
to
have_selector
(
'.issuable-row'
)
end
end
def
create_and_drag_issue
(
params
=
{})
create
(
:issue
,
params
.
merge
(
title:
'Foo'
,
project:
project
,
milestone:
milestone
))
visit
namespace_project_milestone_path
(
project
.
namespace
,
project
,
milestone
)
issue
.
drag_to
(
issue_target
)
end
def
create_and_drag_merge_request
(
params
=
{})
create
(
:merge_request
,
params
.
merge
(
title:
'Foo'
,
source_project:
project
,
target_project:
project
,
milestone:
milestone
))
visit
namespace_project_milestone_path
(
project
.
namespace
,
project
,
milestone
)
page
.
find
(
"a[href='#tab-merge-requests']"
).
click
merge_request
.
drag_to
(
merge_request_target
)
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment