Commit b2da8042 authored by Stan Hu's avatar Stan Hu

Fix 403 errors when adding an assignee list in project boards

Due to a bug in `BoardPolicy`, users were getting back a 403 error when
trying to assign users to an assignee list and seeing "Something went
wrong while fetching assignees list". For some reason, the declarative
policy runtime was ignoring the ternary condition.

To work around the issue, we make the project board an explicit
condition check.

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/9727
parent c470a779
...@@ -21,6 +21,10 @@ class Board < ActiveRecord::Base ...@@ -21,6 +21,10 @@ class Board < ActiveRecord::Base
group_id.present? group_id.present?
end end
def project_board?
project_id.present?
end
def backlog_list def backlog_list
lists.merge(List.backlog).take lists.merge(List.backlog).take
end end
...@@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy ...@@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy
delegate { @subject.parent } delegate { @subject.parent }
condition(:is_group_board) { @subject.group_board? } condition(:is_group_board) { @subject.group_board? }
condition(:is_project_board) { @subject.project_board? }
rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent rule { is_project_board & can?(:read_project) }.enable :read_parent
rule { is_group_board & can?(:read_group) }.policy do rule { is_group_board & can?(:read_group) }.policy do
enable :read_parent
enable :read_milestone enable :read_milestone
enable :read_issue enable :read_issue
end end
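Review bot: The cause behind "for some reason" in the description deserves a comment next to the rewritten rule at `rule { is_project_board & can?(:read_project) }.enable :read_parent`, because the same mistake is easy to reintroduce: inside a `rule` block `is_group_board` is presumably a DeclarativePolicy condition object rather than a boolean, so it is always truthy, Ruby resolved the `?:` once when the rule was built, and every board (project boards included) ended up requiring `read_group`, which is what produced the 403. Combining conditions with the DSL's `&` on both rules is the right fix and it fails closed: a board with neither a project nor a group matches neither rule and is granted no `read_parent` at all. I would add `# Conditions are DSL objects, not booleans: combine them with the DSL's & and |, never Ruby's ?:, && or ||` above the first rule. The BoardPolicy class header and its remaining rules lie outside this hunk.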
---
title: Fix 403 errors when adding an assignee list in project boards
merge_request: 25263
author:
type: fixed
# frozen_string_literal: true
require 'spec_helper'
describe BoardPolicy do
let(:user) { create(:user) }
let(:project) { create(:project, :private) }
let(:group) { create(:group, :private) }
let(:group_board) { create(:board, group: group) }
let(:project_board) { create(:board, project: project) }
let(:board_permissions) do
[
:read_parent,
:read_milestone,
:read_issue
]
end
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
end
def expect_disallowed(*permissions)
permissions.each { |p| is_expected.not_to be_allowed(p) }
end
context 'group board' do
subject { described_class.new(user, group_board) }
context 'user has access' do
before do
group.add_developer(user)
end
it do
expect_allowed(*board_permissions)
end
end
context 'user does not have access' do
it do
expect_disallowed(*board_permissions)
end
end
end
context 'project board' do
subject { described_class.new(user, project_board) }
context 'user has access' do
before do
project.add_developer(user)
end
it do
expect_allowed(*board_permissions)
end
end
context 'user does not have access' do
it do
expect_disallowed(*board_permissions)
end
end
end
end