Made suggested content changes based on MR Review

Changed the authentication method for removing fork through API Reflected changes to new auth method in API specs

Made suggested content changes based on MR Review
Changed the authentication method for removing fork through API Reflected changes to new auth method in API specs
0bea5ced · Han Loong Liauw · 520d8509 · 0bea5ced · 0bea5ced · 0bea5ced
Commit 0bea5ced authored Oct 14, 2015 by Han Loong Liauw
8 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -46,7 +46,7 @@ v 8.1.0 (unreleased)
  - Fix bug where Emojis in Markdown would truncate remaining text (Sakata Sinji)
  - Persist filters when sorting on admin user page (Jerry Lukins)
  - Adds ability to remove the forked relationship from project settings
-  screen. #2578 (Han Loong Liauw)
+  screen. (Han Loong Liauw)
  - Add spellcheck=false to certain input fields
  - Invalidate stored service password if the endpoint URL is changed


--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -5,7 +5,7 @@ class ProjectsController < ApplicationController
  before_action :repository, except: [:new, :create]

  # Authorize
-  before_action :authorize_admin_project!, only: [:edit, :update, :destroy, :transfer, :archive, :unarchive, :remove_fork]
+  before_action :authorize_admin_project!, only: [:edit, :update]
  before_action :event_filter, only: [:show, :activity]

  layout :determine_layout
@@ -56,6 +56,8 @@ class ProjectsController < ApplicationController
  end

  def transfer
+    return access_denied! unless can?(current_user, :change_namespace, @project)
+
    namespace = Namespace.find_by(id: params[:new_namespace_id])
    ::Projects::TransferService.new(project, current_user).execute(namespace)

@@ -65,6 +67,8 @@ class ProjectsController < ApplicationController
  end

  def remove_fork
+    return access_denied! unless can?(current_user, :remove_fork_project, @project)
+
    if @project.forked?
      @project.forked_project_link.destroy
      flash[:notice] = 'Fork relationship has been removed.'

--- a/app/views/projects/edit.html.haml
+++ b/app/views/projects/edit.html.haml
@@ -190,17 +190,17 @@
        .nothing-here-block Only the project owner can transfer a project

      - if @project.forked? && can?(current_user, :remove_fork_project, @project)
-        = form_for([@project.namespace.becomes(Namespace), @project], url: remove_fork_namespace_project_path(@project.namespace, @project), method: :put, remote: true, html: { class: 'transfer-project form-horizontal' }) do |f|
+        = form_for([@project.namespace.becomes(Namespace), @project], url: remove_fork_namespace_project_path(@project.namespace, @project), method: :delete, remote: true, html: { class: 'transfer-project form-horizontal' }) do |f|
          .panel.panel-default.panel.panel-danger
-            .panel-heading Remove forked relationship
+            .panel-heading Remove fork relationship
            .panel-body
              %p
                This will remove the relationship to the source project from
                = link_to project_path(@project.forked_from_project) do
                  = @project.forked_from_project.namespace.try(:name)
                %br
-                %strong Once removed it cannot be reversed through this interface
-              = button_to 'Remove forked relationship', '#', class: "btn btn-remove js-confirm-danger", data: { "confirm-danger-message" => remove_fork_project_message(@project) }
+                %strong Once removed it cannot be reversed through this interface.
+              = button_to 'Remove fork relationship', '#', class: "btn btn-remove js-confirm-danger", data: { "confirm-danger-message" => remove_fork_project_message(@project) }
      - elsif @project.forked?
        .nothing-here-block Only the project owner can remove the fork relationship


--- a/config/routes.rb
+++ b/config/routes.rb
@@ -378,7 +378,7 @@ Gitlab::Application.routes.draw do
              [:new, :create, :index], path: "/") do
      member do
        put :transfer
-        put :remove_fork
+        delete :remove_fork
        post :archive
        post :unarchive
        post :toggle_star

--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -246,7 +246,7 @@ module API
      # Example Request:
      #  DELETE /projects/:id/fork
      delete ":id/fork" do
-        authenticated_as_admin!
+        authorize! :remove_fork_project, user_project
        if user_project.forked?
          user_project.forked_project_link.destroy
        end

--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -72,9 +72,12 @@ describe ProjectsController do
      context 'with forked project' do
        let(:project_fork) { create(:project, namespace: user.namespace) }

-        it 'should remove fork from project' do
+        before do
          create(:forked_project_link, forked_to_project: project_fork)
-          put(:remove_fork,
+        end
+
+        it 'should remove fork from project' do
+          delete(:remove_fork,
              namespace_id: project_fork.namespace.to_param,
              id: project_fork.to_param, format: :js)

@@ -84,9 +87,11 @@ describe ProjectsController do
        end
      end

+      context 'when project not forked' do
+        let(:unforked_project) { create(:project, namespace: user.namespace) }
+
        it 'should do nothing if project was not forked' do
-        unforked_project = create(:project, namespace: user.namespace)
-        put(:remove_fork,
+          delete(:remove_fork,
              namespace_id: unforked_project.namespace.to_param,
              id: unforked_project.to_param, format: :js)

@@ -94,9 +99,10 @@ describe ProjectsController do
          expect(response).to render_template(:remove_fork)
        end
      end
+    end

    it "does nothing if user is not signed in" do
-      put(:remove_fork,
+      delete(:remove_fork,
          namespace_id: project.namespace.to_param,
          id: project.to_param, format: :js)
      expect(response.status).to eq(401)

--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -45,13 +45,13 @@ feature 'Project', feature: true do
    end

    it 'should remove fork' do
-      expect(page).to have_content 'Remove forked relationship'
+      expect(page).to have_content 'Remove fork relationship'

-      remove_with_confirm('Remove forked relationship', project.path)
+      remove_with_confirm('Remove fork relationship', project.path)

      expect(page).to have_content 'Fork relationship has been removed.'
      expect(project.forked?).to be_falsey
-      expect(page).not_to have_content 'Remove forked relationship'
+      expect(page).not_to have_content 'Remove fork relationship'
    end
  end


--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -606,8 +606,21 @@ describe API::API, api: true  do

    describe 'DELETE /projects/:id/fork' do

-      it "shouldn't available for non admin users" do
+      it "shouldn't be visible to users outside group" do
        delete api("/projects/#{project_fork_target.id}/fork", user)
+        expect(response.status).to eq(404)
+      end
+
+      context 'when users belong to project group' do
+        let(:project_fork_target) { create(:project, group: create(:group)) }
+
+        before do
+          project_fork_target.group.add_owner user
+          project_fork_target.group.add_developer user2
+        end
+
+        it 'should be forbidden to non-owner users' do
+          delete api("/projects/#{project_fork_target.id}/fork", user2)
          expect(response.status).to eq(403)
        end

@@ -631,6 +644,7 @@ describe API::API, api: true  do
        end
      end
    end
+  end

  describe 'GET /projects/search/:query' do
    let!(:query) { 'query'}