Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
54994762
Commit
54994762
authored
Jan 17, 2019
by
Mario de la Ossa
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Backport of 54385-board-policy
parent
c46b8e96
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
22 additions
and
19 deletions
+22
-19
app/controllers/concerns/boards_responses.rb
app/controllers/concerns/boards_responses.rb
+3
-7
app/policies/board_policy.rb
app/policies/board_policy.rb
+14
-0
spec/controllers/boards/issues_controller_spec.rb
spec/controllers/boards/issues_controller_spec.rb
+3
-7
spec/controllers/boards/lists_controller_spec.rb
spec/controllers/boards/lists_controller_spec.rb
+2
-5
No files found.
app/controllers/concerns/boards_responses.rb
View file @
54994762
...
@@ -34,15 +34,11 @@ module BoardsResponses
...
@@ -34,15 +34,11 @@ module BoardsResponses
end
end
def
authorize_read_list
def
authorize_read_list
ability
=
board
.
group_board?
?
:read_group
:
:read_list
authorize_action_for!
(
board
,
:read_list
)
authorize_action_for!
(
board
.
parent
,
ability
)
end
end
def
authorize_read_issue
def
authorize_read_issue
ability
=
board
.
group_board?
?
:read_group
:
:read_issue
authorize_action_for!
(
board
,
:read_issue
)
authorize_action_for!
(
board
.
parent
,
ability
)
end
end
def
authorize_update_issue
def
authorize_update_issue
...
@@ -57,7 +53,7 @@ module BoardsResponses
...
@@ -57,7 +53,7 @@ module BoardsResponses
end
end
def
authorize_admin_list
def
authorize_admin_list
authorize_action_for!
(
board
.
parent
,
:admin_list
)
authorize_action_for!
(
board
,
:admin_list
)
end
end
def
authorize_action_for!
(
resource
,
ability
)
def
authorize_action_for!
(
resource
,
ability
)
...
...
app/policies/board_policy.rb
0 → 100644
View file @
54994762
# frozen_string_literal: true
class
BoardPolicy
<
BasePolicy
delegate
{
@subject
.
parent
}
condition
(
:is_group_board
)
{
@subject
.
group_board?
}
rule
{
is_group_board
?
can?
(
:read_group
)
:
can?
(
:read_project
)
}.
enable
:read_parent
rule
{
is_group_board
&
can?
(
:read_group
)
}.
policy
do
enable
:read_milestone
enable
:read_issue
end
end
spec/controllers/boards/issues_controller_spec.rb
View file @
54994762
require
'spec_helper'
require
'spec_helper'
describe
Boards
::
IssuesController
do
describe
Boards
::
IssuesController
do
let
(
:project
)
{
create
(
:project
)
}
let
(
:project
)
{
create
(
:project
,
:private
)
}
let
(
:board
)
{
create
(
:board
,
project:
project
)
}
let
(
:board
)
{
create
(
:board
,
project:
project
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:guest
)
{
create
(
:user
)
}
let
(
:guest
)
{
create
(
:user
)
}
...
@@ -127,14 +127,10 @@ describe Boards::IssuesController do
...
@@ -127,14 +127,10 @@ describe Boards::IssuesController do
end
end
context
'with unauthorized user'
do
context
'with unauthorized user'
do
before
do
let
(
:unauth_user
)
{
create
(
:user
)
}
allow
(
Ability
).
to
receive
(
:allowed?
).
and_call_original
allow
(
Ability
).
to
receive
(
:allowed?
).
with
(
user
,
:read_project
,
project
).
and_return
(
true
)
allow
(
Ability
).
to
receive
(
:allowed?
).
with
(
user
,
:read_issue
,
project
).
and_return
(
false
)
end
it
'returns a forbidden 403 response'
do
it
'returns a forbidden 403 response'
do
list_issues
user:
user
,
board:
board
,
list:
list2
list_issues
user:
u
nauth_u
ser
,
board:
board
,
list:
list2
expect
(
response
).
to
have_gitlab_http_status
(
403
)
expect
(
response
).
to
have_gitlab_http_status
(
403
)
end
end
...
...
spec/controllers/boards/lists_controller_spec.rb
View file @
54994762
...
@@ -31,13 +31,10 @@ describe Boards::ListsController do
...
@@ -31,13 +31,10 @@ describe Boards::ListsController do
end
end
context
'with unauthorized user'
do
context
'with unauthorized user'
do
before
do
let
(
:unauth_user
)
{
create
(
:user
)
}
allow
(
Ability
).
to
receive
(
:allowed?
).
with
(
user
,
:read_project
,
project
).
and_return
(
true
)
allow
(
Ability
).
to
receive
(
:allowed?
).
with
(
user
,
:read_list
,
project
).
and_return
(
false
)
end
it
'returns a forbidden 403 response'
do
it
'returns a forbidden 403 response'
do
read_board_list
user:
user
,
board:
board
read_board_list
user:
u
nauth_u
ser
,
board:
board
expect
(
response
).
to
have_gitlab_http_status
(
403
)
expect
(
response
).
to
have_gitlab_http_status
(
403
)
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment