Fix permission checking when for epic todos

Since we support confidential epics, it's not sufficient to check user can read the epic's group, we should check that user can read the epic itself.

Fix permission checking when for epic todos
Since we support confidential epics, it's not sufficient to check user can read the epic's group, we should check that user can read the epic itself.
2bbf3528 · Jan Provaznik · George Koltsov · 146067c1 · 2bbf3528 · 2bbf3528
Commit 2bbf3528 authored Jul 10, 2020 by Jan Provaznik Committed by George Koltsov Jul 13, 2020
Showing with 47 additions and 6 deletions

ee/app/controllers/groups/todos_controller.rb ee/app/controllers/groups/todos_controller.rb +1 -1

ee/spec/controllers/groups/todos_controller_spec.rb ee/spec/controllers/groups/todos_controller_spec.rb +46 -5

No files found.
--- a/ee/app/controllers/groups/todos_controller.rb
+++ b/ee/app/controllers/groups/todos_controller.rb
@@ -13,7 +13,7 @@ class Groups::TodosController < Groups::ApplicationController
    strong_memoize(:epic) do
      next if params[:issuable_type] != 'epic'
-      @group.epics.find_by(id: params[:issuable_id])
+      EpicsFinder.new(current_user, group_id: @group.id).find(params[:issuable_id])
    end
  end
  # rubocop: enable CodeReuse/ActiveRecord

--- a/ee/spec/controllers/groups/todos_controller_spec.rb
+++ b/ee/spec/controllers/groups/todos_controller_spec.rb
@@ -3,10 +3,7 @@
 require 'spec_helper'
 RSpec.describe Groups::TodosController do
-  let(:user)   { create(:user) }
+  let_it_be(:user) { create(:user) }
-  let(:group)  { create(:group, :private) }
-  let(:epic)   { create(:epic, group: group) }
-  let(:parent) { group }
  describe 'POST create' do
    def post_create
@@ -19,6 +16,50 @@ RSpec.describe Groups::TodosController do
        format: :json
    end
-    it_behaves_like 'todos actions'
+    shared_examples_for 'todo for inaccessible resource' do
+      it 'does not create todo because resource can not be found' do
+        sign_in(user)
+        expect do
+          post_create
+        end.to change { user.todos.count }.by(0)
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+    context 'when epic is not confidential' do
+      let_it_be(:group) { create(:group, :private) }
+      let_it_be(:epic) { create(:epic, group: group) }
+      let(:parent) { group }
+      context 'when epics are available' do
+        before do
+          stub_licensed_features(epics: true)
+        end
+        it_behaves_like 'todos actions'
+      end
+      context 'when epics are not available' do
+        before do
+          stub_licensed_features(epics: false)
+          group.add_developer(user)
+        end
+        it_behaves_like 'todo for inaccessible resource'
+      end
+    end
+    context 'when the user can not access confidential epic in public group' do
+      let_it_be(:group) { create(:group) }
+      let_it_be(:epic) { create(:epic, :confidential, group: group) }
+      before do
+        stub_licensed_features(epics: true)
+      end
+      it_behaves_like 'todo for inaccessible resource'
+    end
  end
 end