Commit 5dc047dc authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Disable board policies when issues are disabled

Board list policies are also included
parent e927833b
No related merge requests found
......@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy
rule { issues_disabled }.policy do
prevent(*create_read_update_admin_destroy(:issue))
prevent(*create_read_update_admin_destroy(:board))
prevent(*create_read_update_admin_destroy(:list))
end
rule { merge_requests_disabled | repository_disabled }.policy do
......
---
title: Disable issue boards API when issues are disabled
merge_request:
author:
type: security
......@@ -130,22 +130,26 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) }
context 'when the feature is disabled' do
it 'does not include the issues permissions' do
before do
project.issues_enabled = false
project.save!
end
it 'does not include the issues permissions' do
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end
end
context 'when the feature is disabled and external tracker configured' do
it 'does not include the issues permissions' do
create(:jira_service, project: project)
it 'disables boards and lists permissions' do
expect_disallowed :read_board, :create_board, :update_board, :admin_board
expect_disallowed :read_list, :create_list, :update_list, :admin_list
end
project.issues_enabled = false
project.save!
context 'when external tracker configured' do
it 'does not include the issues permissions' do
create(:jira_service, project: project)
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment