Commit 73ee63b0 authored by Alan (Maciej) Paruszewski's avatar Alan (Maciej) Paruszewski Committed by James Fargher

Present only issues visible to user in Vulnerabilitiy Issue Links API

parent 6f1b899d
---
title: Present only issues visible to user in Vulnerabilitiy Issue Links API
merge_request: 36987
author:
type: fixed
......@@ -33,10 +33,8 @@ module API
end
get ':id/issue_links' do
vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
present vulnerability
.related_issues
.with_api_entity_associations
.with_vulnerability_links,
related_issues = vulnerability.related_issues.with_api_entity_associations.with_vulnerability_links
present Ability.issues_readable_by_user(related_issues, current_user),
with: EE::API::Entities::VulnerabilityRelatedIssue
end
......
......@@ -78,7 +78,7 @@ FactoryBot.define do
trait :with_issue_links do
after(:create) do |vulnerability|
create_list(:issue, 2).each do |issue|
create_list(:issue, 2, project: vulnerability.project).each do |issue|
create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue)
end
end
......
......@@ -24,15 +24,51 @@ RSpec.describe API::VulnerabilityIssueLinks do
project.add_developer(user)
end
it 'gets the list of vulnerabilities' do
get_issue_links
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('public_api/v4/vulnerability_related_issues', dir: 'ee')
expect(json_response.map { |link| link['id'] }).to match_array(vulnerability.related_issues.map(&:id))
expect(json_response.map { |link| link['vulnerability_link_id'] }).to(
match_array(vulnerability.issue_links.map(&:id)))
expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related'
shared_examples "responds with list of only visible issue links" do
it 'gets the list of visible issue links', :aggregate_failures do
get_issue_links
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('public_api/v4/vulnerability_related_issues', dir: 'ee')
expect(json_response.map { |link| link['id'] }).to match_array(vulnerability.related_issues.map(&:id))
expect(json_response.map { |link| link['vulnerability_link_id'] }).to(
match_array(vulnerability.issue_links.map(&:id)))
expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related'
end
end
context 'when linked issue is not confidential and available for the user' do
include_examples 'responds with list of only visible issue links'
end
context 'when there is an additional confidential issue linked' do
let_it_be(:public_project) { create(:project, :public) }
let_it_be(:confidential_issue) { create(:issue, :confidential, project: public_project) }
let_it_be(:confidential_issue_link) { create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: confidential_issue) }
include_examples 'responds with list of only visible issue links'
it 'does not return confidential issue in the response' do
get_issue_links
expect(json_response.map { |link| link['id'] }).not_to include(confidential_issue.id)
expect(json_response.map { |link| link['vulnerability_link_id'] }).not_to include(confidential_issue_link.id)
end
end
context 'when link is created to issue in the inaccessible project' do
let_it_be(:private_project) { create(:project, :private) }
let_it_be(:private_issue) { create(:issue, :confidential, project: private_project) }
let_it_be(:private_issue_link) { create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: private_issue) }
include_examples 'responds with list of only visible issue links'
it 'does not return issue from inaccessible project' do
get_issue_links
expect(json_response.map { |link| link['id'] }).not_to include(private_issue.id)
expect(json_response.map { |link| link['vulnerability_link_id'] }).not_to include(private_issue_link.id)
end
end
it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
......@@ -81,7 +117,7 @@ RSpec.describe API::VulnerabilityIssueLinks do
end
end
context 'with valid target_project_id and target_issue_iid params' do
context 'when issue is from different project' do
let_it_be(:other_issue) { create(:issue) }
let(:target_project_id) { other_issue.project_id }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment