Commit 8a7bd7ec authored by Robert Speicher's avatar Robert Speicher

Only include the user's ID in the time_spent command's update hash

Previously, this would include the entire User record in the update
hash, which was rendered in the response using `to_json`, erroneously
exposing every attribute of that record, including their (now removed)
private token.

Now we only include the user ID, and perform the lookup on-demand.
parent 198aa993
...@@ -24,7 +24,7 @@ module TimeTrackable ...@@ -24,7 +24,7 @@ module TimeTrackable
# rubocop:disable Gitlab/ModuleWithInstanceVariables # rubocop:disable Gitlab/ModuleWithInstanceVariables
def spend_time(options) def spend_time(options)
@time_spent = options[:duration] @time_spent = options[:duration]
@time_spent_user = options[:user] @time_spent_user = User.find(options[:user_id])
@spent_at = options[:spent_at] @spent_at = options[:spent_at]
@original_total_time_spent = nil @original_total_time_spent = nil
......
...@@ -406,7 +406,7 @@ module QuickActions ...@@ -406,7 +406,7 @@ module QuickActions
if time_spent if time_spent
@updates[:spend_time] = { @updates[:spend_time] = {
duration: time_spent, duration: time_spent,
user: current_user, user_id: current_user.id,
spent_at: time_spent_date spent_at: time_spent_date
} }
end end
...@@ -429,7 +429,7 @@ module QuickActions ...@@ -429,7 +429,7 @@ module QuickActions
current_user.can?(:"admin_#{issuable.to_ability_name}", project) current_user.can?(:"admin_#{issuable.to_ability_name}", project)
end end
command :remove_time_spent do command :remove_time_spent do
@updates[:spend_time] = { duration: :reset, user: current_user } @updates[:spend_time] = { duration: :reset, user_id: current_user.id }
end end
desc "Append the comment with #{SHRUG}" desc "Append the comment with #{SHRUG}"
......
...@@ -85,7 +85,7 @@ module API ...@@ -85,7 +85,7 @@ module API
update_issuable(spend_time: { update_issuable(spend_time: {
duration: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration)), duration: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration)),
user: current_user user_id: current_user.id
}) })
end end
...@@ -97,7 +97,7 @@ module API ...@@ -97,7 +97,7 @@ module API
authorize! update_issuable_key, load_issuable authorize! update_issuable_key, load_issuable
status :ok status :ok
update_issuable(spend_time: { duration: :reset, user: current_user }) update_issuable(spend_time: { duration: :reset, user_id: current_user.id })
end end
desc "Show time stats for a project #{issuable_name}" desc "Show time stats for a project #{issuable_name}"
......
...@@ -86,7 +86,7 @@ module API ...@@ -86,7 +86,7 @@ module API
update_issuable(spend_time: { update_issuable(spend_time: {
duration: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration)), duration: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration)),
user: current_user user_id: current_user.id
}) })
end end
...@@ -98,7 +98,7 @@ module API ...@@ -98,7 +98,7 @@ module API
authorize! update_issuable_key, load_issuable authorize! update_issuable_key, load_issuable
status :ok status :ok
update_issuable(spend_time: { duration: :reset, user: current_user }) update_issuable(spend_time: { duration: :reset, user_id: current_user.id })
end end
desc "Show time stats for a project #{issuable_name}" desc "Show time stats for a project #{issuable_name}"
......
...@@ -82,9 +82,9 @@ feature 'Milestone' do ...@@ -82,9 +82,9 @@ feature 'Milestone' do
milestone = create(:milestone, project: project, title: 8.7) milestone = create(:milestone, project: project, title: 8.7)
issue1 = create(:issue, project: project, milestone: milestone) issue1 = create(:issue, project: project, milestone: milestone)
issue2 = create(:issue, project: project, milestone: milestone) issue2 = create(:issue, project: project, milestone: milestone)
issue1.spend_time(duration: 3600, user: user) issue1.spend_time(duration: 3600, user_id: user.id)
issue1.save! issue1.save!
issue2.spend_time(duration: 7200, user: user) issue2.spend_time(duration: 7200, user_id: user.id)
issue2.save! issue2.save!
visit project_milestone_path(project, milestone) visit project_milestone_path(project, milestone)
......
...@@ -308,7 +308,7 @@ describe Issuable do ...@@ -308,7 +308,7 @@ describe Issuable do
context 'total_time_spent is updated' do context 'total_time_spent is updated' do
before do before do
issue.spend_time(duration: 2, user: user, spent_at: Time.now) issue.spend_time(duration: 2, user_id: user.id, spent_at: Time.now)
issue.save issue.save
expect(Gitlab::HookData::IssuableBuilder) expect(Gitlab::HookData::IssuableBuilder)
.to receive(:new).with(issue).and_return(builder) .to receive(:new).with(issue).and_return(builder)
...@@ -519,7 +519,7 @@ describe Issuable do ...@@ -519,7 +519,7 @@ describe Issuable do
let(:issue) { create(:issue) } let(:issue) { create(:issue) }
def spend_time(seconds) def spend_time(seconds)
issue.spend_time(duration: seconds, user: user) issue.spend_time(duration: seconds, user_id: user.id)
issue.save! issue.save!
end end
......
...@@ -189,9 +189,9 @@ describe Milestone, 'Milestoneish' do ...@@ -189,9 +189,9 @@ describe Milestone, 'Milestoneish' do
describe '#total_issue_time_spent' do describe '#total_issue_time_spent' do
it 'calculates total issue time spent' do it 'calculates total issue time spent' do
closed_issue_1.spend_time(duration: 300, user: author) closed_issue_1.spend_time(duration: 300, user_id: author.id)
closed_issue_1.save! closed_issue_1.save!
closed_issue_2.spend_time(duration: 600, user: assignee) closed_issue_2.spend_time(duration: 600, user_id: assignee.id)
closed_issue_2.save! closed_issue_2.save!
expect(milestone.total_issue_time_spent).to eq(900) expect(milestone.total_issue_time_spent).to eq(900)
......
...@@ -211,7 +211,7 @@ describe QuickActions::InterpretService do ...@@ -211,7 +211,7 @@ describe QuickActions::InterpretService do
expect(updates).to eq(spend_time: { expect(updates).to eq(spend_time: {
duration: 3600, duration: 3600,
user: developer, user_id: developer.id,
spent_at: DateTime.now.to_date spent_at: DateTime.now.to_date
}) })
end end
...@@ -223,7 +223,7 @@ describe QuickActions::InterpretService do ...@@ -223,7 +223,7 @@ describe QuickActions::InterpretService do
expect(updates).to eq(spend_time: { expect(updates).to eq(spend_time: {
duration: -1800, duration: -1800,
user: developer, user_id: developer.id,
spent_at: DateTime.now.to_date spent_at: DateTime.now.to_date
}) })
end end
...@@ -235,7 +235,7 @@ describe QuickActions::InterpretService do ...@@ -235,7 +235,7 @@ describe QuickActions::InterpretService do
expect(updates).to eq(spend_time: { expect(updates).to eq(spend_time: {
duration: 1800, duration: 1800,
user: developer, user_id: developer.id,
spent_at: Date.parse(date) spent_at: Date.parse(date)
}) })
end end
...@@ -269,7 +269,7 @@ describe QuickActions::InterpretService do ...@@ -269,7 +269,7 @@ describe QuickActions::InterpretService do
it 'populates spend_time: :reset if content contains /remove_time_spent' do it 'populates spend_time: :reset if content contains /remove_time_spent' do
_, updates = service.execute(content, issuable) _, updates = service.execute(content, issuable)
expect(updates).to eq(spend_time: { duration: :reset, user: developer }) expect(updates).to eq(spend_time: { duration: :reset, user_id: developer.id })
end end
end end
......
...@@ -1060,7 +1060,7 @@ describe SystemNoteService do ...@@ -1060,7 +1060,7 @@ describe SystemNoteService do
# We need a custom noteable in order to the shared examples to be green. # We need a custom noteable in order to the shared examples to be green.
let(:noteable) do let(:noteable) do
mr = create(:merge_request, source_project: project) mr = create(:merge_request, source_project: project)
mr.spend_time(duration: 360000, user: author) mr.spend_time(duration: 360000, user_id: author.id)
mr.save! mr.save!
mr mr
end end
...@@ -1098,7 +1098,7 @@ describe SystemNoteService do ...@@ -1098,7 +1098,7 @@ describe SystemNoteService do
end end
def spend_time!(seconds) def spend_time!(seconds)
noteable.spend_time(duration: seconds, user: author) noteable.spend_time(duration: seconds, user_id: author.id)
noteable.save! noteable.save!
end end
end end
......
...@@ -79,7 +79,7 @@ shared_examples 'time tracking endpoints' do |issuable_name| ...@@ -79,7 +79,7 @@ shared_examples 'time tracking endpoints' do |issuable_name|
context 'when subtracting time' do context 'when subtracting time' do
it 'subtracts time of the total spent time' do it 'subtracts time of the total spent time' do
issuable.update_attributes!(spend_time: { duration: 7200, user: user }) issuable.update_attributes!(spend_time: { duration: 7200, user_id: user.id })
post api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/add_spent_time", user), post api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/add_spent_time", user),
duration: '-1h' duration: '-1h'
...@@ -91,7 +91,7 @@ shared_examples 'time tracking endpoints' do |issuable_name| ...@@ -91,7 +91,7 @@ shared_examples 'time tracking endpoints' do |issuable_name|
context 'when time to subtract is greater than the total spent time' do context 'when time to subtract is greater than the total spent time' do
it 'does not modify the total time spent' do it 'does not modify the total time spent' do
issuable.update_attributes!(spend_time: { duration: 7200, user: user }) issuable.update_attributes!(spend_time: { duration: 7200, user_id: user.id })
post api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/add_spent_time", user), post api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/add_spent_time", user),
duration: '-1w' duration: '-1w'
...@@ -119,7 +119,7 @@ shared_examples 'time tracking endpoints' do |issuable_name| ...@@ -119,7 +119,7 @@ shared_examples 'time tracking endpoints' do |issuable_name|
describe "GET /projects/:id/#{issuable_collection_name}/:#{issuable_name}_id/time_stats" do describe "GET /projects/:id/#{issuable_collection_name}/:#{issuable_name}_id/time_stats" do
it "returns the time stats for #{issuable_name}" do it "returns the time stats for #{issuable_name}" do
issuable.update_attributes!(spend_time: { duration: 1800, user: user }, issuable.update_attributes!(spend_time: { duration: 1800, user_id: user.id },
time_estimate: 3600) time_estimate: 3600)
get api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/time_stats", user) get api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/time_stats", user)
......
...@@ -75,7 +75,7 @@ shared_examples 'V3 time tracking endpoints' do |issuable_name| ...@@ -75,7 +75,7 @@ shared_examples 'V3 time tracking endpoints' do |issuable_name|
context 'when subtracting time' do context 'when subtracting time' do
it 'subtracts time of the total spent time' do it 'subtracts time of the total spent time' do
issuable.update_attributes!(spend_time: { duration: 7200, user: user }) issuable.update_attributes!(spend_time: { duration: 7200, user_id: user.id })
post v3_api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.id}/add_spent_time", user), post v3_api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.id}/add_spent_time", user),
duration: '-1h' duration: '-1h'
...@@ -87,7 +87,7 @@ shared_examples 'V3 time tracking endpoints' do |issuable_name| ...@@ -87,7 +87,7 @@ shared_examples 'V3 time tracking endpoints' do |issuable_name|
context 'when time to subtract is greater than the total spent time' do context 'when time to subtract is greater than the total spent time' do
it 'does not modify the total time spent' do it 'does not modify the total time spent' do
issuable.update_attributes!(spend_time: { duration: 7200, user: user }) issuable.update_attributes!(spend_time: { duration: 7200, user_id: user.id })
post v3_api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.id}/add_spent_time", user), post v3_api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.id}/add_spent_time", user),
duration: '-1w' duration: '-1w'
...@@ -115,7 +115,7 @@ shared_examples 'V3 time tracking endpoints' do |issuable_name| ...@@ -115,7 +115,7 @@ shared_examples 'V3 time tracking endpoints' do |issuable_name|
describe "GET /projects/:id/#{issuable_collection_name}/:#{issuable_name}_id/time_stats" do describe "GET /projects/:id/#{issuable_collection_name}/:#{issuable_name}_id/time_stats" do
it "returns the time stats for #{issuable_name}" do it "returns the time stats for #{issuable_name}" do
issuable.update_attributes!(spend_time: { duration: 1800, user: user }, issuable.update_attributes!(spend_time: { duration: 1800, user_id: user.id },
time_estimate: 3600) time_estimate: 3600)
get v3_api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.id}/time_stats", user) get v3_api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.id}/time_stats", user)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment