Merge Request: Close JIRA issues when issues are disabled

We close external issues even when the user is not authorized by DeclarativePolicy framework.

Merge Request: Close JIRA issues when issues are disabled
We close external issues even when the user is not authorized by DeclarativePolicy framework.
a7f89757 · Arturo Herrero · 25918ea2 · a7f89757 · a7f89757 · a7f89757
Commit a7f89757 authored Sep 25, 2019 by Arturo Herrero
4 changed files
--- a/app/services/issues/close_service.rb
+++ b/app/services/issues/close_service.rb
@@ -4,7 +4,7 @@ module Issues
  class CloseService < Issues::BaseService
    # Closes the supplied issue if the current user is able to do so.
    def execute(issue, commit: nil, notifications: true, system_note: true)
-      return issue unless can?(current_user, :update_issue, issue)
+      return issue unless can?(current_user, :update_issue, issue) || issue.is_a?(ExternalIssue)
      close_issue(issue,
                  closed_via: commit,

--- a/app/services/merge_requests/post_merge_service.rb
+++ b/app/services/merge_requests/post_merge_service.rb
@@ -29,9 +29,7 @@ module MergeRequests
      closed_issues = merge_request.visible_closing_issues_for(current_user)
      closed_issues.each do |issue|
-        if can?(current_user, :update_issue, issue)
+        Issues::CloseService.new(project, current_user).execute(issue, commit: merge_request)
-          Issues::CloseService.new(project, current_user, {}).execute(issue, commit: merge_request)
-        end
      end
    end

--- a/spec/services/issues/close_service_spec.rb
+++ b/spec/services/issues/close_service_spec.rb
@@ -8,6 +8,7 @@ describe Issues::CloseService do
  let(:user2) { create(:user, email: "user2@example.com") }
  let(:guest) { create(:user) }
  let(:issue) { create(:issue, title: "My issue", project: project, assignees: [user2], author: create(:user)) }
+  let(:external_issue) { ExternalIssue.new('JIRA-123', project) }
  let(:closing_merge_request) { create(:merge_request, source_project: project) }
  let(:closing_commit) { create(:commit, project: project) }
  let!(:todo) { create(:todo, :assigned, user: user, project: project, target: issue, author: user2) }
@@ -36,6 +37,16 @@ describe Issues::CloseService do
      expect(service.execute(issue)).to eq(issue)
    end
+    it 'closes the external issue even when the user is not authorized to do so' do
+      allow(service).to receive(:can?).with(user, :update_issue, external_issue)
+        .and_return(false)
+      expect(service).to receive(:close_issue)
+        .with(external_issue, closed_via: nil, notifications: true, system_note: true)
+      service.execute(external_issue)
+    end
    it 'closes the issue when the user is authorized to do so' do
      allow(service).to receive(:can?).with(user, :update_issue, issue)
        .and_return(true)

--- a/spec/services/merge_requests/post_merge_service_spec.rb
+++ b/spec/services/merge_requests/post_merge_service_spec.rb
@@ -56,9 +56,10 @@ describe MergeRequests::PostMergeService do
      issue = create(:issue, project: project)
      allow(merge_request).to receive(:visible_closing_issues_for).and_return([issue])
-      allow_any_instance_of(Issues::CloseService).to receive(:execute).with(issue, commit: merge_request).and_raise
+      allow_any_instance_of(Issues::CloseService).to receive(:execute)
+        .with(issue, commit: merge_request).and_raise(RuntimeError)
-      expect { described_class.new(project, user, {}).execute(merge_request) }.to raise_error
+      expect { described_class.new(project, user).execute(merge_request) }.to raise_error(RuntimeError)
      expect(merge_request.reload).to be_merged
    end