Commit b9b0b37b authored by Rubén Dávila's avatar Rubén Dávila

Add check for access to Namespace

parent 6f03ddcd
...@@ -20,7 +20,10 @@ class ProjectsController < Projects::ApplicationController ...@@ -20,7 +20,10 @@ class ProjectsController < Projects::ApplicationController
end end
def new def new
@project ||= Project.new(params.permit(:namespace_id)) namespace = Namespace.find_by(id: params[:namespace_id]) if params[:namespace_id]
return access_denied! if namespace && !can?(current_user, :create_projects, namespace)
@project = Project.new(namespace_id: namespace&.id)
end end
def edit def edit
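Review bot: In `new`, a `namespace_id` that matches no namespace falls through and renders the form, while one that exists but fails `can?(current_user, :create_projects, namespace)` is answered through `access_denied!` (a 404, according to the spec added in this commit). The differing responses reveal to a signed-in user whether an id belongs to a namespace they cannot see. Handling both cases the same way closes that, e.g. `return access_denied! if params[:namespace_id] && !(namespace && can?(current_user, :create_projects, namespace))`. This guard covers only the form; `create` is outside the hunk and presumably needs the same permission enforced on the submitted `namespace_id`, which is worth confirming.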
......
...@@ -45,8 +45,8 @@ module NamespacesHelper ...@@ -45,8 +45,8 @@ module NamespacesHelper
visibility_level: n.visibility_level_value, visibility_level: n.visibility_level_value,
visibility: n.visibility, visibility: n.visibility,
name: n.name, name: n.name,
show_path: n.is_a?(Group) ? group_path(n) : user_path(n), show_path: (type == 'group') ? group_path(n) : user_path(n),
edit_path: n.is_a?(Group) ? edit_group_path(n) : nil edit_path: (type == 'group') ? edit_group_path(n) : nil
}] }]
end end
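Review bot: `show_path` and `edit_path` now branch on `type == 'group'` instead of the class of `n`, so the links are only correct if every element passed in under a given `type` really is of that kind. `type` is defined outside the hunk, and the enclosing method begins before it, so this cannot be checked from here. A one-line comment above the hash would record the assumption, e.g. `# type labels the whole list; 'group' means every n is a Group`. The parentheses around the ternary condition are redundant, and the repeated string comparison could be computed once, for instance `group = type == 'group'`.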
......
...@@ -7,6 +7,38 @@ describe ProjectsController do ...@@ -7,6 +7,38 @@ describe ProjectsController do
let(:jpg) { fixture_file_upload(Rails.root + 'spec/fixtures/rails_sample.jpg', 'image/jpg') } let(:jpg) { fixture_file_upload(Rails.root + 'spec/fixtures/rails_sample.jpg', 'image/jpg') }
let(:txt) { fixture_file_upload(Rails.root + 'spec/fixtures/doc_sample.txt', 'text/plain') } let(:txt) { fixture_file_upload(Rails.root + 'spec/fixtures/doc_sample.txt', 'text/plain') }
describe 'GET new' do
context 'with an authenticated user' do
let(:group) { create(:group) }
before do
sign_in(user)
end
context 'when namespace_id param is present' do
context 'when user has access to the namespace' do
it 'renders the template' do
group.add_owner(user)
get :new, namespace_id: group.id
expect(response).to have_http_status(200)
expect(response).to render_template('new')
end
end
context 'when user does not have access to the namespace' do
it 'responds with status 404' do
get :new, namespace_id: group.id
expect(response).to have_http_status(404)
expect(response).not_to render_template('new')
end
end
end
end
end
describe 'GET index' do describe 'GET index' do
context 'as a user' do context 'as a user' do
it 'redirects to root page' do it 'redirects to root page' do
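Review bot: The denial example in 'GET new' only covers a user with no membership at all, so nothing pins the `:create_projects` check for a user who belongs to the group with a role that lacks that permission. The examples also leave out a request with no `namespace_id` and one whose `namespace_id` matches no namespace, both of which take the `namespace&.id` path in the controller. A context for a low-privilege member is sketched below. `user` is defined outside the hunk.

```ruby
# … unchanged: 'when user does not have access to the namespace' context …
context 'when user is a member without permission to create projects' do
  it 'responds with status 404' do
    group.add_guest(user)
    get :new, namespace_id: group.id
    expect(response).to have_http_status(404)
    expect(response).not_to render_template('new')
  end
end
```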
......