Merge branch '26019-restriction-on-evidence' into 'master'

Evidence - Added restriction for guest on Release page Closes #26019 See merge request gitlab-org/gitlab!21102

Merge branch '26019-restriction-on-evidence' into 'master'
Evidence - Added restriction for guest on Release page Closes #26019 See merge request gitlab-org/gitlab!21102
ca41861e · Bob Van Landuyt · 6e191adb · 72d0a0ad · ca41861e · ca41861e
Commit ca41861e authored Dec 05, 2019 by Bob Van Landuyt
5 changed files
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -10,6 +10,7 @@ class Projects::ReleasesController < Projects::ApplicationController
    push_frontend_feature_flag(:release_evidence_collection, project)
  end
  before_action :authorize_update_release!, only: %i[edit update]
+  before_action :authorize_download_code!, only: [:evidence]

  def index
    respond_to do |format|

--- a/changelogs/unreleased/26019-restriction-on-evidence.yml
+++ b/changelogs/unreleased/26019-restriction-on-evidence.yml
+---
+title: Evidence - Added restriction for guest on Release page
+merge_request: 21102
+author:
+type: changed
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1319,7 +1319,7 @@ module API
      expose :milestones, using: Entities::Milestone, if: -> (release, _) { release.milestones.present? }
      expose :commit_path, expose_nil: false
      expose :tag_path, expose_nil: false
-      expose :evidence_sha, expose_nil: false
+      expose :evidence_sha, expose_nil: false, if: ->(_, _) { can_download_code? }
      expose :assets do
        expose :assets_count, as: :count do |release, _|
          assets_to_exclude = can_download_code? ? [] : [:sources]
@@ -1329,7 +1329,7 @@ module API
        expose :links, using: Entities::Releases::Link do |release, options|
          release.links.sorted
        end
-        expose :evidence_file_path, expose_nil: false
+        expose :evidence_file_path, expose_nil: false, if: ->(_, _) { can_download_code? }
      end
      expose :_links do
        expose :merge_requests_url, expose_nil: false

--- a/spec/controllers/projects/releases_controller_spec.rb
+++ b/spec/controllers/projects/releases_controller_spec.rb
@@ -184,19 +184,39 @@ describe Projects::ReleasesController do
      sign_in(user)
    end

-    it 'returns the correct evidence summary as a json' do
-      subject
+    context 'when the user is a developer' do
+      it 'returns the correct evidence summary as a json' do
+        subject
+
+        expect(json_response).to eq(release.evidence.summary)
+      end

-      expect(json_response).to eq(release.evidence.summary)
+      context 'when the release was created before evidence existed' do
+        before do
+          release.evidence.destroy
+        end
+
+        it 'returns an empty json' do
+          subject
+
+          expect(json_response).to eq({})
+        end
+      end
    end

-    context 'when the release was created before evidence existed' do
-      it 'returns an empty json' do
-        release.evidence.destroy
+    context 'when the user is a guest for the project' do
+      before do
+        project.add_guest(user)
+      end

-        subject
+      context 'when the project is private' do
+        let(:project) { private_project }
+
+        it_behaves_like 'not found'
+      end

-        expect(json_response).to eq({})
+      context 'when the project is public' do
+        it_behaves_like 'successful request'
      end
    end
  end

--- a/spec/lib/api/entities/release_spec.rb
+++ b/spec/lib/api/entities/release_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::Entities::Release do
+  let_it_be(:project) { create(:project) }
+  let_it_be(:release) { create(:release, :with_evidence, project: project) }
+  let(:user) { create(:user) }
+  let(:entity) { described_class.new(release, current_user: user) }
+
+  subject { entity.as_json }
+
+  describe 'evidence' do
+    context 'when the current user can download code' do
+      it 'exposes the evidence sha and the json path' do
+        allow(Ability).to receive(:allowed?).and_call_original
+        allow(Ability).to receive(:allowed?)
+          .with(user, :download_code, project).and_return(true)
+
+        expect(subject[:evidence_sha]).to eq(release.evidence_sha)
+        expect(subject[:assets][:evidence_file_path]).to eq(
+          Gitlab::Routing.url_helpers.evidence_project_release_url(project,
+                                                                   release.tag,
+                                                                   format: :json)
+        )
+      end
+    end
+
+    context 'when the current user cannot download code' do
+      it 'does not expose any evidence data' do
+        allow(Ability).to receive(:allowed?).and_call_original
+        allow(Ability).to receive(:allowed?)
+          .with(user, :download_code, project).and_return(false)
+
+        expect(subject.keys).not_to include(:evidence_sha)
+        expect(subject[:assets].keys).not_to include(:evidence_file_path)
+      end
+    end
+  end
+end