Commit cd53478b
authored Jun 02, 2020 by Eugenia Grieff

Update permissions for time tracking endpoints

parent 76e12073
Showing 3 changed files with 25 additions and 6 deletions (+25 -6):
changelogs/unreleased/security-fix-time-tracking-permissions-api.yml (+5 -0)
lib/api/time_tracking_endpoints.rb (+6 -6)
spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb (+14 -0)
changelogs/unreleased/security-fix-time-tracking-permissions-api.yml (new file, 0 → 100644)
---
title
:
Update permissions for time tracking endpoints
merge_request
:
author
:
type
:
security
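Review bot: the entry title only repeats the commit subject, so a changelog reader cannot tell from "Update permissions for time tracking endpoints" what actually changed; the lib/api hunks show the four time tracking endpoints moving from the `update_<issuable>` ability to the `admin_<issuable>` ability, and a title such as "Require the admin permission on the issuable for time tracking API endpoints" would record that. The `merge_request:` and `author:` fields are left empty; fill them in if this entry is expected to carry them.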
lib/api/time_tracking_endpoints.rb
@@ -14,8 +14,8 @@ module API
"
#{
issuable_name
}
_iid"
.
to_sym
end
def
update
_issuable_key
"
update
_
#{
issuable_name
}
"
.
to_sym
def
admin
_issuable_key
"
admin
_
#{
issuable_name
}
"
.
to_sym
end
def
read_issuable_key
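Review bot: `update_issuable_key` is removed rather than kept beside the new `admin_issuable_key`, so every remaining caller in this file must be switched in the same change (the four hunks below do that; a leftover caller elsewhere would raise on the missing method). Also confirm that the policy defines an `admin_<issuable_name>` ability for every issuable this module is mounted for, since `admin_issuable_key` is built by interpolation and a missing ability would mean no caller could pass the `authorize!` check on that endpoint.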
@@ -60,7 +60,7 @@ module API
requires
:duration
,
type:
String
,
desc:
'The duration to be parsed'
end
post
":id/
#{
issuable_collection_name
}
/:
#{
issuable_key
}
/time_estimate"
do
authorize!
update
_issuable_key
,
load_issuable
authorize!
admin
_issuable_key
,
load_issuable
status
:ok
update_issuable
(
time_estimate:
Gitlab
::
TimeTrackingFormatter
.
parse
(
params
.
delete
(
:duration
)))
@@ -71,7 +71,7 @@ module API
requires
issuable_key
,
type:
Integer
,
desc:
"The ID of a project
#{
issuable_name
}
"
end
post
":id/
#{
issuable_collection_name
}
/:
#{
issuable_key
}
/reset_time_estimate"
do
authorize!
update
_issuable_key
,
load_issuable
authorize!
admin
_issuable_key
,
load_issuable
status
:ok
update_issuable
(
time_estimate:
0
)
@@ -83,7 +83,7 @@ module API
requires
:duration
,
type:
String
,
desc:
'The duration to be parsed'
end
post
":id/
#{
issuable_collection_name
}
/:
#{
issuable_key
}
/add_spent_time"
do
authorize!
update
_issuable_key
,
load_issuable
authorize!
admin
_issuable_key
,
load_issuable
update_issuable
(
spend_time:
{
duration:
Gitlab
::
TimeTrackingFormatter
.
parse
(
params
.
delete
(
:duration
)),
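Review bot: this `add_spent_time` endpoint calls `update_issuable` without the `status :ok` line that the `time_estimate`, `reset_time_estimate` and `reset_spent_time` endpoints in the neighbouring hunks set first, so it falls back to the framework default for a POST while the others return 200. If that difference is intended, a short comment would make it clear; otherwise add `status :ok` before `update_issuable(` for consistency with the other three.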
@@ -96,7 +96,7 @@ module API
requires
issuable_key
,
type:
Integer
,
desc:
"The ID of a project
#{
issuable_name
}
"
end
post
":id/
#{
issuable_collection_name
}
/:
#{
issuable_key
}
/reset_spent_time"
do
authorize!
update
_issuable_key
,
load_issuable
authorize!
admin
_issuable_key
,
load_issuable
status
:ok
update_issuable
(
spend_time:
{
duration: :reset
,
user_id:
current_user
.
id
})
spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb
@@ -4,6 +4,16 @@ RSpec.shared_examples 'an unauthorized API user' do
it
{
is_expected
.
to
eq
(
403
)
}
end
RSpec
.
shared_examples
'API user with insufficient permissions'
do
context
'with non member that is the author'
do
before
do
issuable
.
update!
(
author:
non_member
)
# an external author can't admin issuable
end
it_behaves_like
'an unauthorized API user'
end
end
RSpec
.
shared_examples
'time tracking endpoints'
do
|
issuable_name
|
let
(
:non_member
)
{
create
(
:user
)
}
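Review bot: the new shared example 'API user with insufficient permissions' depends on `issuable` and `non_member` being defined by whichever group includes it; `let(:non_member)` lives in the 'time tracking endpoints' group just below, and `issuable` is not defined in the visible lines of this file. State that contract in a comment above the `RSpec.shared_examples` line (or pass them as block parameters) so a later reuse outside this file does not fail on an undefined name. The comment `# an external author can't admin issuable` would also read better above the `before` block, where it explains the setup before it happens.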
@@ -14,6 +24,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
subject
{
post
(
api
(
"/projects/
#{
project
.
id
}
/
#{
issuable_collection_name
}
/
#{
issuable
.
iid
}
/time_estimate"
,
non_member
),
params:
{
duration:
'1w'
})
}
it_behaves_like
'an unauthorized API user'
it_behaves_like
'API user with insufficient permissions'
end
it
"sets the time estimate for
#{
issuable_name
}
"
do
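Review bot: the two shared examples included here only check the response code (`is_expected.to eq(403)` via 'an unauthorized API user'); neither asserts that the request left the issuable untouched. Since the point of this change is that an author without the admin ability can no longer set the estimate, an assertion that `issuable.reload.time_estimate` is unchanged after the `post` would catch a handler that authorizes only after mutating, which the status code alone would not.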
@@ -53,6 +64,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
subject
{
post
(
api
(
"/projects/
#{
project
.
id
}
/
#{
issuable_collection_name
}
/
#{
issuable
.
iid
}
/reset_time_estimate"
,
non_member
))
}
it_behaves_like
'an unauthorized API user'
it_behaves_like
'API user with insufficient permissions'
end
it
"resets the time estimate for
#{
issuable_name
}
"
do
@@ -70,6 +82,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
end
it_behaves_like
'an unauthorized API user'
it_behaves_like
'API user with insufficient permissions'
end
it
"add spent time for
#{
issuable_name
}
"
do
@@ -119,6 +132,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
subject
{
post
(
api
(
"/projects/
#{
project
.
id
}
/
#{
issuable_collection_name
}
/
#{
issuable
.
iid
}
/reset_spent_time"
,
non_member
))
}
it_behaves_like
'an unauthorized API user'
it_behaves_like
'API user with insufficient permissions'
end
it
"resets spent time for
#{
issuable_name
}
"
do