Add check for read epic permissions

- Update specs

Add check for read epic permissions
- Update specs
db2b6c9b · Eugenia Grieff · 6e152662 · db2b6c9b · db2b6c9b · db2b6c9b
Commit db2b6c9b authored Oct 20, 2021 by Eugenia Grieff
7 changed files
--- a/ee/app/graphql/mutations/issues/set_epic.rb
+++ b/ee/app/graphql/mutations/issues/set_epic.rb
@@ -16,7 +16,7 @@ module Mutations
        issue = authorized_find!(project_path: project_path, iid: iid)
        project = issue.project

-        authorize_admin_rights!(issue)
+        authorize_access!(issue, epic)

        begin
          ::Issues::UpdateService.new(project: project, current_user: current_user, params: { epic: epic })
@@ -33,10 +33,11 @@ module Mutations

      private

-      def authorize_admin_rights!(issue)
-        return unless issue.present?
+      def authorize_access!(issue, epic)
+        return unless issue.present? && epic.present?

-        raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_issue, issue)
+        raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_issue, issue) &&
+          Ability.allowed?(current_user, :read_epic, epic.group)
      end
    end
  end

--- a/ee/app/models/ee/issue.rb
+++ b/ee/app/models/ee/issue.rb
@@ -150,7 +150,7 @@ module EE
    end

    def can_assign_epic?(user)
-      project.group&.feature_available?(:epics) && user&.can?(:admin_issue, project)
+      user&.can?(:read_epic, project.group) && user&.can?(:admin_issue, project)
    end

    def can_be_promoted_to_epic?(user, group = nil)

--- a/ee/app/services/ee/issues/base_service.rb
+++ b/ee/app/services/ee/issues/base_service.rb
@@ -48,7 +48,15 @@ module EE

      def epic_param(issue)
        epic_id = params.delete(:epic_id)
-        params.delete(:epic) || find_epic(issue, epic_id)
+        epic = params.delete(:epic) || find_epic(issue, epic_id)
+
+        return unless epic
+
+        unless can?(current_user, :read_epic, epic) && can?(current_user, :admin_issue, issue)
+          raise ::Gitlab::Access::AccessDeniedError
+        end
+
+        epic
      end

      def find_epic(issue, epic_id)

--- a/ee/app/services/epic_issues/create_service.rb
+++ b/ee/app/services/epic_issues/create_service.rb
@@ -34,6 +34,8 @@ module EpicIssues
    end

    def linkable_issuables(issues)
+      return [] unless can?(current_user, :read_epic, issuable.group)
+
      @linkable_issues ||= begin
        issues.select do |issue|
          linkable_issue?(issue)
@@ -43,7 +45,6 @@ module EpicIssues

    def linkable_issue?(issue)
      issue.supports_epic? &&
-        issue.project.group&.feature_available?(:epics) &&
        issuable_group_descendants.include?(issue.project.group) &&
        !previous_related_issuables.include?(issue)
    end

--- a/ee/lib/api/epic_issues.rb
+++ b/ee/lib/api/epic_issues.rb
@@ -23,6 +23,10 @@ module API
          .with_api_entity_associations
          .sorted_by_epic_position
      end
+
+      def authorize_can_assign_to_epic!(issue)
+        forbidden! unless can?(current_user, :read_epic, epic) && can?(current_user, :admin_issue, issue)
+      end
    end

    params do
@@ -40,7 +44,7 @@ module API
        use :pagination
      end
      put ':id/(-/)epics/:epic_iid/issues/:epic_issue_id' do
-        authorize!(:admin_issue, link.issue)
+        authorize_can_assign_to_epic!(link.issue)

        update_params = {
          move_before_id: params[:move_before_id],
@@ -85,7 +89,7 @@ module API
      # rubocop: disable CodeReuse/ActiveRecord
      post ':id/(-/)epics/:epic_iid/issues/:issue_id' do
        issue = Issue.find(params[:issue_id])
-        authorize!(:admin_issue, issue)
+        authorize_can_assign_to_epic!(issue)

        create_params = { target_issuable: issue }

@@ -109,7 +113,7 @@ module API
        requires :epic_issue_id, type: Integer, desc: 'The ID of the association'
      end
      delete ':id/(-/)epics/:epic_iid/issues/:epic_issue_id' do
-        authorize!(:admin_issue, link.issue)
+        authorize_can_assign_to_epic!(link.issue)
        result = ::EpicIssues::DestroyService.new(link, current_user).execute

        if result[:status] == :success

--- a/ee/spec/requests/api/epic_issues_spec.rb
+++ b/ee/spec/requests/api/epic_issues_spec.rb
@@ -120,7 +120,7 @@ RSpec.describe API::EpicIssues do
          expect(response).to have_gitlab_http_status(:not_found)
        end

-        context 'With user without permissions to admin the issue' do
+        context 'without permissions to admin the issue' do
          before do
            project.add_guest(user)
          end
@@ -132,6 +132,20 @@ RSpec.describe API::EpicIssues do
          end
        end

+        context 'without permissions to read the epic' do
+          let(:epic) { create(:epic, group: create(:group, :private)) }
+
+          before do
+            project.add_developer(user)
+          end
+
+          it 'returns 403 forbidden error' do
+            post api(url, user)
+
+            expect(response).to have_gitlab_http_status(:forbidden)
+          end
+        end
+
        context 'when issue project is not under the epic group' do
          before do
            other_project = create(:project)

--- a/ee/spec/services/ee/issues/update_service_spec.rb
+++ b/ee/spec/services/ee/issues/update_service_spec.rb
@@ -263,7 +263,7 @@ RSpec.describe Issues::UpdateService do

      context 'when a user has permissions to assign an epic' do
        before do
-          group.add_maintainer(user)
+          group.add_reporter(user)
        end

        context 'when EpicIssues::CreateService returns failure', :aggregate_failures do