Wrap Labels and Members menu items with access levels checks

In this commit we're putting the Labels and Members menus behind some access checks. Changelog: fixed

Wrap Labels and Members menu items with access levels checks
In this commit we're putting the Labels and Members menus behind some access checks. Changelog: fixed
e3165a4d · Francisco Javier López · 5696f591 · e3165a4d · e3165a4d
Commit e3165a4d authored Jun 29, 2021 by Francisco Javier López
2 changed files
--- a/lib/sidebars/projects/menus/project_information_menu.rb
+++ b/lib/sidebars/projects/menus/project_information_menu.rb
@@ -51,6 +51,10 @@ module Sidebars
        end
        def labels_menu_item
+          unless can?(context.current_user, :read_label, context.project)
+            return ::Sidebars::NilMenuItem.new(item_id: :labels)
+          end
          ::Sidebars::MenuItem.new(
            title: _('Labels'),
            link: project_labels_path(context.project),
@@ -60,6 +64,10 @@ module Sidebars
        end
        def members_menu_item
+          unless can?(context.current_user, :read_project_member, context.project)
+            return ::Sidebars::NilMenuItem.new(item_id: :members)
+          end
          ::Sidebars::MenuItem.new(
            title: _('Members'),
            link: project_project_members_path(context.project),

--- a/spec/lib/sidebars/projects/menus/project_information_menu_spec.rb
+++ b/spec/lib/sidebars/projects/menus/project_information_menu_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 RSpec.describe Sidebars::Projects::Menus::ProjectInformationMenu do
-  let_it_be(:project) { create(:project, :repository) }
+  let_it_be_with_reload(:project) { create(:project, :repository) }
  let(:user) { project.owner }
  let(:context) { Sidebars::Projects::Context.new(current_user: user, container: project) }
@@ -21,12 +21,43 @@ RSpec.describe Sidebars::Projects::Menus::ProjectInformationMenu do
      let(:item_id) { :labels }
      specify { is_expected.not_to be_nil }
+      context 'when merge requests are disabled' do
+        before do
+          project.project_feature.update_attribute(:merge_requests_access_level, Featurable::DISABLED)
+        end
+        specify { is_expected.not_to be_nil }
+      end
+      context 'when issues are disabled' do
+        before do
+          project.project_feature.update_attribute(:issues_access_level, Featurable::DISABLED)
+        end
+        specify { is_expected.not_to be_nil }
+      end
+      context 'when merge requests and issues are disabled' do
+        before do
+          project.project_feature.update_attribute(:merge_requests_access_level, Featurable::DISABLED)
+          project.project_feature.update_attribute(:issues_access_level, Featurable::DISABLED)
+        end
+        specify { is_expected.to be_nil }
+      end
    end
    describe 'Members' do
      let(:item_id) { :members }
      specify { is_expected.not_to be_nil }
+      describe 'when the user does not have access' do
+        let(:user) { nil }
+        specify { is_expected.to be_nil }
+      end
    end
  end
 end