Commit f1034757 authored by Sean McGivern's avatar Sean McGivern

Merge branch 'osw-44295-adjust-authorization-for-discussions-show' into 'master'

Adjust 404's for LegacyDiffNote discussion rendering

Closes #44295

See merge request gitlab-org/gitlab-ce!18201
parents 9685ab32 07f516d1
...@@ -4,8 +4,8 @@ class Projects::DiscussionsController < Projects::ApplicationController ...@@ -4,8 +4,8 @@ class Projects::DiscussionsController < Projects::ApplicationController
before_action :check_merge_requests_available! before_action :check_merge_requests_available!
before_action :merge_request before_action :merge_request
before_action :discussion before_action :discussion, only: [:resolve, :unresolve]
before_action :authorize_resolve_discussion! before_action :authorize_resolve_discussion!, only: [:resolve, :unresolve]
def resolve def resolve
Discussions::ResolveService.new(project, current_user, merge_request: merge_request).execute(discussion) Discussions::ResolveService.new(project, current_user, merge_request: merge_request).execute(discussion)
......
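Review bot: Switching `authorize_resolve_discussion!` to `only: [:resolve, :unresolve]` makes the authorization filter opt-in, so any action added to this controller later gets no discussion-level check unless someone extends the list; `before_action :authorize_resolve_discussion!, except: [:show]` would keep the filter fail-closed while still exempting `show`. After this change `show` is covered only by `check_merge_requests_available!` and `merge_request`, so read access to the discussion presumably rests on what `merge_request` enforces. If that is the case, a comment above the filters such as `# show only needs read access to the MR, which merge_request enforces` would record the intent. `before_action :discussion` no longer runs for `show` either, so the action has to handle a missing discussion itself. The `show` action and the `merge_request`/`discussion` helpers are outside the hunk, so none of this can be confirmed from here.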
---
title: Adjust 404's for LegacyDiffNote discussion rendering
merge_request: 18201
author:
type: fixed
...@@ -16,6 +16,53 @@ describe Projects::DiscussionsController do ...@@ -16,6 +16,53 @@ describe Projects::DiscussionsController do
} }
end end
describe 'GET show' do
before do
sign_in user
end
context 'when user is not authorized to read the MR' do
it 'returns 404' do
get :show, request_params, format: :json
expect(response).to have_gitlab_http_status(404)
end
end
context 'when user is authorized to read the MR' do
before do
project.add_reporter(user)
end
it 'returns status 200' do
get :show, request_params, format: :json
expect(response).to have_gitlab_http_status(200)
end
it 'returns status 404 if MR does not exists' do
merge_request.destroy!
get :show, request_params, format: :json
expect(response).to have_gitlab_http_status(404)
end
end
context 'when user is authorized but note is LegacyDiffNote' do
before do
project.add_developer(user)
note.update!(type: 'LegacyDiffNote')
end
it 'returns status 200' do
get :show, request_params, format: :json
expect(response).to have_gitlab_http_status(200)
end
end
end
describe 'POST resolve' do describe 'POST resolve' do
before do before do
sign_in user sign_in user
......
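Review bot: The new `GET show` examples do not cover a discussion id that does not exist, which is the path that changed when `before_action :discussion` stopped running for `show`; an example that requests an unknown id and expects `have_gitlab_http_status(404)` would pin it. The `LegacyDiffNote` context adds the user with `project.add_developer(user)` while the plain 200 case uses `project.add_reporter(user)`, so nothing here shows that a reporter can read a LegacyDiffNote discussion. Using `project.add_reporter(user)` in that context would test the lowest role expected to have read access. `request_params` is defined above the hunk, so how the discussion id is built is not visible here.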