Commit 0162c132 authored by blackst0ne's avatar blackst0ne

Stop unauthorized users dragging on milestone page

parent 66870960
......@@ -12,6 +12,7 @@ Please view this file on the master branch, on stable branches it's out of date.
- Add hover to trash icon in notes !7008 (blackst0ne)
- Fix sidekiq stats in admin area (blackst0ne)
- Removed delete branch tooltip !6954
- Stop unauthorized users dragging on milestone page (blackst0ne)
- Escape ref and path for relative links !6050 (winniehell)
- Fixed link typo on /help/ui to Alerts section. !6915 (Sam Rose)
- Fix filtering of milestones with quotes in title (airatshigapov)
......
......@@ -38,7 +38,7 @@
&.smoke { background-color: $background-color; }
&:hover {
&:not(.ui-sort-disabled):hover {
background: $row-hover;
}
......
......@@ -3,8 +3,9 @@
- assignee = issuable.assignee
- issuable_type = issuable.class.table_name
- base_url_args = [project.namespace.becomes(Namespace), project, issuable_type]
- can_update = can?(current_user, :"update_#{issuable.to_ability_name}", issuable)
%li{ id: dom_id(issuable, 'sortable'), class: "issuable-row", 'data-iid' => issuable.iid, 'data-url' => polymorphic_path(issuable) }
%li{ id: dom_id(issuable, 'sortable'), class: "issuable-row #{'ui-sort-disabled' unless can_update}", 'data-iid' => issuable.iid, 'data-url' => polymorphic_path(issuable) }
%span
- if show_project_name
%strong #{project.name} ·
......
require 'rails_helper'
describe 'Milestone draggable', feature: true, js: true do
let(:milestone) { create(:milestone, project: project, title: 8.14) }
let(:project) { create(:empty_project, :public) }
let(:user) { create(:user) }
context 'issues' do
let(:issue) { page.find_by_id('issues-list-unassigned').find('li') }
let(:issue_target) { page.find_by_id('issues-list-ongoing') }
it 'does not allow guest to drag issue' do
create_and_drag_issue
expect(issue_target).not_to have_selector('.issuable-row')
end
it 'does not allow authorized user to drag issue' do
login_as(user)
create_and_drag_issue
expect(issue_target).not_to have_selector('.issuable-row')
end
it 'allows author to drag issue' do
login_as(user)
create_and_drag_issue(author: user)
expect(issue_target).to have_selector('.issuable-row')
end
it 'allows admin to drag issue' do
login_as(:admin)
create_and_drag_issue
expect(issue_target).to have_selector('.issuable-row')
end
end
context 'merge requests' do
let(:merge_request) { page.find_by_id('merge_requests-list-unassigned').find('li') }
let(:merge_request_target) { page.find_by_id('merge_requests-list-ongoing') }
it 'does not allow guest to drag merge request' do
create_and_drag_merge_request
expect(merge_request_target).not_to have_selector('.issuable-row')
end
it 'does not allow authorized user to drag merge request' do
login_as(user)
create_and_drag_merge_request
expect(merge_request_target).not_to have_selector('.issuable-row')
end
it 'allows author to drag merge request' do
login_as(user)
create_and_drag_merge_request(author: user)
expect(merge_request_target).to have_selector('.issuable-row')
end
it 'allows admin to drag merge request' do
login_as(:admin)
create_and_drag_merge_request
expect(merge_request_target).to have_selector('.issuable-row')
end
end
def create_and_drag_issue(params = {})
create(:issue, params.merge(title: 'Foo', project: project, milestone: milestone))
visit namespace_project_milestone_path(project.namespace, project, milestone)
issue.drag_to(issue_target)
end
def create_and_drag_merge_request(params = {})
create(:merge_request, params.merge(title: 'Foo', source_project: project, target_project: project, milestone: milestone))
visit namespace_project_milestone_path(project.namespace, project, milestone)
page.find("a[href='#tab-merge-requests']").click
merge_request.drag_to(merge_request_target)
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment