Stop unauthorized users dragging on milestone page
This commit is contained in:
blackst0ne
parent
66870960af
commit
0162c132f4
4 changed files with 90 additions and 2 deletions
|
|
@ -12,6 +12,7 @@ Please view this file on the master branch, on stable branches it's out of date.
|
|||
- Add hover to trash icon in notes !7008 (blackst0ne)
|
||||
- Fix sidekiq stats in admin area (blackst0ne)
|
||||
- Removed delete branch tooltip !6954
|
||||
- Stop unauthorized users dragging on milestone page (blackst0ne)
|
||||
- Escape ref and path for relative links !6050 (winniehell)
|
||||
- Fixed link typo on /help/ui to Alerts section. !6915 (Sam Rose)
|
||||
- Fix filtering of milestones with quotes in title (airatshigapov)
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@
|
|||
|
||||
&.smoke { background-color: $background-color; }
|
||||
|
||||
&:hover {
|
||||
&:not(.ui-sort-disabled):hover {
|
||||
background: $row-hover;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,8 +3,9 @@
|
|||
- assignee = issuable.assignee
|
||||
- issuable_type = issuable.class.table_name
|
||||
- base_url_args = [project.namespace.becomes(Namespace), project, issuable_type]
|
||||
- can_update = can?(current_user, :"update_#{issuable.to_ability_name}", issuable)
|
||||
|
||||
%li{ id: dom_id(issuable, 'sortable'), class: "issuable-row", 'data-iid' => issuable.iid, 'data-url' => polymorphic_path(issuable) }
|
||||
%li{ id: dom_id(issuable, 'sortable'), class: "issuable-row #{'ui-sort-disabled' unless can_update}", 'data-iid' => issuable.iid, 'data-url' => polymorphic_path(issuable) }
|
||||
%span
|
||||
- if show_project_name
|
||||
%strong #{project.name} ·
|
||||
|
|
|
|||
86
spec/features/milestones/milestones_spec.rb
Normal file
86
spec/features/milestones/milestones_spec.rb
Normal file
|
|
@ -0,0 +1,86 @@
|
|||
require 'rails_helper'
|
||||
|
||||
describe 'Milestone draggable', feature: true, js: true do
|
||||
let(:milestone) { create(:milestone, project: project, title: 8.14) }
|
||||
let(:project) { create(:empty_project, :public) }
|
||||
let(:user) { create(:user) }
|
||||
|
||||
context 'issues' do
|
||||
let(:issue) { page.find_by_id('issues-list-unassigned').find('li') }
|
||||
let(:issue_target) { page.find_by_id('issues-list-ongoing') }
|
||||
|
||||
it 'does not allow guest to drag issue' do
|
||||
create_and_drag_issue
|
||||
|
||||
expect(issue_target).not_to have_selector('.issuable-row')
|
||||
end
|
||||
|
||||
it 'does not allow authorized user to drag issue' do
|
||||
login_as(user)
|
||||
create_and_drag_issue
|
||||
|
||||
expect(issue_target).not_to have_selector('.issuable-row')
|
||||
end
|
||||
|
||||
it 'allows author to drag issue' do
|
||||
login_as(user)
|
||||
create_and_drag_issue(author: user)
|
||||
|
||||
expect(issue_target).to have_selector('.issuable-row')
|
||||
end
|
||||
|
||||
it 'allows admin to drag issue' do
|
||||
login_as(:admin)
|
||||
create_and_drag_issue
|
||||
|
||||
expect(issue_target).to have_selector('.issuable-row')
|
||||
end
|
||||
end
|
||||
|
||||
context 'merge requests' do
|
||||
let(:merge_request) { page.find_by_id('merge_requests-list-unassigned').find('li') }
|
||||
let(:merge_request_target) { page.find_by_id('merge_requests-list-ongoing') }
|
||||
|
||||
it 'does not allow guest to drag merge request' do
|
||||
create_and_drag_merge_request
|
||||
|
||||
expect(merge_request_target).not_to have_selector('.issuable-row')
|
||||
end
|
||||
|
||||
it 'does not allow authorized user to drag merge request' do
|
||||
login_as(user)
|
||||
create_and_drag_merge_request
|
||||
|
||||
expect(merge_request_target).not_to have_selector('.issuable-row')
|
||||
end
|
||||
|
||||
it 'allows author to drag merge request' do
|
||||
login_as(user)
|
||||
create_and_drag_merge_request(author: user)
|
||||
|
||||
expect(merge_request_target).to have_selector('.issuable-row')
|
||||
end
|
||||
|
||||
it 'allows admin to drag merge request' do
|
||||
login_as(:admin)
|
||||
create_and_drag_merge_request
|
||||
|
||||
expect(merge_request_target).to have_selector('.issuable-row')
|
||||
end
|
||||
end
|
||||
|
||||
def create_and_drag_issue(params = {})
|
||||
create(:issue, params.merge(title: 'Foo', project: project, milestone: milestone))
|
||||
|
||||
visit namespace_project_milestone_path(project.namespace, project, milestone)
|
||||
issue.drag_to(issue_target)
|
||||
end
|
||||
|
||||
def create_and_drag_merge_request(params = {})
|
||||
create(:merge_request, params.merge(title: 'Foo', source_project: project, target_project: project, milestone: milestone))
|
||||
|
||||
visit namespace_project_milestone_path(project.namespace, project, milestone)
|
||||
page.find("a[href='#tab-merge-requests']").click
|
||||
merge_request.drag_to(merge_request_target)
|
||||
end
|
||||
end
|
||||
Loading…
Reference in a new issue