Only return commands_changes used in frontend
When executing quick actions, this limits the `commands_changes` response to only those used by the frontend
This commit is contained in:
Heinrich Lee Yu
Brett Walker
parent
45a4bc300c
commit
3d85406734
3 changed files with 37 additions and 1 deletions
|
|
@ -48,7 +48,7 @@ module NotesActions
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
format.json do
|
format.json do
|
||||||
json = {
|
json = {
|
||||||
commands_changes: @note.commands_changes
|
commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
|
||||||
}
|
}
|
||||||
|
|
||||||
if @note.persisted? && return_discussion?
|
if @note.persisted? && return_discussion?
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Remove project serialization in quick actions response
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: security
|
||||||
|
|
@ -413,6 +413,37 @@ describe Projects::NotesController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when creating a note with quick actions' do
|
||||||
|
context 'with commands that return changes' do
|
||||||
|
let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
|
||||||
|
|
||||||
|
it 'includes changes in commands_changes ' do
|
||||||
|
post :create, params: request_params.merge(note: { note: note_text }, format: :json)
|
||||||
|
|
||||||
|
expect(response).to have_gitlab_http_status(200)
|
||||||
|
expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
|
||||||
|
expect(json_response['commands_changes']).not_to include('target_project', 'title')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with commands that do not return changes' do
|
||||||
|
let(:issue) { create(:issue, project: project) }
|
||||||
|
let(:other_project) { create(:project) }
|
||||||
|
let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
|
||||||
|
|
||||||
|
before do
|
||||||
|
other_project.add_developer(user)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'does not include changes in commands_changes' do
|
||||||
|
post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
|
||||||
|
|
||||||
|
expect(response).to have_gitlab_http_status(200)
|
||||||
|
expect(json_response['commands_changes']).not_to include('target_project', 'title')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'PUT update' do
|
describe 'PUT update' do
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue