Fix issue boards leak private label names and descriptions
This commit is contained in:
parent
68b3c8c297
commit
4cccfc0f17
|
@ -3,7 +3,10 @@ module Boards
|
|||
class CreateService < Boards::BaseService
|
||||
def execute
|
||||
List.transaction do
|
||||
create_list_at(next_position)
|
||||
label = project.labels.find(params[:label_id])
|
||||
position = next_position
|
||||
|
||||
create_list(label, position)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -14,8 +17,8 @@ module Boards
|
|||
max_position.nil? ? 0 : max_position.succ
|
||||
end
|
||||
|
||||
def create_list_at(position)
|
||||
board.lists.create(params.merge(list_type: :label, position: position))
|
||||
def create_list(label, position)
|
||||
board.lists.create(label: label, list_type: :label, position: position)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
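Review bot: The new `label = project.labels.find(params[:label_id])` in `execute` is the actual security fix — scoping the lookup so a `label_id` from another project raises `ActiveRecord::RecordNotFound` instead of attaching (and later rendering) a foreign label — but nothing in the code says so, and a later refactor to `Label.find` would silently reopen the leak. I'd add above that line: `# Look the label up through the project so an id from another project raises RecordNotFound rather than exposing that label's name/description on this board.` Note that `find(nil)` also raises `RecordNotFound`, so a blank `label_id` now surfaces as an exception rather than the old "can't be blank" validation error; the updated controller specs expect a 404 for both cases, but the controller code that rescues the exception is not in this view, so confirm that rescue exists. The `next_position` method whose tail appears in the second hunk starts outside the hunk.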
@ -39,7 +39,7 @@ describe Projects::Boards::ListsController do
|
|||
allow(Ability.abilities).to receive(:allowed?).with(user, :read_list, project).and_return(false)
|
||||
end
|
||||
|
||||
it 'returns a successful 403 response' do
|
||||
it 'returns a forbidden 403 response' do
|
||||
read_board_list user: user
|
||||
|
||||
expect(response).to have_http_status(403)
|
||||
|
@ -56,9 +56,9 @@ describe Projects::Boards::ListsController do
|
|||
end
|
||||
|
||||
describe 'POST create' do
|
||||
let(:label) { create(:label, project: project, name: 'Development') }
|
||||
|
||||
context 'with valid params' do
|
||||
let(:label) { create(:label, project: project, name: 'Development') }
|
||||
|
||||
it 'returns a successful 200 response' do
|
||||
create_board_list user: user, label_id: label.id
|
||||
|
||||
|
@ -73,20 +73,29 @@ describe Projects::Boards::ListsController do
|
|||
end
|
||||
|
||||
context 'with invalid params' do
|
||||
it 'returns an error' do
|
||||
create_board_list user: user, label_id: nil
|
||||
context 'when label is nil' do
|
||||
it 'returns a not found 404 response' do
|
||||
create_board_list user: user, label_id: nil
|
||||
|
||||
parsed_response = JSON.parse(response.body)
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
|
||||
expect(parsed_response['label']).to contain_exactly "can't be blank"
|
||||
expect(response).to have_http_status(422)
|
||||
context 'when label that does not belongs to project' do
|
||||
it 'returns a not found 404 response' do
|
||||
label = create(:label, name: 'Development')
|
||||
|
||||
create_board_list user: user, label_id: label.id
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'with unauthorized user' do
|
||||
let(:label) { create(:label, project: project, name: 'Development') }
|
||||
it 'returns a forbidden 403 response' do
|
||||
label = create(:label, project: project, name: 'Development')
|
||||
|
||||
it 'returns a successful 403 response' do
|
||||
create_board_list user: guest, label_id: label.id
|
||||
|
||||
expect(response).to have_http_status(403)
|
||||
|
@ -122,7 +131,7 @@ describe Projects::Boards::ListsController do
|
|||
end
|
||||
|
||||
context 'with invalid position' do
|
||||
it 'returns a unprocessable entity 422 response' do
|
||||
it 'returns an unprocessable entity 422 response' do
|
||||
move user: user, list: planning, position: 6
|
||||
|
||||
expect(response).to have_http_status(422)
|
||||
|
@ -138,7 +147,7 @@ describe Projects::Boards::ListsController do
|
|||
end
|
||||
|
||||
context 'with unauthorized user' do
|
||||
it 'returns a successful 403 response' do
|
||||
it 'returns a forbidden 403 response' do
|
||||
move user: guest, list: planning, position: 6
|
||||
|
||||
expect(response).to have_http_status(403)
|
||||
|
@ -180,7 +189,7 @@ describe Projects::Boards::ListsController do
|
|||
end
|
||||
|
||||
context 'with unauthorized user' do
|
||||
it 'returns a successful 403 response' do
|
||||
it 'returns a forbidden 403 response' do
|
||||
remove_board_list user: guest, list: planning
|
||||
|
||||
expect(response).to have_http_status(403)
|
||||
|
@ -213,7 +222,7 @@ describe Projects::Boards::ListsController do
|
|||
end
|
||||
|
||||
context 'when board lists is not empty' do
|
||||
it 'returns a unprocessable entity 422 response' do
|
||||
it 'returns an unprocessable entity 422 response' do
|
||||
create(:list, board: board)
|
||||
|
||||
generate_default_board_lists user: user
|
||||
|
@ -223,7 +232,7 @@ describe Projects::Boards::ListsController do
|
|||
end
|
||||
|
||||
context 'with unauthorized user' do
|
||||
it 'returns a successful 403 response' do
|
||||
it 'returns a forbidden 403 response' do
|
||||
generate_default_board_lists user: guest
|
||||
|
||||
expect(response).to have_http_status(403)
|
||||
|
|
|
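Review bot: The new `'when label that does not belongs to project'` example only asserts the 404 status; since the defect was a foreign label being attached to the board, it should also pin that no list was created, e.g. `expect { create_board_list user: user, label_id: label.id }.not_to change { board.lists.count }` (`board` is already in scope further down in this spec). The same strengthening applies to the `label_id: nil` example. The 404 outcome relies on the controller rescuing `ActiveRecord::RecordNotFound`, which is not part of this diff, so these two examples are the only guard that the rescue stays in place — worth keeping them explicit. Minor wording: `'when label that does not belongs to project'` reads better as `'when label does not belong to project'`.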
@ -5,7 +5,7 @@ describe Boards::Lists::CreateService, services: true do
|
|||
let(:project) { create(:project_with_board) }
|
||||
let(:board) { project.board }
|
||||
let(:user) { create(:user) }
|
||||
let(:label) { create(:label, name: 'in-progress') }
|
||||
let(:label) { create(:label, project: project, name: 'in-progress') }
|
||||
|
||||
subject(:service) { described_class.new(project, user, label_id: label.id) }
|
||||
|
||||
|
@ -50,5 +50,14 @@ describe Boards::Lists::CreateService, services: true do
|
|||
expect(list2.reload.position).to eq 1
|
||||
end
|
||||
end
|
||||
|
||||
context 'when provided label does not belongs to the project' do
|
||||
it 'raises an error' do
|
||||
label = create(:label, name: 'in-development')
|
||||
service = described_class.new(project, user, label_id: label.id)
|
||||
|
||||
expect { service.execute }.to raise_error(ActiveRecord::RecordNotFound)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
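Review bot: The new `'when provided label does not belongs to the project'` example verifies that `execute` raises, but not that the transaction left nothing behind; since the label lookup happens inside `List.transaction` before `create_list`, a follow-up `expect(List.where(label: label)).not_to exist` (or `expect(board.lists).to be_empty`, if the `project_with_board` factory creates no lists — I cannot see it here) would complete the regression test. Changing `let(:label)` to build the label with `project: project` looks right, as the previous version appears to have exercised exactly the cross-project path this commit now rejects. Wording: `does not belongs` should be `does not belong`.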