Disable board policies when issues are disabled
Board list policies are also included
This commit is contained in:
parent
e927833b94
commit
5dc047dc72
|
@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy
|
||||||
|
|
||||||
rule { issues_disabled }.policy do
|
rule { issues_disabled }.policy do
|
||||||
prevent(*create_read_update_admin_destroy(:issue))
|
prevent(*create_read_update_admin_destroy(:issue))
|
||||||
|
prevent(*create_read_update_admin_destroy(:board))
|
||||||
|
prevent(*create_read_update_admin_destroy(:list))
|
||||||
end
|
end
|
||||||
|
|
||||||
rule { merge_requests_disabled | repository_disabled }.policy do
|
rule { merge_requests_disabled | repository_disabled }.policy do
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Disable issue boards API when issues are disabled
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: security
|
|
@ -130,22 +130,26 @@ describe ProjectPolicy do
|
||||||
subject { described_class.new(owner, project) }
|
subject { described_class.new(owner, project) }
|
||||||
|
|
||||||
context 'when the feature is disabled' do
|
context 'when the feature is disabled' do
|
||||||
it 'does not include the issues permissions' do
|
before do
|
||||||
project.issues_enabled = false
|
project.issues_enabled = false
|
||||||
project.save!
|
project.save!
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'does not include the issues permissions' do
|
||||||
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
|
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
context 'when the feature is disabled and external tracker configured' do
|
it 'disables boards and lists permissions' do
|
||||||
it 'does not include the issues permissions' do
|
expect_disallowed :read_board, :create_board, :update_board, :admin_board
|
||||||
create(:jira_service, project: project)
|
expect_disallowed :read_list, :create_list, :update_list, :admin_list
|
||||||
|
end
|
||||||
|
|
||||||
project.issues_enabled = false
|
context 'when external tracker configured' do
|
||||||
project.save!
|
it 'does not include the issues permissions' do
|
||||||
|
create(:jira_service, project: project)
|
||||||
|
|
||||||
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
|
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue