kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Restrict access for confidential issues on autocomplete

Browse source
This commit is contained in:
Douglas Barbosa Alexandre 2016-03-17 17:39:56 -03:00
parent 43d8bdb4f0
commit 7ee528336a
3 changed files with 81 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/controllers/projects_controller.rb
View file

@ -134,7 +134,7 @@ class ProjectsController < ApplicationController
def autocomplete_sources
note_type = params['type']
note_id = params['type_id']
autocomplete = ::Projects::AutocompleteService.new(@project)
autocomplete = ::Projects::AutocompleteService.new(@project, current_user)
participants = ::Projects::ParticipantsService.new(@project, current_user).execute(note_type, note_id)
@suggestions = {

6
app/services/projects/autocomplete_service.rb
View file

@ -1,11 +1,7 @@
module Projects
class AutocompleteService < BaseService
def initialize(project)
@project = project
end
def issues
@project.issues.opened.select([:iid, :title])
@project.issues.visible_to_user(current_user).opened.select([:iid, :title])
end
def merge_requests

79
spec/services/projects/autocomplete_service_spec.rb Normal file
View file

@ -0,0 +1,79 @@
require 'spec_helper'
describe Projects::AutocompleteService, services: true do
describe '#issues' do
describe 'confidential issues' do
let(:author) { create(:user) }
let(:assignee) { create(:user) }
let(:non_member) { create(:user) }
let(:member) { create(:user) }
let(:admin) { create(:admin) }
let(:project) { create(:empty_project, :public) }
let!(:issue) { create(:issue, project: project, title: 'Issue 1') }
let!(:security_issue_1) { create(:issue, :confidential, project: project, title: 'Security issue 1', author: author) }
let!(:security_issue_2) { create(:issue, :confidential, title: 'Security issue 2', project: project, assignee: assignee) }
it 'should not list project confidential issues for guests' do
autocomplete = described_class.new(project, nil)
issues = autocomplete.issues.map(&:iid)
expect(issues).to include issue.iid
expect(issues).not_to include security_issue_1.iid
expect(issues).not_to include security_issue_2.iid
expect(issues.count).to eq 1
end
it 'should not list project confidential issues for non project members' do
autocomplete = described_class.new(project, non_member)
issues = autocomplete.issues.map(&:iid)
expect(issues).to include issue.iid
expect(issues).not_to include security_issue_1.iid
expect(issues).not_to include security_issue_2.iid
expect(issues.count).to eq 1
end
it 'should list project confidential issues for author' do
autocomplete = described_class.new(project, author)
issues = autocomplete.issues.map(&:iid)
expect(issues).to include issue.iid
expect(issues).to include security_issue_1.iid
expect(issues).not_to include security_issue_2.iid
expect(issues.count).to eq 2
end
it 'should list project confidential issues for assignee' do
autocomplete = described_class.new(project, assignee)
issues = autocomplete.issues.map(&:iid)
expect(issues).to include issue.iid
expect(issues).not_to include security_issue_1.iid
expect(issues).to include security_issue_2.iid
expect(issues.count).to eq 2
end
it 'should list project confidential issues for project members' do
project.team << [member, :developer]
autocomplete = described_class.new(project, member)
issues = autocomplete.issues.map(&:iid)
expect(issues).to include issue.iid
expect(issues).to include security_issue_1.iid
expect(issues).to include security_issue_2.iid
expect(issues.count).to eq 3
end
it 'should list all project issues for admin' do
autocomplete = described_class.new(project, admin)
issues = autocomplete.issues.map(&:iid)
expect(issues).to include issue.iid
expect(issues).to include security_issue_1.iid
expect(issues).to include security_issue_2.iid
expect(issues.count).to eq 3
end
end
end
end