Fix 403 errors when adding an assignee list in project boards

Due to a bug in `BoardPolicy`, users were getting back a 403 error when trying to assign users to an assignee list and seeing "Something went wrong while fetching assignees list". For some reason, the declarative policy runtime was ignoring the ternary condition. To work around the issue, we make the project board an explicit condition check. Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/9727
2019-02-14 13:19:59 -08:00 · 2019-02-14 13:19:59 -08:00 · b2da8042b4
commit b2da8042b4
parent c470a77937
4 changed files with 79 additions and 1 deletions
--- a/app/models/board.rb
+++ b/app/models/board.rb
@ -21,6 +21,10 @@ class Board < ActiveRecord::Base
    group_id.present?
  end

+  def project_board?
+    project_id.present?
+  end
+
  def backlog_list
    lists.merge(List.backlog).take
  end
--- a/app/policies/board_policy.rb
+++ b/app/policies/board_policy.rb
@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy
  delegate { @subject.parent }

  condition(:is_group_board) { @subject.group_board? }
+  condition(:is_project_board) { @subject.project_board? }

-  rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
+  rule { is_project_board & can?(:read_project) }.enable :read_parent

  rule { is_group_board & can?(:read_group) }.policy do
+    enable :read_parent
    enable :read_milestone
    enable :read_issue
  end
--- a/changelogs/unreleased/sh-fix-board-user-assigns.yml
+++ b/changelogs/unreleased/sh-fix-board-user-assigns.yml
@ -0,0 +1,5 @@
+---
+title: Fix 403 errors when adding an assignee list in project boards
+merge_request: 25263
+author:
+type: fixed
--- a/spec/policies/board_policy_spec.rb
+++ b/spec/policies/board_policy_spec.rb
@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe BoardPolicy do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :private) }
+  let(:group) { create(:group, :private) }
+  let(:group_board) { create(:board, group: group) }
+  let(:project_board) { create(:board, project: project) }
+
+  let(:board_permissions) do
+    [
+      :read_parent,
+      :read_milestone,
+      :read_issue
+    ]
+  end
+
+  def expect_allowed(*permissions)
+    permissions.each { |p| is_expected.to be_allowed(p) }
+  end
+
+  def expect_disallowed(*permissions)
+    permissions.each { |p| is_expected.not_to be_allowed(p) }
+  end
+
+  context 'group board' do
+    subject { described_class.new(user, group_board) }
+
+    context 'user has access' do
+      before do
+        group.add_developer(user)
+      end
+
+      it do
+        expect_allowed(*board_permissions)
+      end
+    end
+
+    context 'user does not have access' do
+      it do
+        expect_disallowed(*board_permissions)
+      end
+    end
+  end
+
+  context 'project board' do
+    subject { described_class.new(user, project_board) }
+
+    context 'user has access' do
+      before do
+        project.add_developer(user)
+      end
+
+      it do
+        expect_allowed(*board_permissions)
+      end
+    end
+
+    context 'user does not have access' do
+      it do
+        expect_disallowed(*board_permissions)
+      end
+    end
+  end
+end