Merge branch 'issue_30663' into 'security-10-2'
Prevent creating issues through API without having permissions See merge request gitlab/gitlabhq!2225 (cherry picked from commit c298bbaa88883343dc9cbbb6abec0808fb3b546c) 915b97c5 Prevent creating issues through API without having permissions
This commit is contained in:
parent
8f29d2640f
commit
c59ae54705
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Prevent creating issues through API when user does not have permissions
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -161,6 +161,8 @@ module API
|
|||
use :issue_params
|
||||
end
|
||||
post ':id/issues' do
|
||||
authorize! :create_issue, user_project
|
||||
|
||||
# Setting created_at time only allowed for admins and project owners
|
||||
unless current_user.admin? || user_project.owner == current_user
|
||||
params.delete(:created_at)
|
||||
|
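Review bot: The new `authorize! :create_issue, user_project` at the top of `post ':id/issues'` carries no comment, and a reader could take the `created_at` note below it as the only access rule on this endpoint. A one-line why-comment above it would make the intent explicit: `# Reject the request (403) before touching params when the user may not create issues in this project`. Placing it ahead of `params.delete(:created_at)` is the right order, since nothing is read from the request until the ability check passes. The `post` block continues outside the hunk, so whether the same ability is enforced on the other mutating issue endpoints cannot be seen here and is worth confirming.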
|
|
@ -860,6 +860,20 @@ describe API::Issues, :mailer do
|
|||
end
|
||||
end
|
||||
|
||||
context 'user does not have permissions to create issue' do
|
||||
let(:not_member) { create(:user) }
|
||||
|
||||
before do
|
||||
project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
|
||||
end
|
||||
|
||||
it 'renders 403' do
|
||||
post api("/projects/#{project.id}/issues", not_member), title: 'new issue'
|
||||
|
||||
expect(response).to have_gitlab_http_status(403)
|
||||
end
|
||||
end
|
||||
|
||||
it 'creates a new project issue' do
|
||||
post api("/projects/#{project.id}/issues", user),
|
||||
title: 'new issue', labels: 'label, label2', weight: 3,
|
||||
|
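Review bot: The `before` block uses `project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)`, which returns false instead of raising if the update fails, so the example could pass for the wrong reason if the feature level were ever left unchanged; `project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)` would surface that. The new context exercises only one denial path (a non-member against a project with private issues); a second example with `ProjectFeature::DISABLED` would be cheap and would show the `authorize!` also covers that case. The surrounding `describe` block starts and ends outside the hunk.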
|