Restrict access to confidential issues through API
This commit is contained in:
parent
7ee528336a
commit
e4f1c001e6
2 changed files with 112 additions and 3 deletions
|
@ -82,7 +82,7 @@ module API
|
||||||
# GET /projects/:id/issues?milestone=1.0.0&state=closed
|
# GET /projects/:id/issues?milestone=1.0.0&state=closed
|
||||||
# GET /issues?iid=42
|
# GET /issues?iid=42
|
||||||
get ":id/issues" do
|
get ":id/issues" do
|
||||||
issues = user_project.issues
|
issues = user_project.issues.visible_to_user(current_user)
|
||||||
issues = filter_issues_state(issues, params[:state]) unless params[:state].nil?
|
issues = filter_issues_state(issues, params[:state]) unless params[:state].nil?
|
||||||
issues = filter_issues_labels(issues, params[:labels]) unless params[:labels].nil?
|
issues = filter_issues_labels(issues, params[:labels]) unless params[:labels].nil?
|
||||||
issues = filter_by_iid(issues, params[:iid]) unless params[:iid].nil?
|
issues = filter_by_iid(issues, params[:iid]) unless params[:iid].nil?
|
||||||
|
@ -104,6 +104,7 @@ module API
|
||||||
# GET /projects/:id/issues/:issue_id
|
# GET /projects/:id/issues/:issue_id
|
||||||
get ":id/issues/:issue_id" do
|
get ":id/issues/:issue_id" do
|
||||||
@issue = user_project.issues.find(params[:issue_id])
|
@issue = user_project.issues.find(params[:issue_id])
|
||||||
|
not_found! unless can?(current_user, :read_issue, @issue)
|
||||||
present @issue, with: Entities::Issue
|
present @issue, with: Entities::Issue
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
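Review bot: The two endpoints in this file now decide visibility through different code paths — the list at `issues = user_project.issues.visible_to_user(current_user)` and the show at `not_found! unless can?(current_user, :read_issue, @issue)` — so if the `visible_to_user` scope and the `:read_issue` ability ever diverge, an issue could appear in the list yet 404 on show, or the reverse. Scoping the lookup the same way, `@issue = user_project.issues.visible_to_user(current_user).find(params[:issue_id])`, keeps one source of truth and still yields the 404 the existing spec expects for an unknown id (the unchanged `issues/54321` test), while the `can?` line can stay as defence in depth. The commit touches only these two GET routes; any other route in this file that returns issues (the `# GET /issues?iid=42` comment hints at one) is presumably expected to apply the same filter — worth confirming. The enclosing `module API` block starts and ends outside the hunks.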
@ -3,7 +3,11 @@ require 'spec_helper'
|
||||||
describe API::API, api: true do
|
describe API::API, api: true do
|
||||||
include ApiHelpers
|
include ApiHelpers
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
let!(:project) { create(:project, namespace: user.namespace ) }
|
let(:non_member) { create(:user) }
|
||||||
|
let(:author) { create(:author) }
|
||||||
|
let(:assignee) { create(:assignee) }
|
||||||
|
let(:admin) { create(:admin) }
|
||||||
|
let!(:project) { create(:project, :public, namespace: user.namespace ) }
|
||||||
let!(:closed_issue) do
|
let!(:closed_issue) do
|
||||||
create :closed_issue,
|
create :closed_issue,
|
||||||
author: user,
|
author: user,
|
||||||
|
@ -12,6 +16,13 @@ describe API::API, api: true do
|
||||||
state: :closed,
|
state: :closed,
|
||||||
milestone: milestone
|
milestone: milestone
|
||||||
end
|
end
|
||||||
|
let!(:confidential_issue) do
|
||||||
|
create :issue,
|
||||||
|
:confidential,
|
||||||
|
project: project,
|
||||||
|
author: author,
|
||||||
|
assignee: assignee
|
||||||
|
end
|
||||||
let!(:issue) do
|
let!(:issue) do
|
||||||
create :issue,
|
create :issue,
|
||||||
author: user,
|
author: user,
|
||||||
|
@ -123,10 +134,43 @@ describe API::API, api: true do
|
||||||
let(:base_url) { "/projects/#{project.id}" }
|
let(:base_url) { "/projects/#{project.id}" }
|
||||||
let(:title) { milestone.title }
|
let(:title) { milestone.title }
|
||||||
|
|
||||||
it "should return project issues" do
|
it 'should return project issues without confidential issues for non project members' do
|
||||||
|
get api("#{base_url}/issues", non_member)
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response).to be_an Array
|
||||||
|
expect(json_response.length).to eq(2)
|
||||||
|
expect(json_response.first['title']).to eq(issue.title)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should return project confidential issues for author' do
|
||||||
|
get api("#{base_url}/issues", author)
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response).to be_an Array
|
||||||
|
expect(json_response.length).to eq(3)
|
||||||
|
expect(json_response.first['title']).to eq(issue.title)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should return project confidential issues for assignee' do
|
||||||
|
get api("#{base_url}/issues", assignee)
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response).to be_an Array
|
||||||
|
expect(json_response.length).to eq(3)
|
||||||
|
expect(json_response.first['title']).to eq(issue.title)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should return project issues with confidential issues for project members' do
|
||||||
get api("#{base_url}/issues", user)
|
get api("#{base_url}/issues", user)
|
||||||
expect(response.status).to eq(200)
|
expect(response.status).to eq(200)
|
||||||
expect(json_response).to be_an Array
|
expect(json_response).to be_an Array
|
||||||
|
expect(json_response.length).to eq(3)
|
||||||
|
expect(json_response.first['title']).to eq(issue.title)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should return project confidential issues for admin' do
|
||||||
|
get api("#{base_url}/issues", admin)
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response).to be_an Array
|
||||||
|
expect(json_response.length).to eq(3)
|
||||||
expect(json_response.first['title']).to eq(issue.title)
|
expect(json_response.first['title']).to eq(issue.title)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -206,6 +250,41 @@ describe API::API, api: true do
|
||||||
get api("/projects/#{project.id}/issues/54321", user)
|
get api("/projects/#{project.id}/issues/54321", user)
|
||||||
expect(response.status).to eq(404)
|
expect(response.status).to eq(404)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'confidential issues' do
|
||||||
|
it "should return 404 for non project members" do
|
||||||
|
get api("/projects/#{project.id}/issues/#{confidential_issue.id}", non_member)
|
||||||
|
expect(response.status).to eq(404)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should return confidential issue for project members" do
|
||||||
|
get api("/projects/#{project.id}/issues/#{confidential_issue.id}", user)
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response['title']).to eq(confidential_issue.title)
|
||||||
|
expect(json_response['iid']).to eq(confidential_issue.iid)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should return confidential issue for author" do
|
||||||
|
get api("/projects/#{project.id}/issues/#{confidential_issue.id}", author)
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response['title']).to eq(confidential_issue.title)
|
||||||
|
expect(json_response['iid']).to eq(confidential_issue.iid)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should return confidential issue for assignee" do
|
||||||
|
get api("/projects/#{project.id}/issues/#{confidential_issue.id}", assignee)
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response['title']).to eq(confidential_issue.title)
|
||||||
|
expect(json_response['iid']).to eq(confidential_issue.iid)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should return confidential issue for admin" do
|
||||||
|
get api("/projects/#{project.id}/issues/#{confidential_issue.id}", admin)
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response['title']).to eq(confidential_issue.title)
|
||||||
|
expect(json_response['iid']).to eq(confidential_issue.iid)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "POST /projects/:id/issues" do
|
describe "POST /projects/:id/issues" do
|
||||||
|
@ -294,6 +373,35 @@ describe API::API, api: true do
|
||||||
expect(response.status).to eq(400)
|
expect(response.status).to eq(400)
|
||||||
expect(json_response['message']['labels']['?']['title']).to eq(['is invalid'])
|
expect(json_response['message']['labels']['?']['title']).to eq(['is invalid'])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'confidential issues' do
|
||||||
|
it "should return 403 for non project members" do
|
||||||
|
put api("/projects/#{project.id}/issues/#{confidential_issue.id}", non_member),
|
||||||
|
title: 'updated title'
|
||||||
|
expect(response.status).to eq(403)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should update a confidential issue for project members" do
|
||||||
|
put api("/projects/#{project.id}/issues/#{confidential_issue.id}", user),
|
||||||
|
title: 'updated title'
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response['title']).to eq('updated title')
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should update a confidential issue for author" do
|
||||||
|
put api("/projects/#{project.id}/issues/#{confidential_issue.id}", author),
|
||||||
|
title: 'updated title'
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response['title']).to eq('updated title')
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should update a confidential issue for admin" do
|
||||||
|
put api("/projects/#{project.id}/issues/#{confidential_issue.id}", admin),
|
||||||
|
title: 'updated title'
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(json_response['title']).to eq('updated title')
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'PUT /projects/:id/issues/:issue_id to update labels' do
|
describe 'PUT /projects/:id/issues/:issue_id to update labels' do
|
||||||
|
|
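Review bot: The PUT `context 'confidential issues'` (hunk `@ -294,6 +373,35`) covers `non_member`, `user`, `author` and `admin` but not `assignee`, although the GET show context in the same file tests all five roles; add an `it "should update a confidential issue for assignee"` case mirroring the author one with `put api("/projects/#{project.id}/issues/#{confidential_issue.id}", assignee), title: 'updated title'`. The non-member list test asserts only `expect(json_response.length).to eq(2)`; a direct negative check such as `expect(json_response.map { |i| i['title'] }).not_to include(confidential_issue.title)` would fail for the right reason if the count stays at 2 by coincidence. `let(:author) { create(:author) }` and `let(:assignee) { create(:assignee) }` depend on factories named `:author` and `:assignee` that this diff does not add — if they do not already exist, `create(:user)` is probably intended. `create(:project, :public, namespace: user.namespace )` carries a stray space before `)`. The outer `describe API::API` block starts and ends outside the hunks.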