Don’t do authorisation checks for todos
This commit is contained in:
parent
15179878d5
commit
e60ec75303
2 changed files with 0 additions and 45 deletions
|
@ -39,7 +39,6 @@ class TodosFinder
|
||||||
# Filtering by project HAS TO be the last because we use
|
# Filtering by project HAS TO be the last because we use
|
||||||
# the project IDs yielded by the todos query thus far
|
# the project IDs yielded by the todos query thus far
|
||||||
items = by_project(items)
|
items = by_project(items)
|
||||||
items = visible_to_user(items)
|
|
||||||
|
|
||||||
sort(items)
|
sort(items)
|
||||||
end
|
end
|
||||||
|
@ -96,10 +95,6 @@ class TodosFinder
|
||||||
@project = Project.find(params[:project_id])
|
@project = Project.find(params[:project_id])
|
||||||
|
|
||||||
@project = nil if @project.pending_delete?
|
@project = nil if @project.pending_delete?
|
||||||
|
|
||||||
unless Ability.allowed?(current_user, :read_project, @project)
|
|
||||||
@project = nil
|
|
||||||
end
|
|
||||||
else
|
else
|
||||||
@project = nil
|
@project = nil
|
||||||
end
|
end
|
||||||
|
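Review bot: With the `Ability.allowed?(current_user, :read_project, @project)` guard gone, `@project = Project.find(params[:project_id])` now accepts any existing project id the caller supplies, filtered only by `pending_delete?`, so the finder no longer distinguishes a project the user may read from one they may not. Presumably the rest of the query (outside this hunk) still scopes items to the current user's own todos, which confines the exposure to todos the user already received, but the finder now depends on an invariant it no longer enforces: a todo's project or group was readable when the todo was created and is removed when that access is revoked. That reliance should be stated where the check used to be, e.g. `# No read_project check here: todos are scoped to current_user, and todos whose target the user can no longer see are expected to be removed when access is revoked`, and the existence of such cleanup confirmed before merging. The same reliance applies to the first and third hunks, where `visible_to_user` is dropped from `execute` and its definition deleted. The method enclosing this hunk starts and ends outside it.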
@ -170,20 +165,6 @@ class TodosFinder
|
||||||
items
|
items
|
||||||
end
|
end
|
||||||
|
|
||||||
def visible_to_user(items)
|
|
||||||
projects = Project.public_or_visible_to_user(current_user)
|
|
||||||
groups = Group.public_or_visible_to_user(current_user)
|
|
||||||
|
|
||||||
items
|
|
||||||
.joins('LEFT JOIN namespaces ON namespaces.id = todos.group_id')
|
|
||||||
.joins('LEFT JOIN projects ON projects.id = todos.project_id')
|
|
||||||
.where(
|
|
||||||
'project_id IN (?) OR group_id IN (?)',
|
|
||||||
projects.select(:id),
|
|
||||||
groups.select(:id)
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
def by_state(items)
|
def by_state(items)
|
||||||
case params[:state].to_s
|
case params[:state].to_s
|
||||||
when 'done'
|
when 'done'
|
||||||
|
|
|
@ -14,32 +14,6 @@ describe TodosFinder do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#execute' do
|
describe '#execute' do
|
||||||
context 'visibility' do
|
|
||||||
let(:private_group_access) { create(:group, :private) }
|
|
||||||
let(:private_group_hidden) { create(:group, :private) }
|
|
||||||
let(:public_project) { create(:project, :public) }
|
|
||||||
let(:private_project_hidden) { create(:project) }
|
|
||||||
let(:public_group) { create(:group) }
|
|
||||||
|
|
||||||
let!(:todo1) { create(:todo, user: user, project: project, group: nil) }
|
|
||||||
let!(:todo2) { create(:todo, user: user, project: public_project, group: nil) }
|
|
||||||
let!(:todo3) { create(:todo, user: user, project: private_project_hidden, group: nil) }
|
|
||||||
let!(:todo4) { create(:todo, user: user, project: nil, group: group) }
|
|
||||||
let!(:todo5) { create(:todo, user: user, project: nil, group: private_group_access) }
|
|
||||||
let!(:todo6) { create(:todo, user: user, project: nil, group: private_group_hidden) }
|
|
||||||
let!(:todo7) { create(:todo, user: user, project: nil, group: public_group) }
|
|
||||||
|
|
||||||
before do
|
|
||||||
private_group_access.add_developer(user)
|
|
||||||
end
|
|
||||||
|
|
||||||
it 'returns only todos with a target a user has access to' do
|
|
||||||
todos = finder.new(user).execute
|
|
||||||
|
|
||||||
expect(todos).to match_array([todo1, todo2, todo4, todo5, todo7])
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'filtering' do
|
context 'filtering' do
|
||||||
let!(:todo1) { create(:todo, user: user, project: project, target: issue) }
|
let!(:todo1) { create(:todo, user: user, project: project, target: issue) }
|
||||||
let!(:todo2) { create(:todo, user: user, group: group, target: merge_request) }
|
let!(:todo2) { create(:todo, user: user, group: group, target: merge_request) }
|
||||||
|
|