Made suggested content changes based on MR Review

Changed the authentication method for removing fork through API Reflected changes to new auth method in API specs

Made suggested content changes based on MR Review
Changed the authentication method for removing fork through API Reflected changes to new auth method in API specs
0bea5ced · Han Loong Liauw · 520d8509 · 0bea5ced · 0bea5ced · 0bea5ced
Commit 0bea5ced authored Oct 14, 2015 by Han Loong Liauw
8 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -46,7 +46,7 @@ v 8.1.0 (unreleased)
  - Fix bug where Emojis in Markdown would truncate remaining text (Sakata Sinji)
  - Persist filters when sorting on admin user page (Jerry Lukins)
  - Adds ability to remove the forked relationship from project settings
-  screen. #2578 (Han Loong Liauw)
+  screen. (Han Loong Liauw)
  - Add spellcheck=false to certain input fields
  - Invalidate stored service password if the endpoint URL is changed

--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -5,7 +5,7 @@ class ProjectsController < ApplicationController
  before_action :repository, except: [:new, :create]
  # Authorize
-  before_action :authorize_admin_project!, only: [:edit, :update, :destroy, :transfer, :archive, :unarchive, :remove_fork]
+  before_action :authorize_admin_project!, only: [:edit, :update]
  before_action :event_filter, only: [:show, :activity]
  layout :determine_layout
@@ -56,6 +56,8 @@ class ProjectsController < ApplicationController
  end
  def transfer
+    return access_denied! unless can?(current_user, :change_namespace, @project)
    namespace = Namespace.find_by(id: params[:new_namespace_id])
    ::Projects::TransferService.new(project, current_user).execute(namespace)
@@ -65,6 +67,8 @@ class ProjectsController < ApplicationController
  end
  def remove_fork
+    return access_denied! unless can?(current_user, :remove_fork_project, @project)
    if @project.forked?
      @project.forked_project_link.destroy
      flash[:notice] = 'Fork relationship has been removed.'

--- a/app/views/projects/edit.html.haml
+++ b/app/views/projects/edit.html.haml
@@ -190,17 +190,17 @@
        .nothing-here-block Only the project owner can transfer a project
      - if @project.forked? && can?(current_user, :remove_fork_project, @project)
-        = form_for([@project.namespace.becomes(Namespace), @project], url: remove_fork_namespace_project_path(@project.namespace, @project), method: :put, remote: true, html: { class: 'transfer-project form-horizontal' }) do |f|
+        = form_for([@project.namespace.becomes(Namespace), @project], url: remove_fork_namespace_project_path(@project.namespace, @project), method: :delete, remote: true, html: { class: 'transfer-project form-horizontal' }) do |f|
          .panel.panel-default.panel.panel-danger
-            .panel-heading Remove forked relationship
+            .panel-heading Remove fork relationship
            .panel-body
              %p
                This will remove the relationship to the source project from
                = link_to project_path(@project.forked_from_project) do
                  = @project.forked_from_project.namespace.try(:name)
                %br
-                %strong Once removed it cannot be reversed through this interface
+                %strong Once removed it cannot be reversed through this interface.
-              = button_to 'Remove forked relationship', '#', class: "btn btn-remove js-confirm-danger", data: { "confirm-danger-message" => remove_fork_project_message(@project) }
+              = button_to 'Remove fork relationship', '#', class: "btn btn-remove js-confirm-danger", data: { "confirm-danger-message" => remove_fork_project_message(@project) }
      - elsif @project.forked?
        .nothing-here-block Only the project owner can remove the fork relationship

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -378,7 +378,7 @@ Gitlab::Application.routes.draw do
              [:new, :create, :index], path: "/") do
      member do
        put :transfer
-        put :remove_fork
+        delete :remove_fork
        post :archive
        post :unarchive
        post :toggle_star

--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -246,7 +246,7 @@ module API
      # Example Request:
      #  DELETE /projects/:id/fork
      delete ":id/fork" do
-        authenticated_as_admin!
+        authorize! :remove_fork_project, user_project
        if user_project.forked?
          user_project.forked_project_link.destroy
        end

--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -72,9 +72,12 @@ describe ProjectsController do
      context 'with forked project' do
        let(:project_fork) { create(:project, namespace: user.namespace) }
-        it 'should remove fork from project' do
+        before do
          create(:forked_project_link, forked_to_project: project_fork)
-          put(:remove_fork,
+        end
+        it 'should remove fork from project' do
+          delete(:remove_fork,
              namespace_id: project_fork.namespace.to_param,
              id: project_fork.to_param, format: :js)
@@ -84,19 +87,22 @@ describe ProjectsController do
        end
      end
-      it 'should do nothing if project was not forked' do
+      context 'when project not forked' do
-        unforked_project = create(:project, namespace: user.namespace)
+        let(:unforked_project) { create(:project, namespace: user.namespace) }
-        put(:remove_fork,
-            namespace_id: unforked_project.namespace.to_param,
-            id: unforked_project.to_param, format: :js)
-        expect(flash[:notice]).to be_nil
+        it 'should do nothing if project was not forked' do
-        expect(response).to render_template(:remove_fork)
+          delete(:remove_fork,
+              namespace_id: unforked_project.namespace.to_param,
+              id: unforked_project.to_param, format: :js)
+          expect(flash[:notice]).to be_nil
+          expect(response).to render_template(:remove_fork)
+        end
      end
    end
    it "does nothing if user is not signed in" do
-      put(:remove_fork,
+      delete(:remove_fork,
          namespace_id: project.namespace.to_param,
          id: project.to_param, format: :js)
      expect(response.status).to eq(401)

--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -45,13 +45,13 @@ feature 'Project', feature: true do
    end
    it 'should remove fork' do
-      expect(page).to have_content 'Remove forked relationship'
+      expect(page).to have_content 'Remove fork relationship'
-      remove_with_confirm('Remove forked relationship', project.path)
+      remove_with_confirm('Remove fork relationship', project.path)
      expect(page).to have_content 'Fork relationship has been removed.'
      expect(project.forked?).to be_falsey
-      expect(page).not_to have_content 'Remove forked relationship'
+      expect(page).not_to have_content 'Remove fork relationship'
    end
  end

--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -606,28 +606,42 @@ describe API::API, api: true  do
    describe 'DELETE /projects/:id/fork' do
-      it "shouldn't available for non admin users" do
+      it "shouldn't be visible to users outside group" do
        delete api("/projects/#{project_fork_target.id}/fork", user)
-        expect(response.status).to eq(403)
+        expect(response.status).to eq(404)
      end
-      it 'should make forked project unforked' do
+      context 'when users belong to project group' do
-        post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", admin)
+        let(:project_fork_target) { create(:project, group: create(:group)) }
-        project_fork_target.reload
-        expect(project_fork_target.forked_from_project).not_to be_nil
-        expect(project_fork_target.forked?).to be_truthy
-        delete api("/projects/#{project_fork_target.id}/fork", admin)
-        expect(response.status).to eq(200)
-        project_fork_target.reload
-        expect(project_fork_target.forked_from_project).to be_nil
-        expect(project_fork_target.forked?).not_to be_truthy
-      end
-      it 'should be idempotent if not forked' do
+        before do
-        expect(project_fork_target.forked_from_project).to be_nil
+          project_fork_target.group.add_owner user
-        delete api("/projects/#{project_fork_target.id}/fork", admin)
+          project_fork_target.group.add_developer user2
-        expect(response.status).to eq(200)
+        end
-        expect(project_fork_target.reload.forked_from_project).to be_nil
+        it 'should be forbidden to non-owner users' do
+          delete api("/projects/#{project_fork_target.id}/fork", user2)
+          expect(response.status).to eq(403)
+        end
+        it 'should make forked project unforked' do
+          post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", admin)
+          project_fork_target.reload
+          expect(project_fork_target.forked_from_project).not_to be_nil
+          expect(project_fork_target.forked?).to be_truthy
+          delete api("/projects/#{project_fork_target.id}/fork", admin)
+          expect(response.status).to eq(200)
+          project_fork_target.reload
+          expect(project_fork_target.forked_from_project).to be_nil
+          expect(project_fork_target.forked?).not_to be_truthy
+        end
+        it 'should be idempotent if not forked' do
+          expect(project_fork_target.forked_from_project).to be_nil
+          delete api("/projects/#{project_fork_target.id}/fork", admin)
+          expect(response.status).to eq(200)
+          expect(project_fork_target.reload.forked_from_project).to be_nil
+        end
      end
    end
  end