Merge branch 'issue_20078' into 'master'

Test if issue authors can access private projects See merge request !6419

Merge branch 'issue_20078' into 'master'
Test if issue authors can access private projects See merge request !6419
46f36341 · Yorick Peterse · Ruben Davila · 2eb4d004 · 46f36341 · 46f36341
Commit 46f36341 authored Sep 20, 2016 by Yorick Peterse Committed by Ruben Davila Sep 21, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

CHANGELOG CHANGELOG +1 -0

spec/policies/project_policy_spec.rb spec/policies/project_policy_spec.rb +13 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -56,6 +56,7 @@ v 8.12.0 (unreleased)
  - Emoji can be awarded on Snippets !4456
  - Set path for all JavaScript cookies to honor GitLab's subdirectory setting !5627 (Mike Greiling)
  - Fix blame table layout width
+  - Spec testing if issue authors can read issues on private projects
  - Fix bug where pagination is still displayed despite all todos marked as done (ClemMakesApps)
  - Request only the LDAP attributes we need !6187
  - Center build stage columns in pipeline overview (ClemMakesApps)

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -33,4 +33,17 @@ describe ProjectPolicy, models: true do
  it 'returns increasing permissions for each level' do
    expect(users_permissions).to eq(users_permissions.sort.uniq)
  end
+
+  it 'does not include the read_issue permission when the issue author is not a member of the private project' do
+    project = create(:project, :private)
+    issue   = create(:issue, project: project)
+    user    = issue.author
+
+    expect(project.team.member?(issue.author)).to eq(false)
+
+    expect(BasePolicy.class_for(project).abilities(user, project).can_set).
+      not_to include(:read_issue)
+
+    expect(Ability.allowed?(user, :read_issue, project)).to be_falsy
+  end
 end