Commit 5dc047dc authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Disable board policies when issues are disabled

Board list policies are also included
parent e927833b
...@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy ...@@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy
rule { issues_disabled }.policy do rule { issues_disabled }.policy do
prevent(*create_read_update_admin_destroy(:issue)) prevent(*create_read_update_admin_destroy(:issue))
prevent(*create_read_update_admin_destroy(:board))
prevent(*create_read_update_admin_destroy(:list))
end end
rule { merge_requests_disabled | repository_disabled }.policy do rule { merge_requests_disabled | repository_disabled }.policy do
......
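Review bot: The two added `prevent` lines inside the `issues_disabled` rule have no comment explaining why board and list abilities follow the issues feature toggle, and that link is not obvious from the ability names. I would put one line above them, for example `# Boards and lists are views over issues, so deny them whenever issues are disabled.` Because the rule lists resources by name, a later issue-backed resource would presumably need its own `prevent` line here, and the comment gives the next maintainer that cue. The `ProjectPolicy` class starts and ends outside this hunk, so whether other issue-dependent abilities are handled elsewhere cannot be checked from the visible lines.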
---
title: Disable issue boards API when issues are disabled
merge_request:
author:
type: security
...@@ -130,22 +130,26 @@ describe ProjectPolicy do ...@@ -130,22 +130,26 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
context 'when the feature is disabled' do context 'when the feature is disabled' do
it 'does not include the issues permissions' do before do
project.issues_enabled = false project.issues_enabled = false
project.save! project.save!
end
it 'does not include the issues permissions' do
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end end
end
context 'when the feature is disabled and external tracker configured' do it 'disables boards and lists permissions' do
it 'does not include the issues permissions' do expect_disallowed :read_board, :create_board, :update_board, :admin_board
create(:jira_service, project: project) expect_disallowed :read_list, :create_list, :update_list, :admin_list
end
project.issues_enabled = false context 'when external tracker configured' do
project.save! it 'does not include the issues permissions' do
create(:jira_service, project: project)
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end
end end
end end
end end
......
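Review bot: The new example 'disables boards and lists permissions' asserts only the read, create, update and admin abilities, while the policy change denies them through `create_read_update_admin_destroy`, whose name suggests the destroy abilities are covered as well. Extending the expectations pins the whole set: `expect_disallowed :read_board, :create_board, :update_board, :admin_board, :destroy_board`, and likewise with `:destroy_list`. The nested 'when external tracker configured' context still checks only the issue abilities, so a regression that re-enabled boards when an external tracker is set would go unnoticed; repeating the board and list expectations there would close that gap. The enclosing `describe` block starts and ends outside the visible section.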