Commit 072ba67e authored by Eugenia Grieff's avatar Eugenia Grieff

Change permissions to access parent groups

- If the user is a member of a project, they can
access the project group and its ancestors
milestones, but for group milestones we have
to check access rights for each ancestor group
parent cca6c825
...@@ -34,7 +34,7 @@ Parameters: ...@@ -34,7 +34,7 @@ Parameters:
| `state` | string | no | Return only `active` or `closed` milestones | | `state` | string | no | Return only `active` or `closed` milestones |
| `title` | string | no | Return only the milestones having the given `title` | | `title` | string | no | Return only the milestones having the given `title` |
| `search` | string | no | Return only milestones with a title or description matching the provided string | | `search` | string | no | Return only milestones with a title or description matching the provided string |
| `include_parent_milestones` | boolean | optional | Include milestones from parent group and its ancestors. Introduced in [GitLab 13.3](https://gitlab.com/gitlab-org/gitlab/-/issues/196066) | | `include_parent_milestones` | boolean | optional | Include milestones from parent group and its ancestors. Introduced in [GitLab 13.4](https://gitlab.com/gitlab-org/gitlab/-/issues/196066) |
```shell ```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/milestones" curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/milestones"
......
...@@ -32,7 +32,7 @@ Parameters: ...@@ -32,7 +32,7 @@ Parameters:
| `state` | string | optional | Return only `active` or `closed` milestones | | `state` | string | optional | Return only `active` or `closed` milestones |
| `title` | string | optional | Return only the milestones having the given `title` | | `title` | string | optional | Return only the milestones having the given `title` |
| `search` | string | optional | Return only milestones with a title or description matching the provided string | | `search` | string | optional | Return only milestones with a title or description matching the provided string |
| `include_parent_milestones` | boolean | optional | Include group milestones from parent group and its ancestors. Introduced in [GitLab 13.3](https://gitlab.com/gitlab-org/gitlab/-/issues/196066) | | `include_parent_milestones` | boolean | optional | Include group milestones from parent group and its ancestors. Introduced in [GitLab 13.4](https://gitlab.com/gitlab-org/gitlab/-/issues/196066) |
```shell ```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/milestones" curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/milestones"
......
...@@ -14,7 +14,7 @@ module API ...@@ -14,7 +14,7 @@ module API
params :list_params do params :list_params do
optional :state, type: String, values: %w[active closed all], default: 'all', optional :state, type: String, values: %w[active closed all], default: 'all',
desc: 'Return "active", "closed", or "all" milestones' desc: 'Return "active", "closed", or "all" milestones'
optional :iids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The IIDs of the milestones' optional :iids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The IIDs of the milestones'
optional :title, type: String, desc: 'The title of the milestones' optional :title, type: String, desc: 'The title of the milestones'
optional :search, type: String, desc: 'The search criteria for the title or description of the milestone' optional :search, type: String, desc: 'The search criteria for the title or description of the milestone'
...@@ -27,7 +27,7 @@ module API ...@@ -27,7 +27,7 @@ module API
requires :milestone_id, type: Integer, desc: 'The milestone ID number' requires :milestone_id, type: Integer, desc: 'The milestone ID number'
optional :title, type: String, desc: 'The title of the milestone' optional :title, type: String, desc: 'The title of the milestone'
optional :state_event, type: String, values: %w[close activate], optional :state_event, type: String, values: %w[close activate],
desc: 'The state event of the milestone ' desc: 'The state event of the milestone '
use :optional_params use :optional_params
at_least_one_of :title, :description, :start_date, :due_date, :state_event at_least_one_of :title, :description, :start_date, :due_date, :state_event
end end
...@@ -45,18 +45,6 @@ module API ...@@ -45,18 +45,6 @@ module API
present paginate(milestones), with: Entities::Milestone present paginate(milestones), with: Entities::Milestone
end end
def filter_milestones(milestones)
milestones = Milestone.filter_by_state(milestones, params[:state])
if params[:iids].present? && !params[:include_parent_milestones]
milestones = filter_by_iid(milestones, params[:iids])
end
milestones = filter_by_title(milestones, params[:title]) if params[:title]
milestones = filter_by_search(milestones, params[:search]) if params[:search]
milestones
end
def get_milestone_for(parent) def get_milestone_for(parent)
milestone = parent.milestones.find(params[:milestone_id]) milestone = parent.milestones.find(params[:milestone_id])
present milestone, with: Entities::Milestone present milestone, with: Entities::Milestone
...@@ -125,13 +113,24 @@ module API ...@@ -125,13 +113,24 @@ module API
end end
def parent_and_ancestors_milestones(parent) def parent_and_ancestors_milestones(parent)
project_id = parent.is_a?(Project) ? parent.id : nil project_id, group_ids = if parent.is_a?(Project)
[parent.id, project_group_ids(parent)]
else
[nil, parent_group_ids(parent)]
end
Milestone.for_projects_and_groups(project_id, group_ids)
end
def project_group_ids(parent)
group = parent.group
return unless group.present?
Milestone.for_projects_and_groups(project_id, group_ids(parent)) group.self_and_ancestors.select(:id)
end end
def group_ids(parent) def parent_group_ids(group)
group = parent.is_a?(Project) ? parent.group : parent return unless group.present?
group.self_and_ancestors group.self_and_ancestors
.public_or_visible_to_user(current_user) .public_or_visible_to_user(current_user)
......
...@@ -9,62 +9,56 @@ RSpec.describe API::GroupMilestones do ...@@ -9,62 +9,56 @@ RSpec.describe API::GroupMilestones do
let_it_be(:group_member) { create(:group_member, group: group, user: user) } let_it_be(:group_member) { create(:group_member, group: group, user: user) }
let_it_be(:closed_milestone) { create(:closed_milestone, group: group, title: 'version1', description: 'closed milestone') } let_it_be(:closed_milestone) { create(:closed_milestone, group: group, title: 'version1', description: 'closed milestone') }
let_it_be(:milestone) { create(:milestone, group: group, title: 'version2', description: 'open milestone') } let_it_be(:milestone) { create(:milestone, group: group, title: 'version2', description: 'open milestone') }
let(:route) { "/groups/#{group.id}/milestones" }
it_behaves_like 'group and project milestones', "/groups/:id/milestones" do it_behaves_like 'group and project milestones', "/groups/:id/milestones"
let(:route) { "/groups/#{group.id}/milestones" }
end
describe 'GET /groups/:id/milestones' do describe 'GET /groups/:id/milestones' do
context 'when include_parent_milestones is true' do context 'when include_parent_milestones is true' do
let_it_be(:subgroup) { create(:group, :private, parent: group) } let_it_be(:ancestor_group) { create(:group, :private) }
let_it_be(:subgroup_milestone) { create(:milestone, group: subgroup) } let_it_be(:ancestor_group_milestone) { create(:milestone, group: ancestor_group) }
let_it_be(:route) { "/groups/#{subgroup.id}/milestones" }
let_it_be(:params) { { include_parent_milestones: true } } let_it_be(:params) { { include_parent_milestones: true } }
shared_examples 'lists all milestones' do before_all do
it 'includes parent and ancestors milestones' do group.update(parent: ancestor_group)
milestones = [subgroup_milestone, milestone, closed_milestone] end
shared_examples 'listing all milestones' do
it 'returns correct list of milestones' do
get api(route, user), params: params get api(route, user), params: params
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response.size).to eq(3) expect(json_response.size).to eq(milestones.size)
expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id)) expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
end end
end end
context 'when user has access to all groups' do context 'when user has access to ancestor groups' do
let(:milestones) { [ancestor_group_milestone, milestone, closed_milestone] }
before do before do
group.add_developer(user) ancestor_group.add_guest(user)
subgroup.add_developer(user) group.add_guest(user)
end end
it_behaves_like 'lists all milestones' it_behaves_like 'listing all milestones'
context 'when iids param is present' do context 'when iids param is present' do
before do let_it_be(:params) { { include_parent_milestones: true, iids: [milestone.iid] } }
params.merge(iids: [milestone.iid])
end
it_behaves_like 'lists all milestones' it_behaves_like 'listing all milestones'
end end
end end
context 'when user has no access to an ancestor group' do context 'when user has no access to ancestor groups' do
let_it_be(:user2) { create(:user) } let(:user) { create(:user) }
before do before do
subgroup.add_developer(user2) group.add_guest(user)
end end
it 'does not show ancestor group milestones' do it_behaves_like 'listing all milestones' do
milestones = [subgroup_milestone] let(:milestones) { [milestone, closed_milestone] }
get api(route, user2), params: { include_parent_milestones: true }
expect(response).to have_gitlab_http_status(:ok)
expect(json_response.size).to eq(1)
expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
end end
end end
end end
......
...@@ -7,74 +7,61 @@ RSpec.describe API::ProjectMilestones do ...@@ -7,74 +7,61 @@ RSpec.describe API::ProjectMilestones do
let_it_be(:project) { create(:project, namespace: user.namespace ) } let_it_be(:project) { create(:project, namespace: user.namespace ) }
let_it_be(:closed_milestone) { create(:closed_milestone, project: project, title: 'version1', description: 'closed milestone') } let_it_be(:closed_milestone) { create(:closed_milestone, project: project, title: 'version1', description: 'closed milestone') }
let_it_be(:milestone) { create(:milestone, project: project, title: 'version2', description: 'open milestone') } let_it_be(:milestone) { create(:milestone, project: project, title: 'version2', description: 'open milestone') }
let_it_be(:route) { "/projects/#{project.id}/milestones" }
before do before do
project.add_developer(user) project.add_developer(user)
end end
it_behaves_like 'group and project milestones', "/projects/:id/milestones" do it_behaves_like 'group and project milestones', "/projects/:id/milestones"
let_it_be(:route) { "/projects/#{project.id}/milestones" }
end
describe 'GET /projects/:id/milestones' do describe 'GET /projects/:id/milestones' do
context 'when include_parent_milestones is true' do context 'when include_parent_milestones is true' do
let_it_be(:parent_group) { create(:group, :private) } let_it_be(:ancestor_group) { create(:group, :private) }
let_it_be(:subgroup) { create(:group, :private, parent: parent_group) } let_it_be(:group) { create(:group, :private, parent: ancestor_group) }
let_it_be(:sub_project) { create(:project, group: subgroup) } let_it_be(:ancestor_group_milestone) { create(:milestone, group: ancestor_group) }
let_it_be(:sub_project_milestone) { create(:milestone, project: sub_project) } let_it_be(:group_milestone) { create(:milestone, group: group) }
let_it_be(:parent_group_milestone) { create(:milestone, group: parent_group) } let(:params) { { include_parent_milestones: true } }
let_it_be(:subgroup_milestone) { create(:milestone, group: subgroup) }
let_it_be(:route) { "/projects/#{sub_project.id}/milestones" } shared_examples 'listing all milestones' do
let_it_be(:params) { { include_parent_milestones: true } } it 'returns correct list of milestones' do
before do
sub_project.add_developer(user)
end
shared_examples 'lists all milestones' do
it 'includes parent and ancestors milestones' do
milestones = [subgroup_milestone, parent_group_milestone, sub_project_milestone]
get api(route, user), params: params get api(route, user), params: params
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response.size).to eq(3) expect(json_response.size).to eq(milestones.size)
expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id)) expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
end end
end end
context 'when user has access to all groups' do context 'when project parent is a namespace' do
before do it_behaves_like 'listing all milestones' do
parent_group.add_developer(user) let(:milestones) { [milestone, closed_milestone] }
subgroup.add_developer(user)
end end
end
it_behaves_like 'lists all milestones' context 'when project parent is a group' do
let(:milestones) { [group_milestone, ancestor_group_milestone, milestone, closed_milestone] }
context 'when iids param is present' do
before do
params.merge(iids: [sub_project_milestone.iid])
end
it_behaves_like 'lists all milestones' before_all do
project.update(namespace: group)
end end
end
context 'when user has no access to an ancestor group' do it_behaves_like 'listing all milestones'
let(:user2) { create(:user) }
context 'when iids param is present' do
let(:params) { { include_parent_milestones: true, iids: [group_milestone.iid] } }
before do it_behaves_like 'listing all milestones'
sub_project.add_developer(user2)
end end
it 'does not show ancestor group milestones' do context 'when user is not a member of the private project' do
milestones = [subgroup_milestone, sub_project_milestone] let(:external_user) { create(:user) }
get api(route, user2), params: { include_parent_milestones: true } it 'returns a 404 error' do
get api(route, external_user), params: params
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:not_found)
expect(json_response.size).to eq(2) end
expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment