
Commit 0cdce852 authored by Vitali Tatarintev's avatar Vitali Tatarintev

Check if user can comment on issue

Add an extra check preventing note creation on issues
with a locked discussion
parent ba9b746b
......@@ -11,15 +11,12 @@ module Gitlab
'issue comment <id> *`⇧ Shift`*+*`↵ Enter`* <comment>'
end
def self.allowed?(issue, user)
can?(user, :create_note, issue)
end
def execute(match)
note_body = match[:note_body].to_s.strip
issue = find_by_iid(match[:iid])
return not_found unless issue
return access_denied unless can_create_note?(issue)
note = create_note(issue: issue, note: note_body)
......@@ -32,10 +29,18 @@ module Gitlab
private
def can_create_note?(issue)
Ability.allowed?(current_user, :create_note, issue)
end
def not_found
Gitlab::SlashCommands::Presenters::Access.new.not_found
end
def access_denied
Gitlab::SlashCommands::Presenters::Access.new.generic_access_denied
end
def create_note(issue:, note:)
note_params = { noteable: issue, note: note }
......
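Review bot: The `can_create_note?` guard added to `execute` is the only authorization visible for the comment, and neither hunk shows `create_note` (or the service it calls) re-checking the `:create_note` ability, so if that service does not enforce it this command-level check is the sole gate; worth confirming rather than assuming. The new method also does not say that a locked discussion is rejected only because the policy consulted by `Ability.allowed?` is expected to deny `:create_note` in that case, something only the spec makes visible; a comment above it such as `# Delegates to the note policy, which is expected to deny locked discussions and non-members` would record that. Ordering `return not_found unless issue` before `return access_denied unless can_create_note?(issue)` keeps an access-denied reply from confirming that an issue exists in a private project, which is the right shape and deserves a one-line comment as well. `current_user` is not defined in either hunk and presumably comes from the enclosing command class, whose body continues outside the hunks.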
......@@ -3,24 +3,43 @@
require 'spec_helper'
describe Gitlab::SlashCommands::IssueComment do
let_it_be(:project) { create(:project) }
let_it_be(:issue) { create(:issue, project: project) }
let(:user) { issue.author }
describe '#execute' do
let(:project) { create(:project, :public) }
let(:issue) { create(:issue, project: project) }
let(:user) { issue.author }
let(:chat_name) { double(:chat_name, user: user) }
let(:regex_match) { described_class.match("issue comment #{issue.iid}\nComment body") }
subject { described_class.new(project, chat_name).execute(regex_match) }
context 'when the issue exists' do
context 'when the user does not have permission' do
context 'when project is private' do
let(:project) { create(:project) }
context 'when the user is not a member of the project' do
let(:chat_name) { double(:chat_name, user: create(:user)) }
it 'does not allow the user to comment' do
expect(subject[:response_type]).to be(:ephemeral)
expect(subject[:text]).to match('not found')
expect(issue.reload.notes.count).to be_zero
end
end
end
context 'when the user is not a member of the project' do
let(:chat_name) { double(:chat_name, user: create(:user)) }
it 'does not allow the user to comment' do
expect(subject[:response_type]).to be(:ephemeral)
expect(subject[:text]).to match('not found')
expect(issue.reload.notes.count).to be_zero
context 'when the discussion is locked in the issue' do
before do
issue.update!(discussion_locked: true)
end
it 'does not allow the user to comment' do
expect(subject[:response_type]).to be(:ephemeral)
expect(subject[:text]).to match('You are not allowed')
expect(issue.reload.notes.count).to be_zero
end
end
end
......@@ -52,7 +71,7 @@ describe Gitlab::SlashCommands::IssueComment do
end
end
context 'the issue does not exist' do
context 'when the issue does not exist' do
let(:regex_match) { described_class.match("issue comment 2343242\nComment body") }
it 'returns not found' do
......@@ -95,24 +114,4 @@ describe Gitlab::SlashCommands::IssueComment do
end
end
end
describe '.allowed?' do
subject { described_class.allowed?(issue, user) }
before do
allow(Ability).to receive(:allowed?).with(user, :create_note, issue).and_return(is_allowed)
end
context 'when the user can create a note' do
let(:is_allowed) { true }
it { is_expected.to be_truthy }
end
context 'when the user cannot create a note' do
let(:is_allowed) { false }
it { is_expected.to be_falsey }
end
end
end
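Review bot: The 'when the discussion is locked in the issue' context relies on `user` being `issue.author`, who is presumably not a member of the public project, but nothing in the example states that, so the test could pass for the wrong reason or silently stop exercising the lock if the author ever became a member. Giving the context an explicit non-member, `let(:chat_name) { double(:chat_name, user: create(:user)) }`, would pin down what is being tested. There is also no positive example for a project member commenting on a locked discussion, which is the behaviour that distinguishes a locked discussion from a private project, so a `context 'when a member comments on a locked discussion'` expecting a note to be created would complete the coverage. The `match('You are not allowed')` expectation couples the spec to the presenter's wording; asserting on the response type and the zero note count alone, or on a shared message constant, would be less brittle.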