Check if user can comment on issue

Add extra check preventing create notes for issues
with locked discussion

lib/gitlab/slash_commands/issue_comment.rb

@@ -11,15 +11,12 @@ module Gitlab
         'issue comment <id> *`⇧ Shift`*+*`↵ Enter`* <comment>'
       end
 
-      def self.allowed?(issue, user)
-        can?(user, :create_note, issue)
-      end
-
       def execute(match)
         note_body = match[:note_body].to_s.strip
         issue = find_by_iid(match[:iid])
 
         return not_found unless issue
+        return access_denied unless can_create_note?(issue)
 
         note = create_note(issue: issue, note: note_body)
 
@@ -32,10 +29,18 @@ module Gitlab
 
       private
 
+      def can_create_note?(issue)
+        Ability.allowed?(current_user, :create_note, issue)
+      end
+
       def not_found
         Gitlab::SlashCommands::Presenters::Access.new.not_found
       end
 
+      def access_denied
+        Gitlab::SlashCommands::Presenters::Access.new.generic_access_denied
+      end
+
       def create_note(issue:, note:)
         note_params = { noteable: issue, note: note }
 

spec/lib/gitlab/slash_commands/issue_comment_spec.rb

@@ -3,18 +3,20 @@
 require 'spec_helper'
 
 describe Gitlab::SlashCommands::IssueComment do
-  let_it_be(:project) { create(:project) }
-  let_it_be(:issue) { create(:issue, project: project) }
-  let(:user) { issue.author }
-
   describe '#execute' do
+    let(:project) { create(:project, :public) }
+    let(:issue) { create(:issue, project: project) }
+    let(:user) { issue.author }
     let(:chat_name) { double(:chat_name, user: user) }
     let(:regex_match) { described_class.match("issue comment #{issue.iid}\nComment body") }
 
     subject { described_class.new(project, chat_name).execute(regex_match) }
 
     context 'when the issue exists' do
-      context 'when the user does not have permission' do
+      context 'when project is private' do
+        let(:project) { create(:project) }
+
+        context 'when the user is not a member of the project' do
           let(:chat_name) { double(:chat_name, user: create(:user)) }
 
           it 'does not allow the user to comment' do
@@ -23,6 +25,23 @@ describe Gitlab::SlashCommands::IssueComment do
             expect(issue.reload.notes.count).to be_zero
           end
         end
+      end
+
+      context 'when the user is not a member of the project' do
+        let(:chat_name) { double(:chat_name, user: create(:user)) }
+
+        context 'when the discussion is locked in the issue' do
+          before do
+            issue.update!(discussion_locked: true)
+          end
+
+          it 'does not allow the user to comment' do
+            expect(subject[:response_type]).to be(:ephemeral)
+            expect(subject[:text]).to match('You are not allowed')
+            expect(issue.reload.notes.count).to be_zero
+          end
+        end
+      end
 
       context 'when the user can comment on the issue' do
         context 'when comment body exists' do
@@ -52,7 +71,7 @@ describe Gitlab::SlashCommands::IssueComment do
       end
     end
 
-    context 'the issue does not exist' do
+    context 'when the issue does not exist' do
       let(:regex_match) { described_class.match("issue comment 2343242\nComment body") }
 
       it 'returns not found' do
@@ -95,24 +114,4 @@ describe Gitlab::SlashCommands::IssueComment do
       end
     end
   end
-
-  describe '.allowed?' do
-    subject { described_class.allowed?(issue, user) }
-
-    before do
-      allow(Ability).to receive(:allowed?).with(user, :create_note, issue).and_return(is_allowed)
-    end
-
-    context 'when the user can create a note' do
-      let(:is_allowed) { true }
-
-      it { is_expected.to be_truthy }
-    end
-
-    context 'when the user cannot create a note' do
-      let(:is_allowed) { false }
-
-      it { is_expected.to be_falsey }
-    end
-  end
 end