Commit 0dcd256d authored by Kerri Miller's avatar Kerri Miller

Enable visibility filter on Epics menu pill count

:skip_visibility_check, when true, will not account for the user's
access level when attempting to calculate a number for display in the
sidebar (the "pill count"). This number is strong_memoize'd and cached,
so this change should have negligible performance impact.

Changelog: security
EE: true
parent 44cdc72e
...@@ -11,7 +11,7 @@ module Groups ...@@ -11,7 +11,7 @@ module Groups
def relation_for_count def relation_for_count
EpicsFinder EpicsFinder
.new(user, group_id: group.id, state: 'opened') .new(user, group_id: group.id, state: 'opened')
.execute(skip_visibility_check: true) .execute(skip_visibility_check: false)
end end
def issuable_key def issuable_key
......
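Review bot: With `skip_visibility_check: false` the result of `relation_for_count` now depends on `user`, so the cache the commit message says backs this count must be keyed by user as well as group; if that key is group-only (it is not visible in this hunk), the first caller's count is served to every later user and reveals how many confidential epics exist. Please confirm the cache key in the part of `Groups::EpicsCountService` outside this hunk, or make the dependency explicit with a comment above the finder call such as `# Count is user-scoped: epics the user cannot read are excluded, so cache per user`. Since `false` is presumably the finder's default, the explicit keyword mainly documents intent; a short comment saying so would keep a later cleanup from dropping it. The enclosing class starts before and continues after this hunk.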
...@@ -10,17 +10,33 @@ RSpec.describe Groups::EpicsCountService, :use_clean_rails_memory_store_caching ...@@ -10,17 +10,33 @@ RSpec.describe Groups::EpicsCountService, :use_clean_rails_memory_store_caching
subject { described_class.new(group, user) } subject { described_class.new(group, user) }
describe '#relation_for_count' do describe '#relation_for_count' do
before do context "when the user is a reporter" do
group.add_reporter(user) before do
allow(EpicsFinder).to receive(:new).and_call_original group.add_reporter(user)
allow(EpicsFinder).to receive(:new).and_call_original
end
it 'uses the EpicsFinder to scope epics' do
expect(EpicsFinder)
.to receive(:new)
.with(user, group_id: group.id, state: 'opened')
subject.count
end
end end
it 'uses the EpicsFinder to scope epics' do context "when there are confidential epics" do
expect(EpicsFinder) let_it_be(:epic) { create(:epic, :confidential, group: group) }
.to receive(:new)
.with(user, group_id: group.id, state: 'opened') context "when the user has view access to the group and its epics" do
it "filters the count by visibility" do
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(user, :read_epic, group).and_return(true)
subject.count expect(group.epics.count).to eq(2)
expect(subject.count).to eq(1)
end
end
end end
end end
......
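Review bot: The new "when there are confidential epics" context only exercises the user who cannot see the confidential epic (count 1 of 2); there is no complementary example in which a user entitled to confidential epics gets 2, so a regression that hid confidential epics from everyone would still pass. The `Ability.allowed?(user, :read_epic, group)` stub in that context returns true for the group while the epic stays hidden, which makes the context name "when the user has view access to the group and its epics" misleading; renaming it to say the user lacks access to the confidential epic would match what is asserted. The second epic that makes `group.epics.count` equal 2 appears to be defined outside this hunk. A membership-based example along the following lines would close the gap (whether reporter is the level that grants confidential epic access should be confirmed against EpicsFinder).
```ruby
context "when there are confidential epics" do
  let_it_be(:epic) { create(:epic, :confidential, group: group) }

  # … unchanged: context for the user without access to the confidential epic …

  context "when the user can read confidential epics" do
    before do
      group.add_reporter(user)
    end

    it "includes confidential epics in the count" do
      expect(subject.count).to eq(2)
    end
  end
end
```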