Commit 2ba71571 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Simplify query and add tests for authorization change

parent 6dda8592
...@@ -50,14 +50,10 @@ module BoardsResponses ...@@ -50,14 +50,10 @@ module BoardsResponses
end end
def authorize_create_issue def authorize_create_issue
board = board_parent.boards.find(issue_params[:board_id]) list = List.find(issue_params[:list_id])
list = board.lists.find(issue_params[:list_id]) action = list.backlog? ? :create_issue : :admin_issue
if list.backlog? authorize_action_for!(project, action)
authorize_action_for!(project, :create_issue)
else
authorize_action_for!(project, :admin_issue)
end
end end
def authorize_admin_list def authorize_admin_list
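Review bot: `List.find(issue_params[:list_id])` in `authorize_create_issue` is no longer scoped to `board_parent` or to the board named by `board_id`, so the list that selects between `:create_issue` and `:admin_issue` can be any list in the database, while the permission is still checked against `project`. A caller who only holds `:create_issue` could pass the id of a backlog list from an unrelated board and get the weaker check. Whether the create path later re-validates that the list belongs to the board is not visible in this hunk. Keeping the scope costs little: `list = board_parent.boards.find(issue_params[:board_id]).lists.find(issue_params[:list_id])`.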
......
...@@ -208,11 +208,22 @@ describe Boards::IssuesController do ...@@ -208,11 +208,22 @@ describe Boards::IssuesController do
end end
end end
context 'with unauthorized user' do context 'with guest user' do
it 'returns a forbidden 403 response' do context 'in open list' do
create_issue user: guest, board: board, list: list1, title: 'New issue' it 'returns a successful 200 response' do
open_list = board.lists.create(list_type: :backlog)
create_issue user: guest, board: board, list: open_list, title: 'New issue'
expect(response).to have_gitlab_http_status(403) expect(response).to have_gitlab_http_status(200)
end
end
context 'in label list' do
it 'returns a forbidden 403 response' do
create_issue user: guest, board: board, list: list1, title: 'New issue'
expect(response).to have_gitlab_http_status(403)
end
end end
end end
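Review bot: Neither new context covers a `list` that belongs to a different board than `board`, which is the case the unscoped lookup in `authorize_create_issue` changes. A guest request carrying a backlog list from another board should be pinned to the expected status. Separately, `board.lists.create(list_type: :backlog)` returns an unsaved record if validation fails, so the 200 example could fail for the wrong reason; `board.lists.create!(list_type: :backlog)` makes setup failures explicit. The enclosing `describe` block starts and ends outside this hunk.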
......