Commit 2bbf3528 authored by Jan Provaznik's avatar Jan Provaznik Committed by George Koltsov

Fix permission checking when for epic todos

Since we support confidential epics, it is not sufficient to check that the user
can read the epic's group; we must check that the user can read the epic
itself.
parent 146067c1
......@@ -13,7 +13,7 @@ class Groups::TodosController < Groups::ApplicationController
strong_memoize(:epic) do
next if params[:issuable_type] != 'epic'
@group.epics.find_by(id: params[:issuable_id])
EpicsFinder.new(current_user, group_id: @group.id).find(params[:issuable_id])
end
end
# rubocop: enable CodeReuse/ActiveRecord
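Review bot: The new `EpicsFinder.new(current_user, group_id: @group.id).find(params[:issuable_id])` on line 13 most likely raises `ActiveRecord::RecordNotFound` where the replaced `@group.epics.find_by(id: ...)` returned nil, so whichever caller of `epic` used to handle a nil result now depends on the controller's not-found rescue to produce the 404 the spec expects; confirm that handler covers this path rather than surfacing a 500. If the finder's default scope includes descendant groups (it appears to accept an option such as `include_descendant_groups`), the lookup also widens from the group's own epics to those of its subgroups — passing that option explicitly would preserve the previous scope. A one-line why-comment would help the next reader: `# Resolve through EpicsFinder so a confidential epic the user cannot read is treated as not found`. The enclosing `epic` method starts before the hunk.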
......
......@@ -3,10 +3,7 @@
require 'spec_helper'
RSpec.describe Groups::TodosController do
let(:user) { create(:user) }
let(:group) { create(:group, :private) }
let(:epic) { create(:epic, group: group) }
let(:parent) { group }
let_it_be(:user) { create(:user) }
describe 'POST create' do
def post_create
......@@ -19,6 +16,50 @@ RSpec.describe Groups::TodosController do
format: :json
end
shared_examples_for 'todo for inaccessible resource' do
it 'does not create todo because resource can not be found' do
sign_in(user)
expect do
post_create
end.to change { user.todos.count }.by(0)
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when epic is not confidential' do
let_it_be(:group) { create(:group, :private) }
let_it_be(:epic) { create(:epic, group: group) }
let(:parent) { group }
context 'when epics are available' do
before do
stub_licensed_features(epics: true)
end
it_behaves_like 'todos actions'
end
context 'when epics are not available' do
before do
stub_licensed_features(epics: false)
group.add_developer(user)
end
it_behaves_like 'todo for inaccessible resource'
end
end
context 'when the user can not access confidential epic in public group' do
let_it_be(:group) { create(:group) }
let_it_be(:epic) { create(:epic, :confidential, group: group) }
before do
stub_licensed_features(epics: true)
end
it_behaves_like 'todo for inaccessible resource'
end
end
end
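Review bot: The confidential-epic coverage added at lines 58-65 only exercises the negative path (user cannot read the confidential epic in a public group); there is no example where a user with sufficient membership can create a todo for a confidential epic, so a finder that hid every confidential epic would still pass this spec. A sibling context, for example `context 'when the user can access confidential epic'` that adds the user to the group with a role that grants confidential access and runs `it_behaves_like 'todos actions'`, would pin the intended behavior on both sides. Separately, the shared example on lines 34-36 would read more idiomatically as `end.not_to change { user.todos.count }` instead of `.to change { ... }.by(0)`. The `describe 'POST create'` block that encloses these contexts starts in the earlier hunk, outside this one.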