Commit 448af8df authored by Alan (Maciej) Paruszewski's avatar Alan (Maciej) Paruszewski Committed by Mayra Cabrera

Add ability to comment notes created for vulnerabilities

This adds to First Class Vulnerabilities the ability to comment on notes
created in the system and to start a discussion.
parent b22ee346
...@@ -12,7 +12,7 @@ module Projects ...@@ -12,7 +12,7 @@ module Projects
include ToggleAwardEmoji include ToggleAwardEmoji
before_action :not_found, unless: -> { project.first_class_vulnerabilities_enabled? } before_action :not_found, unless: -> { project.first_class_vulnerabilities_enabled? }
before_action :vulnerability before_action :authorize_create_note!, only: [:create]
private private
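Review bot: Only `create` gets an explicit authorization filter here (`before_action :authorize_create_note!, only: [:create]`), although the routes change in this commit also opens `update` and `destroy` on the same controller. The specs expect a 404 for a non-author, so a check presumably lives in an included concern, but it is not visible in this hunk. A comment above the filter, such as `# update/destroy are authorized by <the concern that does so>`, would let the access model be audited from the controller alone. It is also worth confirming that the note is resolved through the vulnerability named by `vulnerability_id` and not by `id` alone, so a note attached to a different noteable cannot be edited or deleted through this endpoint. The class body continues outside the hunk.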
......
...@@ -4,4 +4,8 @@ class VulnerabilityNoteEntity < NoteEntity ...@@ -4,4 +4,8 @@ class VulnerabilityNoteEntity < NoteEntity
expose :toggle_award_path, if: -> (note, _) { note.emoji_awardable? } do |note| expose :toggle_award_path, if: -> (note, _) { note.emoji_awardable? } do |note|
toggle_award_emoji_project_security_vulnerability_note_path(note.noteable.project, note.noteable, note) toggle_award_emoji_project_security_vulnerability_note_path(note.noteable.project, note.noteable, note)
end end
expose :path, if: -> (note, _) { note.noteable } do |note|
project_security_vulnerability_note_path(note.noteable.project, note.noteable, note)
end
end end
...@@ -101,7 +101,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -101,7 +101,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
end end
scope module: :vulnerabilities do scope module: :vulnerabilities do
resources :notes, only: [:index], concerns: :awardable, constraints: { id: /\d+/ } resources :notes, only: [:index, :create, :destroy, :update], concerns: :awardable, constraints: { id: /\d+/ }
end end
end end
end end
......
...@@ -6,7 +6,8 @@ describe Projects::Security::Vulnerabilities::NotesController do ...@@ -6,7 +6,8 @@ describe Projects::Security::Vulnerabilities::NotesController do
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project) }
let_it_be(:vulnerability) { create(:vulnerability, project: project) } let_it_be(:vulnerability) { create(:vulnerability, project: project) }
let_it_be(:note) { create(:note, noteable: vulnerability, project: project) }
let!(:note) { create(:note, noteable: vulnerability, project: project) }
it_behaves_like SecurityDashboardsPermissions do it_behaves_like SecurityDashboardsPermissions do
let(:vulnerable) { project } let(:vulnerable) { project }
...@@ -52,4 +53,229 @@ describe Projects::Security::Vulnerabilities::NotesController do ...@@ -52,4 +53,229 @@ describe Projects::Security::Vulnerabilities::NotesController do
end end
end end
end end
describe 'POST create' do
let(:note_params) { { note: 'some note' } }
let(:extra_params) { {} }
let(:request_params) do
{
namespace_id: project.namespace,
project_id: project,
vulnerability_id: vulnerability,
note: note_params,
format: :json
}
end
subject(:create_note) { post :create, params: request_params.merge(extra_params) }
before do
project.add_developer(user)
sign_in(user)
end
context 'when note is empty' do
let(:note_params) { { note: '' } }
it 'does not create new note' do
expect { create_note }.not_to change { Note.count }
end
it 'returns status 422' do
create_note
expect(response).to have_gitlab_http_status(:unprocessable_entity)
end
end
context 'when note is provided' do
let(:note_params) { { note: 'some note' } }
it 'creates new note' do
expect { create_note }.to change { Note.count }.by(1)
end
it 'returns status 200' do
create_note
expect(response).to have_gitlab_http_status(:ok)
end
context 'when user has no permission to create a note' do
before do
project.add_guest(user)
end
it 'does not create new note' do
expect { create_note }.not_to change { Note.count }
end
it 'returns status 403' do
create_note
expect(response).to have_gitlab_http_status(:forbidden)
end
end
context 'when replying to the discussion' do
let(:extra_params) { { in_reply_to_discussion_id: note.discussion_id } }
it 'creates new note in reply to discussion' do
expect { create_note }.to change { Note.where(discussion_id: note.discussion_id).count }.by(1)
end
it 'returns status 200' do
create_note
expect(response).to have_gitlab_http_status(:ok)
end
context 'when return_discussion param is set' do
let(:extra_params) { { in_reply_to_discussion_id: note.discussion_id, return_discussion: 'true' } }
let(:last_returned_note_in_discussion) { json_response.dig('discussion', 'notes').last }
it 'returns discussion JSON when the return_discussion param is set' do
create_note
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to have_key 'discussion'
expect(last_returned_note_in_discussion['note']).to eq(note_params[:note])
end
end
end
end
end
describe 'PUT update' do
let(:note_params) { { note: 'some note' } }
let(:request_params) do
{
id: note,
namespace_id: project.namespace,
project_id: project,
vulnerability_id: vulnerability,
note: note_params,
format: :json
}
end
subject(:update_note) { put :update, params: request_params }
before do
project.add_developer(user)
sign_in(user)
end
context 'when user is not an author of the note' do
it 'returns status 404' do
update_note
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when user is an author of the note' do
let!(:note) { create(:note, noteable: vulnerability, project: project, author: user) }
context 'when note is provided' do
let(:note_params) { { note: 'some note' } }
it 'updates note' do
expect { update_note }.to change { note.reload.note }.to(note_params[:note])
end
it 'returns status 200' do
update_note
expect(response).to have_gitlab_http_status(:ok)
end
end
end
end
describe 'DELETE destroy' do
let(:request_params) do
{
id: note,
namespace_id: project.namespace,
project_id: project,
vulnerability_id: vulnerability,
format: :js
}
end
subject(:delete_note) { delete :destroy, params: request_params }
before do
project.add_developer(user)
sign_in(user)
end
context 'when user is not an author of the note' do
it 'does not delete the note' do
expect { delete_note }.not_to change { Note.count }
end
it 'returns status 404' do
delete_note
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when user is an author of the note' do
let!(:note) { create(:note, noteable: vulnerability, project: project, author: user) }
it 'deletes the note' do
expect { delete_note }.to change { Note.count }.by(-1)
end
it 'returns status 200' do
delete_note
expect(response).to have_gitlab_http_status(:ok)
end
end
end
describe 'POST toggle_award_emoji' do
let(:request_params) do
{
id: note,
namespace_id: project.namespace,
project_id: project,
vulnerability_id: vulnerability,
format: :json
}
end
subject(:toggle_award_emoji) { post :toggle_award_emoji, params: request_params.merge(name: emoji_name) }
before do
sign_in(user)
project.add_developer(user)
end
let(:emoji_name) { 'thumbsup' }
it 'creates the award emoji' do
expect { toggle_award_emoji }.to change { note.award_emoji.count }.by(1)
expect(response).to have_gitlab_http_status(:ok)
end
context 'when award emoji was already created' do
before do
post :toggle_award_emoji, params: request_params.merge(name: emoji_name)
end
it 'deletes the award emoji' do
expect { toggle_award_emoji }.to change { AwardEmoji.count }.by(-1)
expect(response).to have_gitlab_http_status(:ok)
end
end
end
end end
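Review bot: The new 'PUT update', 'DELETE destroy' and 'POST toggle_award_emoji' examples only cover the author versus non-author split for a project developer. None of them sends a note id that belongs to a different vulnerability than the one in the URL, and none repeats the guest case that 'POST create' has. I would add one context per action along the lines below, assuming the controller answers such a request with 404 as it does for a non-author. In the existing guest context under 'POST create', the outer `before` has already run `project.add_developer(user)` before `project.add_guest(user)`, so the example depends on the second call lowering the access level; a separate user or a short comment would make that explicit.

```ruby
# … unchanged: 'DELETE destroy' request_params, subject and before block …
context 'when the note belongs to another vulnerability' do
  let_it_be(:other_vulnerability) { create(:vulnerability, project: project) }
  let!(:note) { create(:note, noteable: other_vulnerability, project: project, author: user) }

  it 'does not delete the note' do
    expect { delete_note }.not_to change { Note.count }
  end

  it 'returns status 404' do
    delete_note

    expect(response).to have_gitlab_http_status(:not_found)
  end
end
```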
...@@ -18,6 +18,6 @@ describe VulnerabilityNoteEntity do ...@@ -18,6 +18,6 @@ describe VulnerabilityNoteEntity do
it_behaves_like 'note entity' it_behaves_like 'note entity'
it 'exposes vulnerability-specific elements' do it 'exposes vulnerability-specific elements' do
expect(subject).to include(:toggle_award_path) expect(subject).to include(:toggle_award_path, :path)
end end
end end