Merge branch 'todo-epic-check' into 'master'

Fix permission checking when for epic todos See merge request gitlab-org/gitlab!36727

Merge branch 'todo-epic-check' into 'master'
Fix permission checking when for epic todos See merge request gitlab-org/gitlab!36727
535138a8 · Yorick Peterse · ee456b97 · 2bbf3528 · 535138a8 · 535138a8
Commit 535138a8 authored Jul 13, 2020 by Yorick Peterse
Showing with 47 additions and 6 deletions

ee/app/controllers/groups/todos_controller.rb ee/app/controllers/groups/todos_controller.rb +1 -1

ee/spec/controllers/groups/todos_controller_spec.rb ee/spec/controllers/groups/todos_controller_spec.rb +46 -5

No files found.
--- a/ee/app/controllers/groups/todos_controller.rb
+++ b/ee/app/controllers/groups/todos_controller.rb
@@ -13,7 +13,7 @@ class Groups::TodosController < Groups::ApplicationController
    strong_memoize(:epic) do
      next if params[:issuable_type] != 'epic'

-      @group.epics.find_by(id: params[:issuable_id])
+      EpicsFinder.new(current_user, group_id: @group.id).find(params[:issuable_id])
    end
  end
  # rubocop: enable CodeReuse/ActiveRecord

--- a/ee/spec/controllers/groups/todos_controller_spec.rb
+++ b/ee/spec/controllers/groups/todos_controller_spec.rb
@@ -3,10 +3,7 @@
 require 'spec_helper'

 RSpec.describe Groups::TodosController do
-  let(:user)   { create(:user) }
-  let(:group)  { create(:group, :private) }
-  let(:epic)   { create(:epic, group: group) }
-  let(:parent) { group }
+  let_it_be(:user) { create(:user) }

  describe 'POST create' do
    def post_create
@@ -19,6 +16,50 @@ RSpec.describe Groups::TodosController do
        format: :json
    end

-    it_behaves_like 'todos actions'
+    shared_examples_for 'todo for inaccessible resource' do
+      it 'does not create todo because resource can not be found' do
+        sign_in(user)
+
+        expect do
+          post_create
+        end.to change { user.todos.count }.by(0)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'when epic is not confidential' do
+      let_it_be(:group) { create(:group, :private) }
+      let_it_be(:epic) { create(:epic, group: group) }
+      let(:parent) { group }
+
+      context 'when epics are available' do
+        before do
+          stub_licensed_features(epics: true)
+        end
+
+        it_behaves_like 'todos actions'
+      end
+
+      context 'when epics are not available' do
+        before do
+          stub_licensed_features(epics: false)
+          group.add_developer(user)
+        end
+
+        it_behaves_like 'todo for inaccessible resource'
+      end
+    end
+
+    context 'when the user can not access confidential epic in public group' do
+      let_it_be(:group) { create(:group) }
+      let_it_be(:epic) { create(:epic, :confidential, group: group) }
+
+      before do
+        stub_licensed_features(epics: true)
+      end
+
+      it_behaves_like 'todo for inaccessible resource'
+    end
  end
 end