Commit 535138a8 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'todo-epic-check' into 'master'

Fix permission checking for epic todos

See merge request gitlab-org/gitlab!36727
parents ee456b97 2bbf3528
......@@ -13,7 +13,7 @@ class Groups::TodosController < Groups::ApplicationController
strong_memoize(:epic) do
next if params[:issuable_type] != 'epic'
@group.epics.find_by(id: params[:issuable_id])
EpicsFinder.new(current_user, group_id: @group.id).find(params[:issuable_id])
end
end
# rubocop: enable CodeReuse/ActiveRecord
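Review bot: The new `EpicsFinder` call is now the authorization boundary for epic todos, but nothing in the code says so; a one-line why-comment above it would stop the next maintainer from "simplifying" it back to a scoped `find_by`, e.g. `# Go through the finder so group access, confidential-epic visibility and the epics licence are enforced; a miss raises RecordNotFound, which the controller surfaces as 404.` The 404 behaviour is what the accompanying spec asserts, so it is grounded, but the exact visibility rules applied by the finder live outside this hunk and should be confirmed there. With `find_by` gone, the `# rubocop: enable CodeReuse/ActiveRecord` on the last line (and its matching `disable`, which is above the hunk) appear to guard nothing any more and can probably be dropped. Note that the old `@group.epics` scope was limited to epics of this exact group, whereas a finder keyed by `group_id` may also match epics in descendant groups depending on its defaults — worth verifying that this widening is intended. The enclosing `epic` method starts before the hunk.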
......
......@@ -3,10 +3,7 @@
require 'spec_helper'
RSpec.describe Groups::TodosController do
let(:user) { create(:user) }
let(:group) { create(:group, :private) }
let(:epic) { create(:epic, group: group) }
let(:parent) { group }
let_it_be(:user) { create(:user) }
describe 'POST create' do
def post_create
......@@ -19,6 +16,50 @@ RSpec.describe Groups::TodosController do
format: :json
end
shared_examples_for 'todo for inaccessible resource' do
it 'does not create todo because resource can not be found' do
sign_in(user)
expect do
post_create
end.to change { user.todos.count }.by(0)
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when epic is not confidential' do
let_it_be(:group) { create(:group, :private) }
let_it_be(:epic) { create(:epic, group: group) }
let(:parent) { group }
context 'when epics are available' do
before do
stub_licensed_features(epics: true)
end
it_behaves_like 'todos actions'
end
context 'when epics are not available' do
before do
stub_licensed_features(epics: false)
group.add_developer(user)
end
it_behaves_like 'todo for inaccessible resource'
end
end
context 'when the user can not access confidential epic in public group' do
let_it_be(:group) { create(:group) }
let_it_be(:epic) { create(:epic, :confidential, group: group) }
before do
stub_licensed_features(epics: true)
end
it_behaves_like 'todo for inaccessible resource'
end
end
end
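Review bot: The confidential-epic coverage only checks the negative case (anonymous user in a public group gets 404); there is no positive case showing that a user who is entitled to see a confidential epic can still create a todo for it, so an over-restrictive finder change would go unnoticed. A sibling context that grants the user the relevant group role and reuses the existing `'todos actions'` shared examples would close that gap (which role is sufficient for confidential epics is defined outside this spec, so confirm it before picking `add_reporter`). Also, `let(:parent) { group }` is defined only inside the non-confidential context, so the new confidential context relies on `post_create` (whose body is outside the hunk) not referencing `parent`; if it does, defining `parent` at the describe level would be safer.
```ruby
context 'when the user can access confidential epic in public group' do
  let_it_be(:group) { create(:group) }
  let_it_be(:epic) { create(:epic, :confidential, group: group) }
  let(:parent) { group }

  before do
    stub_licensed_features(epics: true)
    group.add_reporter(user) # TODO confirm: role required to read confidential epics
  end

  it_behaves_like 'todos actions'
end
```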