Scope available templates to current user

6b89de85 · Igor Drozdov · GitLab Release Tools Bot · 20cb1800 · 6b89de85 · 6b89de85
Commit 6b89de85 authored Dec 02, 2021 by Igor Drozdov Committed by GitLab Release Tools Bot Dec 02, 2021
Showing with 58 additions and 2 deletions

ee/app/controllers/ee/users_controller.rb ee/app/controllers/ee/users_controller.rb +10 -2

ee/spec/controllers/users_controller_spec.rb ee/spec/controllers/users_controller_spec.rb +48 -0

No files found.
--- a/ee/app/controllers/ee/users_controller.rb
+++ b/ee/app/controllers/ee/users_controller.rb
@@ -29,12 +29,20 @@ module EE
      super.with_compliance_framework_settings
    end

+    # Even though available templates endpoints accept a user
+    # We don't allow fetching the templates for arbitrary user
+    # The endpoints are going to be removed in
+    # https://gitlab.com/gitlab-org/gitlab/-/issues/345897
    def load_custom_project_templates
-      @custom_project_templates ||= user.available_custom_project_templates(search: params[:search]).page(params[:page])
+      render_404 unless user == current_user
+
+      @custom_project_templates ||= user.available_custom_project_templates(search: params[:search]).page(params[:page]) # rubocop:disable Gitlab/ModuleWithInstanceVariables
    end

    def load_group_project_templates
-      @groups_with_project_templates ||=
+      render_404 unless user == current_user
+
+      @groups_with_project_templates ||= # rubocop:disable Gitlab/ModuleWithInstanceVariables
        user.available_subgroups_with_custom_project_templates(params[:group_id])
            .page(params[:page])
    end

--- a/ee/spec/controllers/users_controller_spec.rb
+++ b/ee/spec/controllers/users_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe UsersController do
+  let_it_be(:user) { create(:user) }
+  let_it_be(:another_user) { create(:user) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'GET #available_project_templates' do
+    context 'a user requests templates for themselves' do
+      it 'responds successfully' do
+        get :available_project_templates, params: { username: user.username }, xhr: true
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
+
+    context 'a user requests templates for another user' do
+      it 'responds with not found error' do
+        get :available_project_templates, params: { username: another_user.username }, xhr: true
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+
+  describe 'GET #available_group_templates' do
+    context 'a user requests templates for themselves' do
+      it 'responds successfully' do
+        get :available_group_templates, params: { username: user.username }, xhr: true
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
+
+    context 'a user requests templates for another user' do
+      it 'responds with not found error' do
+        get :available_group_templates, params: { username: another_user.username }, xhr: true
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+end