Skip to content

G
gitlab-ce
Commit 6d0685af authored by Dmytro Zaporozhets (DZ)'s avatar Dmytro Zaporozhets (DZ)
Browse files
Options

Merge branch 'tancnle-fix-param-filter-project-approvals-api' into 'master' 

Fix params not filtered on project approval API

See merge request gitlab-org/gitlab!44885
parents 89eb3459 37bb0d0a
Hide whitespace changes
Inline Side-by-side
Showing with 24 additions and 25 deletions
ee/changelogs/unreleased/tancnle-fix-param-filter-project-approvals-api.yml 0 → 100644
View file @ 6d0685af
---
title: Fix params not filtered on project approval API
merge_request: 44885
author:
type: fixed
ee/lib/api/project_approvals.rb
View file @ 6d0685af
...@@ -6,18 +6,15 @@ module API ...@@ -6,18 +6,15 @@ module API
before { authorize! :update_approvers, user_project } before { authorize! :update_approvers, user_project }
helpers do helpers do
def filter_forbidden_param!(permission, param) def filter_forbidden_param(params, permission, param)
unless can?(current_user, permission, user_project) can?(current_user, permission, user_project) ? params : params.except(param)
params.delete(param)
end
end end
def filter_params(params) def filter_params(params)
filter_forbidden_param!(:modify_merge_request_committer_setting, :merge_requests_disable_committers_approval)
filter_forbidden_param!(:modify_approvers_rules, :disable_overriding_approvers_per_merge_request)
filter_forbidden_param!(:modify_merge_request_author_setting, :merge_requests_author_approval)
params params
.then { |params| filter_forbidden_param(params, :modify_merge_request_committer_setting, :merge_requests_disable_committers_approval) }
.then { |params| filter_forbidden_param(params, :modify_approvers_rules, :disable_overriding_approvers_per_merge_request) }
.then { |params| filter_forbidden_param(params, :modify_merge_request_author_setting, :merge_requests_author_approval) }
end end
end end
......
ee/spec/requests/api/project_approvals_spec.rb
View file @ 6d0685af
...@@ -101,21 +101,19 @@ RSpec.describe API::ProjectApprovals do ...@@ -101,21 +101,19 @@ RSpec.describe API::ProjectApprovals do
shared_examples 'updates merge requests settings when possible' do shared_examples 'updates merge requests settings when possible' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:license_value, :setting_value, :param_value, :final_value) do where(:permission_value, :param_value, :final_value) do
false | false | false | false false | false | false
false | true | false | false false | true | false
false | false | true | true true | false | false
false | true | true | true true | true | true
true | false | false | false
true | true | false | false
true | false | true | true
true | true | true | true
end end
with_them do with_them do
before do before do
stub_licensed_features(admin_merge_request_approvers_rules: license_value) project.update_column(setting, false)
stub_application_setting(app_setting => setting_value)
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(current_user, permission, project).and_return(permission_value)
end end
it 'changes settings properly' do it 'changes settings properly' do
...@@ -124,9 +122,8 @@ RSpec.describe API::ProjectApprovals do ...@@ -124,9 +122,8 @@ RSpec.describe API::ProjectApprovals do
} }
post api(url, current_user), params: settings post api(url, current_user), params: settings
project.reload
expect(project[setting]).to eq(final_value) expect(project.reload[setting]).to eq(final_value)
end end
end end
end end
...@@ -147,20 +144,20 @@ RSpec.describe API::ProjectApprovals do ...@@ -147,20 +144,20 @@ RSpec.describe API::ProjectApprovals do
context 'updates merge requests settings' do context 'updates merge requests settings' do
it_behaves_like 'updates merge requests settings when possible' do it_behaves_like 'updates merge requests settings when possible' do
let(:current_user) { admin } let(:current_user) { admin }
let(:app_setting) { :disable_overriding_approvers_per_merge_request } let(:permission) { :modify_approvers_rules }
let(:setting) { :disable_overriding_approvers_per_merge_request } let(:setting) { :disable_overriding_approvers_per_merge_request }
end end
it_behaves_like 'updates merge requests settings when possible' do it_behaves_like 'updates merge requests settings when possible' do
let(:current_user) { admin } let(:current_user) { admin }
let(:app_setting) { :prevent_merge_requests_committers_approval } let(:permission) { :modify_merge_request_committer_setting }
let(:setting) { :merge_requests_disable_committers_approval } let(:setting) { :merge_requests_disable_committers_approval }
end end
it_behaves_like 'updates merge requests settings when possible' do it_behaves_like 'updates merge requests settings when possible' do
let(:current_user) { admin } let(:current_user) { admin }
let(:app_setting) { :prevent_merge_requests_committers_approval } let(:permission) { :modify_merge_request_author_setting }
let(:setting) { :merge_requests_disable_committers_approval } let(:setting) { :merge_requests_author_approval }
end end
end end
end end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7