Commit 73ee63b0 authored by Alan (Maciej) Paruszewski's avatar Alan (Maciej) Paruszewski Committed by James Fargher

Present only issues visible to user in Vulnerabilitiy Issue Links API

parent 6f1b899d
---
title: Present only issues visible to user in Vulnerabilitiy Issue Links API
merge_request: 36987
author:
type: fixed
...@@ -33,10 +33,8 @@ module API ...@@ -33,10 +33,8 @@ module API
end end
get ':id/issue_links' do get ':id/issue_links' do
vulnerability = find_and_authorize_vulnerability!(:read_vulnerability) vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
present vulnerability related_issues = vulnerability.related_issues.with_api_entity_associations.with_vulnerability_links
.related_issues present Ability.issues_readable_by_user(related_issues, current_user),
.with_api_entity_associations
.with_vulnerability_links,
with: EE::API::Entities::VulnerabilityRelatedIssue with: EE::API::Entities::VulnerabilityRelatedIssue
end end
......
...@@ -78,7 +78,7 @@ FactoryBot.define do ...@@ -78,7 +78,7 @@ FactoryBot.define do
trait :with_issue_links do trait :with_issue_links do
after(:create) do |vulnerability| after(:create) do |vulnerability|
create_list(:issue, 2).each do |issue| create_list(:issue, 2, project: vulnerability.project).each do |issue|
create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue) create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue)
end end
end end
......
...@@ -24,7 +24,8 @@ RSpec.describe API::VulnerabilityIssueLinks do ...@@ -24,7 +24,8 @@ RSpec.describe API::VulnerabilityIssueLinks do
project.add_developer(user) project.add_developer(user)
end end
it 'gets the list of vulnerabilities' do shared_examples "responds with list of only visible issue links" do
it 'gets the list of visible issue links', :aggregate_failures do
get_issue_links get_issue_links
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
...@@ -34,6 +35,41 @@ RSpec.describe API::VulnerabilityIssueLinks do ...@@ -34,6 +35,41 @@ RSpec.describe API::VulnerabilityIssueLinks do
match_array(vulnerability.issue_links.map(&:id))) match_array(vulnerability.issue_links.map(&:id)))
expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related' expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related'
end end
end
context 'when linked issue is not confidential and available for the user' do
include_examples 'responds with list of only visible issue links'
end
context 'when there is an additional confidential issue linked' do
let_it_be(:public_project) { create(:project, :public) }
let_it_be(:confidential_issue) { create(:issue, :confidential, project: public_project) }
let_it_be(:confidential_issue_link) { create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: confidential_issue) }
include_examples 'responds with list of only visible issue links'
it 'does not return confidential issue in the response' do
get_issue_links
expect(json_response.map { |link| link['id'] }).not_to include(confidential_issue.id)
expect(json_response.map { |link| link['vulnerability_link_id'] }).not_to include(confidential_issue_link.id)
end
end
context 'when link is created to issue in the inaccessible project' do
let_it_be(:private_project) { create(:project, :private) }
let_it_be(:private_issue) { create(:issue, :confidential, project: private_project) }
let_it_be(:private_issue_link) { create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: private_issue) }
include_examples 'responds with list of only visible issue links'
it 'does not return issue from inaccessible project' do
get_issue_links
expect(json_response.map { |link| link['id'] }).not_to include(private_issue.id)
expect(json_response.map { |link| link['vulnerability_link_id'] }).not_to include(private_issue_link.id)
end
end
it_behaves_like 'responds with "not found" for an unknown vulnerability ID' it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
...@@ -81,7 +117,7 @@ RSpec.describe API::VulnerabilityIssueLinks do ...@@ -81,7 +117,7 @@ RSpec.describe API::VulnerabilityIssueLinks do
end end
end end
context 'with valid target_project_id and target_issue_iid params' do context 'when issue is from different project' do
let_it_be(:other_issue) { create(:issue) } let_it_be(:other_issue) { create(:issue) }
let(:target_project_id) { other_issue.project_id } let(:target_project_id) { other_issue.project_id }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment