Fixes from broken tests and code review

* created_at on create, updated_at on update * changed the location of the policy from epic to group * (hopefully) fixed the tests

Fixes from broken tests and code review
* created_at on create, updated_at on update * changed the location of the policy from epic to group * (hopefully) fixed the tests
7a4fdbad · Raimund Hook · Jan Provaznik · e2dd75d6 · 7a4fdbad · 7a4fdbad
Commit 7a4fdbad authored Oct 01, 2020 by Raimund Hook Committed by Jan Provaznik Oct 01, 2020
6 changed files
--- a/doc/api/epics.md
+++ b/doc/api/epics.md
@@ -267,6 +267,7 @@ POST /groups/:id/epics
 | `labels`            | string           | no         | The comma separated list of labels |
 | `description`       | string           | no         | The description of the epic. Limited to 1,048,576 characters.  |
 | `confidential`      | boolean          | no         | Whether the epic should be confidential |
+| `created_at`        | string           | no         | When the epic was created. Date time string, ISO 8601 formatted, for example `2016-03-11T03:45:40Z` . Requires administrator or project/group owner privileges ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255309) in GitLab 13.5) |
 | `start_date_is_fixed` | boolean        | no         | Whether start date should be sourced from `start_date_fixed` or from milestones (since 11.3) |
 | `start_date_fixed`  | string           | no         | The fixed start date of an epic (since 11.3) |
 | `due_date_is_fixed` | boolean          | no         | Whether due date should be sourced from `due_date_fixed` or from milestones (since 11.3) |
@@ -349,6 +350,7 @@ PUT /groups/:id/epics/:epic_iid
 | `description`       | string           | no         | The description of an epic. Limited to 1,048,576 characters.  |
 | `confidential`      | boolean          | no         | Whether the epic should be confidential |
 | `labels`            | string           | no         | The comma separated list of labels |
+| `updated_at`        | string           | no         | When the epic was updated. Date time string, ISO 8601 formatted, for example `2016-03-11T03:45:40Z` . Requires administrator or project/group owner privileges ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255309) in GitLab 13.5) |
 | `start_date_is_fixed` | boolean        | no         | Whether start date should be sourced from `start_date_fixed` or from milestones (since 11.3) |
 | `start_date_fixed`  | string           | no         | The fixed start date of an epic (since 11.3) |
 | `due_date_is_fixed` | boolean          | no         | Whether due date should be sourced from `due_date_fixed` or from milestones (since 11.3) |

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -122,10 +122,15 @@ module EE
        enable :admin_wiki
      end

-      rule { owner }.policy do
+      rule { owner | admin }.policy do
        enable :owner_access
      end

+      rule { can?(:owner_access) }.policy do
+        enable :set_epic_created_at
+        enable :set_epic_updated_at
+      end
+
      rule { can?(:read_cluster) & cluster_deployments_available }
        .enable :read_cluster_environments


--- a/ee/changelogs/unreleased/255309-add-created_at-epic-api.yml
+++ b/ee/changelogs/unreleased/255309-add-created_at-epic-api.yml
+---
+title: Allow created_at and updated_at to be set through Epics API
+merge_request: 43279
+author: stingrayza
+type: added
--- a/ee/lib/api/epics.rb
+++ b/ee/lib/api/epics.rb
@@ -70,6 +70,7 @@ module API
        requires :title, type: String, desc: 'The title of an epic'
        optional :description, type: String, desc: 'The description of an epic'
        optional :confidential, type: Boolean, desc: 'Indicates if the epic is confidential'
+        optional :created_at, type: DateTime, desc: 'Date time when the epic was created. Available only for admins and project owners.'
        optional :start_date, as: :start_date_fixed, type: String, desc: 'The start date of an epic'
        optional :start_date_is_fixed, type: Boolean, desc: 'Indicates start date should be sourced from start_date_fixed field not the issue milestones'
        optional :end_date, as: :due_date_fixed, type: String, desc: 'The due date of an epic'
@@ -80,6 +81,9 @@ module API
      post ':id/(-/)epics' do
        authorize_can_create!

+        # Setting created_at is allowed only for admins and owners
+        params.delete(:created_at) unless current_user.can?(:set_epic_created_at, user_group)
+
        epic = ::Epics::CreateService.new(user_group, current_user, declared_params(include_missing: false)).execute
        if epic.valid?
          present epic, epic_options
@@ -96,6 +100,7 @@ module API
        optional :title, type: String, desc: 'The title of an epic'
        optional :description, type: String, desc: 'The description of an epic'
        optional :confidential, type: Boolean, desc: 'Indicates if the epic is confidential'
+        optional :updated_at, type: DateTime, desc: 'Date time when the epic was updated. Available only for admins and project owners.'
        optional :start_date, as: :start_date_fixed, type: String, desc: 'The start date of an epic'
        optional :start_date_is_fixed, type: Boolean, desc: 'Indicates start date should be sourced from start_date_fixed field not the issue milestones'
        optional :end_date, as: :due_date_fixed, type: String, desc: 'The due date of an epic'
@@ -108,6 +113,10 @@ module API
        Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab/issues/194104')

        authorize_can_admin_epic!
+
+        # Setting updated_at is allowed only for admins and owners
+        params.delete(:updated_at) unless current_user.can?(:set_epic_updated_at, user_group)
+
        update_params = declared_params(include_missing: false)
        update_params.delete(:epic_iid)


--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -22,6 +22,12 @@ RSpec.describe GroupPolicy do
      it { is_expected.to be_allowed(:read_epic, :create_epic, :admin_epic, :destroy_epic, :read_confidential_epic, :destroy_epic_link) }
    end

+    context 'when user is admin' do
+      let(:current_user) { admin }
+
+      it { is_expected.to be_allowed(:read_epic, :create_epic, :admin_epic, :destroy_epic, :read_confidential_epic, :destroy_epic_link) }
+    end
+
    context 'when user is maintainer' do
      let(:current_user) { maintainer }


--- a/ee/spec/requests/api/epics_spec.rb
+++ b/ee/spec/requests/api/epics_spec.rb
@@ -610,6 +610,39 @@ RSpec.describe API::Epics do
        end
      end

+      context 'setting created_at' do
+        let(:creation_time) { 2.weeks.ago }
+        let(:params) { { title: 'new epic', created_at: creation_time } }
+
+        it 'sets the creation time on the new epic if the user is an admin' do
+          admin = create(:user, :admin)
+
+          post api(url, admin), params: params
+
+          expect(response).to have_gitlab_http_status(:created)
+          expect(Time.parse(json_response['created_at'])).to be_like_time(creation_time)
+        end
+
+        it 'sets the creation time on the new epic if the user is a group owner' do
+          group.add_owner(user)
+
+          post api(url, user), params: params
+
+          expect(response).to have_gitlab_http_status(:created)
+          expect(Time.parse(json_response['created_at'])).to be_like_time(creation_time)
+        end
+
+        it 'ignores the given creation time if the user is another user' do
+          user2 = create(:user)
+          group.add_developer(user2)
+
+          post api(url, user2), params: params
+
+          expect(response).to have_gitlab_http_status(:created)
+          expect(Time.parse(json_response['created_at'])).not_to be_like_time(creation_time)
+        end
+      end
+
      it 'creates a new epic with labels param as array' do
        params[:labels] = ['label1', 'label2', 'foo, bar', '&,?']

@@ -765,6 +798,38 @@ RSpec.describe API::Epics do
          end
        end

+        context 'setting updated_at' do
+          let(:update_time) { 1.week.ago }
+
+          it 'ignores the given update time when run by another user' do
+            user2 = create(:user)
+            group.add_developer(user2)
+
+            put api(url, user2), params: { title: 'updated by other user', updated_at: update_time }
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(Time.parse(json_response['updated_at'])).not_to be_like_time(update_time)
+          end
+
+          it 'sets the update time on the epic when run by an admin' do
+            admin = create(:user, :admin)
+
+            put api(url, admin), params: { title: 'updated by admin', updated_at: update_time }
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(Time.parse(json_response['updated_at'])).to be_like_time(update_time)
+          end
+
+          it 'sets the update time on the epic when run by a group owner' do
+            group.add_owner(user)
+
+            put api(url, user), params: { title: 'updated by owner', updated_at: update_time }
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(Time.parse(json_response['updated_at'])).to be_like_time(update_time)
+          end
+        end
+
        context 'when deprecated start_date and end_date params are present' do
          let(:epic) { create(:epic, :use_fixed_dates, group: group) }
          let(:new_start_date) { epic.start_date + 1.day }