Commit 7ce5bfe0 authored by Brett Walker's avatar Brett Walker

Add `:read_board` to GroupPolicy

This brings more consistency to board permissions
between projects and groups.
parent f503bfec
......@@ -4,6 +4,7 @@ class Groups::BoardsController < Groups::ApplicationController
include BoardsActions
include RecordUserLastActivity
before_action :authorize_read_board!, only: [:index, :show]
before_action :assign_endpoint_vars
before_action do
push_frontend_feature_flag(:multi_select_board, default_enabled: true)
......@@ -16,4 +17,8 @@ class Groups::BoardsController < Groups::ApplicationController
@namespace_path = group.to_param
@labels_endpoint = group_labels_url(group)
end
def authorize_read_board!
access_denied! unless can?(current_user, :read_board, group)
end
end
......@@ -67,6 +67,7 @@ class GroupPolicy < BasePolicy
enable :read_milestone
enable :read_list
enable :read_label
enable :read_board
end
rule { has_access }.enable :read_namespace
......
......@@ -28,6 +28,7 @@ module API
success ::API::Entities::Board
end
get '/:board_id' do
authorize!(:read_board, user_group)
present board, with: ::API::Entities::Board
end
......@@ -39,6 +40,7 @@ module API
use :pagination
end
get '/' do
authorize!(:read_board, user_group)
present paginate(board_parent.boards.with_associations), with: Entities::Board
end
end
......@@ -55,6 +57,7 @@ module API
use :pagination
end
get '/lists' do
authorize!(:read_board, user_group)
present paginate(board_lists), with: Entities::List
end
......@@ -66,6 +69,7 @@ module API
requires :list_id, type: Integer, desc: 'The ID of a list'
end
get '/lists/:list_id' do
authorize!(:read_board, user_group)
present board_lists.find(params[:list_id]), with: Entities::List
end
......
......@@ -27,7 +27,8 @@ describe Groups::BoardsController do
context 'with unauthorized user' do
before do
allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_board, group).and_return(false)
end
it 'returns a not found 404 response' do
......@@ -70,7 +71,8 @@ describe Groups::BoardsController do
context 'with unauthorized user' do
before do
allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_board, group).and_return(false)
end
it 'returns a not found 404 response' do
......@@ -105,7 +107,8 @@ describe Groups::BoardsController do
context 'with unauthorized user' do
before do
allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_board, group).and_return(false)
end
it 'returns a not found 404 response' do
......@@ -142,6 +145,7 @@ describe Groups::BoardsController do
context 'with unauthorized user' do
before do
allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
end
......
......@@ -438,7 +438,7 @@ describe GroupPolicy do
end
end
context "create_projects" do
context 'create_projects' do
context 'when group has no project creation level set' do
before_all do
group.update(project_creation_level: nil)
......@@ -560,7 +560,7 @@ describe GroupPolicy do
end
end
context "create_subgroup" do
context 'create_subgroup' do
context 'when group has subgroup creation level set to owner' do
before_all do
group.update(subgroup_creation_level: ::Gitlab::Access::OWNER_SUBGROUP_ACCESS)
......
......@@ -16,7 +16,7 @@ RSpec.shared_context 'GroupPolicy context' do
read_group_merge_requests
]
end
let(:read_group_permissions) { %i[read_label read_list read_milestone] }
let(:read_group_permissions) { %i[read_label read_list read_milestone read_board] }
let(:reporter_permissions) { %i[admin_label read_container_image] }
let(:developer_permissions) { [:admin_milestone] }
let(:maintainer_permissions) do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment