Merge branch 'sh-fix-board-user-assigns' into 'master'

Fix 403 errors when adding an assignee list in project boards Closes gitlab-ee#9727 See merge request gitlab-org/gitlab-ce!25263

Merge branch 'sh-fix-board-user-assigns' into 'master'
Fix 403 errors when adding an assignee list in project boards Closes gitlab-ee#9727 See merge request gitlab-org/gitlab-ce!25263
a092b5ae · Douglas Barbosa Alexandre · e2a56bd1 · b2da8042 · a092b5ae · a092b5ae
Commit a092b5ae authored Feb 14, 2019 by Douglas Barbosa Alexandre
4 changed files
--- a/app/models/board.rb
+++ b/app/models/board.rb
@@ -21,6 +21,10 @@ class Board < ActiveRecord::Base
    group_id.present?
  end

+  def project_board?
+    project_id.present?
+  end
+
  def backlog_list
    lists.merge(List.backlog).take
  end

--- a/app/policies/board_policy.rb
+++ b/app/policies/board_policy.rb
@@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy
  delegate { @subject.parent }

  condition(:is_group_board) { @subject.group_board? }
+  condition(:is_project_board) { @subject.project_board? }

-  rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
+  rule { is_project_board & can?(:read_project) }.enable :read_parent

  rule { is_group_board & can?(:read_group) }.policy do
+    enable :read_parent
    enable :read_milestone
    enable :read_issue
  end

--- a/changelogs/unreleased/sh-fix-board-user-assigns.yml
+++ b/changelogs/unreleased/sh-fix-board-user-assigns.yml
+---
+title: Fix 403 errors when adding an assignee list in project boards
+merge_request: 25263
+author:
+type: fixed
--- a/spec/policies/board_policy_spec.rb
+++ b/spec/policies/board_policy_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe BoardPolicy do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :private) }
+  let(:group) { create(:group, :private) }
+  let(:group_board) { create(:board, group: group) }
+  let(:project_board) { create(:board, project: project) }
+
+  let(:board_permissions) do
+    [
+      :read_parent,
+      :read_milestone,
+      :read_issue
+    ]
+  end
+
+  def expect_allowed(*permissions)
+    permissions.each { |p| is_expected.to be_allowed(p) }
+  end
+
+  def expect_disallowed(*permissions)
+    permissions.each { |p| is_expected.not_to be_allowed(p) }
+  end
+
+  context 'group board' do
+    subject { described_class.new(user, group_board) }
+
+    context 'user has access' do
+      before do
+        group.add_developer(user)
+      end
+
+      it do
+        expect_allowed(*board_permissions)
+      end
+    end
+
+    context 'user does not have access' do
+      it do
+        expect_disallowed(*board_permissions)
+      end
+    end
+  end
+
+  context 'project board' do
+    subject { described_class.new(user, project_board) }
+
+    context 'user has access' do
+      before do
+        project.add_developer(user)
+      end
+
+      it do
+        expect_allowed(*board_permissions)
+      end
+    end
+
+    context 'user does not have access' do
+      it do
+        expect_disallowed(*board_permissions)
+      end
+    end
+  end
+end