Commit a4bebd81 authored by Matthias Käppler's avatar Matthias Käppler

Merge branch 'id-fix-label-promotion' into 'master'

Fix permissions for label promotion via API

See merge request gitlab-org/gitlab!75930
parents 7afc0894 be1b386c
...@@ -105,7 +105,11 @@ module API ...@@ -105,7 +105,11 @@ module API
end end
def promote_label(parent) def promote_label(parent)
authorize! :admin_label, parent unless parent.group
render_api_error!('Failed to promote project label to group label', 400)
end
authorize! :admin_label, parent.group
label = find_label(parent, params[:name], include_ancestor_groups: false) label = find_label(parent, params[:name], include_ancestor_groups: false)
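Review bot: The new `authorize! :admin_label, parent.group` line is the permission fix itself, but nothing in the method records why the check is made against the group rather than the project, so a later cleanup could move it back to `parent` without noticing the regression. A comment above the guard such as `# Promotion creates a group label, so the caller needs admin_label on the group, not merely on the project.` would pin the intent. Note also that the 400 for a project without a group is now returned before any authorization on `parent`, so a caller who can read the project but lacks `admin_label` on it gets 400 instead of the 403 the old code produced; this looks harmless because a readable project's namespace is already visible, but it is worth confirming it is intended. The rest of promote_label continues outside the hunk.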
...@@ -589,6 +589,15 @@ RSpec.describe API::Labels do ...@@ -589,6 +589,15 @@ RSpec.describe API::Labels do
expect(response).to have_gitlab_http_status(:forbidden) expect(response).to have_gitlab_http_status(:forbidden)
end end
it 'returns 403 if reporter promotes label' do
reporter = create(:user)
project.add_reporter(reporter)
put api("/projects/#{project.id}/labels/promote", reporter), params: { name: label1.name }
expect(response).to have_gitlab_http_status(:forbidden)
end
it 'returns 404 if label does not exist' do it 'returns 404 if label does not exist' do
put api("/projects/#{project.id}/labels/promote", user), params: { name: 'unknown' } put api("/projects/#{project.id}/labels/promote", user), params: { name: 'unknown' }
...@@ -601,6 +610,13 @@ RSpec.describe API::Labels do ...@@ -601,6 +610,13 @@ RSpec.describe API::Labels do
expect(response).to have_gitlab_http_status(:bad_request) expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['error']).to eq('name is missing') expect(json_response['error']).to eq('name is missing')
end end
it 'returns 400 if project does not have a group' do
project = create(:project, creator_id: user.id, namespace: user.namespace)
put api("/projects/#{project.id}/labels/promote", user), params: { name: label1.name }
expect(response).to have_gitlab_http_status(:bad_request)
end
end end
describe "POST /projects/:id/labels/:label_id/subscribe" do describe "POST /projects/:id/labels/:label_id/subscribe" do
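Review bot: In the 'returns 400 if project does not have a group' example, the local `project = create(:project, ...)` shadows the spec's `project` helper while `label1.name` still refers to a label that presumably belongs to the outer project, so the example passes only because the group guard runs before `find_label`; if that order ever changed the request would return 404 and the assertion would fail for the wrong reason. Naming the local (for example `groupless_project`) and creating a label on it, or passing a literal name, would make the example self-contained. Whether `label1` is a `let` bound to the outer `project` is inferred; its definition is outside the hunk, as is the start of the enclosing describe block.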