Merge branch 'fix-epic-link-create-perm' into 'master'

Check user permissions correctly See merge request gitlab-org/gitlab!24946

Merge branch 'fix-epic-link-create-perm' into 'master'
Check user permissions correctly See merge request gitlab-org/gitlab!24946
acb5376b · Jan Provaznik · 2dd90ff5 · d533b4f8 · acb5376b · acb5376b
Commit acb5376b authored Feb 12, 2020 by Jan Provaznik
3 changed files
--- a/ee/app/models/ee/epic.rb
+++ b/ee/app/models/ee/epic.rb
@@ -346,7 +346,7 @@ module EE
      elsif parent.has_ancestor?(self)
        errors.add :parent, "This epic can't be added as it is already assigned to this epic's ancestor"
      elsif !preloaded_parent_group_and_descendants.include?(group)
-        errors.add :parent, "This epic can't be added because parent and child epics must belong to the same group"
+        errors.add :parent, "This epic can't be added because it must belong to the same group as the parent, or subgroup of the parent epic’s group"
      elsif level_depth_exceeded?(parent)
        errors.add :parent, "This epic can't be added as the maximum depth of nested epics would be exceeded"
      end

--- a/ee/app/services/epic_links/create_service.rb
+++ b/ee/app/services/epic_links/create_service.rb
@@ -3,6 +3,10 @@
 module EpicLinks
  class CreateService < IssuableLinks::CreateService
    def execute
+      unless can?(current_user, :admin_epic, issuable.group)
+        return error(issuables_not_found_message, 404)
+      end
      if issuable.max_hierarchy_depth_achieved?
        return error("This epic can't be added because the parent is already at the maximum depth from its most distant ancestor", 409)
      end
@@ -54,8 +58,6 @@ module EpicLinks
    def linkable_issuables(epics)
      @linkable_issuables ||= begin
-        return [] unless can?(current_user, :admin_epic, issuable.group)
        epics.select do |epic|
          linkable_epic?(epic)
        end

--- a/ee/spec/services/epic_links/create_service_spec.rb
+++ b/ee/spec/services/epic_links/create_service_spec.rb
@@ -70,9 +70,18 @@ describe EpicLinks::CreateService do
        context 'when a single epic is given' do
          subject { add_epic([valid_reference]) }
-          context 'when an epic from a another group is given' do
+          context 'when a user does not have permissions to add an epic' do
+            include_examples 'returns an error'
+          end
+          context 'when a user has permissions to add an epic' do
+            before do
+              group.add_developer(user)
+            end
+            context 'when an epic from another group is given' do
              let(:other_group) { create(:group) }
-            let(:expected_error) { "This epic can't be added because parent and child epics must belong to the same group" }
+              let(:expected_error) { "This epic can't be added because it must belong to the same group as the parent, or subgroup of the parent epic’s group" }
              let(:expected_code) { 409 }
              before do
@@ -145,7 +154,7 @@ describe EpicLinks::CreateService do
              include_examples 'returns an error'
            end
-          context 'when total depth after adding would exceed limit' do
+            context 'when total depth after adding would exceed depth limit' do
              let(:expected_error) { "This epic can't be added as the maximum depth of nested epics would be exceeded" }
              let(:expected_code) { 409 }
@@ -164,6 +173,7 @@ describe EpicLinks::CreateService do
              include_examples 'returns an error'
            end
          end
+        end
        context 'when multiple epics are given' do
          let(:another_epic) { create(:epic) }
@@ -174,6 +184,15 @@ describe EpicLinks::CreateService do
            )
          end
+          context 'when a user dos not have permissions to add an epic' do
+            include_examples 'returns an error'
+          end
+          context 'when a user has permissions to add an epic' do
+            before do
+              group.add_developer(user)
+            end
            context 'when adding epics that are already a child of the parent epic' do
              let(:expected_error) { 'Epic(s) already assigned' }
              let(:expected_code) { 409 }
@@ -229,19 +248,20 @@ describe EpicLinks::CreateService do
                include_examples 'returns an error'
              end
            end
-        end
-      end
-      context 'when user has permissions to link the epic' do
-        before do
-          group.add_developer(user)
-        end
            context 'when the reference list is empty' do
              subject { add_epic([]) }
              include_examples 'returns an error'
            end
+          end
+        end
+      end
+      context 'when everything is ok' do
+        before do
+          group.add_developer(user)
+        end
        context 'when a correct reference is given' do
          subject { add_epic([valid_reference]) }