Apply user authorization for listing and creating related issues

c438cc4c · Oswaldo Ferreira · 258e4e97 · c438cc4c · c438cc4c · c438cc4c
Commit c438cc4c authored Apr 25, 2017 by Oswaldo Ferreira
4 changed files
--- a/app/controllers/projects/related_issues_controller.rb
+++ b/app/controllers/projects/related_issues_controller.rb
@@ -2,7 +2,8 @@ module Projects
  class RelatedIssuesController < ApplicationController
    include IssuesHelper
-    before_action :authorize_read_issue!, only: [:index, :create]
+    before_action :authorize_read_related_issue!
+    before_action :authorize_admin_related_issue!, only: [:create]
    def index
      render json: serialize_as_json
@@ -17,6 +18,14 @@ module Projects
    private
+    def authorize_admin_related_issue!
+      return render_404 unless can?(current_user, :admin_related_issue, @project)
+    end
+    def authorize_read_related_issue!
+      return render_404 unless can?(current_user, :read_related_issue, @project)
+    end
    # TODO: Move to service class
    def serialize_as_json
      related_issues.map do |related_issue|

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -40,6 +40,7 @@ class ProjectPolicy < BasePolicy
    can! :read_wiki
    can! :read_issue
    can! :read_label
+    can! :read_related_issue
    can! :read_milestone
    can! :read_project_snippet
    can! :read_project_member
@@ -66,6 +67,7 @@ class ProjectPolicy < BasePolicy
    can! :admin_issue
    can! :admin_label
    can! :admin_board
+    can! :admin_related_issue
    can! :admin_list
    can! :read_commit_status
    can! :read_build
@@ -306,6 +308,7 @@ class ProjectPolicy < BasePolicy
    can! :read_list
    can! :read_wiki
    can! :read_label
+    can! :read_related_issue
    can! :read_milestone
    can! :read_project_snippet
    can! :read_project_member

--- a/spec/controllers/projects/related_issues_controller_spec.rb
+++ b/spec/controllers/projects/related_issues_controller_spec.rb
@@ -37,8 +37,6 @@ describe Projects::RelatedIssuesController, type: :controller do
                  issue_id: issue,
                  format: :json
      expect(json_response.size).to eq(3)
      expect(json_response[0]).to eq(
@@ -74,9 +72,10 @@ describe Projects::RelatedIssuesController, type: :controller do
    let(:service) { double(CreateRelatedIssueService, execute: service_response) }
    let(:service_response) { { 'message' => 'yay' } }
    let(:issue_references) { double }
+    let(:user_role) { :developer }
    before do
-      project.team << [user, :developer]
+      project.team << [user, user_role]
      allow(CreateRelatedIssueService).to receive(:new)
        .with(issue, user, { issue_references: issue_references })
@@ -101,6 +100,14 @@ describe Projects::RelatedIssuesController, type: :controller do
    end
    context 'with failure' do
+      context 'when unauthorized' do
+        let(:user_role) { :guest }
+        it 'returns 404' do
+          is_expected.to have_http_status(404)
+        end
+      end
      context 'when failure service result' do
        let(:service_response) { { 'http_status' => 401 } }

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -13,7 +13,7 @@ describe ProjectPolicy, models: true do
  let(:guest_permissions) do
    %i[
      read_project read_board read_list read_wiki read_issue read_label
-      read_milestone read_project_snippet read_project_member
+      read_related_issue read_milestone read_project_snippet read_project_member
      read_note create_project create_issue create_note
      upload_file
    ]
@@ -22,7 +22,7 @@ describe ProjectPolicy, models: true do
  let(:reporter_permissions) do
    %i[
      download_code fork_project create_project_snippet update_issue
-      admin_issue admin_label admin_list read_commit_status read_build
+      admin_issue admin_label admin_related_issue admin_list read_commit_status read_build
      read_container_image read_pipeline read_environment read_deployment
      read_merge_request download_wiki_code
    ]
@@ -71,7 +71,7 @@ describe ProjectPolicy, models: true do
  let(:auditor_permissions) do
    %i[
      download_code download_wiki_code read_project read_board read_list
-      read_wiki read_issue read_label read_milestone read_project_snippet
+      read_wiki read_issue read_label read_related_issue read_milestone read_project_snippet
      read_project_member read_note read_cycle_analytics read_pipeline
      read_build read_commit_status read_container_image read_environment
      read_deployment read_merge_request read_pages