Commit c9fca0f0 authored by Mario de la Ossa's avatar Mario de la Ossa

Fix Approvals API not allowing empty params on form-encoded input

parent 7701c4ba
---
title: Fix approvers API not accepting empty form-encoded params
merge_request: 5784
author:
type: fixed
...@@ -2,6 +2,8 @@ module API ...@@ -2,6 +2,8 @@ module API
class MergeRequestApprovals < ::Grape::API class MergeRequestApprovals < ::Grape::API
before { authenticate_non_get! } before { authenticate_non_get! }
ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
helpers do helpers do
def handle_merge_request_errors!(errors) def handle_merge_request_errors!(errors)
if errors.has_key? :project_access if errors.has_key? :project_access
...@@ -69,8 +71,8 @@ module API ...@@ -69,8 +71,8 @@ module API
success Entities::MergeRequestApprovals success Entities::MergeRequestApprovals
end end
params do params do
requires :approver_ids, type: Array[String], allow_blank: true, desc: 'Array of User IDs to set as approvers.' requires :approver_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of User IDs to set as approvers.'
requires :approver_group_ids, type: Array[String], allow_blank: true, desc: 'Array of Group IDs to set as approvers.' requires :approver_group_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of Group IDs to set as approvers.'
end end
put 'approvers' do put 'approvers' do
merge_request = find_merge_request_with_access(params[:merge_request_iid], :update_approvers) merge_request = find_merge_request_with_access(params[:merge_request_iid], :update_approvers)
......
...@@ -3,6 +3,8 @@ module API ...@@ -3,6 +3,8 @@ module API
before { authenticate! } before { authenticate! }
before { authorize! :update_approvers, user_project } before { authorize! :update_approvers, user_project }
ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
params do params do
requires :id, type: String, desc: 'The ID of a project' requires :id, type: String, desc: 'The ID of a project'
end end
...@@ -44,8 +46,8 @@ module API ...@@ -44,8 +46,8 @@ module API
success ::API::Entities::ApprovalSettings success ::API::Entities::ApprovalSettings
end end
params do params do
requires :approver_ids, type: Array[String], allow_blank: true, desc: 'Array of User IDs to set as approvers.' requires :approver_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of User IDs to set as approvers.'
requires :approver_group_ids, type: Array[String], allow_blank: true, desc: 'Array of Group IDs to set as approvers.' requires :approver_group_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of Group IDs to set as approvers.'
end end
put ':id/approvers' do put ':id/approvers' do
result = ::Projects::UpdateService.new(user_project, current_user, declared(params, include_parent_namespaces: false).merge(remove_old_approvers: true)).execute result = ::Projects::UpdateService.new(user_project, current_user, declared(params, include_parent_namespaces: false).merge(remove_old_approvers: true)).execute
......
...@@ -165,6 +165,22 @@ describe API::MergeRequestApprovals do ...@@ -165,6 +165,22 @@ describe API::MergeRequestApprovals do
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
expect(json_response['approvers']).to eq([]) expect(json_response['approvers']).to eq([])
end end
context 'when sending form-encoded data' do
it 'removes approvers not in the payload' do
merge_request.approvers.create(user: approver)
merge_request.approver_groups.create(group: approver_group)
expect do
put api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/approvers", current_user),
approver_ids: '', approver_group_ids: ''
end.to change { merge_request.approvers.count }.from(1).to(0)
.and change { merge_request.approver_groups.count }.from(1).to(0)
expect(response).to have_gitlab_http_status(200)
expect(json_response['approvers']).to eq([])
end
end
end end
end end
......
...@@ -107,6 +107,20 @@ describe API::ProjectApprovals do ...@@ -107,6 +107,20 @@ describe API::ProjectApprovals do
expect(json_response['approver_groups']).to be_empty expect(json_response['approver_groups']).to be_empty
end end
context 'when sending form-encoded data' do
it 'removes all approvers if no params are given' do
project.approvers.create(user: approver)
expect do
put api(url, current_user), approver_ids: '', approver_group_ids: ''
end.to change { project.approvers.count }.from(1).to(0)
expect(response).to have_gitlab_http_status(200)
expect(json_response['approvers']).to be_empty
expect(json_response['approver_groups']).to be_empty
end
end
it 'sets approvers and approver groups' do it 'sets approvers and approver groups' do
project.approvers.create(user: approver) project.approvers.create(user: approver)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment