Fix service desk controller permissions

d1bec074 · Felipe Artur · e113fc9f · d1bec074 · d1bec074
Commit d1bec074 authored Apr 06, 2017 by Felipe Artur
2 changed files
--- a/app/controllers/projects/service_desk_controller.rb
+++ b/app/controllers/projects/service_desk_controller.rb
 class Projects::ServiceDeskController < Projects::ApplicationController
-  before_action :authorize_admin_project!, only: :update
-  before_action :authorize_read_project!, only: :show
+  before_action :authorize_admin_instance!, only: :update
+  before_action :authorize_admin_project!, only: :show

  def show
    json_response
@@ -16,10 +16,14 @@ class Projects::ServiceDeskController < Projects::ApplicationController

  def json_response
    respond_to do |format|
-      attributes =
+      service_desk_attributes =
        { service_desk_address: project.service_desk_address, service_desk_enabled: project.service_desk_enabled }

-      format.json { render json: attributes.to_json, status: :ok }
+      format.json { render json: service_desk_attributes }
    end
  end
+
+  def authorize_admin_instance!
+    return render_404 unless current_user.is_admin?
+  end
 end
--- a/spec/controllers/projects/service_desk_controller_spec.rb
+++ b/spec/controllers/projects/service_desk_controller_spec.rb
@@ -2,19 +2,18 @@ require 'spec_helper'

 describe Projects::ServiceDeskController do
  let(:project) { create(:project_empty_repo, :private) }
-  let(:user)    { create(:user) }
+  let(:user)    { create(:user, admin: true) }

  before do
-    project.add_master(user)
-    sign_in(user)
    allow_any_instance_of(License).to receive(:add_on?).and_call_original
    allow_any_instance_of(License).to receive(:add_on?).with('GitLab_ServiceDesk') { true }
+    project.update(service_desk_enabled: true)
+    project.add_master(user)
+    sign_in(user)
  end

  describe 'GET service desk properties' do
    it 'returns service_desk JSON data' do
-      project.update(service_desk_enabled: true)
-
      get :show, namespace_id: project.namespace.to_param, project_id: project, format: :json

      body = JSON.parse(response.body)
@@ -22,6 +21,19 @@ describe Projects::ServiceDeskController do
      expect(body["service_desk_enabled"]).to be_truthy
      expect(response.status).to eq(200)
    end
+
+    context 'when user is not project master' do
+      let(:guest) { create(:user) }
+
+      it 'renders 404' do
+        project.add_guest(guest)
+        sign_in(guest)
+
+        get :show, namespace_id: project.namespace.to_param, project_id: project, format: :json
+
+        expect(response.status).to eq(404)
+      end
+    end
  end

  describe 'PUT service desk properties' do
@@ -38,5 +50,15 @@ describe Projects::ServiceDeskController do
      expect(body["service_desk_enabled"]).to be_truthy
      expect(response.status).to eq(200)
    end
+
+    context 'when user is not admin' do
+      before { user.update(admin: false) }
+
+      it 'renders 404' do
+        put :update, namespace_id: project.namespace.to_param, project_id: project, service_desk_enabled: true, format: :json
+
+        expect(response.status).to eq(404)
+      end
+    end
  end
 end