Commit ee743909 authored by Oswaldo Ferreira's avatar Oswaldo Ferreira

Returns 404 on removal when no authorization on the related issue project

parent b8587050
...@@ -16,6 +16,11 @@ module Projects ...@@ -16,6 +16,11 @@ module Projects
def destroy def destroy
related_issue = RelatedIssue.find(params[:id]) related_issue = RelatedIssue.find(params[:id])
# In order to remove a given relation, one must be allowed to admin_related_issue both the current
# project and on the related issue project.
return render_404 unless can?(current_user, :admin_related_issue, related_issue.related_issue.project)
result = RelatedIssues::DestroyService.new(related_issue, current_user).execute result = RelatedIssues::DestroyService.new(related_issue, current_user).execute
render json: result render json: result
......
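Review bot: The new guard checks only one end of the relation, `related_issue.related_issue.project`, while `RelatedIssue.find(params[:id])` on the line above is not scoped to the current project, so the relation's other end is never compared against the project named in the URL; a user allowed to admin related issues in the URL project and in the target project could presumably remove a relation whose source issue lives in a third project (the association name for that end is not visible in this hunk). Consider scoping the lookup to the current project's issues, or checking both ends, e.g. `return render_404 unless can?(current_user, :admin_related_issue, related_issue.issue.project)` with `issue` replaced by whatever the source-side association is called. The comment above the guard also reads awkwardly and relies on the current-project check being done by a before_action outside this hunk; `# To remove a relation the user must be allowed to admin_related_issue on both the current project and the related issue's project.` would be clearer. destroy's body continues past the end of the hunk.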
...@@ -82,10 +82,11 @@ describe Projects::RelatedIssuesController, type: :controller do ...@@ -82,10 +82,11 @@ describe Projects::RelatedIssuesController, type: :controller do
end end
describe 'DELETE #destroy' do describe 'DELETE #destroy' do
let(:related_issue) { create :related_issue } let(:referenced_issue) { create :issue, project: project }
let(:related_issue) { create :related_issue, related_issue: referenced_issue }
let(:service) { double(RelatedIssues::DestroyService, execute: service_response) } let(:service) { double(RelatedIssues::DestroyService, execute: service_response) }
let(:service_response) { { 'message' => 'yay' } } let(:service_response) { { 'message' => 'yay' } }
let(:user_role) { :developer } let(:current_project_user_role) { :developer }
subject do subject do
delete :destroy, namespace_id: issue.project.namespace, delete :destroy, namespace_id: issue.project.namespace,
...@@ -96,7 +97,7 @@ describe Projects::RelatedIssuesController, type: :controller do ...@@ -96,7 +97,7 @@ describe Projects::RelatedIssuesController, type: :controller do
end end
before do before do
project.team << [user, user_role] project.team << [user, current_project_user_role]
sign_in user sign_in user
allow(RelatedIssues::DestroyService).to receive(:new) allow(RelatedIssues::DestroyService).to receive(:new)
...@@ -105,15 +106,26 @@ describe Projects::RelatedIssuesController, type: :controller do ...@@ -105,15 +106,26 @@ describe Projects::RelatedIssuesController, type: :controller do
end end
context 'when unauthorized' do context 'when unauthorized' do
let(:user_role) { :guest } context 'when no authorization on current project' do
let(:current_project_user_role) { :guest }
it 'returns 404' do it 'returns 404' do
is_expected.to have_http_status(404) is_expected.to have_http_status(404)
end end
end end
context 'when no authorization on the related issue project' do
let(:referenced_issue) { create :issue }
let(:current_project_user_role) { :developer }
it 'returns 404' do
is_expected.to have_http_status(404)
end
end
end
context 'when authorized' do context 'when authorized' do
let(:user_role) { :developer } let(:current_project_user_role) { :developer }
it 'returns success JSON' do it 'returns success JSON' do
is_expected.to have_http_status(200) is_expected.to have_http_status(200)
......
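Review bot: The new 'when no authorization on the related issue project' context asserts only the 404 status, so it would still pass if the controller rendered 404 after the destroy service had already run; since `RelatedIssues::DestroyService.new` is stubbed in the `before` block, add `expect(RelatedIssues::DestroyService).not_to receive(:new)` before the status expectation in that example and in the sibling current-project context. `let(:current_project_user_role) { :developer }` inside the new context repeats the default already declared at the `describe 'DELETE #destroy'` level and can be dropped, as can the same override in the 'when authorized' context. The enclosing `describe 'DELETE #destroy'` block ends outside the hunk.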