Commit f97684de authored by Eugenia Grieff's avatar Eugenia Grieff

Change API permissions to set epic of an issue

- Update GraphQL mutation Issues::SetEpic
- Update REST endpoint

Changelog: changed
EE: true
parent f77caca4
......@@ -16,7 +16,7 @@ module Mutations
issue = authorized_find!(project_path: project_path, iid: iid)
project = issue.project
authorize_admin_rights!(epic)
authorize_admin_rights!(issue)
begin
::Issues::UpdateService.new(project: project, current_user: current_user, params: { epic: epic })
......@@ -33,10 +33,10 @@ module Mutations
private
def authorize_admin_rights!(epic)
return unless epic.present?
def authorize_admin_rights!(issue)
return unless issue.present?
raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_epic, epic.group)
raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_issue, issue)
end
end
end
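Review bot: The new `authorize_admin_rights!(issue)` keeps a `return unless issue.present?` guard, but `issue` comes from `authorized_find!` in the first hunk, which raises when nothing is found, so the guard is dead code and the method body can be reduced to `raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_issue, issue)`. More importantly, no check on `epic` survives in this mutation, and the same holds for the EE Issues::UpdateService hunk, the EpicIssues `linkable_issuables` hunk and the three API::EpicIssues endpoints below: if the epic is resolved outside these hunks without a read authorization, a user who can admin an issue could attach it to, or reorder it within, any epic reachable by id. If epic visibility is enforced by the lookup, a comment at the call site such as `# epic visibility is enforced where the epic is resolved; only issue-side rights are checked here` would make that intent explicit to the next reader. The `resolve` method this hunk belongs to starts and ends outside it.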
......
......@@ -52,7 +52,7 @@ module EE
return unless epic
unless can?(current_user, :admin_epic, epic)
unless can?(current_user, :admin_issue, issue)
raise ::Gitlab::Access::AccessDeniedError
end
......
......@@ -35,10 +35,9 @@ module EpicIssues
def linkable_issuables(issues)
@linkable_issues ||= begin
return [] unless can?(current_user, :admin_epic, issuable.group)
issues.select do |issue|
issue.supports_epic? &&
can?(current_user, :admin_issue, issue) &&
issuable_group_descendants.include?(issue.project.group) &&
!previous_related_issuables.include?(issue)
end
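Review bot: In `linkable_issuables` the policy check `can?(current_user, :admin_issue, issue)` now runs once per issue and sits before the two membership tests, so the policy is evaluated even for issues that `issuable_group_descendants.include?` or `previous_related_issuables.include?` would reject anyway. All four conjuncts are predicates, so moving the `can?` call to the last position keeps the selected set identical while skipping those evaluations; whether the membership tests are memoized cannot be seen from the hunk, so the benefit is presumed. The `begin` block that memoizes `@linkable_issues` closes outside the hunk.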
......
......@@ -40,7 +40,7 @@ module API
use :pagination
end
put ':id/(-/)epics/:epic_iid/issues/:epic_issue_id' do
authorize_can_admin_epic!
authorize!(:admin_issue, link.issue)
update_params = {
move_before_id: params[:move_before_id],
......@@ -84,9 +84,8 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
post ':id/(-/)epics/:epic_iid/issues/:issue_id' do
authorize_can_admin_epic!
issue = Issue.find(params[:issue_id])
authorize!(:admin_issue, issue)
create_params = { target_issuable: issue }
......@@ -110,8 +109,7 @@ module API
requires :epic_issue_id, type: Integer, desc: 'The ID of the association'
end
delete ':id/(-/)epics/:epic_iid/issues/:epic_issue_id' do
authorize_can_admin_epic!
authorize!(:admin_issue, link.issue)
result = ::EpicIssues::DestroyService.new(link, current_user).execute
if result[:status] == :success
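Review bot: In the `post` endpoint, `Issue.find(params[:issue_id])` is followed directly by `authorize!(:admin_issue, issue)`, so an issue the caller cannot read at all now answers 403 rather than 404, which lets a caller tell hidden issue ids from nonexistent ones; the usual API pattern is to return not found first, e.g. `not_found!('Issue') unless can?(current_user, :read_issue, issue)`, and keep the 403 for issues that are readable but not administrable. The `put` and `delete` endpoints authorize on `link.issue` only; whether the `link` helper still verifies access to the epic is not visible in these hunks. Each endpoint block continues past its hunk.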
......
......@@ -22,7 +22,7 @@ RSpec.describe Mutations::Issues::SetEpic do
context 'when the user can update the issue' do
before do
stub_licensed_features(epics: true)
project.add_developer(user)
project.add_guest(user)
end
it 'raises an error if the epic is not accessible to the user' do
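Review bot: The `before` block now makes `user` a guest, yet the enclosing context is still titled 'when the user can update the issue'; a guest can update an issue only in limited cases, so unless `issue` is authored by `user` in a `let` outside the hunk, the description no longer matches the setup. Either rename the context to reflect the role, e.g. `context 'when the user is a guest who can update the issue' do`, or state the author relationship in the name so the permission being exercised is clear.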
......
......@@ -120,10 +120,16 @@ RSpec.describe API::EpicIssues do
expect(response).to have_gitlab_http_status(:not_found)
end
it 'returns 403 forbidden error for a user without permissions to admin the epic' do
post api(url, user)
context 'With user without permissions to admin the issue' do
before do
project.add_guest(user)
end
expect(response).to have_gitlab_http_status(:forbidden)
it 'returns 403 forbidden error' do
post api(url, user)
expect(response).to have_gitlab_http_status(:forbidden)
end
end
context 'when issue project is not under the epic group' do
......@@ -205,10 +211,16 @@ RSpec.describe API::EpicIssues do
expect(response).to have_gitlab_http_status(:not_found)
end
it 'returns 403 forbidden error for a user without permissions to admin the epic' do
delete api(url, user)
context 'With user without permissions to admin the issue' do
before do
project.add_guest(user)
end
expect(response).to have_gitlab_http_status(:forbidden)
it 'returns 403 forbidden error' do
delete api(url, user)
expect(response).to have_gitlab_http_status(:forbidden)
end
end
context 'when epic_issue association does not include the epic in the url' do
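Review bot: Both new contexts exercise a guest who cannot admin the issue, but the examples they replace were the only ones covering a user without rights on the epic, and nothing in this spec now covers a caller who can admin the issue yet has no access to the epic; if that path should still be rejected, an example for it is missing, e.g. a context granting `project.add_developer(user)` without group membership and asserting the expected status. The new descriptions also begin with a capitalised 'With user without permissions…' while the surrounding contexts use lower-case 'when …' phrasing; `context 'when the user cannot admin the issue' do` would match the file's convention. The same applies to the second new context in the `delete` hunk.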
......
......@@ -252,6 +252,10 @@ RSpec.describe Issues::UpdateService do
subject { update_issue(params) }
context 'when a user does not have permissions to assign an epic' do
before do
project.add_guest(author)
end
it 'raises an exception' do
expect { subject }.to raise_error(Gitlab::Access::AccessDeniedError)
end
......
......@@ -26,7 +26,7 @@ RSpec.shared_examples 'issue with epic_id parameter' do
context 'when user can not add issues to the epic' do
before do
project.add_maintainer(user)
project.add_guest(user)
end
let(:params) { { title: 'issue1', epic_id: epic.id } }
......