Merge branch 'barthc/gitlab-ce-prevent_authored_vote_from_notes'

See merge request !6544.

Merge branch 'barthc/gitlab-ce-prevent_authored_vote_from_notes'
See merge request !6544.
0e43e34b · Rémy Coutable · 1f84dbaa · ea6c5c1c · 0e43e34b · 0e43e34b
Commit 0e43e34b authored Oct 24, 2016 by Rémy Coutable
Showing with 18 additions and 4 deletions

CHANGELOG.md CHANGELOG.md +1 -0

app/services/notes/create_service.rb app/services/notes/create_service.rb +4 -2

spec/requests/api/notes_spec.rb spec/requests/api/notes_spec.rb +13 -2

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 ## 8.14.0 (2016-11-22)
  - Adds user project membership expired event to clarify why user was removed (Callum Dryden)
  - Trim leading and trailing whitespace on project_path (Linus Thiel)
+  - Prevent award emoji via notes for issues/MRs authored by user (barthc)
  - Fix HipChat notifications rendering (airatshigapov, eisnerd)
  - Add hover to trash icon in notes !7008 (blackst0ne)
  - Simpler arguments passed to named_route on toggle_award_url helper method

--- a/app/services/notes/create_service.rb
+++ b/app/services/notes/create_service.rb
@@ -7,8 +7,10 @@ module Notes

      if note.award_emoji?
        noteable = note.noteable
-        todo_service.new_award_emoji(noteable, current_user)
-        return noteable.create_award_emoji(note.award_emoji_name, current_user)
+        if noteable.user_can_award?(current_user, note.award_emoji_name)
+          todo_service.new_award_emoji(noteable, current_user)
+          return noteable.create_award_emoji(note.award_emoji_name, current_user)
+        end
      end

      # We execute commands (extracted from `params[:note]`) on the noteable

--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb
@@ -221,12 +221,23 @@ describe API::API, api: true  do
        end
      end

-      context 'when the user is posting an award emoji' do
+      context 'when the user is posting an award emoji on an issue created by someone else' do
+        let(:issue2) { create(:issue, project: project) }
+
        it 'returns an award emoji' do
+          post api("/projects/#{project.id}/issues/#{issue2.id}/notes", user), body: ':+1:'
+
+          expect(response).to have_http_status(201)
+          expect(json_response['awardable_id']).to eq issue2.id
+        end
+      end
+
+      context 'when the user is posting an award emoji on his/her own issue' do
+        it 'creates a new issue note' do
          post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: ':+1:'

          expect(response).to have_http_status(201)
-          expect(json_response['awardable_id']).to eq issue.id
+          expect(json_response['body']).to eq(':+1:')
        end
      end
    end