Commit 98559adf authored by Felipe Artur's avatar Felipe Artur

Test if issue authors can access private projects

parent fe084819
......@@ -41,6 +41,7 @@ v 8.12.0 (unreleased)
- Expose `sha` and `merge_commit_sha` in merge request API (Ben Boeckel)
- Set path for all JavaScript cookies to honor GitLab's subdirectory setting !5627 (Mike Greiling)
- Fix blame table layout width
- Spec testing if issue authors can read issues on private projects
- Fix bug where pagination is still displayed despite all todos marked as done (ClemMakesApps)
- Request only the LDAP attributes we need !6187
- Center build stage columns in pipeline overview (ClemMakesApps)
......
......@@ -33,4 +33,17 @@ describe ProjectPolicy, models: true do
it 'returns increasing permissions for each level' do
expect(users_permissions).to eq(users_permissions.sort.uniq)
end
it 'does not include the read_issue permission when the issue author is not a member of the private project' do
project = create(:project, :private)
issue = create(:issue, project: project)
user = issue.author
expect(project.team.member?(issue.author)).to eq(false)
expect(BasePolicy.class_for(project).abilities(user, project).can_set).
not_to include(:read_issue)
expect(Ability.allowed?(user, :read_issue, project)).to be_falsy
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment