Commit b8d44c4c authored by Robert Speicher's avatar Robert Speicher

Merge branch 'prevent_authored_awardable_votes' into 'master'

prevent authored awardable thumbs  votes

## What does this MR do?
This MR should prevent users from upvoting or downvoting issues/merge requests/notes authored by them.

## What are the relevant issue numbers?
Closes #20913 

See merge request !5841
parents 7dd97cff 5c5d13c4
...@@ -8,10 +8,14 @@ module ToggleAwardEmoji ...@@ -8,10 +8,14 @@ module ToggleAwardEmoji
def toggle_award_emoji def toggle_award_emoji
name = params.require(:name) name = params.require(:name)
if awardable.user_can_award?(current_user, name)
awardable.toggle_award_emoji(name, current_user) awardable.toggle_award_emoji(name, current_user)
TodoService.new.new_award_emoji(to_todoable(awardable), current_user) TodoService.new.new_award_emoji(to_todoable(awardable), current_user)
render json: { ok: true } render json: { ok: true }
else
render json: { ok: false }
end
end end
private private
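Review bot: The refusal branch in `toggle_award_emoji` answers with `render json: { ok: false }` and the default 200 status, so a blocked self-vote looks like a success to anything that reads only the HTTP status (access logs, monitoring, scripted clients). An explicit status makes the denial visible: `render json: { ok: false }, status: :forbidden`. Confirm first that the front-end caller copes with a non-2xx reply, since that code is not visible here. A one-line comment above the `if`, such as `# Authors may not up/down-vote their own awardables`, would also record why the guard exists.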
......
...@@ -59,6 +59,18 @@ module Awardable ...@@ -59,6 +59,18 @@ module Awardable
true true
end end
def awardable_votes?(name)
AwardEmoji::UPVOTE_NAME == name || AwardEmoji::DOWNVOTE_NAME == name
end
def user_can_award?(current_user, name)
if user_authored?(current_user)
!awardable_votes?(normalize_name(name))
else
true
end
end
def awarded_emoji?(emoji_name, current_user) def awarded_emoji?(emoji_name, current_user)
award_emoji.where(name: emoji_name, user: current_user).exists? award_emoji.where(name: emoji_name, user: current_user).exists?
end end
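Review bot: `user_can_award?` is only a predicate; nothing in this hunk makes `toggle_award_emoji` or `create_award_emoji` (both defined outside the hunk) call it, so the self-vote rule holds only where a caller remembers to check first. This commit updates two callers, the controller concern and the API endpoint. Any other path that creates an award, for instance the emoji-only note handling suggested by `Note#award_emoji?`, would presumably still let an author vote on their own item, which is worth confirming. Enforcing the rule inside the mutating methods, or as a validation on the award record, would close that gap in one place. Separately, `awardable_votes?` reads like a collection predicate; a name such as `vote_emoji?(name)` with a comment stating that `name` must already be normalized would make the contract clearer.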
......
...@@ -196,6 +196,10 @@ module Issuable ...@@ -196,6 +196,10 @@ module Issuable
end end
end end
def user_authored?(user)
user == author
end
def subscribed_without_subscriptions?(user) def subscribed_without_subscriptions?(user)
participants(user).include?(user) participants(user).include?(user)
end end
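Review bot: `user_authored?` is added here and again, identically, in `Note`, while the caller `Awardable#user_can_award?` simply assumes the including class provides it. A future class that includes `Awardable` without defining the method would raise `NoMethodError` on every award request instead of applying the rule. Defining it once in `Awardable` and overriding only where authorship differs would avoid that. At minimum, add a comment such as `# Required by Awardable#user_can_award?` above both copies.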
......
...@@ -223,6 +223,10 @@ class Note < ActiveRecord::Base ...@@ -223,6 +223,10 @@ class Note < ActiveRecord::Base
end end
end end
def user_authored?(user)
user == author
end
def award_emoji? def award_emoji?
can_be_award_emoji? && contains_emoji_only? can_be_award_emoji? && contains_emoji_only?
end end
......
...@@ -54,7 +54,7 @@ module API ...@@ -54,7 +54,7 @@ module API
post endpoint do post endpoint do
required_attributes! [:name] required_attributes! [:name]
not_found!('Award Emoji') unless can_read_awardable? not_found!('Award Emoji') unless can_read_awardable? && can_award_awardable?
award = awardable.create_award_emoji(params[:name], current_user) award = awardable.create_award_emoji(params[:name], current_user)
...@@ -92,6 +92,10 @@ module API ...@@ -92,6 +92,10 @@ module API
can?(current_user, ability, awardable) can?(current_user, ability, awardable)
end end
def can_award_awardable?
awardable.user_can_award?(current_user, params[:name])
end
def awardable def awardable
@awardable ||= @awardable ||=
begin begin
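Review bot: `not_found!('Award Emoji') unless can_read_awardable? && can_award_awardable?` reports a policy refusal as 404 even though the caller can read the awardable, so clients and audit logs cannot tell "no such item" from "you may not vote on your own item". Keeping 404 for the visibility check and answering the self-vote case separately is clearer, e.g. `not_found!('Award Emoji') unless can_read_awardable?` followed by `forbidden! unless can_award_awardable?` (assuming the API helpers expose `forbidden!` alongside `not_found!`); the new specs expecting 404 would then change accordingly. The short-circuit order is right as written, since `can_award_awardable?` runs only after the read check passes. The `awardable` helper's body continues outside the hunk.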
......
...@@ -12,7 +12,6 @@ describe 'Awards Emoji', feature: true do ...@@ -12,7 +12,6 @@ describe 'Awards Emoji', feature: true do
describe 'Click award emoji from issue#show' do describe 'Click award emoji from issue#show' do
let!(:issue) do let!(:issue) do
create(:issue, create(:issue,
author: @user,
assignee: @user, assignee: @user,
project: project) project: project)
end end
......
...@@ -4,7 +4,7 @@ describe API::API, api: true do ...@@ -4,7 +4,7 @@ describe API::API, api: true do
include ApiHelpers include ApiHelpers
let(:user) { create(:user) } let(:user) { create(:user) }
let!(:project) { create(:project) } let!(:project) { create(:project) }
let(:issue) { create(:issue, project: project, author: user) } let(:issue) { create(:issue, project: project) }
let!(:award_emoji) { create(:award_emoji, awardable: issue, user: user) } let!(:award_emoji) { create(:award_emoji, awardable: issue, user: user) }
let!(:merge_request) { create(:merge_request, source_project: project, target_project: project) } let!(:merge_request) { create(:merge_request, source_project: project, target_project: project) }
let!(:downvote) { create(:award_emoji, :downvote, awardable: merge_request, user: user) } let!(:downvote) { create(:award_emoji, :downvote, awardable: merge_request, user: user) }
...@@ -115,6 +115,8 @@ describe API::API, api: true do ...@@ -115,6 +115,8 @@ describe API::API, api: true do
end end
describe "POST /projects/:id/awardable/:awardable_id/award_emoji" do describe "POST /projects/:id/awardable/:awardable_id/award_emoji" do
let(:issue2) { create(:issue, project: project, author: user) }
context "on an issue" do context "on an issue" do
it "creates a new award emoji" do it "creates a new award emoji" do
post api("/projects/#{project.id}/issues/#{issue.id}/award_emoji", user), name: 'blowfish' post api("/projects/#{project.id}/issues/#{issue.id}/award_emoji", user), name: 'blowfish'
...@@ -136,6 +138,12 @@ describe API::API, api: true do ...@@ -136,6 +138,12 @@ describe API::API, api: true do
expect(response).to have_http_status(401) expect(response).to have_http_status(401)
end end
it "returns a 404 error if the user authored issue" do
post api("/projects/#{project.id}/issues/#{issue2.id}/award_emoji", user), name: 'thumbsup'
expect(response).to have_http_status(404)
end
it "normalizes +1 as thumbsup award" do it "normalizes +1 as thumbsup award" do
post api("/projects/#{project.id}/issues/#{issue.id}/award_emoji", user), name: '+1' post api("/projects/#{project.id}/issues/#{issue.id}/award_emoji", user), name: '+1'
...@@ -155,6 +163,8 @@ describe API::API, api: true do ...@@ -155,6 +163,8 @@ describe API::API, api: true do
end end
describe "POST /projects/:id/awardable/:awardable_id/notes/:note_id/award_emoji" do describe "POST /projects/:id/awardable/:awardable_id/notes/:note_id/award_emoji" do
let(:note2) { create(:note, project: project, noteable: issue, author: user) }
it 'creates a new award emoji' do it 'creates a new award emoji' do
expect do expect do
post api("/projects/#{project.id}/issues/#{issue.id}/notes/#{note.id}/award_emoji", user), name: 'rocket' post api("/projects/#{project.id}/issues/#{issue.id}/notes/#{note.id}/award_emoji", user), name: 'rocket'
...@@ -164,6 +174,12 @@ describe API::API, api: true do ...@@ -164,6 +174,12 @@ describe API::API, api: true do
expect(json_response['user']['username']).to eq(user.username) expect(json_response['user']['username']).to eq(user.username)
end end
it "it returns 404 error when user authored note" do
post api("/projects/#{project.id}/issues/#{issue.id}/notes/#{note2.id}/award_emoji", user), name: 'thumbsup'
expect(response).to have_http_status(404)
end
it "normalizes +1 as thumbsup award" do it "normalizes +1 as thumbsup award" do
post api("/projects/#{project.id}/issues/#{issue.id}/notes/#{note.id}/award_emoji", user), name: '+1' post api("/projects/#{project.id}/issues/#{issue.id}/notes/#{note.id}/award_emoji", user), name: '+1'
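Review bot: The two new examples exercise only `name: 'thumbsup'`, so the normalisation inside `user_can_award?`, the step that stops an alias from slipping past the rule, is never tested on an authored item. Add a case that posts the alias to the authored issue, `post api("/projects/#{project.id}/issues/#{issue2.id}/award_emoji", user), name: '+1'` with `expect(response).to have_http_status(404)`, and a matching one for the downvote name. A positive case showing that a non-vote emoji on `issue2` still succeeds would pin down that the restriction is limited to votes. The description `it "it returns 404 error when user authored note"` also doubles the word "it".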
......