Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
c9be74e2
Commit
c9be74e2
authored
May 16, 2016
by
Felipe Artur
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix single note api request
parent
93ca5c99
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
23 additions
and
8 deletions
+23
-8
lib/api/helpers.rb
lib/api/helpers.rb
+4
-0
lib/api/notes.rb
lib/api/notes.rb
+5
-5
spec/requests/api/notes_spec.rb
spec/requests/api/notes_spec.rb
+14
-3
No files found.
lib/api/helpers.rb
View file @
c9be74e2
...
...
@@ -397,5 +397,9 @@ module API
error!
(
errors
[
:access_level
],
422
)
if
errors
[
:access_level
].
any?
not_found!
(
errors
)
end
def
noteable_ability_name
(
noteable
)
"read_
#{
noteable
.
class
.
to_s
.
underscore
.
downcase
}
"
.
to_sym
end
end
end
lib/api/notes.rb
View file @
c9be74e2
...
...
@@ -20,9 +20,8 @@ module API
# GET /projects/:id/snippets/:noteable_id/notes
get
":id/
#{
noteables_str
}
/:
#{
noteable_id_str
}
/notes"
do
@noteable
=
user_project
.
send
(
noteables_str
.
to_sym
).
find
(
params
[
noteable_id_str
.
to_sym
])
read_ability_name
=
"read_
#{
@noteable
.
class
.
to_s
.
underscore
.
downcase
}
"
.
to_sym
if
can?
(
current_user
,
read_ability_name
,
@noteable
)
if
can?
(
current_user
,
noteable_ability_name
(
@noteable
)
,
@noteable
)
# We exclude notes that are cross-references and that cannot be viewed
# by the current user. By doing this exclusion at this level and not
# at the DB query level (which we cannot in that case), the current
...
...
@@ -52,11 +51,12 @@ module API
get
":id/
#{
noteables_str
}
/:
#{
noteable_id_str
}
/notes/:note_id"
do
@noteable
=
user_project
.
send
(
noteables_str
.
to_sym
).
find
(
params
[
noteable_id_str
.
to_sym
])
@note
=
@noteable
.
notes
.
find
(
params
[
:note_id
])
can_read_note
=
can?
(
current_user
,
noteable_ability_name
(
@noteable
),
@noteable
)
&&
!
@note
.
cross_reference_not_visible_for?
(
current_user
)
if
@note
.
cross_reference_not_visible_for?
(
current_user
)
not_found!
(
"Note"
)
else
if
can_read_note
present
@note
,
with:
Entities
::
Note
else
not_found!
(
"Note"
)
end
end
...
...
spec/requests/api/notes_spec.rb
View file @
c9be74e2
...
...
@@ -3,7 +3,7 @@ require 'spec_helper'
describe
API
::
API
,
api:
true
do
include
ApiHelpers
let
(
:user
)
{
create
(
:user
)
}
let!
(
:project
)
{
create
(
:project
,
namespace:
user
.
namespace
)
}
let!
(
:project
)
{
create
(
:project
,
:public
,
namespace:
user
.
namespace
)
}
let!
(
:issue
)
{
create
(
:issue
,
project:
project
,
author:
user
)
}
let!
(
:merge_request
)
{
create
(
:merge_request
,
source_project:
project
,
target_project:
project
,
author:
user
)
}
let!
(
:snippet
)
{
create
(
:project_snippet
,
project:
project
,
author:
user
)
}
...
...
@@ -51,7 +51,7 @@ describe API::API, api: true do
expect
(
response
.
status
).
to
eq
(
404
)
end
context
"
that references a private issue
"
do
context
"
and current user cannot view the notes
"
do
it
"should return an empty array"
do
get
api
(
"/projects/
#{
ext_proj
.
id
}
/issues/
#{
ext_issue
.
id
}
/notes"
,
user
)
...
...
@@ -142,13 +142,24 @@ describe API::API, api: true do
expect
(
response
.
status
).
to
eq
(
404
)
end
context
"
that references a private issu
e"
do
context
"
and current user cannot view the not
e"
do
it
"should return a 404 error"
do
get
api
(
"/projects/
#{
ext_proj
.
id
}
/issues/
#{
ext_issue
.
id
}
/notes/
#{
cross_reference_note
.
id
}
"
,
user
)
expect
(
response
.
status
).
to
eq
(
404
)
end
context
"when issue is confidential"
do
before
{
issue
.
update_attributes
(
confidential:
true
)
}
it
"returns 404"
do
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
id
}
/notes/
#{
issue_note
.
id
}
"
,
private_user
)
expect
(
response
.
status
).
to
eq
(
404
)
end
end
context
"and current user can view the note"
do
it
"should return an issue note by id"
do
get
api
(
"/projects/
#{
ext_proj
.
id
}
/issues/
#{
ext_issue
.
id
}
/notes/
#{
cross_reference_note
.
id
}
"
,
private_user
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment