Disallow reopening of locked merge requests

Fixes #56864

Disallow reopening of locked merge requests
Fixes #56864
eba4b940 · Jan Beckmann · Sean McGivern · 66481881 · eba4b940 · eba4b940
Commit eba4b940 authored Mar 08, 2019 by Jan Beckmann Committed by Sean McGivern Mar 08, 2019
9 changed files
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -17,6 +17,7 @@ class IssuablePolicy < BasePolicy
    enable :reopen_issue
    enable :read_merge_request
    enable :update_merge_request
+    enable :reopen_merge_request
  end

  rule { locked & ~is_project_member }.policy do

--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
 # frozen_string_literal: true

 class MergeRequestPolicy < IssuablePolicy
+  rule { locked }.policy do
+    prevent :reopen_merge_request
+  end
 end
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -231,6 +231,7 @@ class ProjectPolicy < BasePolicy
    enable :admin_merge_request
    enable :admin_milestone
    enable :update_merge_request
+    enable :reopen_merge_request
    enable :create_commit_status
    enable :update_commit_status
    enable :create_build

--- a/app/services/merge_requests/reopen_service.rb
+++ b/app/services/merge_requests/reopen_service.rb
@@ -3,7 +3,7 @@
 module MergeRequests
  class ReopenService < MergeRequests::BaseService
    def execute(merge_request)
-      return merge_request unless can?(current_user, :update_merge_request, merge_request)
+      return merge_request unless can?(current_user, :reopen_merge_request, merge_request)

      if merge_request.reopen
        create_event(merge_request)

--- a/app/views/projects/merge_requests/_mr_title.html.haml
+++ b/app/views/projects/merge_requests/_mr_title.html.haml
 - can_update_merge_request = can?(current_user, :update_merge_request, @merge_request)
+- can_reopen_merge_request = can?(current_user, :reopen_merge_request, @merge_request)

 - if @merge_request.closed_without_fork?
  .alert.alert-danger
@@ -33,10 +34,11 @@
          - if can_update_merge_request
            %li{ class: [merge_request_button_visibility(@merge_request, true), 'js-close-item'] }
              = link_to 'Close', merge_request_path(@merge_request, merge_request: { state_event: :close }), method: :put, title: 'Close merge request'
+          - if can_reopen_merge_request
            %li{ class: merge_request_button_visibility(@merge_request, false) }
              = link_to 'Reopen', merge_request_path(@merge_request, merge_request: { state_event: :reopen }), method: :put, class: 'reopen-mr-link', title: 'Reopen merge request'

      - if can_update_merge_request
        = link_to 'Edit', edit_project_merge_request_path(@project, @merge_request), class: "d-none d-sm-none d-md-block btn btn-grouped js-issuable-edit qa-edit-button"

-      = render 'shared/issuable/close_reopen_button', issuable: @merge_request, can_update: can_update_merge_request, can_reopen: can_update_merge_request
+      = render 'shared/issuable/close_reopen_button', issuable: @merge_request, can_update: can_update_merge_request, can_reopen: can_reopen_merge_request
--- a/changelogs/unreleased/56864-reopen-locked-mr.yml
+++ b/changelogs/unreleased/56864-reopen-locked-mr.yml
+---
+title: Disallow reopening of a locked merge request
+merge_request: 24882
+author: Jan Beckmann
+type: fixed
--- a/doc/user/discussions/index.md
+++ b/doc/user/discussions/index.md
@@ -276,7 +276,7 @@ edit existing comments. Non-team members are restricted from adding or editing c
 | :-----------: | :----------: |
 | ![Comment form member](img/lock_form_member.png) | ![Comment form non-member](img/lock_form_non_member.png) |

-Additionally locked issues can not be reopened.
+Additionally, locked issues and merge requests can not be reopened.

 ## Filtering notes


--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -13,7 +13,7 @@ describe IssuablePolicy, models: true do

      context 'when user is able to read project' do
        it 'enables user to read and update issuables' do
-          expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request)
+          expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request, :reopen_merge_request)
        end
      end

@@ -24,12 +24,12 @@ describe IssuablePolicy, models: true do
          it 'enables user to read and update issuables' do
            project.add_maintainer(user)

-            expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request)
+            expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request, :reopen_merge_request)
          end
        end

        it 'disallows user from reading and updating issuables from that project' do
-          expect(policies).to be_disallowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request)
+          expect(policies).to be_disallowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request, :reopen_merge_request)
        end
      end
    end

--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
+require 'spec_helper'
+
+describe MergeRequestPolicy do
+  let(:guest) { create(:user) }
+  let(:author) { create(:user) }
+  let(:developer) { create(:user) }
+  let(:project) { create(:project, :public) }
+
+  def permissions(user, merge_request)
+    described_class.new(user, merge_request)
+  end
+
+  before do
+    project.add_guest(guest)
+    project.add_guest(author)
+    project.add_developer(developer)
+  end
+
+  context 'when merge request is unlocked' do
+    let(:merge_request) { create(:merge_request, :closed, source_project: project, target_project: project, author: author) }
+
+    it 'allows author to reopen merge request' do
+      expect(permissions(author, merge_request)).to be_allowed(:reopen_merge_request)
+    end
+
+    it 'allows developer to reopen merge request' do
+      expect(permissions(developer, merge_request)).to be_allowed(:reopen_merge_request)
+    end
+
+    it 'prevents guest from reopening merge request' do
+      expect(permissions(guest, merge_request)).to be_disallowed(:reopen_merge_request)
+    end
+  end
+
+  context 'when merge request is locked' do
+    let(:merge_request_locked) { create(:merge_request, :closed, discussion_locked: true, source_project: project, target_project: project, author: author) }
+
+    it 'prevents author from reopening merge request' do
+      expect(permissions(author, merge_request_locked)).to be_disallowed(:reopen_merge_request)
+    end
+
+    it 'prevents developer from reopening merge request' do
+      expect(permissions(developer, merge_request_locked)).to be_disallowed(:reopen_merge_request)
+    end
+
+    it 'prevents guests from reopening merge request' do
+      expect(permissions(guest, merge_request_locked)).to be_disallowed(:reopen_merge_request)
+    end
+  end
+end