Commit 072ba67e authored by Eugenia Grieff's avatar Eugenia Grieff

Change permissions to access parent groups

- If the user is a member of a project, they can
access the project group and its ancestors
milestones, but for group milestones we have
to check access rights for each ancestor group
parent cca6c825
......@@ -34,7 +34,7 @@ Parameters:
| `state` | string | no | Return only `active` or `closed` milestones |
| `title` | string | no | Return only the milestones having the given `title` |
| `search` | string | no | Return only milestones with a title or description matching the provided string |
| `include_parent_milestones` | boolean | optional | Include milestones from parent group and its ancestors. Introduced in [GitLab 13.3](https://gitlab.com/gitlab-org/gitlab/-/issues/196066) |
| `include_parent_milestones` | boolean | optional | Include milestones from parent group and its ancestors. Introduced in [GitLab 13.4](https://gitlab.com/gitlab-org/gitlab/-/issues/196066) |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/milestones"
......
......@@ -32,7 +32,7 @@ Parameters:
| `state` | string | optional | Return only `active` or `closed` milestones |
| `title` | string | optional | Return only the milestones having the given `title` |
| `search` | string | optional | Return only milestones with a title or description matching the provided string |
| `include_parent_milestones` | boolean | optional | Include group milestones from parent group and its ancestors. Introduced in [GitLab 13.3](https://gitlab.com/gitlab-org/gitlab/-/issues/196066) |
| `include_parent_milestones` | boolean | optional | Include group milestones from parent group and its ancestors. Introduced in [GitLab 13.4](https://gitlab.com/gitlab-org/gitlab/-/issues/196066) |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/milestones"
......
......@@ -45,18 +45,6 @@ module API
present paginate(milestones), with: Entities::Milestone
end
def filter_milestones(milestones)
milestones = Milestone.filter_by_state(milestones, params[:state])
if params[:iids].present? && !params[:include_parent_milestones]
milestones = filter_by_iid(milestones, params[:iids])
end
milestones = filter_by_title(milestones, params[:title]) if params[:title]
milestones = filter_by_search(milestones, params[:search]) if params[:search]
milestones
end
def get_milestone_for(parent)
milestone = parent.milestones.find(params[:milestone_id])
present milestone, with: Entities::Milestone
......@@ -125,13 +113,24 @@ module API
end
def parent_and_ancestors_milestones(parent)
project_id = parent.is_a?(Project) ? parent.id : nil
project_id, group_ids = if parent.is_a?(Project)
[parent.id, project_group_ids(parent)]
else
[nil, parent_group_ids(parent)]
end
Milestone.for_projects_and_groups(project_id, group_ids)
end
def project_group_ids(parent)
group = parent.group
return unless group.present?
Milestone.for_projects_and_groups(project_id, group_ids(parent))
group.self_and_ancestors.select(:id)
end
def group_ids(parent)
group = parent.is_a?(Project) ? parent.group : parent
def parent_group_ids(group)
return unless group.present?
group.self_and_ancestors
.public_or_visible_to_user(current_user)
......
......@@ -9,62 +9,56 @@ RSpec.describe API::GroupMilestones do
let_it_be(:group_member) { create(:group_member, group: group, user: user) }
let_it_be(:closed_milestone) { create(:closed_milestone, group: group, title: 'version1', description: 'closed milestone') }
let_it_be(:milestone) { create(:milestone, group: group, title: 'version2', description: 'open milestone') }
it_behaves_like 'group and project milestones', "/groups/:id/milestones" do
let(:route) { "/groups/#{group.id}/milestones" }
end
it_behaves_like 'group and project milestones', "/groups/:id/milestones"
describe 'GET /groups/:id/milestones' do
context 'when include_parent_milestones is true' do
let_it_be(:subgroup) { create(:group, :private, parent: group) }
let_it_be(:subgroup_milestone) { create(:milestone, group: subgroup) }
let_it_be(:route) { "/groups/#{subgroup.id}/milestones" }
let_it_be(:ancestor_group) { create(:group, :private) }
let_it_be(:ancestor_group_milestone) { create(:milestone, group: ancestor_group) }
let_it_be(:params) { { include_parent_milestones: true } }
shared_examples 'lists all milestones' do
it 'includes parent and ancestors milestones' do
milestones = [subgroup_milestone, milestone, closed_milestone]
before_all do
group.update(parent: ancestor_group)
end
shared_examples 'listing all milestones' do
it 'returns correct list of milestones' do
get api(route, user), params: params
expect(response).to have_gitlab_http_status(:ok)
expect(json_response.size).to eq(3)
expect(json_response.size).to eq(milestones.size)
expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
end
end
context 'when user has access to all groups' do
context 'when user has access to ancestor groups' do
let(:milestones) { [ancestor_group_milestone, milestone, closed_milestone] }
before do
group.add_developer(user)
subgroup.add_developer(user)
ancestor_group.add_guest(user)
group.add_guest(user)
end
it_behaves_like 'lists all milestones'
it_behaves_like 'listing all milestones'
context 'when iids param is present' do
before do
params.merge(iids: [milestone.iid])
end
let_it_be(:params) { { include_parent_milestones: true, iids: [milestone.iid] } }
it_behaves_like 'lists all milestones'
it_behaves_like 'listing all milestones'
end
end
context 'when user has no access to an ancestor group' do
let_it_be(:user2) { create(:user) }
context 'when user has no access to ancestor groups' do
let(:user) { create(:user) }
before do
subgroup.add_developer(user2)
group.add_guest(user)
end
it 'does not show ancestor group milestones' do
milestones = [subgroup_milestone]
get api(route, user2), params: { include_parent_milestones: true }
expect(response).to have_gitlab_http_status(:ok)
expect(json_response.size).to eq(1)
expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
it_behaves_like 'listing all milestones' do
let(:milestones) { [milestone, closed_milestone] }
end
end
end
......
......@@ -7,74 +7,61 @@ RSpec.describe API::ProjectMilestones do
let_it_be(:project) { create(:project, namespace: user.namespace ) }
let_it_be(:closed_milestone) { create(:closed_milestone, project: project, title: 'version1', description: 'closed milestone') }
let_it_be(:milestone) { create(:milestone, project: project, title: 'version2', description: 'open milestone') }
let_it_be(:route) { "/projects/#{project.id}/milestones" }
before do
project.add_developer(user)
end
it_behaves_like 'group and project milestones', "/projects/:id/milestones" do
let_it_be(:route) { "/projects/#{project.id}/milestones" }
end
it_behaves_like 'group and project milestones', "/projects/:id/milestones"
describe 'GET /projects/:id/milestones' do
context 'when include_parent_milestones is true' do
let_it_be(:parent_group) { create(:group, :private) }
let_it_be(:subgroup) { create(:group, :private, parent: parent_group) }
let_it_be(:sub_project) { create(:project, group: subgroup) }
let_it_be(:sub_project_milestone) { create(:milestone, project: sub_project) }
let_it_be(:parent_group_milestone) { create(:milestone, group: parent_group) }
let_it_be(:subgroup_milestone) { create(:milestone, group: subgroup) }
let_it_be(:route) { "/projects/#{sub_project.id}/milestones" }
let_it_be(:params) { { include_parent_milestones: true } }
before do
sub_project.add_developer(user)
end
shared_examples 'lists all milestones' do
it 'includes parent and ancestors milestones' do
milestones = [subgroup_milestone, parent_group_milestone, sub_project_milestone]
let_it_be(:ancestor_group) { create(:group, :private) }
let_it_be(:group) { create(:group, :private, parent: ancestor_group) }
let_it_be(:ancestor_group_milestone) { create(:milestone, group: ancestor_group) }
let_it_be(:group_milestone) { create(:milestone, group: group) }
let(:params) { { include_parent_milestones: true } }
shared_examples 'listing all milestones' do
it 'returns correct list of milestones' do
get api(route, user), params: params
expect(response).to have_gitlab_http_status(:ok)
expect(json_response.size).to eq(3)
expect(json_response.size).to eq(milestones.size)
expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
end
end
context 'when user has access to all groups' do
before do
parent_group.add_developer(user)
subgroup.add_developer(user)
context 'when project parent is a namespace' do
it_behaves_like 'listing all milestones' do
let(:milestones) { [milestone, closed_milestone] }
end
end
it_behaves_like 'lists all milestones'
context 'when project parent is a group' do
let(:milestones) { [group_milestone, ancestor_group_milestone, milestone, closed_milestone] }
context 'when iids param is present' do
before do
params.merge(iids: [sub_project_milestone.iid])
before_all do
project.update(namespace: group)
end
it_behaves_like 'lists all milestones'
end
end
it_behaves_like 'listing all milestones'
context 'when user has no access to an ancestor group' do
let(:user2) { create(:user) }
context 'when iids param is present' do
let(:params) { { include_parent_milestones: true, iids: [group_milestone.iid] } }
before do
sub_project.add_developer(user2)
it_behaves_like 'listing all milestones'
end
it 'does not show ancestor group milestones' do
milestones = [subgroup_milestone, sub_project_milestone]
context 'when user is not a member of the private project' do
let(:external_user) { create(:user) }
get api(route, user2), params: { include_parent_milestones: true }
it 'returns a 404 error' do
get api(route, external_user), params: params
expect(response).to have_gitlab_http_status(:ok)
expect(json_response.size).to eq(2)
expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment