Commit 0cdce852 authored by Vitali Tatarintev's avatar Vitali Tatarintev

Check if user can comment on issue

Add an extra check that prevents creating notes on issues
with a locked discussion
parent ba9b746b
......@@ -11,15 +11,12 @@ module Gitlab
'issue comment <id> *`⇧ Shift`*+*`↵ Enter`* <comment>'
end
def self.allowed?(issue, user)
can?(user, :create_note, issue)
end
def execute(match)
note_body = match[:note_body].to_s.strip
issue = find_by_iid(match[:iid])
return not_found unless issue
return access_denied unless can_create_note?(issue)
note = create_note(issue: issue, note: note_body)
......@@ -32,10 +29,18 @@ module Gitlab
private
def can_create_note?(issue)
Ability.allowed?(current_user, :create_note, issue)
end
def not_found
Gitlab::SlashCommands::Presenters::Access.new.not_found
end
def access_denied
Gitlab::SlashCommands::Presenters::Access.new.generic_access_denied
end
def create_note(issue:, note:)
note_params = { noteable: issue, note: note }
......
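Review bot: The new guard `return access_denied unless can_create_note?(issue)` in `execute` answers differently from `return not_found unless issue`, so a caller who may not read an issue could tell an existing IID from a missing one unless `find_by_iid` already restricts the lookup to issues visible to `current_user`. That helper is not shown in this section, so this needs confirming. If the lookup is not scoped, return `not_found` when the user cannot read the issue and keep `access_denied` for the readable-but-locked case. I would also put a comment above `can_create_note?`, for example `# Checked against the issue (not the project) so a locked discussion is honoured.` The body of `execute` continues past the end of the hunk.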
......@@ -3,18 +3,20 @@
require 'spec_helper'
describe Gitlab::SlashCommands::IssueComment do
let_it_be(:project) { create(:project) }
let_it_be(:issue) { create(:issue, project: project) }
let(:user) { issue.author }
describe '#execute' do
let(:project) { create(:project, :public) }
let(:issue) { create(:issue, project: project) }
let(:user) { issue.author }
let(:chat_name) { double(:chat_name, user: user) }
let(:regex_match) { described_class.match("issue comment #{issue.iid}\nComment body") }
subject { described_class.new(project, chat_name).execute(regex_match) }
context 'when the issue exists' do
context 'when the user does not have permission' do
context 'when project is private' do
let(:project) { create(:project) }
context 'when the user is not a member of the project' do
let(:chat_name) { double(:chat_name, user: create(:user)) }
it 'does not allow the user to comment' do
......@@ -23,6 +25,23 @@ describe Gitlab::SlashCommands::IssueComment do
expect(issue.reload.notes.count).to be_zero
end
end
end
context 'when the user is not a member of the project' do
let(:chat_name) { double(:chat_name, user: create(:user)) }
context 'when the discussion is locked in the issue' do
before do
issue.update!(discussion_locked: true)
end
it 'does not allow the user to comment' do
expect(subject[:response_type]).to be(:ephemeral)
expect(subject[:text]).to match('You are not allowed')
expect(issue.reload.notes.count).to be_zero
end
end
end
context 'when the user can comment on the issue' do
context 'when comment body exists' do
......@@ -52,7 +71,7 @@ describe Gitlab::SlashCommands::IssueComment do
end
end
context 'the issue does not exist' do
context 'when the issue does not exist' do
let(:regex_match) { described_class.match("issue comment 2343242\nComment body") }
it 'returns not found' do
......@@ -95,24 +114,4 @@ describe Gitlab::SlashCommands::IssueComment do
end
end
end
describe '.allowed?' do
subject { described_class.allowed?(issue, user) }
before do
allow(Ability).to receive(:allowed?).with(user, :create_note, issue).and_return(is_allowed)
end
context 'when the user can create a note' do
let(:is_allowed) { true }
it { is_expected.to be_truthy }
end
context 'when the user cannot create a note' do
let(:is_allowed) { false }
it { is_expected.to be_falsey }
end
end
end
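Review bot: The added context 'when the discussion is locked in the issue' covers only the denial path for a non-member, so a regression that refused every comment on a locked issue would still pass these examples. Add the complementary example under the same `before` that locks the issue: make the commenter a project member with `before { project.add_developer(user) }` and assert `expect { subject }.to change { issue.notes.count }.by(1)`. The existing 'when the user can comment on the issue' context appears to run against an unlocked issue, though part of it lies outside the visible hunks. Pinning both sides of the authorization decision keeps the check from drifting in either direction.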