nexedi
gitlab-ce
Commit
2023167f
authored
Nov 09, 2018
by
Felipe Artur
Resolve: Guest can set weight of a new issue
Delete weight parameter when guest is creating issuables.
parent
c756b66b
Changes
3
Showing
3 changed files
with
55 additions
and
1 deletion
+55
-1
ee/app/services/ee/issuable_base_service.rb
+7
-1
ee/changelogs/unreleased/security-issue_7696.yml
+5
-0
ee/spec/services/issues/create_service_spec.rb
+43
-0
ee/app/services/ee/issuable_base_service.rb
...
@@ -3,7 +3,13 @@ module EE
...
@@ -3,7 +3,13 @@ module EE
private
private
def
filter_params
(
issuable
)
def
filter_params
(
issuable
)
params
.
delete
(
:weight
)
unless
issuable
.
supports_weight?
# This security check is repeated here to avoid multiple backports,
# this should be refactored to be reused from the base class.
ability_name
=
:"admin_
#{
issuable
.
to_ability_name
}
"
unless
issuable
.
supports_weight?
&&
can?
(
current_user
,
ability_name
,
issuable
)
params
.
delete
(
:weight
)
end
super
super
end
end
...
...
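Review bot: the inline comment in this hunk admits that the `can?(current_user, ability_name, issuable)` check duplicates one in the base class and "should be refactored"; that debt should be tracked in a follow-up issue before the backports land, otherwise the two copies will drift. The new `unless issuable.supports_weight? && can?(...)` guard is only applied to `:weight`; when the refactor happens, moving the authorization into a shared permitted-params filter in the base class means any other privileged issuable attribute gets the same treatment instead of a per-field special case. Note also that `filter_params` is on `EE::IssuableBaseService`, so `Issues::UpdateService` goes through the same path, but the spec added in this commit only exercises `Issues::CreateService`; a matching guest-update case would cover the other half of the fix.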
ee/changelogs/unreleased/security-issue_7696.yml
0 → 100644
---
title
:
'
Resolve:
Guest
can
set
weight
of
a
new
issue'
merge_request
:
author
:
type
:
security
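Review bot: the `merge_request:` and `author:` fields are left empty; that is acceptable for a security fix prepared in a confidential merge request, but the MR number should be filled in once the fix is public so the changelog entry can be traced. The `title` reuses the issue heading verbatim ("Resolve: Guest can set weight of a new issue"); changelog entries read better as a description of the fix, e.g. `Prevent guests from setting weight when creating issues`, rather than the tracker's "Resolve:" prefix.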
ee/spec/services/issues/create_service_spec.rb
0 → 100644
require
'spec_helper'
describe
Issues
::
CreateService
do
let
(
:project
)
{
create
(
:project
)
}
let
(
:opts
)
do
{
title:
'Awesome issue'
,
description:
'please fix'
,
weight:
9
}
end
context
'when current user cannot admin issues in the project'
do
let
(
:guest
)
{
create
(
:user
)
}
before
do
project
.
add_guest
(
guest
)
end
it
'filters out params that cannot be set without the :admin_issue permission'
do
issue
=
described_class
.
new
(
project
,
guest
,
opts
).
execute
expect
(
issue
).
to
be_persisted
expect
(
issue
.
weight
).
to
be_nil
end
end
context
'when current user can admin issues in the project'
do
let
(
:reporter
)
{
create
(
:user
)
}
before
do
project
.
add_reporter
(
reporter
)
end
it
'sets permitted params correctly'
do
issue
=
described_class
.
new
(
project
,
reporter
,
opts
).
execute
expect
(
issue
).
to
be_persisted
expect
(
issue
.
weight
).
to
eq
(
9
)
end
end
end
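Review bot: the guest example asserts only `be_persisted` and `weight` is `nil`, so it would also pass if `filter_params` had stripped more than it should; adding `expect(issue.title).to eq('Awesome issue')` and `expect(issue.description).to eq('please fix')` in the `'filters out params that cannot be set without the :admin_issue permission'` example confirms the filter only removes `:weight`. The two contexts share `opts` and differ only in the role added to `project`, which is the right shape for a permission test; consider a third context for a non-member so the check is shown to be permission-based (`:admin_issue`) rather than tied to the Guest role specifically.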