Merge branch 'fa-fix_test_cases_controller__permission' into 'master'

Fix TestCasesController permission inconsistency See merge request gitlab-org/gitlab!55893

Merge branch 'fa-fix_test_cases_controller__permission' into 'master'
Fix TestCasesController permission inconsistency See merge request gitlab-org/gitlab!55893
3b1446c8 · Mark Chao · 8f5fc535 · d15fb4cc · 3b1446c8 · 3b1446c8
Commit 3b1446c8 authored Mar 10, 2021 by Mark Chao
2 changed files
--- a/ee/app/controllers/projects/quality/test_cases_controller.rb
+++ b/ee/app/controllers/projects/quality/test_cases_controller.rb
@@ -5,7 +5,7 @@ class Projects::Quality::TestCasesController < Projects::ApplicationController

  before_action :check_quality_management_available!
  before_action :authorize_read_issue!
-  before_action :authorize_create_issue!, only: [:new]
+  before_action :authorize_admin_issue!, only: [:new]

  feature_category :quality_management


--- a/ee/spec/controllers/projects/quality/test_cases_controller_spec.rb
+++ b/ee/spec/controllers/projects/quality/test_cases_controller_spec.rb
@@ -4,13 +4,14 @@ require 'spec_helper'

 RSpec.describe Projects::Quality::TestCasesController do
  let_it_be(:project) { create(:project) }
-  let_it_be(:user) { create(:user) }
+  let_it_be(:non_member) { create(:user) }
+  let_it_be(:guest) { create(:project_member, :guest, project: project).user }
+  let_it_be(:reporter) { create(:project_member, :reporter, project: project).user }

  shared_examples_for 'test case action' do |template|
    context 'with authorized user' do
      before do
-        project.add_developer(user)
-        sign_in(user)
+        sign_in(authorized_user)
      end

      context 'when feature is available' do
@@ -41,7 +42,7 @@ RSpec.describe Projects::Quality::TestCasesController do

    context 'with unauthorized user' do
      before do
-        sign_in(user)
+        sign_in(unauthorized_user)
      end

      context 'when feature is available' do
@@ -69,18 +70,26 @@ RSpec.describe Projects::Quality::TestCasesController do

  describe 'GET' do
    describe '#index' do
+      let_it_be(:authorized_user) { guest }
+      let_it_be(:unauthorized_user) { non_member }
+
      subject { get :index, params: { namespace_id: project.namespace, project_id: project } }

      it_behaves_like 'test case action', :index
    end

    describe '#new' do
+      let_it_be(:authorized_user) { reporter }
+      let_it_be(:unauthorized_user) { guest }
+
      subject { get :new, params: { namespace_id: project.namespace, project_id: project } }

      it_behaves_like 'test case action', :new
    end

    describe '#show' do
+      let_it_be(:authorized_user) { guest }
+      let_it_be(:unauthorized_user) { non_member }
      let_it_be(:test_case) { create(:quality_test_case, project: project) }

      subject { get :show, params: { namespace_id: project.namespace, project_id: project, id: test_case } }
@@ -90,8 +99,7 @@ RSpec.describe Projects::Quality::TestCasesController do
      context 'when feature is enabled and user has access' do
        before do
          stub_licensed_features(quality_management: true)
-          project.add_developer(user)
-          sign_in(user)
+          sign_in(authorized_user)
        end

        it 'assigns test case related variables' do