Commit 48e31ef4 authored by Peter Leitzen

Prevent users from assigning an invalid issue type to new issues

Prior to this change, when creating a new issue, the passed parameter
`issue_type` wasn't validated for its presence. We only checked if the
corresponding policy is allowed.

For example:

When passing issue_type=incident we check if `create_incident` policy
exists.

When passing issue_type=foo the policy check failed because there was no
`create_foo` policy.

Passing issue_type=project, however, passes the policy check for
`create_project` but the following assignment of issue_type in Issue
fails with a 500 error because there is no such issue type (WorkItem::Type
soon) "project".

This commit checks the presence of the passed issue_type before checking
the corresponding policy to prevent such an error.
parent ff3342be
...@@ -84,6 +84,7 @@ module Issues ...@@ -84,6 +84,7 @@ module Issues
# @param object [Issue, Project] # @param object [Issue, Project]
def issue_type_allowed?(object) def issue_type_allowed?(object)
WorkItem::Type.base_types.key?(params[:issue_type]) &&
can?(current_user, :"create_#{params[:issue_type]}", object) can?(current_user, :"create_#{params[:issue_type]}", object)
end end
......
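Review bot: the new `WorkItem::Type.base_types.key?(params[:issue_type])` guard in `issue_type_allowed?` is order-dependent and undocumented. It has to run before `can?` because the ability name is still built by interpolating the request parameter into `:"create_#{params[:issue_type]}"`, which can match an unrelated policy such as `create_project`. A one-line comment above the guard saying so would stop a later refactor from reordering or dropping it. It is also worth confirming that `key?` behaves the same whether `params[:issue_type]` arrives as a String or a Symbol, and that a missing parameter (nil) still falls back to the default type; neither is visible in this hunk.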
...@@ -183,8 +183,8 @@ RSpec.describe Issues::BuildService do ...@@ -183,8 +183,8 @@ RSpec.describe Issues::BuildService do
expect(issue).to be_incident expect(issue).to be_incident
end end
it 'cannot set invalid type' do it 'cannot set invalid issue type' do
issue = build_issue(issue_type: 'invalid type') issue = build_issue(issue_type: 'project')
expect(issue).to be_issue expect(issue).to be_issue
end end
......
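Review bot: in 'cannot set invalid issue type', replacing 'invalid type' with 'project' drops the only case where the value matches no policy at all. The two inputs are rejected for different reasons (no matching `create_...` ability versus a value outside the type list that still maps to an existing ability), so keep the original example next to the new one rather than overwriting it. Also consider asserting that the spec's user can actually `create_project` in this context; if that ability is denied, `expect(issue).to be_issue` would pass even without the new guard and the example would not cover the regression.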