Merge branch '54385-board-policy' into 'master'

Add BoardPolicy Closes gitlab-ce#54385 See merge request gitlab-org/gitlab-ee!9218

Merge branch '54385-board-policy' into 'master'
Add BoardPolicy Closes gitlab-ce#54385 See merge request gitlab-org/gitlab-ee!9218
4a363578 · Rémy Coutable · 0ef4f416 · fcecee43 · 4a363578 · 4a363578
Commit 4a363578 authored Jan 24, 2019 by Rémy Coutable
8 changed files
--- a/app/controllers/concerns/boards_responses.rb
+++ b/app/controllers/concerns/boards_responses.rb
@@ -34,15 +34,11 @@ module BoardsResponses
  end

  def authorize_read_list
-    ability = board.group_board? ? :read_group : :read_list
-
-    authorize_action_for!(board.parent, ability)
+    authorize_action_for!(board, :read_list)
  end

  def authorize_read_issue
-    ability = board.group_board? ? :read_group : :read_issue
-
-    authorize_action_for!(board.parent, ability)
+    authorize_action_for!(board, :read_issue)
  end

  def authorize_update_issue
@@ -57,7 +53,7 @@ module BoardsResponses
  end

  def authorize_admin_list
-    authorize_action_for!(board.parent, :admin_list)
+    authorize_action_for!(board, :admin_list)
  end

  def authorize_action_for!(resource, ability)

--- a/app/policies/board_policy.rb
+++ b/app/policies/board_policy.rb
+# frozen_string_literal: true
+
+class BoardPolicy < BasePolicy
+  delegate { @subject.parent }
+
+  condition(:is_group_board) { @subject.group_board? }
+
+  rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
+
+  rule { is_group_board & can?(:read_group) }.policy do
+    enable :read_milestone
+    enable :read_issue
+  end
+end
--- a/ee/app/controllers/concerns/ee/boards_responses.rb
+++ b/ee/app/controllers/concerns/ee/boards_responses.rb
@@ -5,15 +5,11 @@ module EE
    extend ActiveSupport::Concern

    def authorize_read_parent
-      ability = board.group_board? ? :read_group : :read_project
-
-      authorize_action_for!(board.parent, ability)
+      authorize_action_for!(board, :read_parent)
    end

    def authorize_read_milestone
-      ability = board.group_board? ? :read_group : :read_milestone
-
-      authorize_action_for!(board.parent, ability)
+      authorize_action_for!(board, :read_milestone)
    end
  end
 end
--- a/ee/spec/controllers/boards/issues_controller_spec.rb
+++ b/ee/spec/controllers/boards/issues_controller_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe Boards::IssuesController do
  include ExternalAuthorizationServiceHelpers

-  let(:group) { create(:group) }
+  let(:group) { create(:group, :private) }
  let(:project_1) { create(:project, namespace: group) }
  let(:project_2) { create(:project, namespace: group) }
  let(:board) { create(:board, group: group) }
@@ -79,8 +79,7 @@ describe Boards::IssuesController do

    context 'with unauthorized user' do
      before do
-        allow(Ability).to receive(:allowed?).and_call_original
-        allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
+        group.group_member(user).destroy
      end

      it 'returns a forbidden 403 response' do

--- a/ee/spec/controllers/boards/lists_controller_spec.rb
+++ b/ee/spec/controllers/boards/lists_controller_spec.rb
 require 'spec_helper'

 describe Boards::ListsController do
-  let(:group) { create(:group) }
+  let(:group) { create(:group, :private) }
  let(:board)   { create(:board, group: group) }
  let(:user)    { create(:user) }
  let(:guest)   { create(:user) }
@@ -32,7 +32,7 @@ describe Boards::ListsController do

    context 'with unauthorized user' do
      before do
-        allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
+        group.group_member(user).destroy
      end

      it 'returns a forbidden 403 response' do

--- a/ee/spec/controllers/boards/milestones_controller_spec.rb
+++ b/ee/spec/controllers/boards/milestones_controller_spec.rb
 require 'spec_helper'

 describe Boards::MilestonesController do
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :private) }
  let(:board) { create(:board, project: project) }
  let(:user)  { create(:user) }

@@ -14,15 +14,34 @@ describe Boards::MilestonesController do
        sign_in(user)
      end

-      it 'returns a list of all milestones of board parent' do
-        get :index, params: { board_id: board.to_param }, format: :json
+      shared_examples 'authorized board milestone listing' do
+        it 'returns a list of all milestones of board parent' do
+          get :index, params: { board_id: board.to_param }, format: :json
+
+          expect(response).to have_gitlab_http_status(200)
+
+          parsed_response = JSON.parse(response.body)
+
+          expect(response.content_type).to eq('application/json')
+          expect(parsed_response).to all(match_schema('entities/milestone', dir: 'ee'))
+          expect(parsed_response.size).to eq(1)
+        end
+      end
+
+      context 'with private group board' do
+        let(:group) { create(:group, :private) }
+        let(:board) { create(:board, group: group) }

-        parsed_response = JSON.parse(response.body)
+        before do
+          create(:milestone, group: group)
+          group.add_maintainer(user)
+        end

-        expect(response).to have_gitlab_http_status(200)
-        expect(response.content_type).to eq('application/json')
-        expect(parsed_response).to all(match_schema('entities/milestone', dir: 'ee'))
-        expect(parsed_response.size).to eq(1)
+        it_behaves_like 'authorized board milestone listing'
+      end
+
+      context 'with private project board' do
+        it_behaves_like 'authorized board milestone listing'
      end
    end


--- a/spec/controllers/boards/issues_controller_spec.rb
+++ b/spec/controllers/boards/issues_controller_spec.rb
 require 'spec_helper'

 describe Boards::IssuesController do
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :private) }
  let(:board)   { create(:board, project: project) }
  let(:user)    { create(:user) }
  let(:guest)   { create(:user) }
@@ -127,14 +127,10 @@ describe Boards::IssuesController do
    end

    context 'with unauthorized user' do
-      before do
-        allow(Ability).to receive(:allowed?).and_call_original
-        allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
-        allow(Ability).to receive(:allowed?).with(user, :read_issue, project).and_return(false)
-      end
+      let(:unauth_user) { create(:user) }

      it 'returns a forbidden 403 response' do
-        list_issues user: user, board: board, list: list2
+        list_issues user: unauth_user, board: board, list: list2

        expect(response).to have_gitlab_http_status(403)
      end

--- a/spec/controllers/boards/lists_controller_spec.rb
+++ b/spec/controllers/boards/lists_controller_spec.rb
@@ -31,13 +31,10 @@ describe Boards::ListsController do
    end

    context 'with unauthorized user' do
-      before do
-        allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
-        allow(Ability).to receive(:allowed?).with(user, :read_list, project).and_return(false)
-      end
+      let(:unauth_user) { create(:user) }

      it 'returns a forbidden 403 response' do
-        read_board_list user: user, board: board
+        read_board_list user: unauth_user, board: board

        expect(response).to have_gitlab_http_status(403)
      end