Merge branch 'fix-epic-boards-auth' into 'master'

Fix authorizations for epic boards

See merge request gitlab-org/gitlab!60742

app/controllers/concerns/boards_actions.rb

@@ -7,6 +7,7 @@ module BoardsActions
   included do
     include BoardsResponses
 
+    before_action :authorize_read_board!, only: [:index, :show]
     before_action :boards, only: :index
     before_action :board, only: :show
     before_action :push_licensed_features, only: [:index, :show]

app/controllers/groups/boards_controller.rb

@@ -5,7 +5,6 @@ class Groups::BoardsController < Groups::ApplicationController
   include RecordUserLastActivity
   include Gitlab::Utils::StrongMemoize
 
-  before_action :authorize_read_board!, only: [:index, :show]
   before_action :assign_endpoint_vars
   before_action do
     push_frontend_feature_flag(:graphql_board_lists, group, default_enabled: false)

app/controllers/projects/boards_controller.rb

@@ -5,7 +5,6 @@ class Projects::BoardsController < Projects::ApplicationController
   include IssuableCollections
 
   before_action :check_issues_available!
-  before_action :authorize_read_board!, only: [:index, :show]
   before_action :assign_endpoint_vars
   before_action do
     push_frontend_feature_flag(:swimlanes_buffered_rendering, project, default_enabled: :yaml)

ee/app/controllers/groups/epic_boards_controller.rb

@@ -5,7 +5,6 @@ class Groups::EpicBoardsController < Groups::ApplicationController
   include Gitlab::Utils::StrongMemoize
   extend ::Gitlab::Utils::Override
 
-  before_action :authorize_read_board!, only: [:index]
   before_action :assign_endpoint_vars
   before_action do
     push_frontend_feature_flag(:epic_boards, group, default_enabled: :yaml)

ee/spec/controllers/groups/epic_boards_controller_spec.rb

@@ -11,20 +11,52 @@ RSpec.describe Groups::EpicBoardsController do
   let(:group) { public_group }
 
   before do
+    stub_licensed_features(epics: true)
+
     group.add_maintainer(user)
     sign_in(user)
   end
 
   describe 'GET index' do
-    it 'creates a new board when group does not have one' do
-      expect { list_boards }.to change(group.epic_boards, :count).by(1)
+    context 'with epics disabled' do
+      before do
+        stub_licensed_features(epics: false)
+      end
+
+      it 'does not create a new board when group does not have one' do
+        expect { list_boards }.not_to change(group.epic_boards, :count)
+      end
+
+      it 'returns a not found 404 response' do
+        list_boards
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'with authorized user' do
+      it 'creates a new board when group does not have one' do
+        expect { list_boards }.to change(group.epic_boards, :count).by(1)
+      end
+
+      it 'returns correct response' do
+        list_boards
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
     end
 
     context 'with unauthorized user' do
+      let_it_be(:group) { private_group }
+
       before do
         sign_in(other_user)
       end
 
+      it 'does not create a new board when group does not have one' do
+        expect { list_boards }.not_to change(group.epic_boards, :count)
+      end
+
       it 'returns a not found 404 response' do
         list_boards
 
@@ -53,6 +85,18 @@ RSpec.describe Groups::EpicBoardsController do
   describe 'GET show' do
     let!(:board) { create(:epic_board, group: group) }
 
+    context 'with epics disabled' do
+      before do
+        stub_licensed_features(epics: false)
+      end
+
+      it 'returns a not found 404 response' do
+        read_board(board: board)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
     context 'json request' do
       it 'is not supported' do
         read_board(board: board, format: :json)