Commit 54994762 authored by Mario de la Ossa's avatar Mario de la Ossa

Backport of 54385-board-policy

parent c46b8e96
......@@ -34,15 +34,11 @@ module BoardsResponses
end
def authorize_read_list
ability = board.group_board? ? :read_group : :read_list
authorize_action_for!(board.parent, ability)
authorize_action_for!(board, :read_list)
end
def authorize_read_issue
ability = board.group_board? ? :read_group : :read_issue
authorize_action_for!(board.parent, ability)
authorize_action_for!(board, :read_issue)
end
def authorize_update_issue
......@@ -57,7 +53,7 @@ module BoardsResponses
end
def authorize_admin_list
authorize_action_for!(board.parent, :admin_list)
authorize_action_for!(board, :admin_list)
end
def authorize_action_for!(resource, ability)
......
# frozen_string_literal: true
class BoardPolicy < BasePolicy
delegate { @subject.parent }
condition(:is_group_board) { @subject.group_board? }
rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
rule { is_group_board & can?(:read_group) }.policy do
enable :read_milestone
enable :read_issue
end
end
require 'spec_helper'
describe Boards::IssuesController do
let(:project) { create(:project) }
let(:project) { create(:project, :private) }
let(:board) { create(:board, project: project) }
let(:user) { create(:user) }
let(:guest) { create(:user) }
......@@ -127,14 +127,10 @@ describe Boards::IssuesController do
end
context 'with unauthorized user' do
before do
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_issue, project).and_return(false)
end
let(:unauth_user) { create(:user) }
it 'returns a forbidden 403 response' do
list_issues user: user, board: board, list: list2
list_issues user: unauth_user, board: board, list: list2
expect(response).to have_gitlab_http_status(403)
end
......
......@@ -31,13 +31,10 @@ describe Boards::ListsController do
end
context 'with unauthorized user' do
before do
allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
allow(Ability).to receive(:allowed?).with(user, :read_list, project).and_return(false)
end
let(:unauth_user) { create(:user) }
it 'returns a forbidden 403 response' do
read_board_list user: user, board: board
read_board_list user: unauth_user, board: board
expect(response).to have_gitlab_http_status(403)
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment