Hide date fields related to edit if user does not have permission

Rationale: match closer to web UI where users without epic edit access can not see those fields.

Hide date fields related to edit if user does not have permission
Rationale: match closer to web UI where users without epic edit access can not see those fields.
646a37be · Mark Chao · 6d1fca0e · 646a37be · 646a37be · 646a37be
Commit 646a37be authored Jul 18, 2018 by Mark Chao
Showing with 44 additions and 12 deletions

ee/lib/api/epics.rb ee/lib/api/epics.rb +4 -4

ee/lib/ee/api/entities.rb ee/lib/ee/api/entities.rb +6 -6

ee/spec/requests/api/epics_spec.rb ee/spec/requests/api/epics_spec.rb +34 -2

No files found.
--- a/ee/lib/api/epics.rb
+++ b/ee/lib/api/epics.rb
@@ -58,7 +58,7 @@ module API
        optional :labels, type: String, desc: 'Comma-separated list of label names'
      end
      get ':id/(-/)epics' do
-        present find_epics(group_id: user_group.id), with: EE::API::Entities::Epic
+        present find_epics(group_id: user_group.id), with: EE::API::Entities::Epic, user: current_user
      end

      desc 'Get details of an epic' do
@@ -70,7 +70,7 @@ module API
      get ':id/(-/)epics/:epic_iid' do
        authorize_can_read!

-        present epic, with: EE::API::Entities::Epic
+        present epic, with: EE::API::Entities::Epic, user: current_user
      end

      desc 'Create a new epic' do
@@ -90,7 +90,7 @@ module API

        epic = ::Epics::CreateService.new(user_group, current_user, declared_params(include_missing: false)).execute
        if epic.valid?
-          present epic, with: EE::API::Entities::Epic
+          present epic, with: EE::API::Entities::Epic, user: current_user
        else
          render_validation_error!(epic)
        end
@@ -118,7 +118,7 @@ module API
        result = ::Epics::UpdateService.new(user_group, current_user, update_params).execute(epic)

        if result.valid?
-          present result, with: EE::API::Entities::Epic
+          present result, with: EE::API::Entities::Epic, user: current_user
        else
          render_validation_error!(result)
        end

--- a/ee/lib/ee/api/entities.rb
+++ b/ee/lib/ee/api/entities.rb
@@ -155,6 +155,8 @@ module EE
      end

      class Epic < Grape::Entity
+        allowed_to_admin = ->(epic, opts) { Ability.allowed?(opts[:user], :admin_epic, epic) }
+
        expose :id
        expose :iid
        expose :group_id
@@ -162,14 +164,12 @@ module EE
        expose :description
        expose :author, using: ::API::Entities::UserBasic
        expose :start_date
-        expose :start_date_is_fixed?, as: :start_date_is_fixed
-        expose :start_date_fixed
-        expose :start_date_from_milestones
+        expose :start_date_is_fixed?, as: :start_date_is_fixed, if: allowed_to_admin
+        expose :start_date_fixed, :start_date_from_milestones, if: allowed_to_admin
        expose :end_date # @deprecated
        expose :end_date, as: :due_date
-        expose :due_date_is_fixed?, as: :due_date_is_fixed
-        expose :due_date_fixed
-        expose :due_date_from_milestones
+        expose :due_date_is_fixed?, as: :due_date_is_fixed, if: allowed_to_admin
+        expose :due_date_fixed, :due_date_from_milestones, if: allowed_to_admin
        expose :created_at
        expose :updated_at
        expose :labels do |epic, options|

--- a/ee/spec/requests/api/epics_spec.rb
+++ b/ee/spec/requests/api/epics_spec.rb
@@ -40,6 +40,32 @@ describe API::Epics do
    end
  end

+  shared_examples 'admin_epic permission' do
+    let(:extra_date_fields) { %w[start_date_is_fixed start_date_fixed due_date_is_fixed due_date_fixed] }
+
+    context 'when permission is absent' do
+      RSpec::Matchers.define_negated_matcher :exclude, :include
+
+      it 'returns epic with extra date fields' do
+        get api(url, user), params
+
+        expect(Array.wrap(JSON.parse(response.body))).to all(exclude(*extra_date_fields))
+      end
+    end
+
+    context 'when permission is present' do
+      before do
+        group.add_maintainer(user)
+      end
+
+      it 'returns epic with extra date fields' do
+        get api(url, user), params
+
+        expect(Array.wrap(JSON.parse(response.body))).to all(include(*extra_date_fields))
+      end
+    end
+  end
+
  describe 'GET /groups/:id/epics' do
    let(:url) { "/groups/#{group.path}/epics" }

@@ -138,6 +164,8 @@ describe API::Epics do

        expect_array_response([epic2.id])
      end
+
+      it_behaves_like 'admin_epic permission'
    end
  end

@@ -149,17 +177,21 @@ describe API::Epics do
    context 'when the request is correct' do
      before do
        stub_licensed_features(epics: true)
-
-        get api(url, user)
      end

      it 'returns 200 status' do
+        get api(url, user)
+
        expect(response).to have_gitlab_http_status(200)
      end

      it 'matches the response schema' do
+        get api(url, user)
+
        expect(response).to match_response_schema('public_api/v4/epic', dir: 'ee')
      end
+
+      it_behaves_like 'admin_epic permission'
    end
  end