Commit 82330e91 authored by Sean Arnold's avatar Sean Arnold Committed by Mayra Cabrera

Move participant permission validation to service

- Add spec changes
parent db700dd3
...@@ -18,16 +18,7 @@ module IncidentManagement ...@@ -18,16 +18,7 @@ module IncidentManagement
validates :color_palette, presence: true validates :color_palette, presence: true
validates :color_weight, presence: true validates :color_weight, presence: true
validates :user, presence: true, uniqueness: { scope: :oncall_rotation_id } validates :user, presence: true, uniqueness: { scope: :oncall_rotation_id }
validate :user_can_read_project, if: :user, on: :create
delegate :project, to: :rotation, allow_nil: true delegate :project, to: :rotation, allow_nil: true
private
def user_can_read_project
unless user.can?(:read_project, project)
errors.add(:user, 'does not have access to the project')
end
end
end end
end end
...@@ -36,6 +36,8 @@ module IncidentManagement ...@@ -36,6 +36,8 @@ module IncidentManagement
break error_in_validation(oncall_rotation) unless oncall_rotation.persisted? break error_in_validation(oncall_rotation) unless oncall_rotation.persisted?
participants = participants_for(oncall_rotation) participants = participants_for(oncall_rotation)
break error_participant_has_no_permission if participants.nil?
first_invalid_participant = participants.find(&:invalid?) first_invalid_participant = participants.find(&:invalid?)
break error_in_validation(first_invalid_participant) if first_invalid_participant break error_in_validation(first_invalid_participant) if first_invalid_participant
...@@ -65,6 +67,8 @@ module IncidentManagement ...@@ -65,6 +67,8 @@ module IncidentManagement
def participants_for(rotation) def participants_for(rotation)
participants_params.map do |participant| participants_params.map do |participant|
break unless participant[:user].can?(:read_project, project)
OncallParticipant.new( OncallParticipant.new(
rotation: rotation, rotation: rotation,
user: participant[:user], user: participant[:user],
...@@ -102,6 +106,10 @@ module IncidentManagement ...@@ -102,6 +106,10 @@ module IncidentManagement
ServiceResponse.success(payload: { oncall_rotation: oncall_rotation }) ServiceResponse.success(payload: { oncall_rotation: oncall_rotation })
end end
def error_participant_has_no_permission
error('A participant has insufficient permissions to access the project')
end
def error_too_many_participants def error_too_many_participants
error(_('A maximum of %{count} participants can be added') % { count: MAXIMUM_PARTICIPANTS }) error(_('A maximum of %{count} participants can be added') % { count: MAXIMUM_PARTICIPANTS })
end end
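Review bot: In `participants_for`, `participant[:user].can?(:read_project, project)` runs before any presence check, so an entry whose `:user` is nil would raise NoMethodError instead of producing a validation error; the removed model validation was guarded with `if: :user`. If params can reach this point without a resolved user, consider `break unless participant[:user]&.can?(:read_project, project)`, which reports such an entry as a permission failure. The `break` inside `map` also makes the method return nil as a sentinel that the caller tests with `participants.nil?`; a comment such as `# break makes map return nil; the caller treats nil as a permission failure` would make that contract explicit. With the check gone from the model, this service appears to be the only place the read_project requirement is enforced, so any other path that builds OncallParticipant records (not visible on this page) would need its own check. The method body continues outside the hunk.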
......
...@@ -36,33 +36,6 @@ RSpec.describe IncidentManagement::OncallParticipant do ...@@ -36,33 +36,6 @@ RSpec.describe IncidentManagement::OncallParticipant do
expect(subject.errors.full_messages.to_sentence).to eq('User has already been taken') expect(subject.errors.full_messages.to_sentence).to eq('User has already been taken')
end end
end end
context 'when participant cannot read project' do
let_it_be(:other_user) { create(:user) }
subject { build(:incident_management_oncall_participant, rotation: rotation, user: other_user) }
context 'on creation' do
it 'has validation errors' do
expect(subject).to be_invalid
expect(subject.errors.full_messages.to_sentence).to eq('User does not have access to the project')
end
end
context 'after creation' do
let(:project) { rotation.project }
before do
project.add_developer(other_user)
end
it 'is valid' do
subject.save!
remove_user_from_project(other_user, project)
expect(subject).to be_valid
end
end
end
end end
private private
......
...@@ -85,18 +85,20 @@ RSpec.describe IncidentManagement::OncallRotations::CreateService do ...@@ -85,18 +85,20 @@ RSpec.describe IncidentManagement::OncallRotations::CreateService do
end end
end end
context 'participants do not have access to the project' do context 'when participant cannot read project' do
let_it_be(:other_user) { create(:user) }
let(:participants) do let(:participants) do
[ [
{ {
user: create(:user), user: other_user,
color_palette: 'blue', color_palette: 'blue',
color_weight: '500' color_weight: '500'
} }
] ]
end end
it_behaves_like 'error response', 'User does not have access to the project' it_behaves_like 'error response', 'A participant has insufficient permissions to access the project'
end end
context 'participant is included multiple times' do context 'participant is included multiple times' do
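Review bot: The updated context covers only a list with a single unauthorised participant, so nothing pins the behaviour when a permitted participant precedes an unpermitted one. Because `participants_for` relies on `break` inside `map` to discard the partially built array, a second example with two entries (first permitted, second `other_user`) would guard against a later refactor that silently keeps the permitted ones. It would also be worth asserting that no rotation is left persisted on this error path, unless the 'error response' shared example, which is not visible here, already does so.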
......