Skip to content

G
gitlab-ce
Commit 89057a2b authored by Sean McGivern's avatar Sean McGivern Committed by Winnie Hellmann
Browse files
Options

Merge branch 'issue_30663' into 'security-10-2' 

Prevent creating issues through API without having permissions

See merge request gitlab/gitlabhq!2225

(cherry picked from commit c298bbaa88883343dc9cbbb6abec0808fb3b546c)

915b97c5 Prevent creating issues through API without having permissions
parent 9a153bba
Hide whitespace changes
Inline Side-by-side
Showing with 21 additions and 0 deletions
changelogs/unreleased/issue_30663.yml 0 → 100644
View file @ 89057a2b
---
title: Prevent creating issues through API when user does not have permissions
merge_request:
author:
type: security
lib/api/issues.rb
View file @ 89057a2b
......@@ -166,6 +166,8 @@ module API
use :issue_params
end
post ':id/issues' do
authorize! :create_issue, user_project
# Setting created_at time only allowed for admins and project owners
unless current_user.admin? || user_project.owner == current_user
params.delete(:created_at)
......
spec/requests/api/issues_spec.rb
View file @ 89057a2b
......@@ -864,6 +864,20 @@ describe API::Issues, :mailer do
end
end
context 'user does not have permissions to create issue' do
let(:not_member) { create(:user) }
before do
project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
end
it 'renders 403' do
post api("/projects/#{project.id}/issues", not_member), title: 'new issue'
expect(response).to have_gitlab_http_status(403)
end
end
it 'creates a new project issue' do
post api("/projects/#{project.id}/issues", user),
title: 'new issue', labels: 'label, label2', weight: 3,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7