Commit 9ad955fd authored by Cindy Pallares's avatar Cindy Pallares

Merge branch 'security-issue_7696' into 'master'

[master] Resolve: Guest can set weight of a new issue

See merge request gitlab/gitlab-ee!720
parents 0dc6871f 2023167f
...@@ -3,7 +3,13 @@ module EE ...@@ -3,7 +3,13 @@ module EE
private private
def filter_params(issuable) def filter_params(issuable)
params.delete(:weight) unless issuable.supports_weight? # This security check is repeated here to avoid multiple backports,
# this should be refactored to be reused from the base class.
ability_name = :"admin_#{issuable.to_ability_name}"
unless issuable.supports_weight? && can?(current_user, ability_name, issuable)
params.delete(:weight)
end
super super
end end
......
---
title: 'Resolve: Guest can set weight of a new issue'
merge_request:
author:
type: security
require 'spec_helper'
describe Issues::CreateService do
let(:project) { create(:project) }
let(:opts) do
{
title: 'Awesome issue',
description: 'please fix',
weight: 9
}
end
context 'when current user cannot admin issues in the project' do
let(:guest) { create(:user) }
before do
project.add_guest(guest)
end
it 'filters out params that cannot be set without the :admin_issue permission' do
issue = described_class.new(project, guest, opts).execute
expect(issue).to be_persisted
expect(issue.weight).to be_nil
end
end
context 'when current user can admin issues in the project' do
let(:reporter) { create(:user) }
before do
project.add_reporter(reporter)
end
it 'sets permitted params correctly' do
issue = described_class.new(project, reporter, opts).execute
expect(issue).to be_persisted
expect(issue.weight).to eq(9)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment