Commit b359d5d5 authored by Stan Hu's avatar Stan Hu

Fix groups API to list only user's accessible projects

Closes #17496
parent d6e5299f
...@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date. ...@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.9.0 (unreleased) v 8.9.0 (unreleased)
- Redesign navigation for project pages - Redesign navigation for project pages
- Fix groups API to list only user's accessible projects
- Use gitlab-shell v3.0.0 - Use gitlab-shell v3.0.0
v 8.8.2 (unreleased) v 8.8.2 (unreleased)
......
...@@ -18,7 +18,7 @@ class GroupProjectsFinder < UnionFinder ...@@ -18,7 +18,7 @@ class GroupProjectsFinder < UnionFinder
projects = [] projects = []
if current_user if current_user
if @group.users.include?(current_user) if @group.users.include?(current_user) || current_user.admin?
projects << @group.projects unless only_shared projects << @group.projects unless only_shared
projects << @group.shared_projects unless only_owned projects << @group.shared_projects unless only_owned
else else
......
...@@ -95,8 +95,7 @@ module API ...@@ -95,8 +95,7 @@ module API
# GET /groups/:id/projects # GET /groups/:id/projects
get ":id/projects" do get ":id/projects" do
group = find_group(params[:id]) group = find_group(params[:id])
projects = group.projects projects = GroupProjectsFinder.new(group).execute(current_user)
projects = filter_projects(projects)
projects = paginate projects projects = paginate projects
present projects, with: Entities::Project present projects, with: Entities::Project
end end
......
...@@ -12,6 +12,7 @@ describe API::API, api: true do ...@@ -12,6 +12,7 @@ describe API::API, api: true do
let!(:group2) { create(:group, :private) } let!(:group2) { create(:group, :private) }
let!(:project1) { create(:project, namespace: group1) } let!(:project1) { create(:project, namespace: group1) }
let!(:project2) { create(:project, namespace: group2) } let!(:project2) { create(:project, namespace: group2) }
let!(:project3) { create(:project, namespace: group1, path: 'test', visibility_level: Gitlab::VisibilityLevel::PRIVATE) }
before do before do
group1.add_owner(user1) group1.add_owner(user1)
...@@ -147,9 +148,11 @@ describe API::API, api: true do ...@@ -147,9 +148,11 @@ describe API::API, api: true do
context "when authenticated as user" do context "when authenticated as user" do
it "should return the group's projects" do it "should return the group's projects" do
get api("/groups/#{group1.id}/projects", user1) get api("/groups/#{group1.id}/projects", user1)
expect(response.status).to eq(200) expect(response.status).to eq(200)
expect(json_response.length).to eq(1) expect(json_response.length).to eq(2)
expect(json_response.first['name']).to eq(project1.name) project_names = json_response.map { |proj| proj['name' ] }
expect(project_names).to match_array([project1.name, project3.name])
end end
it "should not return a non existing group" do it "should not return a non existing group" do
...@@ -162,6 +165,16 @@ describe API::API, api: true do ...@@ -162,6 +165,16 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
end end
it "should only return projects to which user has access" do
project3.team << [user3, :developer]
get api("/groups/#{group1.id}/projects", user3)
expect(response.status).to eq(200)
expect(json_response.length).to eq(1)
expect(json_response.first['name']).to eq(project3.name)
end
end end
context "when authenticated as admin" do context "when authenticated as admin" do
...@@ -181,8 +194,10 @@ describe API::API, api: true do ...@@ -181,8 +194,10 @@ describe API::API, api: true do
context 'when using group path in URL' do context 'when using group path in URL' do
it 'should return any existing group' do it 'should return any existing group' do
get api("/groups/#{group1.path}/projects", admin) get api("/groups/#{group1.path}/projects", admin)
expect(response.status).to eq(200) expect(response.status).to eq(200)
expect(json_response.first['name']).to eq(project1.name) project_names = json_response.map { |proj| proj['name' ] }
expect(project_names).to match_array([project1.name, project3.name])
end end
it 'should not return a non existing group' do it 'should not return a non existing group' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment