Add check for access to Namespace

b9b0b37b · Rubén Dávila · 6f03ddcd · b9b0b37b · b9b0b37b · b9b0b37b
Commit b9b0b37b authored Aug 30, 2017 by Rubén Dávila
3 changed files
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -20,7 +20,10 @@ class ProjectsController < Projects::ApplicationController
  end

  def new
-    @project ||= Project.new(params.permit(:namespace_id))
+    namespace = Namespace.find_by(id: params[:namespace_id]) if params[:namespace_id]
+    return access_denied! if namespace && !can?(current_user, :create_projects, namespace)
+
+    @project = Project.new(namespace_id: namespace&.id)
  end

  def edit

--- a/app/helpers/namespaces_helper.rb
+++ b/app/helpers/namespaces_helper.rb
@@ -45,8 +45,8 @@ module NamespacesHelper
         visibility_level: n.visibility_level_value,
         visibility: n.visibility,
         name: n.name,
-         show_path: n.is_a?(Group) ? group_path(n) : user_path(n),
-         edit_path: n.is_a?(Group) ? edit_group_path(n) : nil
+         show_path: (type == 'group') ? group_path(n) : user_path(n),
+         edit_path: (type == 'group') ? edit_group_path(n) : nil
       }]
    end


--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -7,6 +7,38 @@ describe ProjectsController do
  let(:jpg) { fixture_file_upload(Rails.root + 'spec/fixtures/rails_sample.jpg', 'image/jpg') }
  let(:txt) { fixture_file_upload(Rails.root + 'spec/fixtures/doc_sample.txt', 'text/plain') }

+  describe 'GET new' do
+    context 'with an authenticated user' do
+      let(:group) { create(:group) }
+
+      before do
+        sign_in(user)
+      end
+
+      context 'when namespace_id param is present' do
+        context 'when user has access to the namespace' do
+          it 'renders the template' do
+            group.add_owner(user)
+
+            get :new, namespace_id: group.id
+
+            expect(response).to have_http_status(200)
+            expect(response).to render_template('new')
+          end
+        end
+
+        context 'when user does not have access to the namespace' do
+          it 'responds with status 404' do
+            get :new, namespace_id: group.id
+
+            expect(response).to have_http_status(404)
+            expect(response).not_to render_template('new')
+          end
+        end
+      end
+    end
+  end
+
  describe 'GET index' do
    context 'as a user' do
      it 'redirects to root page' do