Added restriction for guest on Release page

Added restriction for evidence in Release API. Added restriction in Release controller. Added relevant tests.

Added restriction for guest on Release page
Added restriction for evidence in Release API. Added restriction in Release controller. Added relevant tests.
baeeb272 · Etienne Baqué · 3cb5e9e0 · baeeb272 · baeeb272 · baeeb272
Commit baeeb272 authored Dec 03, 2019 by Etienne Baqué
3 changed files
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -10,6 +10,7 @@ class Projects::ReleasesController < Projects::ApplicationController
    push_frontend_feature_flag(:release_evidence_collection, project)
  end
  before_action :authorize_update_release!, only: %i[edit update]
+  before_action :authorize_download_code!, only: [:evidence]

  def index
    respond_to do |format|

--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1319,7 +1319,7 @@ module API
      expose :milestones, using: Entities::Milestone, if: -> (release, _) { release.milestones.present? }
      expose :commit_path, expose_nil: false
      expose :tag_path, expose_nil: false
-      expose :evidence_sha, expose_nil: false
+      expose :evidence_sha, expose_nil: false, if: ->(_, _) { can_download_code? }
      expose :assets do
        expose :assets_count, as: :count do |release, _|
          assets_to_exclude = can_download_code? ? [] : [:sources]
@@ -1329,7 +1329,7 @@ module API
        expose :links, using: Entities::Releases::Link do |release, options|
          release.links.sorted
        end
-        expose :evidence_file_path, expose_nil: false
+        expose :evidence_file_path, expose_nil: false, if: ->(_, _) { can_download_code? }
      end
      expose :_links do
        expose :merge_requests_url, expose_nil: false

--- a/spec/controllers/projects/releases_controller_spec.rb
+++ b/spec/controllers/projects/releases_controller_spec.rb
@@ -184,6 +184,7 @@ describe Projects::ReleasesController do
      sign_in(user)
    end

+    context 'when the user is a developer' do
      it 'returns the correct evidence summary as a json' do
        subject

@@ -201,6 +202,23 @@ describe Projects::ReleasesController do
      end
    end

+    context 'when the user is a guest for the project' do
+      before do
+        project.add_guest(user)
+      end
+
+      context 'if the project is private' do
+        let(:project) { private_project }
+
+        it_behaves_like 'not found'
+      end
+
+      context 'if the project is public' do
+        it_behaves_like 'successful request'
+      end
+    end
+  end
+
  private

  def get_index