Require group_id or project_id for MR target branch autocomplete action

bd8b98c7 · Nick Thomas · 0f3b0904 · bd8b98c7 · bd8b98c7 · bd8b98c7
Commit bd8b98c7 authored Nov 28, 2019 by Nick Thomas
4 changed files
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -40,10 +40,20 @@ class AutocompleteController < ApplicationController
  end
  def merge_request_target_branches
-    merge_requests = MergeRequestsFinder.new(current_user, params).execute
+    if target_branch_params.present?
-    target_branches = merge_requests.recent_target_branches
+      merge_requests = MergeRequestsFinder.new(current_user, target_branch_params).execute
+      target_branches = merge_requests.recent_target_branches
+      render json: target_branches.map { |target_branch| { title: target_branch } }
+    else
+      render json: { error: _('At least one of group_id or project_id must be specified') }, status: :bad_request
+    end
+  end
+  private
-    render json: target_branches.map { |target_branch| { title: target_branch } }
+  def target_branch_params
+    params.permit(:group_id, :project_id)
  end
 end

--- a/changelogs/unreleased/31830-limit-mr-target-branches.yml
+++ b/changelogs/unreleased/31830-limit-mr-target-branches.yml
+---
+title: Require group_id or project_id for MR target branch autocomplete action
+merge_request: 20933
+author:
+type: performance
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -2171,6 +2171,9 @@ msgstr ""
 msgid "At least one approval from a code owner is required to change files matching the respective CODEOWNER rules."
 msgstr ""
+msgid "At least one of group_id or project_id must be specified"
+msgstr ""
 msgid "Attach a file"
 msgstr ""

--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
@@ -365,35 +365,67 @@ describe AutocompleteController do
        expect(json_response[3]).to match('name' => 'thumbsdown')
      end
    end
+  end
-    context 'Get merge_request_target_branches' do
+  context 'Get merge_request_target_branches' do
-      let(:user2) { create(:user) }
+    let!(:merge_request) { create(:merge_request, source_project: project, target_branch: 'feature') }
-      let!(:merge_request1) { create(:merge_request, source_project: project, target_branch: 'feature') }
-      context 'unauthorized user' do
+    context 'anonymous user' do
-        it 'returns empty json' do
+      it 'returns empty json' do
-          get :merge_request_target_branches
+        get :merge_request_target_branches, params: { project_id: project.id }
-          expect(json_response).to be_empty
+        expect(response).to have_gitlab_http_status(200)
-        end
+        expect(json_response).to be_empty
      end
+    end
-      context 'sign in as user without any accesible merge requests' do
+    context 'user without any accessible merge requests' do
-        it 'returns empty json' do
+      it 'returns empty json' do
-          sign_in(user2)
+        sign_in(create(:user))
-          get :merge_request_target_branches
-          expect(json_response).to be_empty
+        get :merge_request_target_branches, params: { project_id: project.id }
-        end
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).to be_empty
      end
+    end
-      context 'sign in as user with a accesible merge request' do
+    context 'user with an accessible merge request but no scope' do
-        it 'returns json' do
+      it 'returns an error' do
-          sign_in(user)
+        sign_in(user)
-          get :merge_request_target_branches
-          expect(json_response).to contain_exactly({ 'title' => 'feature' })
+        get :merge_request_target_branches
-        end
+        expect(response).to have_gitlab_http_status(400)
+        expect(json_response).to eq({ 'error' => 'At least one of group_id or project_id must be specified' })
+      end
+    end
+    context 'user with an accessible merge request by project' do
+      it 'returns json' do
+        sign_in(user)
+        get :merge_request_target_branches, params: { project_id: project.id }
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).to contain_exactly({ 'title' => 'feature' })
+      end
+    end
+    context 'user with an accessible merge request by group' do
+      let(:group) { create(:group) }
+      let(:project) { create(:project, namespace: group) }
+      let(:user) { create(:user) }
+      it 'returns json' do
+        group.add_owner(user)
+        sign_in(user)
+        get :merge_request_target_branches, params: { group_id: group.id }
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).to contain_exactly({ 'title' => 'feature' })
      end
    end
  end