Commit c59ae547 authored by Sean McGivern's avatar Sean McGivern Committed by Michael Kozono

Merge branch 'issue_30663' into 'security-10-2'

Prevent creating issues through API without having permissions

See merge request gitlab/gitlabhq!2225

(cherry picked from commit c298bbaa88883343dc9cbbb6abec0808fb3b546c)

915b97c5 Prevent creating issues through API without having permissions
parent 8f29d264
---
title: Prevent creating issues through API when user does not have permissions
merge_request:
author:
type: security
...@@ -161,6 +161,8 @@ module API ...@@ -161,6 +161,8 @@ module API
use :issue_params use :issue_params
end end
post ':id/issues' do post ':id/issues' do
authorize! :create_issue, user_project
# Setting created_at time only allowed for admins and project owners # Setting created_at time only allowed for admins and project owners
unless current_user.admin? || user_project.owner == current_user unless current_user.admin? || user_project.owner == current_user
params.delete(:created_at) params.delete(:created_at)
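Review bot: The new `authorize! :create_issue, user_project` guard covers only this `post ':id/issues'` endpoint; if other actions in this module that create or modify issues rely on the same implicit membership assumption, they would need the same explicit check, which this commit does not touch. Placing the check as the first statement, ahead of the `created_at` stripping, is the right order since no request parameter is processed before the permission is confirmed. A one-line comment such as `# Reject the request before touching any params; feature visibility and membership are both enforced by the ability check` would make the intent of the ordering clear to the next maintainer. The body of the `post ':id/issues'` block continues outside the hunk.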
......
...@@ -860,6 +860,20 @@ describe API::Issues, :mailer do ...@@ -860,6 +860,20 @@ describe API::Issues, :mailer do
end end
end end
context 'user does not have permissions to create issue' do
let(:not_member) { create(:user) }
before do
project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
end
it 'renders 403' do
post api("/projects/#{project.id}/issues", not_member), title: 'new issue'
expect(response).to have_gitlab_http_status(403)
end
end
it 'creates a new project issue' do it 'creates a new project issue' do
post api("/projects/#{project.id}/issues", user), post api("/projects/#{project.id}/issues", user),
title: 'new issue', labels: 'label, label2', weight: 3, title: 'new issue', labels: 'label, label2', weight: 3,
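Review bot: The new `'user does not have permissions to create issue'` context exercises a single case, a non-member against a project whose issues feature is set to `ProjectFeature::PRIVATE`; it does not cover a project with the issues feature disabled or a user whose role is below the one the ability requires, so a regression limited to either path would pass this spec. Adding a sibling example that sets `issues_access_level: ProjectFeature::DISABLED` and posts as `user` would pin the other branch the `authorize!` call is expected to reject; whether a role-based example is also warranted depends on the ability definition, which is not in this hunk. The `describe API::Issues` block containing these examples starts and ends outside the hunk.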
......