Merge branch 'bw-read-board-group-policy' into 'master'

Add `:read_board` to GroupPolicy See merge request gitlab-org/gitlab!24500

Merge branch 'bw-read-board-group-policy' into 'master'
Add `:read_board` to GroupPolicy See merge request gitlab-org/gitlab!24500
c61d4e39 · Robert Speicher · ae492e65 · 7ce5bfe0 · c61d4e39 · c61d4e39
Commit c61d4e39 authored Feb 11, 2020 by Robert Speicher
6 changed files
--- a/app/controllers/groups/boards_controller.rb
+++ b/app/controllers/groups/boards_controller.rb
@@ -4,6 +4,7 @@ class Groups::BoardsController < Groups::ApplicationController
  include BoardsActions
  include RecordUserLastActivity

+  before_action :authorize_read_board!, only: [:index, :show]
  before_action :assign_endpoint_vars
  before_action do
    push_frontend_feature_flag(:multi_select_board, default_enabled: true)
@@ -16,4 +17,8 @@ class Groups::BoardsController < Groups::ApplicationController
    @namespace_path = group.to_param
    @labels_endpoint = group_labels_url(group)
  end
+
+  def authorize_read_board!
+    access_denied! unless can?(current_user, :read_board, group)
+  end
 end
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -67,6 +67,7 @@ class GroupPolicy < BasePolicy
    enable :read_milestone
    enable :read_list
    enable :read_label
+    enable :read_board
  end

  rule { has_access }.enable :read_namespace

--- a/lib/api/group_boards.rb
+++ b/lib/api/group_boards.rb
@@ -28,6 +28,7 @@ module API
          success ::API::Entities::Board
        end
        get '/:board_id' do
+          authorize!(:read_board, user_group)
          present board, with: ::API::Entities::Board
        end

@@ -39,6 +40,7 @@ module API
          use :pagination
        end
        get '/' do
+          authorize!(:read_board, user_group)
          present paginate(board_parent.boards.with_associations), with: Entities::Board
        end
      end
@@ -55,6 +57,7 @@ module API
          use :pagination
        end
        get '/lists' do
+          authorize!(:read_board, user_group)
          present paginate(board_lists), with: Entities::List
        end

@@ -66,6 +69,7 @@ module API
          requires :list_id, type: Integer, desc: 'The ID of a list'
        end
        get '/lists/:list_id' do
+          authorize!(:read_board, user_group)
          present board_lists.find(params[:list_id]), with: Entities::List
        end


--- a/spec/controllers/groups/boards_controller_spec.rb
+++ b/spec/controllers/groups/boards_controller_spec.rb
@@ -27,7 +27,8 @@ describe Groups::BoardsController do
      context 'with unauthorized user' do
        before do
          allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(true)
-          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
+          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(true)
+          allow(Ability).to receive(:allowed?).with(user, :read_board, group).and_return(false)
        end

        it 'returns a not found 404 response' do
@@ -70,7 +71,8 @@ describe Groups::BoardsController do
      context 'with unauthorized user' do
        before do
          allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(true)
-          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
+          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(true)
+          allow(Ability).to receive(:allowed?).with(user, :read_board, group).and_return(false)
        end

        it 'returns a not found 404 response' do
@@ -105,7 +107,8 @@ describe Groups::BoardsController do
      context 'with unauthorized user' do
        before do
          allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(true)
-          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
+          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(true)
+          allow(Ability).to receive(:allowed?).with(user, :read_board, group).and_return(false)
        end

        it 'returns a not found 404 response' do
@@ -142,6 +145,7 @@ describe Groups::BoardsController do
      context 'with unauthorized user' do
        before do
          allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(true)
+          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(true)
          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
        end


--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -438,7 +438,7 @@ describe GroupPolicy do
    end
  end

-  context "create_projects" do
+  context 'create_projects' do
    context 'when group has no project creation level set' do
      before_all do
        group.update(project_creation_level: nil)
@@ -560,7 +560,7 @@ describe GroupPolicy do
    end
  end

-  context "create_subgroup" do
+  context 'create_subgroup' do
    context 'when group has subgroup creation level set to owner' do
      before_all do
        group.update(subgroup_creation_level: ::Gitlab::Access::OWNER_SUBGROUP_ACCESS)

--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -16,7 +16,7 @@ RSpec.shared_context 'GroupPolicy context' do
      read_group_merge_requests
   ]
  end
-  let(:read_group_permissions) { %i[read_label read_list read_milestone] }
+  let(:read_group_permissions) { %i[read_label read_list read_milestone read_board] }
  let(:reporter_permissions) { %i[admin_label read_container_image] }
  let(:developer_permissions) { [:admin_milestone] }
  let(:maintainer_permissions) do