Merge branch '971-confidential-issue' into 'master'

API: Restore backward-compatibility for POST /projects/:id/members when membership is locked Closes #971. /cc @rdavila See merge request !715

Merge branch '971-confidential-issue' into 'master'
API: Restore backward-compatibility for POST /projects/:id/members when membership is locked Closes #971. /cc @rdavila See merge request !715
c8194018 · Rémy Coutable · 9c059140 · b36be538 · c8194018 · c8194018
Commit c8194018 authored Sep 05, 2016 by Rémy Coutable
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 0 deletions

CHANGELOG-EE CHANGELOG-EE +6 -0

lib/api/members.rb lib/api/members.rb +6 -0

spec/requests/api/members_spec.rb spec/requests/api/members_spec.rb +21 -0

No files found.
--- a/CHANGELOG-EE
+++ b/CHANGELOG-EE
 Please view this file on the master branch, on stable branches it's out of date.
 v 8.12.0 (Unreleased)

+v 8.11.5
+  - API: Restore backward-compatibility for POST /projects/:id/members when membership is locked
+
+v 8.11.4
+  - No EE-specific changes
+
 v 8.11.3
  - [ES] Add logging to indexer
  - Fix missing EE-specific service parameters for Jenkins CI

--- a/lib/api/members.rb
+++ b/lib/api/members.rb
@@ -59,6 +59,12 @@ module API
          authorize_admin_source!(source_type, source)
          required_attributes! [:user_id, :access_level]

+          ## EE specific
+          if source_type == 'project' && source.group && source.group.membership_lock
+            not_allowed!
+          end
+          ## EE specific
+
          access_requester = source.requesters.find_by(user_id: params[:user_id])
          if access_requester
            # We pass current_user = access_requester so that the requester doesn't

--- a/spec/requests/api/members_spec.rb
+++ b/spec/requests/api/members_spec.rb
@@ -162,6 +162,23 @@ describe API::Members, api: true  do
    end
  end

+  ## EE specific
+  shared_examples 'POST /projects/:id/members with the project group membership locked' do
+    context 'project in a group' do
+      it 'returns a 405 method not allowed error when group membership lock is enabled' do
+        group_with_membership_locked = create(:group, membership_lock: true)
+        project = create(:project, group: group_with_membership_locked)
+        project.group.add_owner(master)
+
+        post api("/projects/#{project.id}/members", master),
+             user_id: developer.id, access_level: Member::MASTER
+
+        expect(response.status).to eq 405
+      end
+    end
+  end
+  ## EE specific
+
  shared_examples 'PUT /:sources/:id/members/:user_id' do |source_type|
    context "with :sources == #{source_type.pluralize}" do
      it_behaves_like 'a 404 response when source is private' do
@@ -292,6 +309,10 @@ describe API::Members, api: true  do
    let(:source) { project }
  end

+  ## EE specific
+  it_behaves_like 'POST /projects/:id/members with the project group membership locked'
+  ## EE specific
+
  it_behaves_like 'POST /:sources/:id/members', 'group' do
    let(:source) { group }
  end