Commit c82e11cd authored by Alex Kalderimis's avatar Alex Kalderimis

Ensure assignees have access to the merge request before assignment

parent 855b1ef0
...@@ -10,9 +10,11 @@ module MergeRequests ...@@ -10,9 +10,11 @@ module MergeRequests
return merge_request unless current_user&.can?(:update_merge_request, merge_request) return merge_request unless current_user&.can?(:update_merge_request, merge_request)
old_ids = merge_request.assignees.map(&:id) old_ids = merge_request.assignees.map(&:id)
return merge_request if old_ids.to_set == update_attrs[:assignee_ids].to_set # no-change new_ids = new_assignee_ids(merge_request)
return merge_request if old_ids.to_set == new_ids.to_set # no-change
merge_request.update!(**update_attrs) attrs = update_attrs.merge(assignee_ids: new_ids)
merge_request.update!(**attrs)
# Defer the more expensive operations (handle_assignee_changes) to the background # Defer the more expensive operations (handle_assignee_changes) to the background
MergeRequests::AssigneesChangeWorker.perform_async(merge_request.id, current_user.id, old_ids) MergeRequests::AssigneesChangeWorker.perform_async(merge_request.id, current_user.id, old_ids)
...@@ -33,6 +35,12 @@ module MergeRequests ...@@ -33,6 +35,12 @@ module MergeRequests
private private
def new_assignee_ids(merge_request)
User.id_in(update_attrs[:assignee_ids]).map do |user|
user.id if user.can?(:read_merge_request, merge_request)
end.compact
end
def assignee_ids def assignee_ids
params.fetch(:assignee_ids).first(1) params.fetch(:assignee_ids).first(1)
end end
......
...@@ -22,17 +22,20 @@ RSpec.shared_examples 'an assignable resource' do ...@@ -22,17 +22,20 @@ RSpec.shared_examples 'an assignable resource' do
assignee_usernames: assignee_usernames) assignee_usernames: assignee_usernames)
end end
before do
resource.project.add_developer(assignee)
resource.project.add_developer(assignee2)
end
it 'raises an error if the resource is not accessible to the user' do it 'raises an error if the resource is not accessible to the user' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end end
it 'does not change assignees if the resource is not accessible to the assignees' do
resource.project.add_developer(user)
expect { subject }.not_to change { resource.reload.assignee_ids }
end
context 'when the user can update the resource' do context 'when the user can update the resource' do
before do before do
resource.project.add_developer(assignee)
resource.project.add_developer(assignee2)
resource.project.add_developer(user) resource.project.add_developer(user)
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment