Commit e2c7c2df authored by Patrick Bajao's avatar Patrick Bajao

Don't publish drafts if user can't create notes

When request is made to publish drafts, we create `Note`s from
the `DraftNote`s. So if user can't create notes, they shouldn't be
able to publish draft notes as well.

Check if user can `:create_note` when publishing and deny if not.
parent a1b0c955
...@@ -6,7 +6,7 @@ class Projects::MergeRequests::DraftsController < Projects::MergeRequests::Appli ...@@ -6,7 +6,7 @@ class Projects::MergeRequests::DraftsController < Projects::MergeRequests::Appli
respond_to :json respond_to :json
before_action :check_draft_notes_available!, except: [:index] before_action :check_draft_notes_available!, except: [:index]
before_action :authorize_create_draft!, only: [:create] before_action :authorize_create_note!, only: [:create, :publish]
before_action :authorize_admin_draft!, only: [:update, :destroy] before_action :authorize_admin_draft!, only: [:update, :destroy]
before_action :authorize_admin_draft!, if: -> { action_name == 'publish' && params[:id].present? } before_action :authorize_admin_draft!, if: -> { action_name == 'publish' && params[:id].present? }
...@@ -128,7 +128,7 @@ class Projects::MergeRequests::DraftsController < Projects::MergeRequests::Appli ...@@ -128,7 +128,7 @@ class Projects::MergeRequests::DraftsController < Projects::MergeRequests::Appli
access_denied! unless can?(current_user, :admin_note, draft_note) access_denied! unless can?(current_user, :admin_note, draft_note)
end end
def authorize_create_draft! def authorize_create_note!
access_denied! unless can?(current_user, :create_note, merge_request) access_denied! unless can?(current_user, :create_note, merge_request)
end end
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
module DraftNotes module DraftNotes
class PublishService < DraftNotes::BaseService class PublishService < DraftNotes::BaseService
def execute(draft = nil) def execute(draft = nil)
return error('Not allowed to create notes') unless can?(current_user, :create_note, merge_request)
if draft if draft
publish_draft_note(draft) publish_draft_note(draft)
else else
......
---
title: Don't publish drafts if user can't create notes
merge_request:
author:
type: security
...@@ -215,18 +215,42 @@ describe Projects::MergeRequests::DraftsController do ...@@ -215,18 +215,42 @@ describe Projects::MergeRequests::DraftsController do
describe 'POST #publish' do describe 'POST #publish' do
context 'without permissions' do context 'without permissions' do
shared_examples_for 'action that does not allow publishing draft note' do
it 'does not allow publishing draft note' do
expect { action }
.to not_change { Note.count }
.and not_change { DraftNote.count }
expect(response).to have_gitlab_http_status(404)
end
end
before do before do
sign_in(user2) sign_in(user2)
end
context 'when note belongs to someone else' do
before do
project.add_developer(user2) project.add_developer(user2)
end end
it 'does not allow publishing draft note belonging to someone else' do it_behaves_like 'action that does not allow publishing draft note' do
draft = create(:draft_note, merge_request: merge_request, author: user) let!(:draft) { create(:draft_note, merge_request: merge_request, author: user) }
let(:action) { post :publish, params: params.merge(id: draft.id) }
end
end
expect { post :publish, params: params.merge(id: draft.id) }.to change { Note.count }.by(0) context 'when merge request discussion is locked' do
.and change { DraftNote.count }.by(0) let(:project) { create(:project, :public, :merge_requests_public, :repository) }
expect(response).to have_gitlab_http_status(404) before do
create(:draft_note, merge_request: merge_request, author: user2)
merge_request.update!(discussion_locked: true)
end
it_behaves_like 'action that does not allow publishing draft note' do
let(:action) { post :publish, params: params }
end
end end
end end
......
...@@ -246,4 +246,14 @@ describe DraftNotes::PublishService do ...@@ -246,4 +246,14 @@ describe DraftNotes::PublishService do
publish publish
end end
end end
context 'user cannot create notes' do
before do
allow(Ability).to receive(:allowed?).with(user, :create_note, merge_request).and_return(false)
end
it 'returns an error' do
expect(publish[:status]).to eq(:error)
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment