Commit a092b5ae authored by Douglas Barbosa Alexandre's avatar Douglas Barbosa Alexandre

Merge branch 'sh-fix-board-user-assigns' into 'master'

Fix 403 errors when adding an assignee list in project boards

Closes gitlab-ee#9727

See merge request gitlab-org/gitlab-ce!25263
parents e2a56bd1 b2da8042
......@@ -21,6 +21,10 @@ def group_board?
group_id.present?
end
def project_board?
project_id.present?
end
def backlog_list
lists.merge(List.backlog).take
end
......
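Review bot: `project_board?` and `group_board?` are two independent presence checks, so nothing visible in this hunk prevents both from being true, or both false, for the same board, and BoardPolicy now hangs a separate rule off each predicate. If a validation elsewhere in the model guarantees that exactly one of `group_id` / `project_id` is set, state that above the predicates, e.g. `# Exactly one of group_id / project_id is set; BoardPolicy branches on these predicates.` If it is not guaranteed, a board with both ids would get `:read_parent` from either parent's read permission. The rest of the class lies outside the hunk, so this may already be enforced there.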
......@@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy
delegate { @subject.parent }
condition(:is_group_board) { @subject.group_board? }
condition(:is_project_board) { @subject.project_board? }
rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
rule { is_project_board & can?(:read_project) }.enable :read_parent
rule { is_group_board & can?(:read_group) }.policy do
enable :read_parent
enable :read_milestone
enable :read_issue
end
......
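Review bot: The two rules built on `is_project_board` and `is_group_board` need a comment saying why they are split and joined with `&`, because the ternary form they replace reads as equally valid Ruby and could be reintroduced in a later cleanup. As far as I can tell, a condition name inside a `rule { }` block yields a rule object rather than a boolean, so `?:` or `&&` would choose a branch when the policy is defined instead of per subject. Suggested comment above the two rules: `# Conditions are rule objects here: combine them with & | ~ only, never ?: or && (a rule object is always truthy).` The class body continues outside the hunk.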
---
title: Fix 403 errors when adding an assignee list in project boards
merge_request: 25263
author:
type: fixed
# frozen_string_literal: true
require 'spec_helper'
describe BoardPolicy do
let(:user) { create(:user) }
let(:project) { create(:project, :private) }
let(:group) { create(:group, :private) }
let(:group_board) { create(:board, group: group) }
let(:project_board) { create(:board, project: project) }
let(:board_permissions) do
[
:read_parent,
:read_milestone,
:read_issue
]
end
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
end
def expect_disallowed(*permissions)
permissions.each { |p| is_expected.not_to be_allowed(p) }
end
context 'group board' do
subject { described_class.new(user, group_board) }
context 'user has access' do
before do
group.add_developer(user)
end
it do
expect_allowed(*board_permissions)
end
end
context 'user does not have access' do
it do
expect_disallowed(*board_permissions)
end
end
end
context 'project board' do
subject { described_class.new(user, project_board) }
context 'user has access' do
before do
project.add_developer(user)
end
it do
expect_allowed(*board_permissions)
end
end
context 'user does not have access' do
it do
expect_disallowed(*board_permissions)
end
end
end
end
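Review bot: The spec has no cross-parent negative case, where the user is a member of one parent and the board belongs to the other, yet that is where a wrong branch in the policy would grant access. It currently checks only a developer on the board's own parent and a user with no membership at all. Adding a context under 'group board' where the user is a developer of the unrelated private `project` and all `board_permissions` are disallowed, plus the mirror case under 'project board' with `group.add_developer(user)`, would pin that down. It would also help to add a one-line comment that the project-board expectations for `:read_milestone` and `:read_issue` presumably rely on the policy's `delegate` to the parent, since BoardPolicy itself only enables `:read_parent` for project boards.

```ruby
context 'group board' do
  # … unchanged: subject and the two existing contexts …

  context 'user is a member of an unrelated project only' do
    before do
      project.add_developer(user)
    end

    it do
      expect_disallowed(*board_permissions)
    end
  end
end
```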