From cb87176051f7f0abcbed3afae3d21c87d5ca12eb Mon Sep 17 00:00:00 2001
From: Lee Tickett <lee@tickett.net>
Date: Tue, 23 Aug 2022 12:24:23 +0100
Subject: [PATCH] Fix timelog type policy check

Changelog: fixed
---
 app/graphql/types/timelog_type.rb | 2 +-
 app/policies/issuable_policy.rb | 5 +++
 spec/graphql/types/timelog_type_spec.rb | 2 +-
 spec/policies/issuable_policy_spec.rb | 54 ++++++++++++++++++++++++-
 4 files changed, 59 insertions(+), 4 deletions(-)

diff --git a/app/graphql/types/timelog_type.rb b/app/graphql/types/timelog_type.rb
index c3fb9b779275b..3856e1aa3b357 100644
--- a/app/graphql/types/timelog_type.rb
+++ b/app/graphql/types/timelog_type.rb
@@ -4,7 +4,7 @@ module Types
 class TimelogType < BaseObject
 graphql_name 'Timelog'
- authorize :read_issue
+ authorize :read_issuable
 expose_permissions Types::PermissionTypes::Timelog
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 3c5e1020c8a0f..e5913bab7268d 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -5,6 +5,7 @@ class IssuablePolicy < BasePolicy
 condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
 condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
+ condition(:can_read_issuable) { can?(:"read_#{@subject.to_ability_name}") }
 desc "User is the assignee or author"
 condition(:assignee_or_author) do
@@ -48,6 +49,10 @@ class IssuablePolicy < BasePolicy
 rule { can?(:reporter_access) }.policy do
 enable :create_timelog
 end
+
+ rule { can_read_issuable }.policy do
+ enable :read_issuable
+ end
 end
 IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/spec/graphql/types/timelog_type_spec.rb b/spec/graphql/types/timelog_type_spec.rb
index c897a25d10dfc..3a26ba89e04d7 100644
--- a/spec/graphql/types/timelog_type_spec.rb
+++ b/spec/graphql/types/timelog_type_spec.rb
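Review bot: `authorize :read_issuable` on TimelogType is evaluated against the Timelog object, not against its issue or merge request, so the fix only takes effect if the Timelog's policy delegates to the timelog's issuable; nothing in this patch shows that delegation, and if the delegate were some other subject the ability would simply be undefined there and every timelog query denied (fail-closed, but a functional regression rather than the intended fix). Worth confirming TimelogPolicy's delegate and pinning the dependency with a comment beside the call, e.g. `# Resolved through the Timelog's policy delegate to its issuable; see IssuablePolicy's :read_issuable rule`. The TimelogType class continues outside the hunk.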
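Review bot: The new `can_read_issuable` condition has no `desc`, unlike `assignee_or_author` two lines below it, and the dynamically built ability name `:"read_#{@subject.to_ability_name}"` is exactly the part a reader needs explained: it resolves to `read_issue` or `read_merge_request` depending on the subject class, so any `prevent` on those abilities (confidentiality, visibility) should carry through to `:read_issuable` because the condition calls `can?` rather than re-deriving the rules. Add `desc "User can read the concrete issuable (read_issue / read_merge_request)"` above the condition, and in the second hunk (`@@ -48`) a one-line comment that `:read_issuable` is deliberately enable-only and derived from the concrete read ability. A subclass or prepended module whose `to_ability_name` has no matching `read_*` ability will make the condition false and deny access — fail-closed, but worth a spec if such a subclass exists. The IssuablePolicy class continues outside both hunks.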
@@ -7,7 +7,7 @@
 it { expect(described_class.graphql_name).to eq('Timelog') }
 it { expect(described_class).to have_graphql_fields(fields) }
- it { expect(described_class).to require_graphql_authorizations(:read_issue) }
+ it { expect(described_class).to require_graphql_authorizations(:read_issuable) }
 it { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Timelog) }
 describe 'user field' do
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index 706570babd58e..fd7ec5917d698 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -18,8 +18,8 @@
 project.add_reporter(reporter)
 end
- def permissions(user, issue)
- described_class.new(user, issue)
+ def permissions(user, issuable)
+ described_class.new(user, issuable)
 end
 describe '#rules' do
@@ -153,5 +153,55 @@ def permissions(user, issue)
 expect(permissions(reporter, issue)).to be_allowed(:create_timelog)
 end
 end
+
+ context 'when subject is a Merge Request' do
+ let(:issuable) { create(:merge_request) }
+ let(:policy) { permissions(user, issuable) }
+
+ before do
+ allow(policy).to receive(:can?).with(:read_merge_request).and_return(can_read_merge_request)
+ end
+
+ context 'when can_read_merge_request is false' do
+ let(:can_read_merge_request) { false }
+
+ it 'does not allow :read_issuable' do
+ expect(policy).not_to be_allowed(:read_issuable)
+ end
+ end
+
+ context 'when can_read_merge_request is true' do
+ let(:can_read_merge_request) { true }
+
+ it 'allows :read_issuable' do
+ expect(policy).to be_allowed(:read_issuable)
+ end
+ end
+ end
+
+ context 'when subject is an Issue' do
+ let(:issuable) { create(:issue) }
+ let(:policy) { permissions(user, issuable) }
+
+ before do
+ allow(policy).to receive(:can?).with(:read_issue).and_return(can_read_issue)
+ end
+
+ context 'when can_read_issue is false' do
+ let(:can_read_issue) { false }
+
+ it 'does not allow :read_issuable' do
+ expect(policy).not_to be_allowed(:read_issuable)
+ end
+ end
+
+ context 'when can_read_issue is true' do
+ let(:can_read_issue) { true }
+
+ it 'allows :read_issuable' do
+ expect(policy).to be_allowed(:read_issuable)
+ end
+ end
+ end
 end
 end
-- 
GitLab
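Review bot: Every new example stubs `policy.can?` for the mapped ability, so these specs prove the dispatch from `:read_issuable` to `read_issue` / `read_merge_request` but never that a real policy outcome (a confidential issue or a private project the user cannot see) is respected by `:read_issuable`; one unstubbed example per subject type, e.g. a non-member against a confidential issue expecting `not_to be_allowed(:read_issuable)`, would close that gap and guard against a mismatch between `to_ability_name` and the concrete ability name. `user` is referenced in both `let(:policy)` lines but defined outside this hunk, presumably by a `let` near the top of the file. The enclosing `describe '#rules'` block and the outer describe both start outside the hunk.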