diff --git a/app/controllers/projects/boards/lists_controller.rb b/app/controllers/projects/boards/lists_controller.rb
index b426dc25e0dad31efa0466518effea78b76768ca..4726ab88dcfa3f02d84fb2891e5a42e7f78cf653 100644
--- a/app/controllers/projects/boards/lists_controller.rb
+++ b/app/controllers/projects/boards/lists_controller.rb
@@ -1,7 +1,12 @@
 module Projects
 module Boards
 class ListsController < Boards::ApplicationController
- before_action :authorize_admin_list!
+ before_action :authorize_admin_list!, only: [:create, :update, :destroy, :generate]
+ before_action :authorize_read_list!, only: [:index]
+
+ def index
+ render json: project.board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :description, :color, :priority] } })
+ end
 
 def create
 list = ::Boards::Lists::CreateService.new(project, current_user, list_params).execute
@@ -49,6 +54,10 @@ module Projects
 return render_403 unless can?(current_user, :admin_list, project)
 end
 
+ def authorize_read_list!
+ return render_403 unless can?(current_user, :read_list, project)
+ end
+
 def list_params
 params.require(:list).permit(:label_id)
 end
diff --git a/app/controllers/projects/boards_controller.rb b/app/controllers/projects/boards_controller.rb
index 052c15f99d091f0a49d442b5e587b0d43dbf93da..3320671708983bc8c6d11c64abf96444c355836f 100644
--- a/app/controllers/projects/boards_controller.rb
+++ b/app/controllers/projects/boards_controller.rb
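Review bot: `index` calls `project.board.lists` with no guard, so a project whose board does not exist yet would raise on `nil` and surface as a 500 instead of a 404; because `BoardsController#show` in this same commit runs `::Boards::CreateService` to create the board lazily, that state looks reachable for a JSON client that requests `lists#index` before anyone has opened the board page (inferred — the `Project#board` association is outside this diff). A one-line guard such as `return render_404 unless project.board` ahead of the `render json:` would fail closed. Separately, splitting authorization into two `only:` lists means any action added to this controller later without being named in either list runs with no list-level check at all; `before_action :authorize_admin_list!, except: [:index]` keeps the strict check as the default. Whatever project-level filters `Boards::ApplicationController` applies are outside this hunk.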
@@ -1,23 +1,15 @@
 class Projects::BoardsController < Projects::ApplicationController
+ respond_to :html
+
 before_action :authorize_read_board!, only: [:show]
 
 def show
- board = Boards::CreateService.new(project, current_user).execute
-
- respond_to do |format|
- format.html
- format.json { render json: board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :description, :color, :priority] } }) }
- end
+ ::Boards::CreateService.new(project, current_user).execute
 end
 
 private
 
 def authorize_read_board!
- unless can?(current_user, :read_board, project)
- respond_to do |format|
- format.html { return access_denied! }
- format.json { return render_403 }
- end
- end
+ return access_denied! unless can?(current_user, :read_board, project)
 end
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 4458ee1d590b2052a3bfe5b3bb1d8550d3bd2114..55265c3cfcb70482c7f62af3345bdfd3bb5824fb 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -91,6 +91,7 @@ class Ability
 rules = [
 :read_project,
 :read_board,
+ :read_list,
 :read_wiki,
 :read_label,
 :read_milestone,
@@ -230,6 +231,7 @@ class Ability
 :read_wiki,
 :read_issue,
 :read_board,
+ :read_list,
 :read_label,
 :read_milestone,
 :read_project_snippet,
diff --git a/config/routes.rb b/config/routes.rb
index b74d6fa4464f718fa1fe80332d246a251150b7ab..09a8945c59ed96f72a6565e58abb79393775be01 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -860,7 +860,7 @@ Rails.application.routes.draw do
 scope module: :boards do
 resources :issues, only: [:update]
 
- resources :lists, only: [:create, :update, :destroy] do
+ resources :lists, only: [:index, :create, :update, :destroy] do
 collection do
 post :generate
 end
diff --git a/spec/controllers/projects/boards/lists_controller_spec.rb b/spec/controllers/projects/boards/lists_controller_spec.rb
index 3d7d35881652be5b500997985af581a70334cc1d..8e6b496e1d60d0973869926236611c001476cf1b 100644
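Review bot: `show` now runs `::Boards::CreateService.new(project, current_user).execute` purely for its side effect and discards the result, which reads like a leftover expression; a one-line comment such as `# Creates the project's board on first visit; lists are served by Boards::ListsController#index` would make the intent clear to the next reader. Also worth a comment next to `respond_to :html`: the old `show.json` branch and its `render_403` are gone, so a JSON request to this action no longer returns the lists (presumably a 406 from `respond_to`, depending on the Rails version in use), and `authorize_read_board!` now answers every format with `access_denied!` (a 404 according to the spec in this commit), which is the safer, non-enumerating response. The controller is shown in full in this hunk.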
--- a/spec/controllers/projects/boards/lists_controller_spec.rb
+++ b/spec/controllers/projects/boards/lists_controller_spec.rb
@@ -11,6 +11,46 @@ describe Projects::Boards::ListsController do
 project.team << [guest, :guest]
 end
 
+ describe 'GET #index' do
+ it 'returns a successful 200 response' do
+ read_board_list user: user
+
+ expect(response).to have_http_status(200)
+ expect(response.content_type).to eq 'application/json'
+ end
+
+ it 'returns a list of board lists' do
+ board = project.create_board
+ create(:backlog_list, board: board)
+ create(:list, board: board)
+ create(:done_list, board: board)
+
+ read_board_list user: user
+
+ parsed_response = JSON.parse(response.body)
+
+ expect(response).to match_response_schema('list', array: true)
+ expect(parsed_response.length).to eq 3
+ end
+
+ it 'returns a successful 403 response with unauthorized user' do
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_list, project).and_return(false)
+
+ read_board_list user: user
+
+ expect(response).to have_http_status(403)
+ end
+
+ def read_board_list(user:)
+ sign_in(user)
+
+ get :index, namespace_id: project.namespace.to_param,
+ project_id: project.to_param,
+ format: :json
+ end
+ end
+
 describe 'POST #create' do
 let(:label) { create(:label, project: project, name: 'Development') }
 
diff --git a/spec/controllers/projects/boards_controller_spec.rb b/spec/controllers/projects/boards_controller_spec.rb
index 7ef4b786b42d8df45a3a57848bb926de092adb72..2c0e3e5df31e5fd997846abac88e0005adeae1ad 100644
--- a/spec/controllers/projects/boards_controller_spec.rb
+++ b/spec/controllers/projects/boards_controller_spec.rb
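Review bot: All three examples under `GET #index` sign in a member who holds `:read_list`; nothing exercises an anonymous request or a project with no board, which are exactly the paths where the controller's unguarded `project.board.lists` call and the `before_action` ordering matter. A fourth example along the lines of `it 'returns a 404 response when the project has no board'` (or whichever status the controller is meant to return there) would pin that behaviour down. The description `'returns a successful 403 response with unauthorized user'` is also misleading, since a 403 is not a success; `'returns a 403 response when the user cannot read lists'` states what is asserted. Whether the outer `let(:project)` already carries a board is outside this hunk.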
@@ -10,64 +10,24 @@ describe Projects::BoardsController do
 end
 
 describe 'GET #show' do
- context 'when project does not have a board' do
- it 'creates a new board' do
- expect { read_board }.to change(Board, :count).by(1)
- end
+ it 'creates a new board when project does not have one' do
+ expect { read_board }.to change(Board, :count).by(1)
 end
 
- context 'when format is HTML' do
- it 'renders HTML template' do
- read_board
+ it 'renders HTML template' do
+ read_board
 
- expect(response).to render_template :show
- expect(response.content_type).to eq 'text/html'
- end
-
- context 'with unauthorized user' do
- it 'returns a successful 404 response' do
- allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
- allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
-
- read_board
-
- expect(response).to have_http_status(404)
- end
- end
+ expect(response).to render_template :show
+ expect(response.content_type).to eq 'text/html'
 end
 
- context 'when format is JSON' do
- it 'returns a successful 200 response' do
- read_board format: :json
-
- expect(response).to have_http_status(200)
- expect(response.content_type).to eq 'application/json'
- end
-
- it 'returns a list of board lists' do
- board = project.create_board
- create(:backlog_list, board: board)
- create(:list, board: board)
- create(:done_list, board: board)
-
- read_board format: :json
-
- parsed_response = JSON.parse(response.body)
-
- expect(response).to match_response_schema('list', array: true)
- expect(parsed_response.length).to eq 3
- end
-
- context 'with unauthorized user' do
- it 'returns a successful 403 response' do
- allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
- allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
+ it 'returns a successful 404 response with unauthorized user' do
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
 
- read_board format: :json
+ read_board
 
- expect(response).to have_http_status(403)
- end
- end
+ expect(response).to have_http_status(404)
 end
 
 def read_board(format: :html)
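Review bot: After this rewrite no example covers `GET #show` with `format: :json`, even though the controller now declares `respond_to :html` and the helper on the last context line still accepts a `format:` keyword; one example asserting that the JSON variant is rejected (the exact status, likely 406, depends on how this Rails version handles an unmatched `respond_to` format) would lock in that the list payload is only reachable through `lists#index`. Otherwise the unused `format:` keyword should be dropped from `read_board` so the helper matches what the remaining examples actually pass. The body of `read_board` continues outside the hunk.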