Commit ad5894e2 authored by blackst0ne's avatar blackst0ne

Stop unauthorized users dragging on milestone page

parent d6e72f61
@@ -8,6 +8,7 @@ Please view this file on the master branch, on stable branches it's out of date.
@@ -8,6 +8,7 @@ Please view this file on the master branch, on stable branches it's out of date.
- Fix extra space on Build sidebar on Firefox !7060 - Fix extra space on Build sidebar on Firefox !7060
- Fix HipChat notifications rendering (airatshigapov, eisnerd) - Fix HipChat notifications rendering (airatshigapov, eisnerd)
- Add hover to trash icon in notes !7008 (blackst0ne) - Add hover to trash icon in notes !7008 (blackst0ne)
- Stop unauthorized users dragging on milestone page (blackst0ne)
- Escape ref and path for relative links !6050 (winniehell) - Escape ref and path for relative links !6050 (winniehell)
- Simpler arguments passed to named_route on toggle_award_url helper method - Simpler arguments passed to named_route on toggle_award_url helper method
- Fix: Backup restore doesn't clear cache - Fix: Backup restore doesn't clear cache
@@ -38,7 +38,7 @@
@@ -38,7 +38,7 @@
   
&.smoke { background-color: $background-color; } &.smoke { background-color: $background-color; }
   
&:hover { &:not(.ui-sort-disabled):hover {
background: $row-hover; background: $row-hover;
} }
   
@@ -3,8 +3,9 @@
@@ -3,8 +3,9 @@
- assignee = issuable.assignee - assignee = issuable.assignee
- issuable_type = issuable.class.table_name - issuable_type = issuable.class.table_name
- base_url_args = [project.namespace.becomes(Namespace), project, issuable_type] - base_url_args = [project.namespace.becomes(Namespace), project, issuable_type]
- can_update = can?(current_user, :"update_#{issuable.to_ability_name}", issuable)
   
%li{ id: dom_id(issuable, 'sortable'), class: "issuable-row", 'data-iid' => issuable.iid, 'data-url' => polymorphic_path(issuable) } %li{ id: dom_id(issuable, 'sortable'), class: "issuable-row #{'ui-sort-disabled' unless can_update}", 'data-iid' => issuable.iid, 'data-url' => polymorphic_path(issuable) }
%span %span
- if show_project_name - if show_project_name
%strong #{project.name} · %strong #{project.name} ·
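Review bot: The `ui-sort-disabled` class added to the `%li` is a presentation hint computed at render time from `can?(current_user, :"update_#{issuable.to_ability_name}", issuable)`, not an access control, so the restriction holds only as long as the browser honours it. No server-side change is visible on this page, so please confirm that the action the drag triggers enforces the same `update_*` ability and rejects the request otherwise; the feature spec added in this commit asserts only the browser outcome, and a request-level spec for the denied case would pin the server behaviour. I would add a comment above the assignment, `-# UI hint only; the update endpoint must enforce the same ability check`. As a style point, the interpolation leaves a trailing space in `class` when `can_update` is true. The template continues outside the hunk.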
require 'rails_helper'
describe 'Milestone draggable', feature: true, js: true do
let(:milestone) { create(:milestone, project: project, title: 8.14) }
let(:project) { create(:empty_project, :public) }
let(:user) { create(:user) }
context 'issues' do
let(:issue) { page.find_by_id('issues-list-unassigned').find('li') }
let(:issue_target) { page.find_by_id('issues-list-ongoing') }
it 'does not allow guest to drag issue' do
create_and_drag_issue
expect(issue_target).not_to have_selector('.issuable-row')
end
it 'does not allow authorized user to drag issue' do
login_as(user)
create_and_drag_issue
expect(issue_target).not_to have_selector('.issuable-row')
end
it 'allows author to drag issue' do
login_as(user)
create_and_drag_issue(author: user)
expect(issue_target).to have_selector('.issuable-row')
end
it 'allows admin to drag issue' do
login_as(:admin)
create_and_drag_issue
expect(issue_target).to have_selector('.issuable-row')
end
end
context 'merge requests' do
let(:merge_request) { page.find_by_id('merge_requests-list-unassigned').find('li') }
let(:merge_request_target) { page.find_by_id('merge_requests-list-ongoing') }
it 'does not allow guest to drag merge request' do
create_and_drag_merge_request
expect(merge_request_target).not_to have_selector('.issuable-row')
end
it 'does not allow authorized user to drag merge request' do
login_as(user)
create_and_drag_merge_request
expect(merge_request_target).not_to have_selector('.issuable-row')
end
it 'allows author to drag merge request' do
login_as(user)
create_and_drag_merge_request(author: user)
expect(merge_request_target).to have_selector('.issuable-row')
end
it 'allows admin to drag merge request' do
login_as(:admin)
create_and_drag_merge_request
expect(merge_request_target).to have_selector('.issuable-row')
end
end
def create_and_drag_issue(params = {})
create(:issue, params.merge(title: 'Foo', project: project, milestone: milestone))
visit namespace_project_milestone_path(project.namespace, project, milestone)
issue.drag_to(issue_target)
end
def create_and_drag_merge_request(params = {})
create(:merge_request, params.merge(title: 'Foo', source_project: project, target_project: project, milestone: milestone))
visit namespace_project_milestone_path(project.namespace, project, milestone)
page.find("a[href='#tab-merge-requests']").click
merge_request.drag_to(merge_request_target)
end
end
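Review bot: The examples named 'does not allow authorized user to drag issue' and 'does not allow authorized user to drag merge request' log in a plain `create(:user)` that is given no project role in this file, so the names say the opposite of what is tested; `it 'does not allow a signed-in non-member to drag issue'` would read correctly. The negative examples check `not_to have_selector('.issuable-row')` on the target list right after `drag_to`, which presumably also passes if the drag simply has not completed yet; adding `expect(page.find_by_id('issues-list-unassigned')).to have_selector('.issuable-row')` (and the merge-request equivalent) would make the denial explicit. `title: 8.14` passes a Float to the milestone factory, and `title: '8.14'` avoids relying on implicit conversion.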