authorDouglas Barbosa Alexandre <dbalexandre@gmail.com>2016-08-09 01:03:41 +0300
committerDouglas Barbosa Alexandre <dbalexandre@gmail.com>2016-08-17 18:58:59 +0300
commita8b1ad250e1ebc1c1e835399ccd010b223108a1d (patch)
tree6d863ac30dcc7db0238ad5b6c3f82988b7bc1029 /app
parent6113767045971abd3a279705f481c8e712660c88 (diff)
Add authorization to issues board related controllers
Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/board_issues_controller.rb11
-rw-r--r--app/controllers/projects/board_lists_controller.rb6
-rw-r--r--app/controllers/projects/boards_controller.rb13
-rw-r--r--app/models/ability.rb2
-rw-r--r--app/services/boards/issues/move_service.rb1
5 files changed, 32 insertions, 1 deletions
diff --git a/app/controllers/projects/board_issues_controller.rb b/app/controllers/projects/board_issues_controller.rb
index fdc3a8795ef..89d0be54855 100644
--- a/app/controllers/projects/board_issues_controller.rb
+++ b/app/controllers/projects/board_issues_controller.rb
@@ -1,6 +1,9 @@
class Projects::BoardIssuesController < Projects::ApplicationController
respond_to :json
+ before_action :authorize_read_issue!, only: [:index]
+ before_action :authorize_update_issue!, only: [:update]
+
rescue_from ActiveRecord::RecordNotFound, with: :record_not_found
def index
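Review bot: Both new filters are action allow-lists (`only: [:index]`, `only: [:update]`), so any action added to this controller later runs with no authorization at all until someone remembers to extend the lists; the BoardListsController filter in the same commit applies unconditionally. A default-deny shape costs one line: drop the `only:` from the read filter, `before_action :authorize_read_issue!`, and keep `before_action :authorize_update_issue!, only: [:update]` on top of it, so every action needs at least read access. Whether the controller defines actions other than index and update is not visible in this hunk.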
@@ -27,6 +30,14 @@ class Projects::BoardIssuesController < Projects::ApplicationController
private
+ def authorize_read_issue!
+ return render_403 unless can?(current_user, :read_issue, project)
+ end
+
+ def authorize_update_issue!
+ return render_403 unless can?(current_user, :update_issue, project)
+ end
+
def filter_params
params.merge(id: params[:list_id])
end
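Review bot: `authorize_update_issue!` evaluates `can?(current_user, :update_issue, project)`, an ability on the project, whereas the check this commit deletes from Boards::Issues::MoveService (`user.can?(:update_issue, issue)`) was evaluated against the specific issue being moved. If issue-level authorization can be narrower than project-level (confidential issues are the usual case in this codebase, if that applies here), a user who may update issues in general can now move an issue they could not touch before. Either keep the per-issue check in the service, or resolve the issue in the controller before authorizing and check `return render_403 unless can?(current_user, :update_issue, issue)`; the `update` action and how it looks up the issue are outside this hunk. The explicit `return` before `render_403` is redundant in a before_action, since Rails halts the filter chain once a response has been rendered, but it is harmless.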
diff --git a/app/controllers/projects/board_lists_controller.rb b/app/controllers/projects/board_lists_controller.rb
index 63daba09e6a..75b80c55b21 100644
--- a/app/controllers/projects/board_lists_controller.rb
+++ b/app/controllers/projects/board_lists_controller.rb
@@ -1,6 +1,8 @@
class Projects::BoardListsController < Projects::ApplicationController
respond_to :json
+ before_action :authorize_admin_list!
+
rescue_from ActiveRecord::RecordNotFound, with: :record_not_found
def create
@@ -45,6 +47,10 @@ class Projects::BoardListsController < Projects::ApplicationController
private
+ def authorize_admin_list!
+ return render_403 unless can?(current_user, :admin_list, project)
+ end
+
def list_params
params.require(:list).permit(:label_id)
end
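Review bot: `authorize_admin_list!` is the third copy of the same one-liner shape, `return render_403 unless can?(current_user, ABILITY, project)`, that this commit adds (the other two are in BoardIssuesController); a single parameterized helper on the shared base controller, or a generic `authorize_*!` dispatcher if Projects::ApplicationController already provides one (verify), would keep the three from drifting apart. On the security side the filter here correctly has no `only:`, so create, update, destroy and any action added later all require `:admin_list`; the ability itself is added to Ability in this commit next to `:admin_label`, which matches lists being label-backed (`params.require(:list).permit(:label_id)`).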
diff --git a/app/controllers/projects/boards_controller.rb b/app/controllers/projects/boards_controller.rb
index 50311acec32..301c718ad57 100644
--- a/app/controllers/projects/boards_controller.rb
+++ b/app/controllers/projects/boards_controller.rb
@@ -1,4 +1,6 @@
class Projects::BoardsController < Projects::ApplicationController
+ before_action :authorize_read_board!, only: [:show]
+
def show
board = Boards::CreateService.new(project, current_user).execute
@@ -7,4 +9,15 @@ class Projects::BoardsController < Projects::ApplicationController
format.json { render json: board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :color] } }) }
end
end
+
+ private
+
+ def authorize_read_board!
+ unless can?(current_user, :read_board, project)
+ respond_to do |format|
+ format.html { return access_denied! }
+ format.json { return render_403 }
+ end
+ end
+ end
end
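Review bot: The `return` inside `format.html { return access_denied! }` and `format.json { return render_403 }` is a non-local return from a block back out of `authorize_read_board!`; it works only because `respond_to` calls the block synchronously, and nothing consumes the method's return value in a before_action, so it reads as if it does something it does not. A guard clause makes the intent plain and drops the nested `unless`. Separately, `:read_board` now gates `show`, but `show` (line `board = Boards::CreateService.new(project, current_user).execute`) creates the board on first access, so a read ability authorizes a write; if that is intended, a comment such as `# show lazily creates the board, so read_board is enough to trigger creation` on the filter line would record the decision.
```ruby
  def authorize_read_board!
    return if can?(current_user, :read_board, project)

    respond_to do |format|
      format.html { access_denied! }
      format.json { render_403 }
    end
  end
```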
diff --git a/app/models/ability.rb b/app/models/ability.rb
index d9113ffd99a..b70451db12f 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -228,6 +228,7 @@ class Ability
:read_project,
:read_wiki,
:read_issue,
+ :read_board,
:read_label,
:read_milestone,
:read_project_snippet,
@@ -249,6 +250,7 @@ class Ability
:update_issue,
:admin_issue,
:admin_label,
+ :admin_list,
:read_commit_status,
:read_build,
:read_container_image,
diff --git a/app/services/boards/issues/move_service.rb b/app/services/boards/issues/move_service.rb
index 398a02ebbfd..381bd95c837 100644
--- a/app/services/boards/issues/move_service.rb
+++ b/app/services/boards/issues/move_service.rb
@@ -4,7 +4,6 @@ module Boards
def execute
return false unless issue.present?
return false unless valid_move?
- return false unless user.can?(:update_issue, issue)
update_service.execute(issue)
reopen_service.execute(issue) if moving_from.done?