
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
-rw-r--r--app/controllers/projects/boards/lists_controller.rb11
-rw-r--r--app/controllers/projects/boards_controller.rb16
-rw-r--r--app/models/ability.rb2
-rw-r--r--config/routes.rb2
-rw-r--r--spec/controllers/projects/boards/lists_controller_spec.rb40
-rw-r--r--spec/controllers/projects/boards_controller_spec.rb62
6 files changed, 68 insertions, 65 deletions
diff --git a/app/controllers/projects/boards/lists_controller.rb b/app/controllers/projects/boards/lists_controller.rb
index b426dc25e0d..4726ab88dcf 100644
--- a/app/controllers/projects/boards/lists_controller.rb
+++ b/app/controllers/projects/boards/lists_controller.rb
@@ -1,7 +1,12 @@
module Projects
module Boards
class ListsController < Boards::ApplicationController
- before_action :authorize_admin_list!
+ before_action :authorize_admin_list!, only: [:create, :update, :destroy, :generate]
+ before_action :authorize_read_list!, only: [:index]
+
+ def index
+ render json: project.board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :description, :color, :priority] } })
+ end
def create
list = ::Boards::Lists::CreateService.new(project, current_user, list_params).execute
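Review bot: Both `before_action` lines enumerate actions with `only:`, so any action added to this controller later runs with no authorization filter unless someone remembers to extend one of the lists. Keeping the stricter check as the default fails closed: `before_action :authorize_admin_list!, except: [:index]` next to `before_action :authorize_read_list!, only: [:index]`. Separately, `index` calls `project.board.lists` directly; if a project can exist without a board (the board appears to be created in `Projects::BoardsController#show`), that chain would raise on nil, so a guard or an explicit empty-array response is worth considering. The class body continues outside the hunk.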
@@ -49,6 +54,10 @@ module Projects
return render_403 unless can?(current_user, :admin_list, project)
end
+ def authorize_read_list!
+ return render_403 unless can?(current_user, :read_list, project)
+ end
+
def list_params
params.require(:list).permit(:label_id)
end
diff --git a/app/controllers/projects/boards_controller.rb b/app/controllers/projects/boards_controller.rb
index 052c15f99d0..33206717089 100644
--- a/app/controllers/projects/boards_controller.rb
+++ b/app/controllers/projects/boards_controller.rb
@@ -1,23 +1,15 @@
class Projects::BoardsController < Projects::ApplicationController
+ respond_to :html
+
before_action :authorize_read_board!, only: [:show]
def show
- board = Boards::CreateService.new(project, current_user).execute
-
- respond_to do |format|
- format.html
- format.json { render json: board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :description, :color, :priority] } }) }
- end
+ ::Boards::CreateService.new(project, current_user).execute
end
private
def authorize_read_board!
- unless can?(current_user, :read_board, project)
- respond_to do |format|
- format.html { return access_denied! }
- format.json { return render_403 }
- end
- end
+ return access_denied! unless can?(current_user, :read_board, project)
end
end
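Review bot: `show` still runs `::Boards::CreateService.new(project, current_user).execute` on a GET, so any principal that passes `:read_board` causes a write simply by loading the page. The spec shows this is intended, but it deserves a comment above `show`, for example `# Creates the project's board on first visit; CreateService must stay idempotent and safe to run for read-only users.` Also, the class-level `respond_to :html` presumably only takes effect through `respond_with`, which `show` does not call, so how a `.json` request to this action is now answered should be pinned by a spec, since the JSON branch and its 403 path were removed.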
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 4458ee1d590..55265c3cfcb 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -91,6 +91,7 @@ class Ability
rules = [
:read_project,
:read_board,
+ :read_list,
:read_wiki,
:read_label,
:read_milestone,
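Review bot: `:read_list` is added next to `:read_board` in this rule list and again in the hunk at line 231, but the hunks do not show whether every place that grants or revokes `:read_board` was updated. If any code elsewhere in `Ability` strips `:read_board` (for example when a project feature is disabled), `:read_list` has to be stripped there too, otherwise `lists#index` stays readable while the board page is denied. A comment at both lists such as `# :read_list must be granted and revoked together with :read_board` would make the coupling explicit. The enclosing methods start and end outside both hunks.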
@@ -230,6 +231,7 @@ class Ability
:read_wiki,
:read_issue,
:read_board,
+ :read_list,
:read_label,
:read_milestone,
:read_project_snippet,
diff --git a/config/routes.rb b/config/routes.rb
index b74d6fa4464..09a8945c59e 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -860,7 +860,7 @@ Rails.application.routes.draw do
scope module: :boards do
resources :issues, only: [:update]
- resources :lists, only: [:create, :update, :destroy] do
+ resources :lists, only: [:index, :create, :update, :destroy] do
collection do
post :generate
end
diff --git a/spec/controllers/projects/boards/lists_controller_spec.rb b/spec/controllers/projects/boards/lists_controller_spec.rb
index 3d7d3588165..8e6b496e1d6 100644
--- a/spec/controllers/projects/boards/lists_controller_spec.rb
+++ b/spec/controllers/projects/boards/lists_controller_spec.rb
@@ -11,6 +11,46 @@ describe Projects::Boards::ListsController do
project.team << [guest, :guest]
end
+ describe 'GET #index' do
+ it 'returns a successful 200 response' do
+ read_board_list user: user
+
+ expect(response).to have_http_status(200)
+ expect(response.content_type).to eq 'application/json'
+ end
+
+ it 'returns a list of board lists' do
+ board = project.create_board
+ create(:backlog_list, board: board)
+ create(:list, board: board)
+ create(:done_list, board: board)
+
+ read_board_list user: user
+
+ parsed_response = JSON.parse(response.body)
+
+ expect(response).to match_response_schema('list', array: true)
+ expect(parsed_response.length).to eq 3
+ end
+
+ it 'returns a successful 403 response with unauthorized user' do
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_list, project).and_return(false)
+
+ read_board_list user: user
+
+ expect(response).to have_http_status(403)
+ end
+
+ def read_board_list(user:)
+ sign_in(user)
+
+ get :index, namespace_id: project.namespace.to_param,
+ project_id: project.to_param,
+ format: :json
+ end
+ end
+
describe 'POST #create' do
let(:label) { create(:label, project: project, name: 'Development') }
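Review bot: The 403 example stubs `Ability.abilities.allowed?` for `:read_list`, so the rule lists this commit changes in `app/models/ability.rb` are never exercised here, and a mistake in them would go unnoticed. An example that signs in a user with no access to the project, and another with no signed-in user, each asserting the denial, would cover the real rule tables instead of the stub. The example name is also misleading; `it 'returns a forbidden 403 response with unauthorized user' do` says what is actually asserted.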
diff --git a/spec/controllers/projects/boards_controller_spec.rb b/spec/controllers/projects/boards_controller_spec.rb
index 7ef4b786b42..2c0e3e5df31 100644
--- a/spec/controllers/projects/boards_controller_spec.rb
+++ b/spec/controllers/projects/boards_controller_spec.rb
@@ -10,64 +10,24 @@ describe Projects::BoardsController do
end
describe 'GET #show' do
- context 'when project does not have a board' do
- it 'creates a new board' do
- expect { read_board }.to change(Board, :count).by(1)
- end
+ it 'creates a new board when project does not have one' do
+ expect { read_board }.to change(Board, :count).by(1)
end
- context 'when format is HTML' do
- it 'renders HTML template' do
- read_board
+ it 'renders HTML template' do
+ read_board
- expect(response).to render_template :show
- expect(response.content_type).to eq 'text/html'
- end
-
- context 'with unauthorized user' do
- it 'returns a successful 404 response' do
- allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
- allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
-
- read_board
-
- expect(response).to have_http_status(404)
- end
- end
+ expect(response).to render_template :show
+ expect(response.content_type).to eq 'text/html'
end
- context 'when format is JSON' do
- it 'returns a successful 200 response' do
- read_board format: :json
-
- expect(response).to have_http_status(200)
- expect(response.content_type).to eq 'application/json'
- end
-
- it 'returns a list of board lists' do
- board = project.create_board
- create(:backlog_list, board: board)
- create(:list, board: board)
- create(:done_list, board: board)
-
- read_board format: :json
-
- parsed_response = JSON.parse(response.body)
-
- expect(response).to match_response_schema('list', array: true)
- expect(parsed_response.length).to eq 3
- end
-
- context 'with unauthorized user' do
- it 'returns a successful 403 response' do
- allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
- allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
+ it 'returns a successful 404 response with unauthorized user' do
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
- read_board format: :json
+ read_board
- expect(response).to have_http_status(403)
- end
- end
+ expect(response).to have_http_status(404)
end
def read_board(format: :html)