diff options
Diffstat (limited to 'app/controllers/projects/analytics/cycle_analytics/stages_controller.rb')
-rw-r--r-- | app/controllers/projects/analytics/cycle_analytics/stages_controller.rb | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/app/controllers/projects/analytics/cycle_analytics/stages_controller.rb b/app/controllers/projects/analytics/cycle_analytics/stages_controller.rb index 7b38c069a60..ab2cf3abdde 100644 --- a/app/controllers/projects/analytics/cycle_analytics/stages_controller.rb +++ b/app/controllers/projects/analytics/cycle_analytics/stages_controller.rb @@ -2,6 +2,7 @@ class Projects::Analytics::CycleAnalytics::StagesController < Projects::ApplicationController include ::Analytics::CycleAnalytics::StageActions + include Gitlab::Utils::StrongMemoize extend ::Gitlab::Utils::Override respond_to :json @@ -10,6 +11,7 @@ class Projects::Analytics::CycleAnalytics::StagesController < Projects::Applicat before_action :authorize_read_cycle_analytics! before_action :only_default_value_stream_is_allowed! + before_action :authorize_stage!, only: [:median, :count, :average, :records] urgency :low @@ -25,7 +27,26 @@ class Projects::Analytics::CycleAnalytics::StagesController < Projects::Applicat Analytics::CycleAnalytics::ProjectValueStream end + override :cycle_analytics_configuration + def cycle_analytics_configuration(stages) + super(stages.select { |stage| permitted_stage?(stage) }) + end + def only_default_value_stream_is_allowed! render_404 if params[:value_stream_id] != Analytics::CycleAnalytics::Stages::BaseService::DEFAULT_VALUE_STREAM_NAME end + + def permitted_stage?(stage) + permissions[stage.name.to_sym] # name matches the permission key (only when default stages are used) + end + + def permissions + strong_memoize(:permissions) do + Gitlab::CycleAnalytics::Permissions.new(user: current_user, project: parent).get + end + end + + def authorize_stage! + render_403 unless permitted_stage?(stage) + end end |