From b2da8042b4d11db246a26b63eebc78a3c0660b08 Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Thu, 14 Feb 2019 13:19:59 -0800
Subject: Fix 403 errors when adding an assignee list in project boards

Due to a bug in `BoardPolicy`, users were getting back a 403 error when
trying to assign users to an assignee list and seeing "Something went
wrong while fetching assignees list". For some reason, the declarative
policy runtime was ignoring the ternary condition.

To work around the issue, we make the project board an explicit
condition check.

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/9727
---
 app/policies/board_policy.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'app/policies/board_policy.rb')

diff --git a/app/policies/board_policy.rb b/app/policies/board_policy.rb
index 46db008421f..4bf1e7bd3e1 100644
--- a/app/policies/board_policy.rb
+++ b/app/policies/board_policy.rb
@@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy
   delegate { @subject.parent }
 
   condition(:is_group_board) { @subject.group_board? }
+  condition(:is_project_board) { @subject.project_board? }
 
-  rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
+  rule { is_project_board & can?(:read_project) }.enable :read_parent
 
   rule { is_group_board & can?(:read_group) }.policy do
+    enable :read_parent
     enable :read_milestone
     enable :read_issue
   end
-- 
cgit v1.2.3