Adjust 404's for LegacyDiffNote discussion rendering

07f516d1 · Oswaldo Ferreira · 166b4575 · 07f516d1 · 07f516d1 · 07f516d1
Commit 07f516d1 authored Apr 05, 2018 by Oswaldo Ferreira
3 changed files
--- a/app/controllers/projects/discussions_controller.rb
+++ b/app/controllers/projects/discussions_controller.rb
@@ -4,8 +4,8 @@ class Projects::DiscussionsController < Projects::ApplicationController

  before_action :check_merge_requests_available!
  before_action :merge_request
-  before_action :discussion
-  before_action :authorize_resolve_discussion!
+  before_action :discussion, only: [:resolve, :unresolve]
+  before_action :authorize_resolve_discussion!, only: [:resolve, :unresolve]

  def resolve
    Discussions::ResolveService.new(project, current_user, merge_request: merge_request).execute(discussion)

--- a/changelogs/unreleased/osw-44295-adjust-authorization-for-discussions-show.yml
+++ b/changelogs/unreleased/osw-44295-adjust-authorization-for-discussions-show.yml
+---
+title: Adjust 404's for LegacyDiffNote discussion rendering
+merge_request: 18201
+author:
+type: fixed
--- a/spec/controllers/projects/discussions_controller_spec.rb
+++ b/spec/controllers/projects/discussions_controller_spec.rb
@@ -16,6 +16,53 @@ describe Projects::DiscussionsController do
    }
  end

+  describe 'GET show' do
+    before do
+      sign_in user
+    end
+
+    context 'when user is not authorized to read the MR' do
+      it 'returns 404' do
+        get :show, request_params, format: :json
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when user is authorized to read the MR' do
+      before do
+        project.add_reporter(user)
+      end
+
+      it 'returns status 200' do
+        get :show, request_params, format: :json
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'returns status 404 if MR does not exists' do
+        merge_request.destroy!
+
+        get :show, request_params, format: :json
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when user is authorized but note is LegacyDiffNote' do
+      before do
+        project.add_developer(user)
+        note.update!(type: 'LegacyDiffNote')
+      end
+
+      it 'returns status 200' do
+        get :show, request_params, format: :json
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+    end
+  end
+
  describe 'POST resolve' do
    before do
      sign_in user