BigW Consortium Gitlab

Commit c9be74e2 by Felipe Artur

Fix single note api request

parent 93ca5c99
...@@ -397,5 +397,9 @@ module API ...@@ -397,5 +397,9 @@ module API
error!(errors[:access_level], 422) if errors[:access_level].any? error!(errors[:access_level], 422) if errors[:access_level].any?
not_found!(errors) not_found!(errors)
end end
def noteable_ability_name(noteable)
"read_#{noteable.class.to_s.underscore.downcase}".to_sym
end
end end
end end
...@@ -20,9 +20,8 @@ module API ...@@ -20,9 +20,8 @@ module API
# GET /projects/:id/snippets/:noteable_id/notes # GET /projects/:id/snippets/:noteable_id/notes
get ":id/#{noteables_str}/:#{noteable_id_str}/notes" do get ":id/#{noteables_str}/:#{noteable_id_str}/notes" do
@noteable = user_project.send(noteables_str.to_sym).find(params[noteable_id_str.to_sym]) @noteable = user_project.send(noteables_str.to_sym).find(params[noteable_id_str.to_sym])
read_ability_name = "read_#{@noteable.class.to_s.underscore.downcase}".to_sym
if can?(current_user, read_ability_name, @noteable) if can?(current_user, noteable_ability_name(@noteable), @noteable)
# We exclude notes that are cross-references and that cannot be viewed # We exclude notes that are cross-references and that cannot be viewed
# by the current user. By doing this exclusion at this level and not # by the current user. By doing this exclusion at this level and not
# at the DB query level (which we cannot in that case), the current # at the DB query level (which we cannot in that case), the current
...@@ -52,11 +51,12 @@ module API ...@@ -52,11 +51,12 @@ module API
get ":id/#{noteables_str}/:#{noteable_id_str}/notes/:note_id" do get ":id/#{noteables_str}/:#{noteable_id_str}/notes/:note_id" do
@noteable = user_project.send(noteables_str.to_sym).find(params[noteable_id_str.to_sym]) @noteable = user_project.send(noteables_str.to_sym).find(params[noteable_id_str.to_sym])
@note = @noteable.notes.find(params[:note_id]) @note = @noteable.notes.find(params[:note_id])
can_read_note = can?(current_user, noteable_ability_name(@noteable), @noteable) && !@note.cross_reference_not_visible_for?(current_user)
if @note.cross_reference_not_visible_for?(current_user) if can_read_note
not_found!("Note")
else
present @note, with: Entities::Note present @note, with: Entities::Note
else
not_found!("Note")
end end
end end
......
...@@ -3,7 +3,7 @@ require 'spec_helper' ...@@ -3,7 +3,7 @@ require 'spec_helper'
describe API::API, api: true do describe API::API, api: true do
include ApiHelpers include ApiHelpers
let(:user) { create(:user) } let(:user) { create(:user) }
let!(:project) { create(:project, namespace: user.namespace) } let!(:project) { create(:project, :public, namespace: user.namespace) }
let!(:issue) { create(:issue, project: project, author: user) } let!(:issue) { create(:issue, project: project, author: user) }
let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) } let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) }
let!(:snippet) { create(:project_snippet, project: project, author: user) } let!(:snippet) { create(:project_snippet, project: project, author: user) }
...@@ -51,7 +51,7 @@ describe API::API, api: true do ...@@ -51,7 +51,7 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
end end
context "that references a private issue" do context "and current user cannot view the notes" do
it "should return an empty array" do it "should return an empty array" do
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", user) get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", user)
...@@ -142,13 +142,24 @@ describe API::API, api: true do ...@@ -142,13 +142,24 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
end end
context "that references a private issue" do context "and current user cannot view the note" do
it "should return a 404 error" do it "should return a 404 error" do
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", user) get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", user)
expect(response.status).to eq(404) expect(response.status).to eq(404)
end end
context "when issue is confidential" do
before { issue.update_attributes(confidential: true) }
it "returns 404" do
get api("/projects/#{project.id}/issues/#{issue.id}/notes/#{issue_note.id}", private_user)
expect(response.status).to eq(404)
end
end
context "and current user can view the note" do context "and current user can view the note" do
it "should return an issue note by id" do it "should return an issue note by id" do
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", private_user) get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", private_user)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment