Skip to content

G
gitlab-foss

李少辉-开发者 / gitlab-foss

通知 15
Star 0
Fork 0
G
gitlab-foss

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

提交 57eb3954 编写于 作者: G Grzegorz Bizon
浏览文件
操作

Do not pass unsanitized params to issue move service

上级 4cbe87d5
隐藏空白更改
内联 并排
Showing with 11 addition and 9 deletion
app/controllers/projects/issues_controller.rb
浏览文件 @ 57eb3954
...@@ -88,7 +88,8 @@ class Projects::IssuesController < Projects::ApplicationController ...@@ -88,7 +88,8 @@ class Projects::IssuesController < Projects::ApplicationController
def update def update
@issue = Issues::UpdateService.new(project, current_user, issue_params).execute(issue) @issue = Issues::UpdateService.new(project, current_user, issue_params).execute(issue)
move_service = Issues::MoveService.new(project, current_user, params.require(:issue).permit!, @issue) move_service = Issues::MoveService.new(project, current_user, issue_params,
@issue, params['move_to_project_id'])
if move_service.move? if move_service.move?
@issue = move_service.execute @issue = move_service.execute
......
app/services/issues/move_service.rb
浏览文件 @ 57eb3954
module Issues module Issues
class MoveService < Issues::BaseService class MoveService < Issues::BaseService
def initialize(project, current_user, params, issue) def initialize(project, current_user, params, issue, new_project_id)
super(project, current_user, params) super(project, current_user, params)
@issue_old = issue @issue_old = issue
@issue_new = @issue_old.dup @issue_new = @issue_old.dup
@project_old = @project @project_old = @project
@project_new = Project.find(new_project_id) if new_project_id
if params['move_to_project_id']
@project_new = Project.find(params['move_to_project_id'])
end
end end
def execute def execute
......
spec/services/issues/move_service_spec.rb
浏览文件 @ 57eb3954
...@@ -7,10 +7,14 @@ describe Issues::MoveService, services: true do ...@@ -7,10 +7,14 @@ describe Issues::MoveService, services: true do
let(:old_project) { create(:project) } let(:old_project) { create(:project) }
let(:old_issue) { create(:issue, title: title, description: description, project: old_project) } let(:old_issue) { create(:issue, title: title, description: description, project: old_project) }
let(:new_project) { create(:project) } let(:new_project) { create(:project) }
let(:move_service) { described_class.new(old_project, user, move_params, old_issue) } let(:issue_params) { old_issue.serializable_hash }
let(:move_service) do
described_class.new(old_project, user, issue_params, old_issue, new_project_id)
end
shared_context 'issue move requested' do shared_context 'issue move requested' do
let(:move_params) { { 'move_to_project_id' => new_project.id } } let(:new_project_id) { new_project.id }
end end
shared_context 'user can move issue' do shared_context 'user can move issue' do
...@@ -108,7 +112,7 @@ describe Issues::MoveService, services: true do ...@@ -108,7 +112,7 @@ describe Issues::MoveService, services: true do
end end
context 'issue move not requested' do context 'issue move not requested' do
let(:move_params) { {} } let(:new_project_id) { nil }
describe '#move?' do describe '#move?' do
subject { move_service.move? } subject { move_service.move? }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册