From 6b68acbfe9db1d3c855d7505817ebca62e3a61c1 Mon Sep 17 00:00:00 2001
From: Patrick Bajao
Date: Mon, 1 Jul 2019 16:23:23 +0800
Subject: [PATCH] Check if user can `update_issue` on project
If user can update an issue under the specified confidential issue project, should be able to find the project.
---
 app/controllers/projects/branches_controller.rb | 2 +-
 spec/controllers/projects/branches_controller_spec.rb | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/controllers/projects/branches_controller.rb b/app/controllers/projects/branches_controller.rb
index b3dfafb7b87..5e50801eb23 100644
--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
@@ -170,7 +170,7 @@ class Projects::BranchesController < Projects::ApplicationController
 confidential_issue_project = Project.find(params[:confidential_issue_project_id])
- return unless can?(current_user, :push_code, confidential_issue_project)
+ return unless can?(current_user, :update_issue, confidential_issue_project)
 confidential_issue_project
 end
diff --git a/spec/controllers/projects/branches_controller_spec.rb b/spec/controllers/projects/branches_controller_spec.rb
index 712c3fa0ffe..dbc8681eb49 100644
--- a/spec/controllers/projects/branches_controller_spec.rb
+++ b/spec/controllers/projects/branches_controller_spec.rb
@@ -124,7 +124,7 @@ describe Projects::BranchesController do
 stub_feature_flags(create_confidential_merge_request: true)
 end
- context 'user cannot push code to issue project' do
+ context 'user cannot update issue' do
 let(:issue) { create(:issue, project: confidential_issue_project) }
 it 'does not post a system note' do
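Review bot: `Project.find` on the request-supplied `confidential_issue_project_id` runs before the ability check, so an id that matches no project raises `ActiveRecord::RecordNotFound`, while an existing project the user may not touch falls through to the bare `return`. If the caller renders those two outcomes differently, the response reveals whether a given project id exists. Looking the record up with `Project.find_by(id: params[:confidential_issue_project_id])` and guarding with `return unless confidential_issue_project && can?(current_user, :update_issue, confidential_issue_project)` would make both cases return nil. Because this commit lowers the required ability from `:push_code` to `:update_issue`, a short comment above the guard saying why issue-level access is sufficient here would record the intent. The method starts above the hunk, so earlier guards are not visible.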
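Review bot: The negative context shows no membership setup for `user` within the visible lines, so the spec only contrasts a non-member with a reporter and does not pin where the `:update_issue` boundary sits. Adding a context with `confidential_issue_project.add_guest(user)` that also expects no system note would catch a later policy change that widens the ability, assuming guests are meant to be excluded. A case for a `confidential_issue_project_id` that matches no project would likewise document how the controller is expected to respond. The `it` block continues past the end of the hunk.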
@@ -134,9 +134,9 @@ describe Projects::BranchesController do
 end
 end
- context 'user can push code to issue project' do
+ context 'user can update issue' do
 before do
- confidential_issue_project.add_developer(user)
+ confidential_issue_project.add_reporter(user)
 end
 context 'issue is under the specified project' do
-- GitLab