From 910c60c342f53fc16798eb66f212966731fd5284 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Mon, 25 Mar 2024 12:51:52 +0100
Subject: [PATCH] Do not expose updatedAt changing for admins in work packages
The field may be updating due to external changes (causes, default values, rescheduling)
---
 .../work_packages/create_contract.rb | 2 +-
 .../work_packages/create_contract_spec.rb | 2 +-
 .../create_service_integration_spec.rb | 29 ++++++++++++++-----
 3 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/app/contracts/work_packages/create_contract.rb b/app/contracts/work_packages/create_contract.rb
index e8086638b262..9c8c735e7ad9 100644
--- a/app/contracts/work_packages/create_contract.rb
+++ b/app/contracts/work_packages/create_contract.rb
@@ -31,7 +31,7 @@ module WorkPackages
 class CreateContract < BaseContract
 include AdminWritableTimestamps
- allow_writable_timestamps
+ allow_writable_timestamps :created_at
 attribute :author_id, writable: -> { default_attributes_admin_writable? }
diff --git a/spec/contracts/work_packages/create_contract_spec.rb b/spec/contracts/work_packages/create_contract_spec.rb
index 810bca17a333..4820e03b5823 100644
--- a/spec/contracts/work_packages/create_contract_spec.rb
+++ b/spec/contracts/work_packages/create_contract_spec.rb
@@ -161,7 +161,7 @@
 let(:user) { build_stubbed(:admin) }
 it_behaves_like "can write", :created_at, 1.day.ago
- it_behaves_like "can write", :updated_at, 1.day.ago
+ it_behaves_like "can not write", :updated_at, 1.day.ago
 it_behaves_like "can write", :author_id, 1234
 end
diff --git a/spec/services/work_packages/create_service_integration_spec.rb b/spec/services/work_packages/create_service_integration_spec.rb
index 7c9b1373706c..5ff940d2c415 100644
--- a/spec/services/work_packages/create_service_integration_spec.rb
+++ b/spec/services/work_packages/create_service_integration_spec.rb
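Review bot: The new `allow_writable_timestamps :created_at` line in `app/contracts/work_packages/create_contract.rb` gives no hint of why `updated_at` is left off the allowlist; that reasoning exists only in the commit message. A one-line comment above the call would keep a later edit from re-adding it, for example `# updated_at stays server-controlled: it also changes through causes, default values and rescheduling`. The macro is defined in `AdminWritableTimestamps`, which is outside this hunk, so its behaviour with an argument cannot be confirmed from here. Judging by the old spec, the bare call presumably allowed both timestamps, so any other contract that still calls it without arguments is worth checking for the same exposure.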
@@ -231,25 +231,41 @@
 shared_let(:other_user) { create(:user) }
 let(:created_at) { 11.days.ago }
- let(:updated_at) { 10.days.ago }
 let(:attributes) do
 {
 subject: "child",
 project:,
 author: other_user,
- created_at:,
- updated_at:
+ created_at:
 }
 end
 context "when enabled", with_settings: { apiv3_write_readonly_attributes: true } do
- it "updates the timestamps correctly" do
+ it "sets created_at accordingly" do
 expect(service_result)
 .to be_success
 expect(new_work_package.created_at).to be_within(1.second).of(created_at)
- expect(new_work_package.updated_at).to be_within(1.second).of(updated_at)
+ end
+ end
+
+ context "when enabled, but disallowed field", with_settings: { apiv3_write_readonly_attributes: true } do
+ let(:attributes) do
+ {
+ subject: "child",
+ project:,
+ author: other_user,
+ updated_at: created_at
+ }
+ end
+
+ it "rejects updated_at" do
+ expect(service_result)
+ .not_to be_success
+
+ expect(new_work_package.errors.symbols_for(:updated_at))
+ .to contain_exactly(:error_readonly)
 end
 end
@@ -260,9 +276,6 @@
 expect(new_work_package.errors.symbols_for(:created_at))
 .to contain_exactly(:error_readonly)
-
- expect(new_work_package.errors.symbols_for(:updated_at))
- .to contain_exactly(:error_readonly)
 end
 end
 end
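Review bot: In the new "when enabled, but disallowed field" context the payload carries only `updated_at`, so no integration case covers a request that sets `created_at` and `updated_at` together, which is the shape the old test used. Adding `created_at:` to that context's `attributes` hash would show that the allowed field does not mask the rejection of the disallowed one. The positive case "sets created_at accordingly" also no longer says anything about `updated_at`; if a backdated `created_at` is meant to leave `updated_at` at the server's own value, an expectation for that would pin it. With the second hunk dropping the `updated_at` check from the disabled-setting case, that path is presumably left to the contract spec, which is worth confirming.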