author | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2016-04-29 18:56:53 +0200 |
---|---|---|
committer | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2016-04-29 18:56:53 +0200 |
commit | 9ef50db6279d722caed1ab1e4576275428e6a94f (patch) | |
tree | 4c8904969b8ddc568c0d7eb4a9a96270084af1ec | |
parent | d698d3e846c83f49cd363291dd811220c338c8e9 (diff) | |
download | gitlab-ce-9ef50db6279d722caed1ab1e4576275428e6a94f.tar.gz |
Specify that oauth cannot push code
-rw-r--r-- | spec/requests/git_http_spec.rb | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 20c7357cba5..14d126480a3 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -179,6 +179,25 @@ describe 'Git HTTP requests', lib: true do
 end
 end
+ context "when an oauth token is provided" do
+ before do
+ application = Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user)
+ @token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id)
+ end
+
+ it "downloads get status 200" do
+ clone_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token
+
+ expect(response.status).to eq(200)
+ end
+
+ it "uploads get status 401 (no project existence information leak)" do
+ push_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token
+
+ expect(response.status).to eq(401)
+ end
+ end
+
 context "when blank password attempts follow a valid login" do
 def attempt_login(include_password)
 password = include_password ? user.password : "" |
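Review bot: Both examples in the new `context "when an oauth token is provided"` authenticate with a freshly created, unrevoked token, so nothing here pins that a revoked or expired OAuth token is refused on `clone_get`; because a valid token yields 200, that is the case a later regression could open unnoticed. Consider a third example that calls `@token.revoke` before `clone_get` and asserts `expect(response.status).to eq(401)`, assuming `project` is private in this context, which the hunk does not show. The upload example also covers only `push_get`; if the push itself goes through a separate request path, an example for that path would make the commit title's claim complete. As a style point, `let(:token) { ... }` would read better than assigning `@token` inside `before`. The enclosing `describe` block starts and ends outside the hunk.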