author | Ruben Davila <rdavila84@gmail.com> | 2016-06-24 16:20:53 -0500 |
---|---|---|
committer | Ruben Davila <rdavila84@gmail.com> | 2016-06-24 16:20:53 -0500 |
commit | 7627cc19897d1ff8963fde37697e6dc5d32e51ba (patch) | |
tree | bb932e1bb8e65b79ca3571e922663b83d70381b3 | |
parent | e6d87b39e4ae29e6be499aa5f11a2db99a20b648 (diff) | |
download | gitlab-ce-7627cc19897d1ff8963fde37697e6dc5d32e51ba.tar.gz |
Validate presence of essential params for diff renderingissue_19096
This will avoid application errors generated by the assumption of the
presence of these params.
-rw-r--r-- | app/controllers/projects/blob_controller.rb | 7 | ||||
-rw-r--r-- | spec/controllers/projects/blob_controller_spec.rb | 40 |
2 files changed, 47 insertions, 0 deletions
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index cd8b2911674..7599fec3cdf 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -16,6 +16,7 @@ class Projects::BlobController < Projects::ApplicationController
 before_action :from_merge_request, only: [:edit, :update]
 before_action :require_branch_head, only: [:edit, :update]
 before_action :editor_variables, except: [:show, :preview, :diff]
+ before_action :validate_diff_params, only: :diff
 def new
 commit unless @repository.empty?
@@ -146,4 +147,10 @@ class Projects::BlobController < Projects::ApplicationController
 file_content_encoding: params[:encoding]
 }
 end
+
+ def validate_diff_params
+ if [:since, :to, :offset].any? { |key| params[key].blank? }
+ render nothing: true
+ end
+ end
 end
diff --git a/spec/controllers/projects/blob_controller_spec.rb b/spec/controllers/projects/blob_controller_spec.rb
new file mode 100644
index 00000000000..9444a50b1ce
--- /dev/null
+++ b/spec/controllers/projects/blob_controller_spec.rb
@@ -0,0 +1,40 @@
+require 'rails_helper'
+
+describe Projects::BlobController do
+ let(:project) { create(:project) }
+ let(:user) { create(:user) }
+
+ before do
+ user = create(:user)
+ project.team << [user, :master]
+
+ sign_in(user)
+ end
+
+ describe 'GET diff' do
+ render_views
+
+ def do_get(opts = {})
+ params = { namespace_id: project.namespace.to_param,
+ project_id: project.to_param,
+ id: 'master/CHANGELOG' }
+ get :diff, params.merge(opts)
+ end
+
+ context 'when essential params are missing' do
+ it 'renders nothing' do
+ do_get
+
+ expect(response.body).to be_blank
+ end
+ end
+
+ context 'when essential params are present' do
+ it 'renders the diff content' do
+ do_get(since: 1, to: 5, offset: 10)
+
+ expect(response.body).to be_present
+ end
+ end
+ end
+end |
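Review bot: `validate_diff_params` only checks that `since`, `to` and `offset` are non-blank, so a non-numeric string or a nested value such as `since[]=x` still passes the filter and reaches the `diff` action, whose body is outside this hunk. If that action treats the values as line numbers (not visible here), the filter should accept only non-negative integers, for example `params[key].to_s =~ /\A\d+\z/` for each key. Separately, `render nothing: true` answers 200 with an empty body, so malformed requests look like successes in access logs and monitoring; `head :bad_request` would make them distinguishable, provided the front-end caller tolerates a 4xx here. The method is also added at the bottom of the class without a visible `private` marker in this hunk; if none precedes it, it would be routable as an action and should be moved under `private`.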
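Review bot: In the spec's `before` block, `user = create(:user)` shadows `let(:user)`, so the `let` is never used and the signed-in user is a separate record; dropping the local assignment and using the `let` value directly (`project.team << [user, :master]`) removes the ambiguity. The two examples assert only that the body is blank or present, which would also pass on an error page or a redirect, so adding `expect(response).to have_http_status(:ok)` (or the chosen rejection status) would pin the behaviour. There is also no case with only one of the three params missing or with a non-numeric value, which are the inputs the new filter is meant to guard against.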