diff options
author | Bob Van Landuyt <bob@vanlanduyt.co> | 2017-10-09 12:02:40 +0200 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2017-10-09 12:02:40 +0200 |
commit | 524f65152fde2591a52d4c58d14c643ce379ec5b (patch) | |
tree | d4ba7ddb7fbb96925fb746f61bf0e22e8b8697d8 /spec/controllers/concerns | |
parent | da5073cc15935a953870d5932468c94f79d31a0b (diff) | |
download | gitlab-ce-524f65152fde2591a52d4c58d14c643ce379ec5b.tar.gz |
Only expand ancestors when searching
Not all_groups, since that would expose groups the user does not have
access to
Diffstat (limited to 'spec/controllers/concerns')
-rw-r--r-- | spec/controllers/concerns/group_tree_spec.rb | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/spec/controllers/concerns/group_tree_spec.rb b/spec/controllers/concerns/group_tree_spec.rb index 2fe041a5ecc..ba84fbf8564 100644 --- a/spec/controllers/concerns/group_tree_spec.rb +++ b/spec/controllers/concerns/group_tree_spec.rb @@ -9,7 +9,7 @@ describe GroupTree do include GroupTree # rubocop:disable RSpec/DescribedClass def index - render_group_tree Group.all + render_group_tree GroupsFinder.new(current_user).execute end end @@ -52,6 +52,17 @@ describe GroupTree do expect(assigns(:groups)).to contain_exactly(group, subgroup) end + + it 'does not include groups the user does not have access to' do + parent = create(:group, :private) + subgroup = create(:group, :private, parent: parent, name: 'filter') + subgroup.add_developer(user) + _other_subgroup = create(:group, :private, parent: parent, name: 'filte') + + get :index, filter: 'filt', format: :json + + expect(assigns(:groups)).to contain_exactly(parent, subgroup) + end end context 'json content' do |