diff options
author | Sean McGivern <sean@gitlab.com> | 2017-06-13 17:14:57 +0000 |
---|---|---|
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2017-07-19 15:54:53 +0100 |
commit | 406ab9b2aa24b7ede6ebbd48f338462f7d947583 (patch) | |
tree | cb7f12c54c3fb409ef7fda86ec67bab0718b632b /spec/controllers/dashboard/todos_controller_spec.rb | |
parent | aaa1a18fbd8abffb57b6d8617684e082ece69d15 (diff) | |
download | gitlab-ce-406ab9b2aa24b7ede6ebbd48f338462f7d947583.tar.gz |
Merge branch '33303-9-1-security-fix' into 'security-9-1'
[9.1 security fix] Renders 404 if given project is not readable by the user on Todos dashboard
See merge request !2120
Diffstat (limited to 'spec/controllers/dashboard/todos_controller_spec.rb')
-rw-r--r-- | spec/controllers/dashboard/todos_controller_spec.rb | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb index 6075259ea99..d8e46dcd9ad 100644 --- a/spec/controllers/dashboard/todos_controller_spec.rb +++ b/spec/controllers/dashboard/todos_controller_spec.rb @@ -14,6 +14,36 @@ describe Dashboard::TodosController do end describe 'GET #index' do + context 'project authorization' do + it 'renders 404 when user does not have read access on given project' do + unauthorized_project = create(:empty_project, :private) + + get :index, project_id: unauthorized_project.id + + expect(response).to have_http_status(404) + end + + it 'renders 404 when given project does not exists' do + get :index, project_id: 999 + + expect(response).to have_http_status(404) + end + + it 'renders 200 when filtering for "any project" todos' do + get :index, project_id: '' + + expect(response).to have_http_status(200) + end + + it 'renders 200 when user has access on given project' do + authorized_project = create(:empty_project, :public) + + get :index, project_id: authorized_project.id + + expect(response).to have_http_status(200) + end + end + context 'when using pagination' do let(:last_page) { user.todos.page.total_pages } let!(:issues) { create_list(:issue, 2, project: project, assignee: user) } |