authorDouglas Barbosa Alexandre <dbalexandre@gmail.com>2016-08-08 19:03:41 -0300
committerDouglas Barbosa Alexandre <dbalexandre@gmail.com>2016-08-17 12:58:59 -0300
commita8b1ad250e1ebc1c1e835399ccd010b223108a1d (patch)
tree6d863ac30dcc7db0238ad5b6c3f82988b7bc1029 /spec/controllers/projects/boards_controller_spec.rb
parent6113767045971abd3a279705f481c8e712660c88 (diff)
Add authorization to issues board related controllers
Diffstat (limited to 'spec/controllers/projects/boards_controller_spec.rb')
-rw-r--r--spec/controllers/projects/boards_controller_spec.rb36
1 files changed, 32 insertions, 4 deletions
diff --git a/spec/controllers/projects/boards_controller_spec.rb b/spec/controllers/projects/boards_controller_spec.rb
index 2392ee18602..7ef4b786b42 100644
--- a/spec/controllers/projects/boards_controller_spec.rb
+++ b/spec/controllers/projects/boards_controller_spec.rb
@@ -12,22 +12,33 @@ describe Projects::BoardsController do
describe 'GET #show' do
context 'when project does not have a board' do
it 'creates a new board' do
- expect { get :show, namespace_id: project.namespace.to_param, project_id: project.to_param }.to change(Board, :count).by(1)
+ expect { read_board }.to change(Board, :count).by(1)
end
end
context 'when format is HTML' do
it 'renders HTML template' do
- get :show, namespace_id: project.namespace.to_param, project_id: project.to_param
+ read_board
expect(response).to render_template :show
expect(response.content_type).to eq 'text/html'
end
+
+ context 'with unauthorized user' do
+ it 'returns a successful 404 response' do
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
+
+ read_board
+
+ expect(response).to have_http_status(404)
+ end
+ end
end
context 'when format is JSON' do
it 'returns a successful 200 response' do
- get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, format: :json
+ read_board format: :json
expect(response).to have_http_status(200)
expect(response.content_type).to eq 'application/json'
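Review bot: The 'with unauthorized user' example here (and its JSON twin in the second hunk) stubs `Ability.abilities.allowed?` to return false for `:read_board`, so it proves the controller consults the ability but never exercises the policy with a user who actually lacks access. An extra example that issues the request as a user who is not a member of the project would cover the rule itself; how `user` and `project` are built is outside this hunk, so the exact factory setup would need confirming. Both examples also assert only the status code, while the 'creates a new board' example above shows that `GET #show` creates a `Board` when the project has none, so nothing checks that the authorization failure happens before that side effect; `expect { read_board }.not_to change(Board, :count)` here, and the `format: :json` variant in the 403 example, would pin it. Lastly, `it 'returns a successful 404 response'` contradicts itself; `it 'returns a 404 response'` (and `403` in the second hunk) describes the expectation accurately.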
@@ -39,13 +50,30 @@ describe Projects::BoardsController do
create(:list, board: board)
create(:done_list, board: board)
- get :show, namespace_id: project.namespace.to_param, project_id: project.to_param, format: :json
+ read_board format: :json
parsed_response = JSON.parse(response.body)
expect(response).to match_response_schema('list', array: true)
expect(parsed_response.length).to eq 3
end
+
+ context 'with unauthorized user' do
+ it 'returns a successful 403 response' do
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+ allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
+
+ read_board format: :json
+
+ expect(response).to have_http_status(403)
+ end
+ end
+ end
+
+ def read_board(format: :html)
+ get :show, namespace_id: project.namespace.to_param,
+ project_id: project.to_param,
+ format: format
end
end
end
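Review bot: `read_board` always passes an explicit `format`, so the HTML examples now request `format: :html` where the removed calls sent no format parameter at all; the controller presumably handles both identically, but the spec no longer covers the format-less request a plain browser URL produces. Defaulting to `nil` and adding the key only when given keeps the original requests intact: `params = { namespace_id: project.namespace.to_param, project_id: project.to_param }`, `params[:format] = format if format`, `get :show, params`. The `describe 'GET #show'` block that holds this helper begins outside the hunk.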