diff options
| author | Douwe Maan <douwe@gitlab.com> | 2016-11-18 13:51:52 +0000 |
|---|---|---|
| committer | Alejandro RodrÃguez <alejorro70@gmail.com> | 2016-11-28 21:25:46 -0300 |
| commit | 6d37fe952b5679d7586eaa569d0488dbb92032fe (patch) | |
| tree | 351b4fd2ad8f3bc21da4d8f5eb47947eb10a5de4 /spec/controllers/projects/branches_controller_spec.rb | |
| parent | 742cee756bf39d93fe5c7f207f8a54143ae6a384 (diff) | |
| download | gitlab-ce-6d37fe952b5679d7586eaa569d0488dbb92032fe.tar.gz | |
Merge branch 'jej-fix-missing-access-check-on-issues' into 'security'
Fix missing access checks on issue lookup using IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
- [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39
- `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with
confidential issues, issues only visible to team, etc.
- [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19
- [x] Potential double render in app/controllers/projects/todos_controller.rb
- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24
See merge request !2030
Diffstat (limited to 'spec/controllers/projects/branches_controller_spec.rb')
| -rw-r--r-- | spec/controllers/projects/branches_controller_spec.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/spec/controllers/projects/branches_controller_spec.rb b/spec/controllers/projects/branches_controller_spec.rb index f7cf006efd6..b88586b8678 100644 --- a/spec/controllers/projects/branches_controller_spec.rb +++ b/spec/controllers/projects/branches_controller_spec.rb @@ -94,6 +94,24 @@ describe Projects::BranchesController do branch_name: branch, issue_iid: issue.iid end + + context 'without issue feature access' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC) + project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE) + project.team.truncate + end + + it "doesn't post a system note" do + expect(SystemNoteService).not_to receive(:new_issue_branch) + + post :create, + namespace_id: project.namespace.to_param, + project_id: project.to_param, + branch_name: branch, + issue_iid: issue.iid + end + end end end |