author | DJ Mountney <dj@gitlab.com> | 2017-03-18 04:23:15 +0000 |
---|---|---|
committer | DJ Mountney <david@twkie.net> | 2017-03-20 18:54:17 -0700 |
commit | 7be39a894b27c0c0e4fab52c2f8147f216376538 (patch) | |
tree | 806b9552af5476d8a59d746e5260dade42e4237b /spec/controllers/projects/issues_controller_spec.rb | |
parent | 83a0c39808b132e8759d75cc774e0724f56b17ab (diff) | |
download | gitlab-ce-7be39a894b27c0c0e4fab52c2f8147f216376538.tar.gz |
Merge branch 'render-json-leak' into 'security'
fix for render json include leaks
See merge request !2074
Diffstat (limited to 'spec/controllers/projects/issues_controller_spec.rb')
-rw-r--r-- | spec/controllers/projects/issues_controller_spec.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index 6ceaf96f78f..98f3122240c 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -141,6 +141,24 @@ describe Projects::IssuesController do
 it_behaves_like 'update invalid issuable', Issue
+ context 'changing the assignee' do
+ it 'limits the attributes exposed on the assignee' do
+ assignee = create(:user)
+ project.add_developer(assignee)
+
+ put :update,
+ namespace_id: project.namespace.to_param,
+ project_id: project,
+ id: issue.iid,
+ issue: { assignee_id: assignee.id },
+ format: :json
+ body = JSON.parse(response.body)
+
+ expect(body['assignee'].keys)
+ .to match_array(%w(name username avatar_url))
+ end
+ end
+
+ context 'when moving issue to another private project' do
 let(:another_project) { create(:empty_project, :private) } |
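Review bot: The new example in `context 'changing the assignee'` pins the allow-list only for `body['assignee']`, so an over-broad serialisation elsewhere in the same JSON response would still pass; the controller is not visible here, so whether other user-backed objects are embedded is an assumption to check. If they are, give each the same `match_array` allow-list assertion rather than testing for the absence of particular fields. It would also help to add `expect(response).to have_http_status(200)` before `JSON.parse`, so that a rejected update fails with a clear message instead of a `NoMethodError` on `nil.keys`. A one-line comment above the expectation, such as `# allow-list: adding a key here exposes another user attribute in the JSON response`, would tell the next maintainer why the list must not simply be extended to make the spec pass. The enclosing `describe` block starts and ends outside the hunk.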