summaryrefslogtreecommitdiff
path: root/spec/controllers/projects/tags_controller_spec.rb
diff options
context:
space:
mode:
authorCindy Pallares <cindy@gitlab.com>2018-11-28 19:06:02 +0000
committerCindy Pallares <cindy@gitlab.com>2018-11-28 19:13:59 -0500
commitfe5f75930e781ef854b458fafa307ebb90a8ed2e (patch)
tree7160814e28d056568685e8fe84456755ce02fecd /spec/controllers/projects/tags_controller_spec.rb
parente122e14ac6a25c7813ca888a97bd4a3298e78d9d (diff)
downloadgitlab-ce-fe5f75930e781ef854b458fafa307ebb90a8ed2e.tar.gz
Merge branch 'security-fix-pat-web-access' into 'master'
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2583
Diffstat (limited to 'spec/controllers/projects/tags_controller_spec.rb')
-rw-r--r--spec/controllers/projects/tags_controller_spec.rb22
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/controllers/projects/tags_controller_spec.rb b/spec/controllers/projects/tags_controller_spec.rb
index c48f41ca12e..6fbf75d0259 100644
--- a/spec/controllers/projects/tags_controller_spec.rb
+++ b/spec/controllers/projects/tags_controller_spec.rb
@@ -35,4 +35,26 @@ describe Projects::TagsController do
it { is_expected.to respond_with(:not_found) }
end
end
+
+ context 'private project with token authentication' do
+ let(:private_project) { create(:project, :repository, :private) }
+
+ it_behaves_like 'authenticates sessionless user', :index, :atom do
+ before do
+ default_params.merge!(project_id: private_project, namespace_id: private_project.namespace)
+
+ private_project.add_maintainer(user)
+ end
+ end
+ end
+
+ context 'public project with token authentication' do
+ let(:public_project) { create(:project, :repository, :public) }
+
+ it_behaves_like 'authenticates sessionless user', :index, :atom, public: true do
+ before do
+ default_params.merge!(project_id: public_project, namespace_id: public_project.namespace)
+ end
+ end
+ end
end