summaryrefslogtreecommitdiff
path: root/spec/controllers/projects
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 15:41:13 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 15:41:13 +0000
commit1e61fc763e645038f2da69fc9af6fe166a6b101a (patch)
tree76053795a637d056347c1891d98935c0361a331d /spec/controllers/projects
parent57b9b49b27a730294ae37d2ac25cab943f4b801d (diff)
downloadgitlab-ce-1e61fc763e645038f2da69fc9af6fe166a6b101a.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee
Diffstat (limited to 'spec/controllers/projects')
-rw-r--r--spec/controllers/projects/deploy_keys_controller_spec.rb38
1 files changed, 37 insertions, 1 deletions
diff --git a/spec/controllers/projects/deploy_keys_controller_spec.rb b/spec/controllers/projects/deploy_keys_controller_spec.rb
index 1b2b326b6e9..9d41e2f59cb 100644
--- a/spec/controllers/projects/deploy_keys_controller_spec.rb
+++ b/spec/controllers/projects/deploy_keys_controller_spec.rb
@@ -256,7 +256,7 @@ describe Projects::DeployKeysController do
end
def deploy_key_params(title, can_push)
- deploy_keys_projects_attributes = { '0' => { id: deploy_keys_project, can_push: can_push } }
+ deploy_keys_projects_attributes = { '0' => { can_push: can_push } }
{ deploy_key: { title: title, deploy_keys_projects_attributes: deploy_keys_projects_attributes } }
end
@@ -300,6 +300,42 @@ describe Projects::DeployKeysController do
expect { subject }.to change { deploy_keys_project.reload.can_push }.from(false).to(true)
end
end
+
+ context 'when a different deploy key id param is injected' do
+ let(:extra_params) { deploy_key_params('updated title', '1') }
+ let(:hacked_params) do
+ extra_params.reverse_merge(id: other_deploy_key_id,
+ namespace_id: project.namespace,
+ project_id: project)
+ end
+
+ subject { put :update, params: hacked_params }
+
+ context 'and that deploy key id exists' do
+ let(:other_project) { create(:project) }
+ let(:other_deploy_key) do
+ key = create(:deploy_key)
+ project.deploy_keys << key
+ key
+ end
+
+ let(:other_deploy_key_id) { other_deploy_key.id }
+
+ it 'does not update the can_push attribute' do
+ expect { subject }.not_to change { deploy_key.deploy_keys_project_for(project).can_push }
+ end
+ end
+
+ context 'and that deploy key id does not exist' do
+ let(:other_deploy_key_id) { 9999 }
+
+ it 'returns 404' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
end
context 'with admin as project maintainer' do