Merge remote-tracking branch 'origin/master' into bitbucket-oauth2

2 files changed, 110 insertions, 0 deletions

diff --git a/spec/controllers/profiles/personal_access_tokens_spec.rb b/spec/controllers/profiles/personal_access_tokens_spec.rb
new file mode 100644
index 00000000000..45534a3a587
--- /dev/null
+++ b/spec/controllers/profiles/personal_access_tokens_spec.rb
@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe Profiles::PersonalAccessTokensController do
+  let(:user) { create(:user) }
+
+  describe '#create' do
+    def created_token
+      PersonalAccessToken.order(:created_at).last
+    end
+
+    before { sign_in(user) }
+
+    it "allows creation of a token" do
+      name = FFaker::Product.brand
+
+      post :create, personal_access_token: { name: name }
+
+      expect(created_token).not_to be_nil
+      expect(created_token.name).to eq(name)
+      expect(created_token.expires_at).to be_nil
+      expect(PersonalAccessToken.active).to include(created_token)
+    end
+
+    it "allows creation of a token with an expiry date" do
+      expires_at = 5.days.from_now
+
+      post :create, personal_access_token: { name: FFaker::Product.brand, expires_at: expires_at }
+
+      expect(created_token).not_to be_nil
+      expect(created_token.expires_at.to_i).to eq(expires_at.to_i)
+    end
+
+    context "scopes" do
+      it "allows creation of a token with scopes" do
+        post :create, personal_access_token: { name: FFaker::Product.brand, scopes: ['api', 'read_user'] }
+
+        expect(created_token).not_to be_nil
+        expect(created_token.scopes).to eq(['api', 'read_user'])
+      end
+
+      it "allows creation of a token with no scopes" do
+        post :create, personal_access_token: { name: FFaker::Product.brand, scopes: [] }
+
+        expect(created_token).not_to be_nil
+        expect(created_token.scopes).to eq([])
+      end
+    end
+  end
+end
diff --git a/spec/controllers/search_controller_spec.rb b/spec/controllers/search_controller_spec.rb
new file mode 100644
index 00000000000..b7bb9290712
--- /dev/null
+++ b/spec/controllers/search_controller_spec.rb
@@ -0,0 +1,61 @@
+require 'spec_helper'
+
+describe SearchController do
+  let(:user)    { create(:user) }
+  let(:project) { create(:empty_project, :public) }
+
+  before do
+    sign_in(user)
+  end
+
+  it 'finds issue comments' do
+    project = create(:empty_project, :public)
+    note = create(:note_on_issue, project: project)
+
+    get :show, project_id: project.id, scope: 'notes', search: note.note
+
+    expect(assigns[:search_objects].first).to eq note
+  end
+
+  context 'on restricted projects' do
+    context 'when signed out' do
+      before { sign_out(user) }
+
+      it "doesn't expose comments on issues" do
+        project = create(:empty_project, :public, issues_access_level: ProjectFeature::PRIVATE)
+        note = create(:note_on_issue, project: project)
+
+        get :show, project_id: project.id, scope: 'notes', search: note.note
+
+        expect(assigns[:search_objects].count).to eq(0)
+      end
+    end
+
+    it "doesn't expose comments on issues" do
+      project = create(:empty_project, :public, issues_access_level: ProjectFeature::PRIVATE)
+      note = create(:note_on_issue, project: project)
+
+      get :show, project_id: project.id, scope: 'notes', search: note.note
+
+      expect(assigns[:search_objects].count).to eq(0)
+    end
+
+    it "doesn't expose comments on merge_requests" do
+      project = create(:empty_project, :public, merge_requests_access_level: ProjectFeature::PRIVATE)
+      note = create(:note_on_merge_request, project: project)
+
+      get :show, project_id: project.id, scope: 'notes', search: note.note
+
+      expect(assigns[:search_objects].count).to eq(0)
+    end
+
+    it "doesn't expose comments on snippets" do
+      project = create(:empty_project, :public, snippets_access_level: ProjectFeature::PRIVATE)
+      note = create(:note_on_project_snippet, project: project)
+
+      get :show, project_id: project.id, scope: 'notes', search: note.note
+
+      expect(assigns[:search_objects].count).to eq(0)
+    end
+  end
+end