diff options
| author | Alex Groleau <agroleau@gitlab.com> | 2019-08-27 12:41:39 -0400 |
|---|---|---|
| committer | Alex Groleau <agroleau@gitlab.com> | 2019-08-27 12:41:39 -0400 |
| commit | aa01f092829facd1044ad02f334422b7dbdc8b0e (patch) | |
| tree | a754bf2497820432df7da0f2108bb7527a8dd7b8 /spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb | |
| parent | a1d9c9994a9a4d79b824c3fd9322688303ac8b03 (diff) | |
| parent | 6b10779053ff4233c7a64c5ab57754fce63f6710 (diff) | |
| download | gitlab-ce-aa01f092829facd1044ad02f334422b7dbdc8b0e.tar.gz | |
Merge branch 'master' of gitlab_gitlab:gitlab-org/gitlab-cerunner-metrics-extractor
Diffstat (limited to 'spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb')
| -rw-r--r-- | spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb b/spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb new file mode 100644 index 00000000000..1ebe9e2e409 --- /dev/null +++ b/spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb @@ -0,0 +1,56 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'Merge Request > User tries to access private project information through the new mr page' do + let(:current_user) { create(:user) } + let(:private_project) do + create(:project, :public, :repository, + path: 'nothing-to-see-here', + name: 'nothing to see here', + repository_access_level: ProjectFeature::PRIVATE) + end + let(:owned_project) do + create(:project, :public, :repository, + namespace: current_user.namespace, + creator: current_user) + end + + context 'when the user enters the querystring info for the other project' do + let(:mr_path) do + project_new_merge_request_diffs_path( + owned_project, + merge_request: { + source_project_id: private_project.id, + source_branch: 'feature' + } + ) + end + + before do + sign_in current_user + visit mr_path + end + + it "does not mention the project the user can't see the repo of" do + expect(page).not_to have_content('nothing-to-see-here') + end + + context 'when the user enters label information from the private project in the querystring' do + let(:inaccessible_label) { create(:label, project: private_project) } + let(:mr_path) do + project_new_merge_request_path( + owned_project, + merge_request: { + label_ids: [inaccessible_label.id], + source_branch: 'feature' + } + ) + end + + it 'does not expose the label name' do + expect(page).not_to have_content(inaccessible_label.name) + end + end + end +end |