diff options
| author | John Jarvis <jarv@gitlab.com> | 2019-01-01 20:38:45 +0000 |
|---|---|---|
| committer | John Jarvis <jarv@gitlab.com> | 2019-01-01 20:38:45 +0000 |
| commit | 3fca973e339e9bbf7a2e993bb36e0d800d4e1041 (patch) | |
| tree | e724d9132931c7bb3016ecf5134d7170bc1a35ae /spec/features/merge_request | |
| parent | 0058c97a1b564b7050e17bbf015ca2482f04657f (diff) | |
| parent | 08dbd93bd6e08bca179567a3c020b8fac5139b49 (diff) | |
| download | gitlab-ce-3fca973e339e9bbf7a2e993bb36e0d800d4e1041.tar.gz | |
Merge branch 'security-bvl-fix-cross-project-mr-exposure' into 'master'
[master] Validate projects in MR build service
See merge request gitlab/gitlabhq!2678
Diffstat (limited to 'spec/features/merge_request')
| -rw-r--r-- | spec/features/merge_request/user_tries_to_access_private_repository_through_new_mr_spec.rb | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_tries_to_access_private_repository_through_new_mr_spec.rb b/spec/features/merge_request/user_tries_to_access_private_repository_through_new_mr_spec.rb new file mode 100644 index 00000000000..9318b5f1ebb --- /dev/null +++ b/spec/features/merge_request/user_tries_to_access_private_repository_through_new_mr_spec.rb @@ -0,0 +1,37 @@ +require 'spec_helper' + +describe 'Merge Request > Tries to access private repo of public project' do + let(:current_user) { create(:user) } + let(:private_project) do + create(:project, :public, :repository, + path: 'nothing-to-see-here', + name: 'nothing to see here', + repository_access_level: ProjectFeature::PRIVATE) + end + let(:owned_project) do + create(:project, :public, :repository, + namespace: current_user.namespace, + creator: current_user) + end + + context 'when the user enters the querystring info for the other project' do + let(:mr_path) do + project_new_merge_request_diffs_path( + owned_project, + merge_request: { + source_project_id: private_project.id, + source_branch: 'feature' + } + ) + end + + before do + sign_in current_user + visit mr_path + end + + it "does not mention the project the user can't see the repo of" do + expect(page).not_to have_content('nothing-to-see-here') + end + end +end |