Merge branch 'snippets-finder-visibility' into 'security'

Refactor snippets finder & dont return internal snippets for external users See merge request !2094
author: Douwe Maan <douwe@gitlab.com> 2017-04-28 22:06:27 +0000
committer: Bob Van Landuyt <bob@gitlab.com> 2017-05-10 16:48:18 +0200
commit: ad309f5d110ebf8859b2e7196c7a1d0b039c0d7c (patch)
tree: 68e378c1c60578b73f3508b48fea343db0c6a762 /spec/features
parent: 576e244b6c017dcda2d2d848670ec3b60db63409 (diff)
download: gitlab-ce-ad309f5d110ebf8859b2e7196c7a1d0b039c0d7c.tar.gz
4 files changed, 127 insertions, 15 deletions
diff --git a/spec/features/dashboard/snippets_spec.rb b/spec/features/dashboard/snippets_spec.rb
index 62937688c22..c6ba118220a 100644
--- a/spec/features/dashboard/snippets_spec.rb
+++ b/spec/features/dashboard/snippets_spec.rb
@@ -12,4 +12,51 @@ describe 'Dashboard snippets', feature: true do
 
     it_behaves_like 'paginated snippets'
   end
+
+  context 'filtering by visibility' do
+    let(:user) { create(:user) }
+    let!(:snippets) do
+      [
+        create(:personal_snippet, :public, author: user),
+        create(:personal_snippet, :internal, author: user),
+        create(:personal_snippet, :private, author: user),
+        create(:personal_snippet, :public)
+      ]
+    end
+
+    before do
+      login_as(user)
+
+      visit dashboard_snippets_path
+    end
+
+    it 'contains all snippets of logged user' do
+      expect(page).to have_selector('.snippet-row', count: 3)
+
+      expect(page).to have_content(snippets[0].title)
+      expect(page).to have_content(snippets[1].title)
+      expect(page).to have_content(snippets[2].title)
+    end
+
+    it 'contains all private snippets of logged user when clicking on private' do
+      click_link('Private')
+
+      expect(page).to have_selector('.snippet-row', count: 1)
+      expect(page).to have_content(snippets[2].title)
+    end
+
+    it 'contains all internal snippets of logged user when clicking on internal' do
+      click_link('Internal')
+
+      expect(page).to have_selector('.snippet-row', count: 1)
+      expect(page).to have_content(snippets[1].title)
+    end
+
+    it 'contains all public snippets of logged user when clicking on public' do
+      click_link('Public')
+
+      expect(page).to have_selector('.snippet-row', count: 1)
+      expect(page).to have_content(snippets[0].title)
+    end
+  end
 end
diff --git a/spec/features/projects/snippets_spec.rb b/spec/features/projects/snippets_spec.rb
index d37e8ed4699..18689c17fe9 100644
--- a/spec/features/projects/snippets_spec.rb
+++ b/spec/features/projects/snippets_spec.rb
@@ -4,11 +4,27 @@ describe 'Project snippets', feature: true do
   context 'when the project has snippets' do
     let(:project) { create(:empty_project, :public) }
     let!(:snippets) { create_list(:project_snippet, 2, :public, author: project.owner, project: project) }
-    before do
-      allow(Snippet).to receive(:default_per_page).and_return(1)
-      visit namespace_project_snippets_path(project.namespace, project)
+    let!(:other_snippet) { create(:project_snippet) }
+
+    context 'pagination' do
+      before do
+        allow(Snippet).to receive(:default_per_page).and_return(1)
+
+        visit namespace_project_snippets_path(project.namespace, project)
+      end
+
+      it_behaves_like 'paginated snippets'
     end
 
-    it_behaves_like 'paginated snippets'
+    context 'list content' do
+      it 'contains all project snippets' do
+        visit namespace_project_snippets_path(project.namespace, project)
+
+        expect(page).to have_selector('.snippet-row', count: 2)
+
+        expect(page).to have_content(snippets[0].title)
+        expect(page).to have_content(snippets[1].title)
+      end
+    end
   end
 end
diff --git a/spec/features/snippets/explore_spec.rb b/spec/features/snippets/explore_spec.rb
index 10a4597e467..fd097fe2e74 100644
--- a/spec/features/snippets/explore_spec.rb
+++ b/spec/features/snippets/explore_spec.rb
@@ -1,11 +1,11 @@
 require 'rails_helper'
 
 feature 'Explore Snippets', feature: true do
-  scenario 'User should see snippets that are not private' do
-    public_snippet = create(:personal_snippet, :public)
-    internal_snippet = create(:personal_snippet, :internal)
-    private_snippet = create(:personal_snippet, :private)
+  let!(:public_snippet) { create(:personal_snippet, :public) }
+  let!(:internal_snippet) { create(:personal_snippet, :internal) }
+  let!(:private_snippet) { create(:personal_snippet, :private) }
 
+  scenario 'User should see snippets that are not private' do
     login_as create(:user)
     visit explore_snippets_path
 
@@ -13,4 +13,21 @@ feature 'Explore Snippets', feature: true do
     expect(page).to have_content(internal_snippet.title)
     expect(page).not_to have_content(private_snippet.title)
   end
+
+  scenario 'External user should see only public snippets' do
+    login_as create(:user, :external)
+    visit explore_snippets_path
+
+    expect(page).to have_content(public_snippet.title)
+    expect(page).not_to have_content(internal_snippet.title)
+    expect(page).not_to have_content(private_snippet.title)
+  end
+
+  scenario 'Not authenticated user should see only public snippets' do
+    visit explore_snippets_path
+
+    expect(page).to have_content(public_snippet.title)
+    expect(page).not_to have_content(internal_snippet.title)
+    expect(page).not_to have_content(private_snippet.title)
+  end
 end
diff --git a/spec/features/users/snippets_spec.rb b/spec/features/users/snippets_spec.rb
index 1546a06b80c..4efbd672322 100644
--- a/spec/features/users/snippets_spec.rb
+++ b/spec/features/users/snippets_spec.rb
@@ -3,14 +3,46 @@ require 'spec_helper'
 describe 'Snippets tab on a user profile', feature: true, js: true do
   context 'when the user has snippets' do
     let(:user) { create(:user) }
-    let!(:snippets) { create_list(:snippet, 2, :public, author: user) }
-    before do
-      allow(Snippet).to receive(:default_per_page).and_return(1)
-      visit user_path(user)
-      page.within('.user-profile-nav') { click_link 'Snippets' }
-      wait_for_ajax
+
+    context 'pagination' do
+      let!(:snippets) { create_list(:snippet, 2, :public, author: user) }
+
+      before do
+        allow(Snippet).to receive(:default_per_page).and_return(1)
+        visit user_path(user)
+        page.within('.user-profile-nav') { click_link 'Snippets' }
+        wait_for_ajax
+      end
+
+      it_behaves_like 'paginated snippets', remote: true
     end
 
-    it_behaves_like 'paginated snippets', remote: true
+    context 'list content' do
+      let!(:public_snippet) { create(:snippet, :public, author: user) }
+      let!(:internal_snippet) { create(:snippet, :internal, author: user) }
+      let!(:private_snippet) { create(:snippet, :private, author: user) }
+      let!(:other_snippet) { create(:snippet, :public) }
+
+      it 'contains only internal and public snippets of a user when a user is logged in' do
+        login_as(:user)
+        visit user_path(user)
+        page.within('.user-profile-nav') { click_link 'Snippets' }
+        wait_for_ajax
+
+        expect(page).to have_selector('.snippet-row', count: 2)
+
+        expect(page).to have_content(public_snippet.title)
+        expect(page).to have_content(internal_snippet.title)
+      end
+
+      it 'contains only public snippets of a user when a user is not logged in' do
+        visit user_path(user)
+        page.within('.user-profile-nav') { click_link 'Snippets' }
+        wait_for_ajax
+
+        expect(page).to have_selector('.snippet-row', count: 1)
+        expect(page).to have_content(public_snippet.title)
+      end
+    end
   end
 end
author	Douwe Maan <douwe@gitlab.com>	2017-04-28 22:06:27 +0000
committer	Bob Van Landuyt <bob@gitlab.com>	2017-05-10 16:48:18 +0200
commit	ad309f5d110ebf8859b2e7196c7a1d0b039c0d7c (patch)
tree	68e378c1c60578b73f3508b48fea343db0c6a762 /spec/features
parent	576e244b6c017dcda2d2d848670ec3b60db63409 (diff)
download	gitlab-ce-ad309f5d110ebf8859b2e7196c7a1d0b039c0d7c.tar.gz