author | Douwe Maan <douwe@gitlab.com> | 2016-11-30 08:11:43 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2016-12-06 12:26:48 +1100 |
commit | 29ceb98b5162677601702704e89d845580372078 (patch) | |
tree | 8df439d9a22ff3cbda523148d8e40ae0fbcf47de /spec/finders | |
parent | f0f514ac25763a5e02aac7abb8a7528a0437577f (diff) | |
download | gitlab-ce-29ceb98b5162677601702704e89d845580372078.tar.gz |
Merge branch 'issue_25064' into 'security'
Ensure state param has a valid value when filtering issuables.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064
This fix makes sure we only call safe methods on issuable when filtering by state.
See merge request !2038
Diffstat (limited to 'spec/finders')
-rw-r--r-- | spec/finders/issues_finder_spec.rb | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/spec/finders/issues_finder_spec.rb b/spec/finders/issues_finder_spec.rb
index 40bccb8e50b..7f69e888f32 100644
--- a/spec/finders/issues_finder_spec.rb
+++ b/spec/finders/issues_finder_spec.rb
@@ -10,6 +10,7 @@ describe IssuesFinder do
 let(:issue1) { create(:issue, author: user, assignee: user, project: project1, milestone: milestone, title: 'gitlab') }
 let(:issue2) { create(:issue, author: user, assignee: user, project: project2, description: 'gitlab') }
 let(:issue3) { create(:issue, author: user2, assignee: user2, project: project2) }
+ let(:closed_issue) { create(:issue, author: user2, assignee: user2, project: project2, state: 'closed') }
 let!(:label_link) { create(:label_link, label: label, target: issue2) }
 before do
@@ -25,7 +26,7 @@ describe IssuesFinder do
 describe '#execute' do
 let(:search_user) { user }
 let(:params) { {} }
- let(:issues) { IssuesFinder.new(search_user, params.merge(scope: scope, state: 'opened')).execute }
+ let(:issues) { IssuesFinder.new(search_user, params.reverse_merge(scope: scope, state: 'opened')).execute }
 context 'scope: all' do
 let(:scope) { 'all' }
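Review bot: `closed_issue` is declared with a lazy `let`, so the 'with opened' example added in the last hunk, which never references it, presumably runs without a closed record in the database and cannot fail if the finder starts returning closed issues. Declaring it as `let!(:closed_issue) { create(:issue, author: user2, assignee: user2, project: project2, state: 'closed') }`, or touching it in the `before` block whose body lies outside this hunk, would make the exclusion actually tested. The 'with closed' and 'with all' examples appear to pass only because the relation returned by `execute` is loaded after the matcher argument has been evaluated; eager creation would remove that ordering dependency as well.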
@@ -143,6 +144,40 @@ describe IssuesFinder do
 end
 end
+ context 'filtering by state' do
+ context 'with opened' do
+ let(:params) { { state: 'opened' } }
+
+ it 'returns only opened issues' do
+ expect(issues).to contain_exactly(issue1, issue2, issue3)
+ end
+ end
+
+ context 'with closed' do
+ let(:params) { { state: 'closed' } }
+
+ it 'returns only closed issues' do
+ expect(issues).to contain_exactly(closed_issue)
+ end
+ end
+
+ context 'with all' do
+ let(:params) { { state: 'all' } }
+
+ it 'returns all issues' do
+ expect(issues).to contain_exactly(issue1, issue2, issue3, closed_issue)
+ end
+ end
+
+ context 'with invalid state' do
+ let(:params) { { state: 'invalid_state' } }
+
+ it 'returns all issues' do
+ expect(issues).to contain_exactly(issue1, issue2, issue3, closed_issue)
+ end
+ end
+ end
+
 context 'when the user is unauthorized' do
 let(:search_user) { nil } |
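Review bot: The 'with invalid state' example only uses a string that matches nothing, so it does not pin the property the commit message describes, namely that the state value is never dispatched as a method on the issuable relation. The finder change is not part of this diffstat, so this is inferred; an extra example whose `state` names a method that does exist on the relation but is not an accepted state, asserting the full set is still returned, would guard against a regression to dynamic dispatch. It would also help to cover a non-string value such as `let(:params) { { state: ['closed'] } }`, since request parameters can arrive as arrays or hashes. A comment above the context such as `# Unknown state values must fall back to the unfiltered set, never to a method call` would record the intent.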