authorYorick Peterse <yorickpeterse@gmail.com>2019-03-04 18:37:10 +0000
committerYorick Peterse <yorickpeterse@gmail.com>2019-03-04 18:37:10 +0000
commit6683298fe6d85bb0785906723663482798418907 (patch)
treefafecb6b03174e521879d21f81d8bf39120c51c5 /spec/finders
parenta43fd6acb697edc897e930dee7c636e4d714565e (diff)
parent325527e6ca7635aeeea8e0beb7523c3892e21bf6 (diff)
downloadgitlab-ce-6683298fe6d85bb0785906723663482798418907.tar.gz
Merge branch 'security-commit-private-related-mr' into 'master'
Don't allow non-members to see private related MRs Closes #2787 See merge request gitlab/gitlabhq!2866
Diffstat (limited to 'spec/finders')
-rw-r--r--spec/finders/merge_requests_finder_spec.rb26
1 files changed, 25 insertions, 1 deletions
diff --git a/spec/finders/merge_requests_finder_spec.rb b/spec/finders/merge_requests_finder_spec.rb
index 107da08a0a9..79f854cdb96 100644
--- a/spec/finders/merge_requests_finder_spec.rb
+++ b/spec/finders/merge_requests_finder_spec.rb
@@ -31,7 +31,7 @@ describe MergeRequestsFinder do
p
end
end
- let(:project4) { create_project_without_n_plus_1(group: subgroup) }
+ let(:project4) { create_project_without_n_plus_1(:repository, group: subgroup) }
let(:project5) { create_project_without_n_plus_1(group: subgroup) }
let(:project6) { create_project_without_n_plus_1(group: subgroup) }
@@ -68,6 +68,15 @@ describe MergeRequestsFinder do
expect(merge_requests.size).to eq(2)
end
+ it 'filters by commit sha' do
+ merge_requests = described_class.new(
+ user,
+ commit_sha: merge_request5.merge_request_diff.last_commit_sha
+ ).execute
+
+ expect(merge_requests).to contain_exactly(merge_request5)
+ end
+
context 'filtering by group' do
it 'includes all merge requests when user has access' do
params = { group_id: group.id }
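Review bot: The new 'filters by commit sha' example only runs the `commit_sha:` lookup as `user`, who can already see `merge_request5`, so it pins the filter but not the access check this merge is about. The restricted-project context added in the hunk at new line 278 queries by `project_id:` only, which leaves the combination of a non-member and a commit SHA untested in this file. Consider a second example in that context that passes `commit_sha: merge_request.merge_request_diff.last_commit_sha` with `non_member` and expects `be_empty`. The diffstat shown is limited to spec/finders, so this case may already be covered by another spec in the same merge.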
@@ -269,6 +278,21 @@ describe MergeRequestsFinder do
expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request)
end
end
+
+ context 'when project restricts merge requests' do
+ let(:non_member) { create(:user) }
+ let(:project) { create(:project, :repository, :public, :merge_requests_private) }
+ let!(:merge_request) { create(:merge_request, source_project: project) }
+
+ it "returns nothing to to non members" do
+ merge_requests = described_class.new(
+ non_member,
+ project_id: project.id
+ ).execute
+
+ expect(merge_requests).to be_empty
+ end
+ end
end
describe '#row_count', :request_store do
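Review bot: The non-member example asserts only `be_empty`, which would also pass if the finder returned nothing for every caller (for instance if the fixture merge request were not matched at all), so a positive control for a project member belongs in the same context. The example description also has a doubled word: `"returns nothing to to non members"` should read `'returns nothing to non-members'`. A signed-out (nil) user is a separate caller this context does not exercise; whether the finder treats it like a non-member is not visible from this hunk.

```ruby
# … unchanged: non_member / project / merge_request lets and the non-member example …

it 'returns the merge request to project members' do
  member = create(:user)
  project.add_developer(member)

  merge_requests = described_class.new(
    member,
    project_id: project.id
  ).execute

  expect(merge_requests).to contain_exactly(merge_request)
end
```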