summaryrefslogtreecommitdiff
path: root/spec/mailers
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2016-07-01 22:23:26 +0000
committerDouwe Maan <douwe@gitlab.com>2016-07-01 22:23:26 +0000
commitd1c94f034bbf688248f46482b941fe673940c6b0 (patch)
tree768ea37a0dd881c4e8bded1532fa6bac06e20d27 /spec/mailers
parent0ccdc631e6f45c0fd327631decb47f80d781302e (diff)
parentbd78f5733ca546bf940438b84aefa2fa3abacb36 (diff)
downloadgitlab-ce-d1c94f034bbf688248f46482b941fe673940c6b0.tar.gz
Merge branch 'explicit-requesters-scope' into 'master'
Exclude requesters from Project#members, Group#members and User#members ## What does this MR do? It excludes requesters from the `Project#members`, `Group#members` and `User#members` associations, and adds new `Project#requesters` and `Group#requesters` associations. ## Are there points in the code the reviewer needs to double check? No. ## Why was this MR needed? Without this, if you call `project.members`, requesters are included in the results! This is at best misleading, and at worst can lead to security issues. By excluding requesters from the `#members` associations, we avoid introducing security inadvertently since you have to call the `#requesters` association explicitly to get requesters. ## What are the relevant issue numbers? This is something I realized while fixing the security issue #19102. ## Does this MR meet the acceptance criteria? - [x] I don't think this needs a CHANGELOG since this is an internal change - Tests - [x] Added for this feature/bug - [ ] All builds are passing - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] Branch has no merge conflicts with `master` (if you do - rebase it please) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) See merge request !4946
Diffstat (limited to 'spec/mailers')
-rw-r--r--spec/mailers/notify_spec.rb10
1 files changed, 5 insertions, 5 deletions
diff --git a/spec/mailers/notify_spec.rb b/spec/mailers/notify_spec.rb
index 016856a62f8..aa382f930d7 100644
--- a/spec/mailers/notify_spec.rb
+++ b/spec/mailers/notify_spec.rb
@@ -406,7 +406,7 @@ describe Notify do
let(:user) { create(:user) }
let(:project_member) do
project.request_access(user)
- project.members.request.find_by(user_id: user.id)
+ project.requesters.find_by(user_id: user.id)
end
subject { Notify.member_access_requested_email('project', project_member.id) }
@@ -433,7 +433,7 @@ describe Notify do
let(:user) { create(:user) }
let(:project_member) do
project.request_access(user)
- project.members.request.find_by(user_id: user.id)
+ project.requesters.find_by(user_id: user.id)
end
subject { Notify.member_access_requested_email('project', project_member.id) }
@@ -459,7 +459,7 @@ describe Notify do
let(:user) { create(:user) }
let(:project_member) do
project.request_access(user)
- project.members.request.find_by(user_id: user.id)
+ project.requesters.find_by(user_id: user.id)
end
subject { Notify.member_access_denied_email('project', project.id, user.id) }
@@ -684,7 +684,7 @@ describe Notify do
let(:user) { create(:user) }
let(:group_member) do
group.request_access(user)
- group.members.request.find_by(user_id: user.id)
+ group.requesters.find_by(user_id: user.id)
end
subject { Notify.member_access_requested_email('group', group_member.id) }
@@ -705,7 +705,7 @@ describe Notify do
let(:user) { create(:user) }
let(:group_member) do
group.request_access(user)
- group.members.request.find_by(user_id: user.id)
+ group.requesters.find_by(user_id: user.id)
end
subject { Notify.member_access_denied_email('group', group.id, user.id) }
View Lorry Controller Status