Add latest changes from gitlab-org/gitlab@master

3 files changed, 45 insertions, 3 deletions

diff --git a/spec/models/abuse_report_spec.rb b/spec/models/abuse_report_spec.rb
index 95e61488c80..29baccfe0ee 100644
--- a/spec/models/abuse_report_spec.rb
+++ b/spec/models/abuse_report_spec.rb
@@ -20,6 +20,11 @@ RSpec.describe AbuseReport, feature_category: :insider_threat do
   end
 
   describe 'validations' do
+    let(:http)  { 'http://gitlab.com' }
+    let(:https) { 'https://gitlab.com' }
+    let(:ftp)   { 'ftp://example.com' }
+    let(:javascript) { 'javascript:alert(window.opener.document.location)' }
+
     it { is_expected.to validate_presence_of(:reporter) }
     it { is_expected.to validate_presence_of(:user) }
     it { is_expected.to validate_presence_of(:message) }
@@ -28,8 +33,16 @@ RSpec.describe AbuseReport, feature_category: :insider_threat do
     it do
       is_expected.to validate_uniqueness_of(:user_id)
         .scoped_to(:reporter_id)
-        .with_message('You have already reported this user')
+        .with_message('has already been reported for abuse')
     end
+
+    it { is_expected.to validate_length_of(:reported_from_url).is_at_most(512).allow_blank }
+    it { is_expected.to allow_value(http).for(:reported_from_url) }
+    it { is_expected.to allow_value(https).for(:reported_from_url) }
+    it { is_expected.not_to allow_value(ftp).for(:reported_from_url) }
+    it { is_expected.not_to allow_value(javascript).for(:reported_from_url) }
+    it { is_expected.to allow_value('http://localhost:9000').for(:reported_from_url) }
+    it { is_expected.to allow_value('https://gitlab.com').for(:reported_from_url) }
   end
 
   describe '#remove_user' do
diff --git a/spec/models/integrations/apple_app_store_spec.rb b/spec/models/integrations/apple_app_store_spec.rb
index dde26e383c7..1a57f556895 100644
--- a/spec/models/integrations/apple_app_store_spec.rb
+++ b/spec/models/integrations/apple_app_store_spec.rb
@@ -29,7 +29,7 @@ RSpec.describe Integrations::AppleAppStore, feature_category: :mobile_devops do
     describe '#fields' do
       it 'returns custom fields' do
         expect(apple_app_store_integration.fields.pluck(:name)).to eq(%w[app_store_issuer_id app_store_key_id
-                                                                         app_store_private_key])
+          app_store_private_key])
       end
     end
 
diff --git a/spec/models/personal_access_token_spec.rb b/spec/models/personal_access_token_spec.rb
index 9d4c53f8d55..f65b5ff824b 100644
--- a/spec/models/personal_access_token_spec.rb
+++ b/spec/models/personal_access_token_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe PersonalAccessToken do
+RSpec.describe PersonalAccessToken, feature_category: :authentication_and_authorization do
   subject { described_class }
 
   describe '.build' do
@@ -210,6 +210,12 @@ RSpec.describe PersonalAccessToken do
       expect(personal_access_token).to be_valid
     end
 
+    it "allows creating a token with `admin_mode` scope" do
+      personal_access_token.scopes = [:api, :admin_mode]
+
+      expect(personal_access_token).to be_valid
+    end
+
     context 'when registry is disabled' do
       before do
         stub_container_registry_config(enabled: false)
@@ -340,4 +346,27 @@ RSpec.describe PersonalAccessToken do
       end
     end
   end
+
+  # During the implementation of Admin Mode for API, tokens of
+  # administrators should automatically get the `admin_mode` scope as well
+  # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692
+  describe '`admin_mode scope' do
+    subject { create(:personal_access_token, user: user, scopes: ['api']) }
+
+    context 'with administrator user' do
+      let_it_be(:user) { create(:user, :admin) }
+
+      it 'adds `admin_mode` scope before created' do
+        expect(subject.scopes).to contain_exactly('api', 'admin_mode')
+      end
+    end
+
+    context 'with normal user' do
+      let_it_be(:user) { create(:user) }
+
+      it 'does not add `admin_mode` scope before created' do
+        expect(subject.scopes).to contain_exactly('api')
+      end
+    end
+  end
 end