diff options
author | Małgorzata Ksionek <meksionek@gmail.com> | 2019-02-11 12:53:58 +0100 |
---|---|---|
committer | Małgorzata Ksionek <meksionek@gmail.com> | 2019-02-28 15:27:49 +0100 |
commit | 3a321c80031630c3687cfdc08699bb0824a3dbfa (patch) | |
tree | 80e5db873438058b8357b630243cf5ae984ef08f /spec/policies | |
parent | d40a3809fd387f8dc9a28218a004260b600a1412 (diff) | |
download | gitlab-ce-3a321c80031630c3687cfdc08699bb0824a3dbfa.tar.gz |
Secure vulerability and add specs
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/group_policy_spec.rb | 40 |
1 files changed, 34 insertions, 6 deletions
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index be1804c5ce0..4c31ff30fc6 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -74,6 +74,38 @@ describe GroupPolicy do end end + context 'with no user and public project' do + let(:project) { create(:project, :public) } + let(:user) { create(:user) } + let(:current_user) { nil } + + before do + Projects::GroupLinks::CreateService.new( + project, + user, + link_group_access: ProjectGroupLink::DEVELOPER + ).execute(group) + end + + it { expect_disallowed(:read_group) } + end + + context 'with foreign user and public project' do + let(:project) { create(:project, :public) } + let(:user) { create(:user) } + let(:current_user) { create(:user) } + + before do + Projects::GroupLinks::CreateService.new( + project, + user, + link_group_access: ProjectGroupLink::DEVELOPER + ).execute(group) + end + + it { expect_disallowed(:read_group) } + end + context 'has projects' do let(:current_user) { create(:user) } let(:project) { create(:project, namespace: group) } @@ -82,17 +114,13 @@ describe GroupPolicy do project.add_developer(current_user) end - it do - expect_allowed(:read_group, :read_label) - end + it { expect_allowed(:read_label) } context 'in subgroups', :nested_groups do let(:subgroup) { create(:group, :private, parent: group) } let(:project) { create(:project, namespace: subgroup) } - it do - expect_allowed(:read_group, :read_label) - end + it { expect_allowed(:read_label) } end end |