summaryrefslogtreecommitdiff
path: root/spec/policies
diff options
context:
space:
mode:
authorMałgorzata Ksionek <meksionek@gmail.com>2019-02-11 12:53:58 +0100
committerMałgorzata Ksionek <meksionek@gmail.com>2019-02-28 15:27:49 +0100
commit3a321c80031630c3687cfdc08699bb0824a3dbfa (patch)
tree80e5db873438058b8357b630243cf5ae984ef08f /spec/policies
parentd40a3809fd387f8dc9a28218a004260b600a1412 (diff)
downloadgitlab-ce-3a321c80031630c3687cfdc08699bb0824a3dbfa.tar.gz
Secure vulerability and add specs
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/group_policy_spec.rb40
1 files changed, 34 insertions, 6 deletions
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index be1804c5ce0..4c31ff30fc6 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -74,6 +74,38 @@ describe GroupPolicy do
end
end
+ context 'with no user and public project' do
+ let(:project) { create(:project, :public) }
+ let(:user) { create(:user) }
+ let(:current_user) { nil }
+
+ before do
+ Projects::GroupLinks::CreateService.new(
+ project,
+ user,
+ link_group_access: ProjectGroupLink::DEVELOPER
+ ).execute(group)
+ end
+
+ it { expect_disallowed(:read_group) }
+ end
+
+ context 'with foreign user and public project' do
+ let(:project) { create(:project, :public) }
+ let(:user) { create(:user) }
+ let(:current_user) { create(:user) }
+
+ before do
+ Projects::GroupLinks::CreateService.new(
+ project,
+ user,
+ link_group_access: ProjectGroupLink::DEVELOPER
+ ).execute(group)
+ end
+
+ it { expect_disallowed(:read_group) }
+ end
+
context 'has projects' do
let(:current_user) { create(:user) }
let(:project) { create(:project, namespace: group) }
@@ -82,17 +114,13 @@ describe GroupPolicy do
project.add_developer(current_user)
end
- it do
- expect_allowed(:read_group, :read_label)
- end
+ it { expect_allowed(:read_label) }
context 'in subgroups', :nested_groups do
let(:subgroup) { create(:group, :private, parent: group) }
let(:project) { create(:project, namespace: subgroup) }
- it do
- expect_allowed(:read_group, :read_label)
- end
+ it { expect_allowed(:read_label) }
end
end