diff options
| author | Stan Hu <stanhu@gmail.com> | 2016-05-24 17:55:57 -0700 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2016-05-24 18:14:12 -0700 |
| commit | b359d5d57f4b836c04e9e2ef7e1fcb3775bd5305 (patch) | |
| tree | b42616e6cfb255ba085c60c7e8e26fe014f4ddd9 /spec/requests/api/groups_spec.rb | |
| parent | d6e5299fb696ff4aae8bb78b28542f2c87a53dba (diff) | |
| download | gitlab-ce-b359d5d57f4b836c04e9e2ef7e1fcb3775bd5305.tar.gz | |
Fix groups API to list only user's accessible projects
Closes #17496
Diffstat (limited to 'spec/requests/api/groups_spec.rb')
| -rw-r--r-- | spec/requests/api/groups_spec.rb | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index 37ddab83c30..7ecefce80d6 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb @@ -12,6 +12,7 @@ describe API::API, api: true do let!(:group2) { create(:group, :private) } let!(:project1) { create(:project, namespace: group1) } let!(:project2) { create(:project, namespace: group2) } + let!(:project3) { create(:project, namespace: group1, path: 'test', visibility_level: Gitlab::VisibilityLevel::PRIVATE) } before do group1.add_owner(user1) @@ -147,9 +148,11 @@ describe API::API, api: true do context "when authenticated as user" do it "should return the group's projects" do get api("/groups/#{group1.id}/projects", user1) + expect(response.status).to eq(200) - expect(json_response.length).to eq(1) - expect(json_response.first['name']).to eq(project1.name) + expect(json_response.length).to eq(2) + project_names = json_response.map { |proj| proj['name' ] } + expect(project_names).to match_array([project1.name, project3.name]) end it "should not return a non existing group" do @@ -162,6 +165,16 @@ describe API::API, api: true do expect(response.status).to eq(404) end + + it "should only return projects to which user has access" do + project3.team << [user3, :developer] + + get api("/groups/#{group1.id}/projects", user3) + + expect(response.status).to eq(200) + expect(json_response.length).to eq(1) + expect(json_response.first['name']).to eq(project3.name) + end end context "when authenticated as admin" do @@ -181,8 +194,10 @@ describe API::API, api: true do context 'when using group path in URL' do it 'should return any existing group' do get api("/groups/#{group1.path}/projects", admin) + expect(response.status).to eq(200) - expect(json_response.first['name']).to eq(project1.name) + project_names = json_response.map { |proj| proj['name' ] } + expect(project_names).to match_array([project1.name, project3.name]) end it 'should not return a non existing group' do |