diff options
author | Stan Hu <stanhu@gmail.com> | 2016-04-24 20:07:59 -0700 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-04-25 12:20:29 +0200 |
commit | 03ae2cdbff49d4f72d32529963a2173c7308da40 (patch) | |
tree | 3a591e20cd6ec2617bf0462d328298a6173073a8 /spec/requests/api/milestones_spec.rb | |
parent | 793a7664633385d3e610f6e3ec909067db60f882 (diff) | |
download | gitlab-ce-03ae2cdbff49d4f72d32529963a2173c7308da40.tar.gz |
Filter confidential issues from milestones API if user does not have access
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579
Diffstat (limited to 'spec/requests/api/milestones_spec.rb')
-rw-r--r-- | spec/requests/api/milestones_spec.rb | 40 |
1 files changed, 39 insertions, 1 deletions
diff --git a/spec/requests/api/milestones_spec.rb b/spec/requests/api/milestones_spec.rb index 344f0fe0b7f..cb9c3dde5ee 100644 --- a/spec/requests/api/milestones_spec.rb +++ b/spec/requests/api/milestones_spec.rb @@ -127,7 +127,7 @@ describe API::API, api: true do describe 'GET /projects/:id/milestones/:milestone_id/issues' do before do - milestone.issues << create(:issue) + milestone.issues << create(:issue, project: project) end it 'should return project issues for a particular milestone' do get api("/projects/#{project.id}/milestones/#{milestone.id}/issues", user) @@ -141,4 +141,42 @@ describe API::API, api: true do expect(response.status).to eq(401) end end + + describe 'confidential issues' do + it 'should return confidential issues to team members' do + public_project = create(:project, :public) + user = create(:user) + milestone = create(:milestone, project: public_project) + issue = create(:issue, project: public_project) + confidential_issue = create(:issue, confidential: true, project: public_project) + public_project.team << [user, :developer] + milestone.issues << issue + milestone.issues << confidential_issue + + get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", user) + + expect(response.status).to eq(200) + expect(json_response).to be_an Array + expect(json_response.size).to eq(2) + expect(json_response.map { |issue| issue['id'] }).to include(issue.id, confidential_issue.id) + end + + it 'should not return confidential issues to regular users' do + public_project = create(:project, :public) + normal_user = create(:user) + milestone = create(:milestone, project: public_project) + issue = create(:issue, project: public_project) + confidential_issue = create(:issue, confidential: true, project: public_project) + public_project.team << [user, :developer] + milestone.issues << issue + milestone.issues << confidential_issue + + get api("/projects/#{public_project.id}/milestones/#{milestone.id}/issues", normal_user) + + expect(response.status).to eq(200) + expect(json_response).to be_an Array + expect(json_response.size).to eq(1) + expect(json_response.map { |issue| issue['id'] }).to include(issue.id) + end + end end |