diff options
| author | Rémy Coutable <remy@rymai.me> | 2016-01-13 19:42:36 +0100 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2016-01-13 19:42:36 +0100 |
| commit | 0c10aee59677e2dadfef6538a74fe1e28fcdd37e (patch) | |
| tree | 6bc250845daa18f218e61881f50d6c3c2b37a1ff /spec/requests/api/notes_spec.rb | |
| parent | 1f0b8c32e75b446848cead98c550e750801be534 (diff) | |
| download | gitlab-ce-0c10aee59677e2dadfef6538a74fe1e28fcdd37e.tar.gz | |
Ensure the API doesn't return notes that the current user shouldn't see
Diffstat (limited to 'spec/requests/api/notes_spec.rb')
| -rw-r--r-- | spec/requests/api/notes_spec.rb | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/spec/requests/api/notes_spec.rb b/spec/requests/api/notes_spec.rb index 8b177af4689..565805d870c 100644 --- a/spec/requests/api/notes_spec.rb +++ b/spec/requests/api/notes_spec.rb @@ -10,6 +10,24 @@ describe API::API, api: true do let!(:issue_note) { create(:note, noteable: issue, project: project, author: user) } let!(:merge_request_note) { create(:note, noteable: merge_request, project: project, author: user) } let!(:snippet_note) { create(:note, noteable: snippet, project: project, author: user) } + + # For testing the cross-reference of a private issue in a public issue + let(:private_user) { create(:user) } + let(:private_project) { + create(:project, namespace: private_user.namespace). + tap { |p| p.team << [private_user, :master] } + } + let(:private_issue) { create(:issue, project: private_project) } + let(:ext_proj) { create(:project, :public) } + let(:ext_issue) { create(:issue, project: ext_proj) } + + let!(:cross_reference_note) { + create :note, + noteable: ext_issue, project: ext_proj, + note: "mentioned in issue #{private_issue.to_reference(ext_proj)}", + system: true + } + before { project.team << [user, :reporter] } describe "GET /projects/:id/noteable/:noteable_id/notes" do @@ -25,6 +43,24 @@ describe API::API, api: true do get api("/projects/#{project.id}/issues/123/notes", user) expect(response.status).to eq(404) end + + context "that references a private issue" do + it "should return an empty array" do + get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", user) + expect(response.status).to eq(200) + expect(json_response).to be_an Array + expect(json_response).to be_empty + end + + context "and current user can view the note" do + it "should return an empty array" do + get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", private_user) + expect(response.status).to eq(200) + expect(json_response).to be_an Array + expect(json_response.first['body']).to eq(cross_reference_note.note) + end + end + end end context "when noteable is a Snippet" do @@ -68,6 +104,21 @@ describe API::API, api: true do get api("/projects/#{project.id}/issues/#{issue.id}/notes/123", user) expect(response.status).to eq(404) end + + context "that references a private issue" do + it "should return a 404 error" do + get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", user) + expect(response.status).to eq(404) + end + + context "and current user can view the note" do + it "should return an issue note by id" do + get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", private_user) + expect(response.status).to eq(200) + expect(json_response['body']).to eq(cross_reference_note.note) + end + end + end end context "when noteable is a Snippet" do |