diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-29 23:53:47 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-29 23:53:47 +0000 |
commit | dd45a03c04b9cc91cd761bf2e94644ee92f2a8f6 (patch) | |
tree | f3c37cfb47f1c390d87c219babc1c4d15321776c /spec/requests/api/repositories_spec.rb | |
parent | 5f3e1225fc725ed303f3dee989e5b84fafb307d8 (diff) | |
download | gitlab-ce-dd45a03c04b9cc91cd761bf2e94644ee92f2a8f6.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-10-stable-ee
Diffstat (limited to 'spec/requests/api/repositories_spec.rb')
-rw-r--r-- | spec/requests/api/repositories_spec.rb | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb index b146dda5030..8853eff0b3e 100644 --- a/spec/requests/api/repositories_spec.rb +++ b/spec/requests/api/repositories_spec.rb @@ -572,6 +572,22 @@ RSpec.describe API::Repositories, feature_category: :source_code_management do context 'when authenticated', 'as a developer' do it_behaves_like 'repository compare' do let(:current_user) { user } + + context 'when user does not have read access to the parent project' do + let_it_be(:group) { create(:group) } + let(:forked_project) { fork_project(project, current_user, repository: true, namespace: group) } + + before do + forked_project.add_guest(current_user) + end + + it 'returns 403 error' do + get api(route, current_user), params: { from: 'improve/awesome', to: 'feature', from_project_id: forked_project.id } + + expect(response).to have_gitlab_http_status(:forbidden) + expect(json_response['message']).to eq("403 Forbidden - You don't have access to this fork's parent project") + end + end end end |