author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-08 12:09:42 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-08 12:09:42 +0000 |
commit | 403678e00406edc8094f087ec70e00aa29e49bef (patch) | |
tree | 447d6d4967e9a11895683b27e637a50bd9fc0602 /spec/requests/api | |
parent | f5050253469fc0961c02deec0e698ad62bdd9de5 (diff) | |
download | gitlab-ce-403678e00406edc8094f087ec70e00aa29e49bef.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/requests/api')
-rw-r--r-- | spec/requests/api/api_spec.rb | 49 |
1 files changed, 47 insertions, 2 deletions
diff --git a/spec/requests/api/api_spec.rb b/spec/requests/api/api_spec.rb
index baebbbce631..201c0d1796c 100644
--- a/spec/requests/api/api_spec.rb
+++ b/spec/requests/api/api_spec.rb
@@ -3,15 +3,60 @@
 require 'spec_helper'
 
 describe API::API do
-  let(:user) { create(:user, last_activity_on: Date.yesterday) }
+  include GroupAPIHelpers
 
   describe 'Record user last activity in after hook' do
     # It does not matter which endpoint is used because last_activity_on should
     # be updated on every request. `/groups` is used as an example
     # to represent any API endpoint
+    let(:user) { create(:user, last_activity_on: Date.yesterday) }
 
-    it 'updates the users last_activity_on date' do
+    it 'updates the users last_activity_on to the current date' do
       expect { get api('/groups', user) }.to change { user.reload.last_activity_on }.to(Date.today)
     end
   end
+
+  describe 'User with only read_api scope personal access token' do
+    # It does not matter which endpoint is used because this should behave
+    # in the same way for every request. `/groups` is used as an example
+    # to represent any API endpoint
+
+    context 'when personal access token has only read_api scope' do
+      let_it_be(:user) { create(:user) }
+      let_it_be(:group) { create(:group) }
+      let_it_be(:token) { create(:personal_access_token, user: user, scopes: [:read_api]) }
+
+      before_all do
+        group.add_owner(user)
+      end
+
+      it 'does authorize user for get request' do
+        get api('/groups', personal_access_token: token)
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
+      it 'does not authorize user for post request' do
+        params = attributes_for_group_api
+
+        post api("/groups", personal_access_token: token), params: params
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
+      it 'does not authorize user for put request' do
+        group_param = { name: 'Test' }
+
+        put api("/groups/#{group.id}", personal_access_token: token), params: group_param
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
+      it 'does not authorize user for delete request' do
+        delete api("/groups/#{group.id}", personal_access_token: token)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+  end
 end
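Review bot: The three `:forbidden` examples only assert the status code, so a scope check that rejects the request after the write has already been applied would still pass; the put and delete examples should also assert the group is untouched, e.g. `expect { put api("/groups/#{group.id}", personal_access_token: token), params: group_param }.not_to change { group.reload.name }` and `expect { delete api("/groups/#{group.id}", personal_access_token: token) }.not_to change { Group.count }`. The post example can be hardened the same way by wrapping the call in `expect { ... }.not_to change { Group.count }`. Since `before_all` makes the user an owner of the group, a 403 in these examples can only come from the token scope rather than from group permissions, which is worth stating in the comment above `context` so a future reader does not weaken the setup. The double-quoted `"/groups"` literals in the post example are inconsistent with the single-quoted `'/groups'` used in the get example.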