diff options
author | Sean McGivern <sean@mcgivern.me.uk> | 2017-04-25 10:57:32 +0000 |
---|---|---|
committer | Sean McGivern <sean@mcgivern.me.uk> | 2017-04-25 10:57:32 +0000 |
commit | 6dc424c949ab3de9395d821b05d2e1cc5f632ed2 (patch) | |
tree | c74460ecbf621cf8560053560b787cddd9cda6b5 /spec/requests | |
parent | 9a905e1b9f9575bb8d637560cb3c59fd82079d2d (diff) | |
parent | 0befa887b52613831809380d2cd5d3d2bff88220 (diff) | |
download | gitlab-ce-6dc424c949ab3de9395d821b05d2e1cc5f632ed2.tar.gz |
Merge branch '29903-remove-user-is-admin-flag-from-api' into 'master'
Don't display the `is_admin?` flag for user API responses
Closes #29903
See merge request !10846
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/api/keys_spec.rb | 6 | ||||
-rw-r--r-- | spec/requests/api/users_spec.rb | 8 | ||||
-rw-r--r-- | spec/requests/api/v3/users_spec.rb | 6 |
3 files changed, 18 insertions, 2 deletions
diff --git a/spec/requests/api/keys_spec.rb b/spec/requests/api/keys_spec.rb index b5586088485..ab957c72984 100644 --- a/spec/requests/api/keys_spec.rb +++ b/spec/requests/api/keys_spec.rb @@ -32,6 +32,12 @@ describe API::Keys do expect(json_response['user']['id']).to eq(user.id) expect(json_response['user']['username']).to eq(user.username) end + + it "does not include the user's `is_admin` flag" do + get api("/keys/#{key.id}", admin) + + expect(json_response['user']['is_admin']).to be_nil + end end end end diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index 2c6ae592d91..4919ad19833 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb @@ -135,6 +135,12 @@ describe API::Users do expect(json_response['username']).to eq(user.username) end + it "does not return the user's `is_admin` flag" do + get api("/users/#{user.id}", user) + + expect(json_response['is_admin']).to be_nil + end + it "returns a 401 if unauthenticated" do get api("/users/9998") expect(response).to have_http_status(401) @@ -397,7 +403,6 @@ describe API::Users do it "updates admin status" do put api("/users/#{user.id}", admin), { admin: true } expect(response).to have_http_status(200) - expect(json_response['is_admin']).to eq(true) expect(user.reload.admin).to eq(true) end @@ -411,7 +416,6 @@ describe API::Users do it "does not update admin status" do put api("/users/#{admin_user.id}", admin), { can_create_group: false } expect(response).to have_http_status(200) - expect(json_response['is_admin']).to eq(true) expect(admin_user.reload.admin).to eq(true) expect(admin_user.can_create_group).to eq(false) end diff --git a/spec/requests/api/v3/users_spec.rb b/spec/requests/api/v3/users_spec.rb index 05ee704f738..e9c57f7c6c3 100644 --- a/spec/requests/api/v3/users_spec.rb +++ b/spec/requests/api/v3/users_spec.rb @@ -274,5 +274,11 @@ describe API::V3::Users do expect(new_user).to be_confirmed end + + it 'does not reveal the `is_admin` flag of the user' do + post v3_api('/users', admin), attributes_for(:user) + + expect(json_response['is_admin']).to be_nil + end end end |