author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 20:26:26 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 20:26:26 +0000 |
commit | 1581fb4cba8abf4439cea2ca138fd5f9818b0884 (patch) | |
tree | eb0488d9a9c70df75774b07f417e8815ba0ced04 /spec/requests | |
parent | a2c31462f7fc013f41e7ca914a0b96869aa42c73 (diff) | |
parent | b271eb42861c8067fc640a83a957742184d1221c (diff) | |
download | gitlab-ce-1581fb4cba8abf4439cea2ca138fd5f9818b0884.tar.gz |
Merge branch 'security-bvl-validate-force-remove-branch-on-mrs-12-4-ce' into '12-4-stable'
Only assign merge params when allowed
See merge request gitlab/gitlabhq!3487
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/api/merge_requests_spec.rb | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index 8179da2f97c..05160a33e61 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -1737,6 +1737,38 @@ describe API::MergeRequests do
 expect(json_response['state']).to eq('closed')
 expect(json_response['force_remove_source_branch']).to be_truthy
 end
+
+ context 'with a merge request across forks' do
+ let(:fork_owner) { create(:user) }
+ let(:source_project) { fork_project(project, fork_owner) }
+ let(:target_project) { project }
+
+ let(:merge_request) do
+ create(:merge_request,
+ source_project: source_project,
+ target_project: target_project,
+ source_branch: 'fixes',
+ merge_params: { 'force_remove_source_branch' => false })
+ end
+
+ it 'is true for an authorized user' do
+ put api("/projects/#{target_project.id}/merge_requests/#{merge_request.iid}", fork_owner), params: { state_event: 'close', remove_source_branch: true }
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['state']).to eq('closed')
+ expect(json_response['force_remove_source_branch']).to be true
+ end
+
+ it 'is false for an unauthorized user' do
+ expect do
+ put api("/projects/#{target_project.id}/merge_requests/#{merge_request.iid}", target_project.owner), params: { state_event: 'close', remove_source_branch: true }
+ end.not_to change { merge_request.reload.merge_params }
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['state']).to eq('closed')
+ expect(json_response['force_remove_source_branch']).to be false
+ end
+ end
 end
 
 context "to close a MR" do |
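Review bot: The `is true for an authorized user` example asserts only on `json_response`, whereas the unauthorized example also checks the stored `merge_params`, so the allowed path is never verified against the record itself. Wrapping its `put` in `expect do ... end.to change { merge_request.reload.merge_params }` would mirror the negative case and catch a response that reports the flag without persisting it. Both examples also send `state_event: 'close'` together with `remove_source_branch`, so an update carrying only `remove_source_branch: true` is not exercised here; whether another spec covers that case, or the other endpoints that accept this parameter, is not visible in this diff, which is limited to spec/requests. The enclosing context starts outside the hunk.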