author | Nick Thomas <nick@gitlab.com> | 2019-11-19 16:17:35 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-11-25 11:44:16 +0000 |
commit | b1dad8b2525b81f473bafbe69a3e2dfe24d90f49 (patch) | |
tree | 782bf18f1fc8b942c38655fafe49bd1c766444b2 /spec/requests | |
parent | dbd50b6e203994cdb393494faa8fc1b2fb406487 (diff) | |
Check permissions before showing a forked project's source
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/api/projects_spec.rb | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index f1447536e0f..cda2dd7d2f4 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -49,6 +49,8 @@ shared_examples 'languages and percentages JSON response' do
 end
 
 describe API::Projects do
+ include ProjectForksHelper
+
 let(:user) { create(:user) }
 let(:user2) { create(:user) }
 let(:user3) { create(:user) }
@@ -1163,6 +1165,18 @@ describe API::Projects do
 expect(json_response.keys).not_to include('permissions')
 end
 
+ context 'the project is a public fork' do
+ it 'hides details of a public fork parent' do
+ public_project = create(:project, :repository, :public)
+ fork = fork_project(public_project)
+
+ get api("/projects/#{fork.id}")
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['forked_from_project']).to be_nil
+ end
+ end
+
 context 'and the project has a private repository' do
 let(:project) { create(:project, :repository, :public, :repository_private) }
 let(:protected_attributes) { %w(default_branch ci_config_path) }
@@ -1479,6 +1493,28 @@ describe API::Projects do
 end
 end
 
+ context 'the project is a fork' do
+ it 'shows details of a visible fork parent' do
+ fork = fork_project(project, user)
+
+ get api("/projects/#{fork.id}", user)
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['forked_from_project']).to include('id' => project.id)
+ end
+
+ it 'hides details of a hidden fork parent' do
+ fork = fork_project(project, user)
+ fork_user = create(:user)
+ fork.team.add_developer(fork_user)
+
+ get api("/projects/#{fork.id}", fork_user)
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['forked_from_project']).to be_nil
+ end
+ end
+
 describe 'permissions' do
 context 'all projects' do
 before do |
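Review bot: The 'hides details of a public fork parent' example creates the parent with `:public` and calls the endpoint without a user, yet expects `forked_from_project` to be nil, and nothing in the example says why a publicly readable parent should be hidden. If unauthenticated responses never carry this field at all (not visible from this hunk), the assertion passes with or without the permission check this commit is about, so it would not catch a regression of the fix. A comment above the `get` such as `# anonymous requests must not see fork-parent details, even when the parent is public` would record the intent. The enclosing unauthenticated context starts outside the hunk.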
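Review bot: In 'hides details of a hidden fork parent' the result depends on `project` being unreadable to `fork_user`, but `project` comes from a `let` outside this hunk, so the precondition that makes this a permission test is not stated where it is used. A comment above `fork.team.add_developer(fork_user)` such as `# fork_user is a member of the fork only; the parent must stay hidden from them` would make that explicit. Both examples exercise only `GET /projects/:id`; whether the list endpoints also serialise `forked_from_project` cannot be seen here, and if they do, a matching hidden-parent case is worth adding.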