Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-06-01 07:28:22 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-06-01 07:28:28 +0000
commit: 37f194bbc19045abe013a58274494c1a6c8bbdd5 (patch)
tree: 99ae3d2a13d8d5592c8fabc7ed38d5117dbfe163 /spec/requests
parent: de222caa576cab3d0894c65531f5822f205877d5 (diff)
download: gitlab-ce-37f194bbc19045abe013a58274494c1a6c8bbdd5.tar.gz
1 files changed, 15 insertions, 0 deletions
diff --git a/spec/requests/api/members_spec.rb b/spec/requests/api/members_spec.rb
index 0db42e7439c..63ef8643088 100644
--- a/spec/requests/api/members_spec.rb
+++ b/spec/requests/api/members_spec.rb
@@ -184,6 +184,21 @@ RSpec.describe API::Members do
       expect(json_response).to be_an Array
       expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id, nested_user.id]
     end
+
+    context 'with a subgroup' do
+      let(:group) { create(:group, :private)}
+      let(:subgroup) { create(:group, :private, parent: group)}
+      let(:project) { create(:project, group: subgroup) }
+
+      before do
+        subgroup.add_developer(developer)
+      end
+
+      it 'subgroup member cannot get parent group members list' do
+        get api("/groups/#{group.id}/members/all", developer)
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
   end
 
   shared_examples 'GET /:source_type/:id/members/(all/):user_id' do |source_type, all|
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-06-01 07:28:22 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-06-01 07:28:28 +0000
commit	37f194bbc19045abe013a58274494c1a6c8bbdd5 (patch)
tree	99ae3d2a13d8d5592c8fabc7ed38d5117dbfe163 /spec/requests
parent	de222caa576cab3d0894c65531f5822f205877d5 (diff)
download	gitlab-ce-37f194bbc19045abe013a58274494c1a6c8bbdd5.tar.gz