diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-01 07:28:22 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-01 07:28:28 +0000 |
commit | 37f194bbc19045abe013a58274494c1a6c8bbdd5 (patch) | |
tree | 99ae3d2a13d8d5592c8fabc7ed38d5117dbfe163 /spec/requests | |
parent | de222caa576cab3d0894c65531f5822f205877d5 (diff) | |
download | gitlab-ce-37f194bbc19045abe013a58274494c1a6c8bbdd5.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/api/members_spec.rb | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/spec/requests/api/members_spec.rb b/spec/requests/api/members_spec.rb index 0db42e7439c..63ef8643088 100644 --- a/spec/requests/api/members_spec.rb +++ b/spec/requests/api/members_spec.rb @@ -184,6 +184,21 @@ RSpec.describe API::Members do expect(json_response).to be_an Array expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id, nested_user.id] end + + context 'with a subgroup' do + let(:group) { create(:group, :private)} + let(:subgroup) { create(:group, :private, parent: group)} + let(:project) { create(:project, group: subgroup) } + + before do + subgroup.add_developer(developer) + end + + it 'subgroup member cannot get parent group members list' do + get api("/groups/#{group.id}/members/all", developer) + expect(response).to have_gitlab_http_status(:forbidden) + end + end end shared_examples 'GET /:source_type/:id/members/(all/):user_id' do |source_type, all| |