Redact events shown in the events API

author: Nick Thomas <nick@gitlab.com> 2018-09-21 09:44:34 +0100
committer: Nick Thomas <nick@gitlab.com> 2018-09-21 14:33:08 +0100
commit: 45ced6c5de760ef64b1f5e201ce518b1912c7704 (patch)
tree: ad81f9c3c1fed3569b070592a3e16d7623915064 /spec/requests
parent: 8c2192943a5efc4d0a28c67b04bf9b979def66a1 (diff)
download: gitlab-ce-45ced6c5de760ef64b1f5e201ce518b1912c7704.tar.gz
1 files changed, 68 insertions, 0 deletions
diff --git a/spec/requests/api/redacted_events_spec.rb b/spec/requests/api/redacted_events_spec.rb
new file mode 100644
index 00000000000..086dd3df9ba
--- /dev/null
+++ b/spec/requests/api/redacted_events_spec.rb
@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe 'Redacted events in API::Events' do
+  shared_examples 'private events are redacted' do
+    it 'redacts events the user does not have access to' do
+      expect_any_instance_of(Event).to receive(:visible_to_user?).and_call_original
+
+      get api(path), user
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response).to contain_exactly(
+        'project_id' => nil,
+        'action_name' => nil,
+        'target_id' => nil,
+        'target_iid' => nil,
+        'target_type' => nil,
+        'author_id' => nil,
+        'target_title' => 'Confidential event',
+        'created_at' => nil,
+        'author_username' => nil
+      )
+    end
+  end
+
+  describe '/users/:id/events' do
+    let(:project) { create(:project, :public) }
+    let(:path) { "/users/#{project.owner.id}/events" }
+    let(:issue) { create(:issue, :confidential, project: project) }
+
+    before do
+      EventCreateService.new.open_issue(issue, issue.author)
+    end
+
+    context 'unauthenticated user views another user with private events' do
+      let(:user) { nil }
+
+      include_examples 'private events are redacted'
+    end
+
+    context 'authenticated user without access views another user with private events' do
+      let(:user) { create(:user) }
+
+      include_examples 'private events are redacted'
+    end
+  end
+
+  describe '/projects/:id/events' do
+    let(:project) { create(:project, :public) }
+    let(:path) { "/projects/#{project.id}/events" }
+    let(:issue) { create(:issue, :confidential, project: project) }
+
+    before do
+      EventCreateService.new.open_issue(issue, issue.author)
+    end
+
+    context 'unauthenticated user views public project' do
+      let(:user) { nil }
+
+      include_examples 'private events are redacted'
+    end
+
+    context 'authenticated user without access views public project' do
+      let(:user) { create(:user) }
+
+      include_examples 'private events are redacted'
+    end
+  end
+end
author	Nick Thomas <nick@gitlab.com>	2018-09-21 09:44:34 +0100
committer	Nick Thomas <nick@gitlab.com>	2018-09-21 14:33:08 +0100
commit	45ced6c5de760ef64b1f5e201ce518b1912c7704 (patch)
tree	ad81f9c3c1fed3569b070592a3e16d7623915064 /spec/requests
parent	8c2192943a5efc4d0a28c67b04bf9b979def66a1 (diff)
download	gitlab-ce-45ced6c5de760ef64b1f5e201ce518b1912c7704.tar.gz