summaryrefslogtreecommitdiff
path: root/spec/services/groups
diff options
context:
space:
mode:
authorSean McGivern <sean@gitlab.com>2017-03-28 11:09:44 +0000
committerDJ Mountney <david@twkie.net>2017-03-29 19:18:38 -0700
commit91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch)
treedba32618ae3452ae117df78184ad38d3b5ff26b1 /spec/services/groups
parent60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff)
downloadgitlab-ce-91f43587a8c05a5c2955f0b5c464f03688552cb6.tar.gz
Merge branch 'jej-group-name-disclosure' into 'security'
Prevent private group disclosure via parent_id See merge request !2077
Diffstat (limited to 'spec/services/groups')
-rw-r--r--spec/services/groups/update_service_spec.rb14
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
index 91ec224d1c4..f6ad5cebd2c 100644
--- a/spec/services/groups/update_service_spec.rb
+++ b/spec/services/groups/update_service_spec.rb
@@ -36,6 +36,20 @@ describe Groups::UpdateService, services: true do
end
end
end
+
+ context "with parent_id user doesn't have permissions for" do
+ let(:service) { described_class.new(public_group, user, parent_id: private_group.id) }
+
+ before do
+ service.execute
+ end
+
+ it 'does not update parent_id' do
+ updated_group = public_group.reload
+
+ expect(updated_group.parent_id).to be_nil
+ end
+ end
end
context "unauthorized visibility_level validation" do