diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 22:00:24 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 22:00:32 +0000 |
commit | 36c8a31d573bdd2edd4c87be63eb8dde20a79761 (patch) | |
tree | 066a4e64b1efb9c9dabbf3c2e097d32a82656ef8 /spec/services | |
parent | cc201d1e1be2c8f4de2e2265c2b83bd925f8a260 (diff) | |
download | gitlab-ce-36c8a31d573bdd2edd4c87be63eb8dde20a79761.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'spec/services')
-rw-r--r-- | spec/services/issues/create_service_spec.rb | 13 | ||||
-rw-r--r-- | spec/services/issues/update_service_spec.rb | 17 |
2 files changed, 30 insertions, 0 deletions
diff --git a/spec/services/issues/create_service_spec.rb b/spec/services/issues/create_service_spec.rb index 4a84862b9d5..3d52dc07c4f 100644 --- a/spec/services/issues/create_service_spec.rb +++ b/spec/services/issues/create_service_spec.rb @@ -47,6 +47,19 @@ RSpec.describe Issues::CreateService do due_date: Date.tomorrow } end + context 'when an unauthorized project_id is provided' do + let(:unauthorized_project) { create(:project) } + + before do + opts[:project_id] = unauthorized_project.id + end + + it 'ignores the project_id param and creates issue in the given project' do + expect(issue.project).to eq(project) + expect(unauthorized_project.reload.issues.count).to eq(0) + end + end + it 'works if base work item types were not created yet' do WorkItems::Type.delete_all diff --git a/spec/services/issues/update_service_spec.rb b/spec/services/issues/update_service_spec.rb index 8a2e9ed74f7..634a4206d48 100644 --- a/spec/services/issues/update_service_spec.rb +++ b/spec/services/issues/update_service_spec.rb @@ -69,6 +69,23 @@ RSpec.describe Issues::UpdateService, :mailer do } end + context 'when an unauthorized project_id is provided' do + let(:unauthorized_project) { create(:project) } + + before do + opts[:project_id] = unauthorized_project.id + end + + it 'ignores the project_id param and does not update the issue\'s project' do + expect do + update_issue(opts) + unauthorized_project.reload + end.to not_change { unauthorized_project.issues.count } + + expect(issue.project).to eq(project) + end + end + it 'updates the issue with the given params' do expect(TodosDestroyer::ConfidentialIssueWorker).not_to receive(:perform_in) |