summaryrefslogtreecommitdiff
path: root/spec/services
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2022-07-27 19:03:35 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-07-27 19:03:56 +0000
commitd625f4e9fe78a69be0d481c20cba33b6dd88ef1a (patch)
tree510ee7d62fa2d6084a5058446cf61d328900325a /spec/services
parent9b60052467242bbc071bcb0f74b7437fb3dfc870 (diff)
downloadgitlab-ce-d625f4e9fe78a69be0d481c20cba33b6dd88ef1a.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-2-stable-ee
Diffstat (limited to 'spec/services')
-rw-r--r--spec/services/groups/update_service_spec.rb63
-rw-r--r--spec/services/members/invite_service_spec.rb33
-rw-r--r--spec/services/projects/update_service_spec.rb59
3 files changed, 151 insertions, 4 deletions
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
index c0e1691fe26..856dd4a2567 100644
--- a/spec/services/groups/update_service_spec.rb
+++ b/spec/services/groups/update_service_spec.rb
@@ -242,6 +242,69 @@ RSpec.describe Groups::UpdateService do
end
end
+ context 'when user is not group owner' do
+ context 'when group is private' do
+ before do
+ private_group.add_maintainer(user)
+ end
+
+ it 'does not update the group to public' do
+ result = described_class.new(private_group, user, visibility_level: Gitlab::VisibilityLevel::PUBLIC).execute
+
+ expect(result).to eq(false)
+ expect(private_group.errors.count).to eq(1)
+ expect(private_group).to be_private
+ end
+
+ it 'does not update the group to public with tricky value' do
+ result = described_class.new(private_group, user, visibility_level: Gitlab::VisibilityLevel::PUBLIC.to_s + 'r').execute
+
+ expect(result).to eq(false)
+ expect(private_group.errors.count).to eq(1)
+ expect(private_group).to be_private
+ end
+ end
+
+ context 'when group is public' do
+ before do
+ public_group.add_maintainer(user)
+ end
+
+ it 'does not update the group to private' do
+ result = described_class.new(public_group, user, visibility_level: Gitlab::VisibilityLevel::PRIVATE).execute
+
+ expect(result).to eq(false)
+ expect(public_group.errors.count).to eq(1)
+ expect(public_group).to be_public
+ end
+
+ it 'does not update the group to private with invalid string value' do
+ result = described_class.new(public_group, user, visibility_level: 'invalid').execute
+
+ expect(result).to eq(false)
+ expect(public_group.errors.count).to eq(1)
+ expect(public_group).to be_public
+ end
+
+ it 'does not update the group to private with valid string value' do
+ result = described_class.new(public_group, user, visibility_level: 'private').execute
+
+ expect(result).to eq(false)
+ expect(public_group.errors.count).to eq(1)
+ expect(public_group).to be_public
+ end
+
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/359910
+ it 'does not update the group to private because of Active Record typecasting' do
+ result = described_class.new(public_group, user, visibility_level: 'public').execute
+
+ expect(result).to eq(true)
+ expect(public_group.errors.count).to eq(0)
+ expect(public_group).to be_public
+ end
+ end
+ end
+
context 'when updating #emails_disabled' do
let(:service) { described_class.new(internal_group, user, emails_disabled: true) }
diff --git a/spec/services/members/invite_service_spec.rb b/spec/services/members/invite_service_spec.rb
index 7a1512970b4..d25c8996931 100644
--- a/spec/services/members/invite_service_spec.rb
+++ b/spec/services/members/invite_service_spec.rb
@@ -30,8 +30,8 @@ RSpec.describe Members::InviteService, :aggregate_failures, :clean_gitlab_redis_
end
end
- context 'when email belongs to an existing user as a secondary email' do
- let(:secondary_email) { create(:email, email: 'secondary@example.com', user: project_user) }
+ context 'when email belongs to an existing user as a confirmed secondary email' do
+ let(:secondary_email) { create(:email, :confirmed, email: 'secondary@example.com', user: project_user) }
let(:params) { { email: secondary_email.email } }
it 'adds an existing user to members', :aggregate_failures do
@@ -42,6 +42,18 @@ RSpec.describe Members::InviteService, :aggregate_failures, :clean_gitlab_redis_
end
end
+ context 'when email belongs to an existing user as an unconfirmed secondary email' do
+ let(:unconfirmed_secondary_email) { create(:email, email: 'secondary@example.com', user: project_user) }
+ let(:params) { { email: unconfirmed_secondary_email.email } }
+
+ it 'does not link the email with any user and successfully creates a member as an invite for that email' do
+ expect_to_create_members(count: 1)
+ expect(result[:status]).to eq(:success)
+ expect(project.users).not_to include project_user
+ expect(project.members.last).to be_invite
+ end
+ end
+
context 'when invites are passed as array' do
context 'with emails' do
let(:params) { { email: %w[email@example.org email2@example.org] } }
@@ -291,6 +303,19 @@ RSpec.describe Members::InviteService, :aggregate_failures, :clean_gitlab_redis_
end
end
+ context 'with unconfirmed primary email' do
+ let_it_be(:unconfirmed_user) { create(:user, :unconfirmed) }
+
+ let(:params) { { email: unconfirmed_user.email } }
+
+ it 'adds an existing user to members' do
+ expect_to_create_members(count: 1)
+ expect(result[:status]).to eq(:success)
+ expect(project.users).to include unconfirmed_user
+ expect(project.members.last).not_to be_invite
+ end
+ end
+
context 'with user_id' do
let(:params) { { user_id: project_user.id } }
@@ -376,8 +401,8 @@ RSpec.describe Members::InviteService, :aggregate_failures, :clean_gitlab_redis_
expect(existing_member.reset.access_level).to eq ProjectMember::MAINTAINER
end
- context 'when email belongs to an existing user as a secondary email' do
- let(:secondary_email) { create(:email, email: 'secondary@example.com', user: existing_member.user) }
+ context 'when email belongs to an existing user as a confirmed secondary email' do
+ let(:secondary_email) { create(:email, :confirmed, email: 'secondary@example.com', user: existing_member.user) }
let(:params) { { email: "#{secondary_email.email}" } }
it 'allows re-invite to an already invited email' do
diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb
index f019434a4fe..ca838be0fa8 100644
--- a/spec/services/projects/update_service_spec.rb
+++ b/spec/services/projects/update_service_spec.rb
@@ -120,6 +120,65 @@ RSpec.describe Projects::UpdateService do
end
end
+ context 'when user is not project owner' do
+ let_it_be(:maintainer) { create(:user) }
+
+ before do
+ project.add_maintainer(maintainer)
+ end
+
+ context 'when project is private' do
+ it 'does not update the project to public' do
+ result = update_project(project, maintainer, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_private
+ end
+
+ it 'does not update the project to public with tricky value' do
+ result = update_project(project, maintainer, visibility_level: Gitlab::VisibilityLevel::PUBLIC.to_s + 'r')
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_private
+ end
+ end
+
+ context 'when project is public' do
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ end
+
+ it 'does not update the project to private' do
+ result = update_project(project, maintainer, visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_public
+ end
+
+ it 'does not update the project to private with invalid string value' do
+ result = update_project(project, maintainer, visibility_level: 'invalid')
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_public
+ end
+
+ it 'does not update the project to private with valid string value' do
+ result = update_project(project, maintainer, visibility_level: 'private')
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_public
+ end
+
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/359910
+ it 'does not update the project to private because of Active Record typecasting' do
+ result = update_project(project, maintainer, visibility_level: 'public')
+
+ expect(result).to eq({ status: :success })
+ expect(project).to be_public
+ end
+ end
+ end
+
context 'when updating shared runners' do
context 'can enable shared runners' do
let(:group) { create(:group, shared_runners_enabled: true) }