author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-07-27 19:03:35 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-07-27 19:03:56 +0000 |
commit | d625f4e9fe78a69be0d481c20cba33b6dd88ef1a (patch) | |
tree | 510ee7d62fa2d6084a5058446cf61d328900325a /spec/services | |
parent | 9b60052467242bbc071bcb0f74b7437fb3dfc870 (diff) | |
Add latest changes from gitlab-org/security/gitlab@15-2-stable-ee
Diffstat (limited to 'spec/services')
-rw-r--r-- | spec/services/groups/update_service_spec.rb | 63 | ||||
-rw-r--r-- | spec/services/members/invite_service_spec.rb | 33 | ||||
-rw-r--r-- | spec/services/projects/update_service_spec.rb | 59 |
3 files changed, 151 insertions, 4 deletions
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
index c0e1691fe26..856dd4a2567 100644
--- a/spec/services/groups/update_service_spec.rb
+++ b/spec/services/groups/update_service_spec.rb
@@ -242,6 +242,69 @@ RSpec.describe Groups::UpdateService do
 end
 end
+ context 'when user is not group owner' do
+ context 'when group is private' do
+ before do
+ private_group.add_maintainer(user)
+ end
+
+ it 'does not update the group to public' do
+ result = described_class.new(private_group, user, visibility_level: Gitlab::VisibilityLevel::PUBLIC).execute
+
+ expect(result).to eq(false)
+ expect(private_group.errors.count).to eq(1)
+ expect(private_group).to be_private
+ end
+
+ it 'does not update the group to public with tricky value' do
+ result = described_class.new(private_group, user, visibility_level: Gitlab::VisibilityLevel::PUBLIC.to_s + 'r').execute
+
+ expect(result).to eq(false)
+ expect(private_group.errors.count).to eq(1)
+ expect(private_group).to be_private
+ end
+ end
+
+ context 'when group is public' do
+ before do
+ public_group.add_maintainer(user)
+ end
+
+ it 'does not update the group to private' do
+ result = described_class.new(public_group, user, visibility_level: Gitlab::VisibilityLevel::PRIVATE).execute
+
+ expect(result).to eq(false)
+ expect(public_group.errors.count).to eq(1)
+ expect(public_group).to be_public
+ end
+
+ it 'does not update the group to private with invalid string value' do
+ result = described_class.new(public_group, user, visibility_level: 'invalid').execute
+
+ expect(result).to eq(false)
+ expect(public_group.errors.count).to eq(1)
+ expect(public_group).to be_public
+ end
+
+ it 'does not update the group to private with valid string value' do
+ result = described_class.new(public_group, user, visibility_level: 'private').execute
+
+ expect(result).to eq(false)
+ expect(public_group.errors.count).to eq(1)
+ expect(public_group).to be_public
+ end
+
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/359910
+ it 'does not update the group to private because of Active Record typecasting' do
+ result = described_class.new(public_group, user, visibility_level: 'public').execute
+
+ expect(result).to eq(true)
+ expect(public_group.errors.count).to eq(0)
+ expect(public_group).to be_public
+ end
+ end
+ end
+
 context 'when updating #emails_disabled' do
 let(:service) { described_class.new(internal_group, user, emails_disabled: true) }
diff --git a/spec/services/members/invite_service_spec.rb b/spec/services/members/invite_service_spec.rb
index 7a1512970b4..d25c8996931 100644
--- a/spec/services/members/invite_service_spec.rb
+++ b/spec/services/members/invite_service_spec.rb
@@ -30,8 +30,8 @@ RSpec.describe Members::InviteService, :aggregate_failures, :clean_gitlab_redis_
 end
 end
- context 'when email belongs to an existing user as a secondary email' do
- let(:secondary_email) { create(:email, email: 'secondary@example.com', user: project_user) }
+ context 'when email belongs to an existing user as a confirmed secondary email' do
+ let(:secondary_email) { create(:email, :confirmed, email: 'secondary@example.com', user: project_user) }
 let(:params) { { email: secondary_email.email } }
 it 'adds an existing user to members', :aggregate_failures do
@@ -42,6 +42,18 @@ RSpec.describe Members::InviteService, :aggregate_failures, :clean_gitlab_redis_
 end
 end
+ context 'when email belongs to an existing user as an unconfirmed secondary email' do
+ let(:unconfirmed_secondary_email) { create(:email, email: 'secondary@example.com', user: project_user) }
+ let(:params) { { email: unconfirmed_secondary_email.email } }
+
+ it 'does not link the email with any user and successfully creates a member as an invite for that email' do
+ expect_to_create_members(count: 1)
+ expect(result[:status]).to eq(:success)
+ expect(project.users).not_to include project_user
+ expect(project.members.last).to be_invite
+ end
+ end
+
 context 'when invites are passed as array' do
 context 'with emails' do
 let(:params) { { email: %w[email@example.org email2@example.org] } }
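Review bot: The five rejection examples added to the group spec pin only `expect(private_group.errors.count).to eq(1)` (and the `public_group` equivalents), so any single validation error would satisfy them; asserting the attribute the service reports on, e.g. `expect(private_group.errors[:visibility_level]).to be_present`, ties the failure to the visibility check — the exact key is not visible here, so confirm it against the service. The final example, 'does not update the group to private because of Active Record typecasting', actually asserts a success path (`eq(true)`, zero errors, still public), so a name such as 'accepts a string value equal to the current visibility level as a no-op' would describe what it checks; the same name is used in the projects spec hunk. A one-line comment above the `PUBLIC.to_s + 'r'` value explaining that it is chosen to cast to the public integer while not equalling any allowed value exactly would help the next reader; that intent is inferred, so adjust the wording if it differs.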
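Review bot: The new 'unconfirmed secondary email' example asserts `expect(project.members.last).to be_invite` but never checks which address the invite was created for or that no user was attached, so a stray invite to another email would still pass; adding `expect(project.members.last.invite_email).to eq(unconfirmed_secondary_email.email)` and `expect(project.members.last.user).to be_nil` pins the behaviour the context name promises. `project.members.last` also relies on the association's default ordering, which is not visible here; if the order is not guaranteed, select the member by `invite_email` instead. The enclosing `describe` block starts and ends outside this hunk.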
@@ -291,6 +303,19 @@ RSpec.describe Members::InviteService, :aggregate_failures, :clean_gitlab_redis_
 end
 end
+ context 'with unconfirmed primary email' do
+ let_it_be(:unconfirmed_user) { create(:user, :unconfirmed) }
+
+ let(:params) { { email: unconfirmed_user.email } }
+
+ it 'adds an existing user to members' do
+ expect_to_create_members(count: 1)
+ expect(result[:status]).to eq(:success)
+ expect(project.users).to include unconfirmed_user
+ expect(project.members.last).not_to be_invite
+ end
+ end
+
 context 'with user_id' do
 let(:params) { { user_id: project_user.id } }
@@ -376,8 +401,8 @@ RSpec.describe Members::InviteService, :aggregate_failures, :clean_gitlab_redis_
 expect(existing_member.reset.access_level).to eq ProjectMember::MAINTAINER
 end
- context 'when email belongs to an existing user as a secondary email' do
- let(:secondary_email) { create(:email, email: 'secondary@example.com', user: existing_member.user) }
+ context 'when email belongs to an existing user as a confirmed secondary email' do
+ let(:secondary_email) { create(:email, :confirmed, email: 'secondary@example.com', user: existing_member.user) }
 let(:params) { { email: "#{secondary_email.email}" } }
 it 'allows re-invite to an already invited email' do
diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb
index f019434a4fe..ca838be0fa8 100644
--- a/spec/services/projects/update_service_spec.rb
+++ b/spec/services/projects/update_service_spec.rb
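Review bot: The 'with unconfirmed primary email' example asserts that an unconfirmed primary address still resolves to the account and is added as a direct member, while the hunk at -42 asserts the opposite for an unconfirmed secondary address, and nothing in the spec says why the two are treated differently. A short comment above the example, e.g. `# A primary email is bound to the account at sign-up, so an unconfirmed one still identifies the user; unconfirmed secondary emails do not.`, would record the intended rule — the reason is inferred, so state the project's actual rationale. As in the other new examples, `project.members.last` depends on the association's ordering, and the `not_to be_invite` check would be stronger paired with `expect(project.members.last.user).to eq(unconfirmed_user)`. The enclosing `describe` block starts and ends outside this hunk.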
@@ -120,6 +120,65 @@ RSpec.describe Projects::UpdateService do
 end
 end
+ context 'when user is not project owner' do
+ let_it_be(:maintainer) { create(:user) }
+
+ before do
+ project.add_maintainer(maintainer)
+ end
+
+ context 'when project is private' do
+ it 'does not update the project to public' do
+ result = update_project(project, maintainer, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_private
+ end
+
+ it 'does not update the project to public with tricky value' do
+ result = update_project(project, maintainer, visibility_level: Gitlab::VisibilityLevel::PUBLIC.to_s + 'r')
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_private
+ end
+ end
+
+ context 'when project is public' do
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ end
+
+ it 'does not update the project to private' do
+ result = update_project(project, maintainer, visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_public
+ end
+
+ it 'does not update the project to private with invalid string value' do
+ result = update_project(project, maintainer, visibility_level: 'invalid')
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_public
+ end
+
+ it 'does not update the project to private with valid string value' do
+ result = update_project(project, maintainer, visibility_level: 'private')
+
+ expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+ expect(project).to be_public
+ end
+
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/359910
+ it 'does not update the project to private because of Active Record typecasting' do
+ result = update_project(project, maintainer, visibility_level: 'public')
+
+ expect(result).to eq({ status: :success })
+ expect(project).to be_public
+ end
+ end
+ end
+
 context 'when updating shared runners' do
 context 'can enable shared runners' do
 let(:group) { create(:group, shared_runners_enabled: true) } |
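Review bot: The error result `{ status: :error, message: 'New visibility level not allowed!' }` is spelled out five times in the new examples; hoisting it into a `let(:forbidden_result)` (or asserting `result[:status]` and `result[:message]` separately) keeps each example focused on the input being varied. The `before` block in 'when project is public' calls `project.update!(...)` on a `project` fixture defined outside the hunk; if that fixture is a `let_it_be`, confirm the change is rolled back per example, otherwise the sibling 'when project is private' group becomes order-dependent. Coverage of string inputs stops at a level name ('private') and a junk value; the exact numeric string `Gitlab::VisibilityLevel::PUBLIC.to_s` sent by a maintainer on a private project is a distinct path that the 'tricky value' case does not exercise and is worth its own example. The enclosing `describe` block starts and ends outside this hunk.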