author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
commit | 11e9b7b58837da351f08c18e6f0f4faba4d7d301 (patch) | |
tree | d9b28159a53c3814c8a2e6b33a5f01557b757439 /spec/support | |
parent | 2b0b97e746e327c6168505df7740e667b690a27f (diff) | |
download | gitlab-ce-11e9b7b58837da351f08c18e6f0f4faba4d7d301.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee
Diffstat (limited to 'spec/support')
-rw-r--r-- | spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb b/spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb
index 53183ac89f8..fb6d6603beb 100644
--- a/spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb
@@ -4,6 +4,16 @@ RSpec.shared_examples 'an unauthorized API user' do
 it { is_expected.to eq(403) }
 end
+RSpec.shared_examples 'API user with insufficient permissions' do
+ context 'with non member that is the author' do
+ before do
+ issuable.update!(author: non_member) # an external author can't admin issuable
+ end
+
+ it_behaves_like 'an unauthorized API user'
+ end
+end
+
 RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
 let(:non_member) { create(:user) }
@@ -14,6 +24,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
 subject { post(api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/time_estimate", non_member), params: { duration: '1w' }) }
 it_behaves_like 'an unauthorized API user'
+ it_behaves_like 'API user with insufficient permissions'
 end
 it "sets the time estimate for #{issuable_name}" do
@@ -53,6 +64,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
 subject { post(api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/reset_time_estimate", non_member)) }
 it_behaves_like 'an unauthorized API user'
+ it_behaves_like 'API user with insufficient permissions'
 end
 it "resets the time estimate for #{issuable_name}" do
@@ -70,6 +82,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
 end
 it_behaves_like 'an unauthorized API user'
+ it_behaves_like 'API user with insufficient permissions'
 end
 it "add spent time for #{issuable_name}" do
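Review bot: The new shared example `'API user with insufficient permissions'` asserts only the status code, via `'an unauthorized API user'` (`is_expected.to eq(403)`), so it would still pass if an endpoint wrote the time-tracking data and then returned 403. For an authorization regression test I would also pin the absence of a side effect at each inclusion site, for the estimate endpoints something like `expect { subject }.not_to change { issuable.reload.time_estimate }`. The block also silently depends on `issuable`, `non_member` and a `subject` that performs the request being defined by the including context, which deserves a comment above it such as `# Requires: issuable, non_member, and subject issuing the request as non_member`. Only the author case is covered; if the policy (not visible here) gives assignees the same implicit rights as authors, a sibling context for a non-member assignee would guard the same path. The example is included in the hunks at -14, -53, -70 and -119 as well, and the `'time tracking endpoints'` block continues outside all of them.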
@@ -119,6 +132,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name|
 subject { post(api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/reset_spent_time", non_member)) }
 it_behaves_like 'an unauthorized API user'
+ it_behaves_like 'API user with insufficient permissions'
 end
 it "resets spent time for #{issuable_name}" do |