author | Nick Thomas <nick@gitlab.com> | 2019-11-19 16:17:35 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-11-25 11:44:16 +0000 |
commit | b1dad8b2525b81f473bafbe69a3e2dfe24d90f49 (patch) | |
tree | 782bf18f1fc8b942c38655fafe49bd1c766444b2 /spec/views | |
parent | dbd50b6e203994cdb393494faa8fc1b2fb406487 (diff) | |
Check permissions before showing a forked project's source
Diffstat (limited to 'spec/views')
-rw-r--r-- | spec/views/projects/_home_panel.html.haml_spec.rb | 34 | ||||
-rw-r--r-- | spec/views/projects/edit.html.haml_spec.rb | 56 |
2 files changed, 90 insertions, 0 deletions
diff --git a/spec/views/projects/_home_panel.html.haml_spec.rb b/spec/views/projects/_home_panel.html.haml_spec.rb index 4d5b369e88e..9956144b601 100644 --- a/spec/views/projects/_home_panel.html.haml_spec.rb +++ b/spec/views/projects/_home_panel.html.haml_spec.rb @@ -3,6 +3,8 @@ require 'spec_helper' describe 'projects/_home_panel' do + include ProjectForksHelper + context 'notifications' do let(:project) { create(:project) } @@ -144,4 +146,36 @@ describe 'projects/_home_panel' do end end end + + context 'forks' do + let(:source_project) { create(:project, :repository) } + let(:project) { fork_project(source_project) } + let(:user) { create(:user) } + + before do + assign(:project, project) + + allow(view).to receive(:current_user).and_return(user) + end + + context 'user can read fork source' do + it 'shows the forked-from project' do + allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(true) + + render + + expect(rendered).to have_content("Forked from #{source_project.full_name}") + end + end + + context 'user cannot read fork source' do + it 'does not show the forked-from project' do + allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(false) + + render + + expect(rendered).to have_content("Forked from an inaccessible project") + end + end + end end diff --git a/spec/views/projects/edit.html.haml_spec.rb b/spec/views/projects/edit.html.haml_spec.rb index f576093ab45..40927a22dc4 100644 --- a/spec/views/projects/edit.html.haml_spec.rb +++ b/spec/views/projects/edit.html.haml_spec.rb @@ -4,6 +4,7 @@ require 'spec_helper' describe 'projects/edit' do include Devise::Test::ControllerHelpers + include ProjectForksHelper let(:project) { create(:project) } let(:user) { create(:admin) } 
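Review bot: In `spec/views/projects/_home_panel.html.haml_spec.rb`, the 'user cannot read fork source' example only asserts that the placeholder text is present, so it would still pass if the source project's name were rendered somewhere else in the panel. Add the negative check beside it: `expect(rendered).not_to have_content(source_project.full_name)`. Because `have_content` matches visible text only, a raw-markup assertion such as `expect(rendered).not_to include(source_project.full_path)` would also catch a leftover link target. The same text-only limitation applies to the 'hides the fork source from an unauthorized user' example in `spec/views/projects/edit.html.haml_spec.rb`.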
@@ -26,4 +27,59 @@ describe 'projects/edit' do expect(rendered).not_to have_content('Export project') end end + + context 'forking' do + before do + assign(:project, project) + + allow(view).to receive(:current_user).and_return(user) + end + + context 'project is not a fork' do + it 'hides the remove fork relationship settings' do + render + + expect(rendered).not_to have_content('Remove fork relationship') + end + end + + context 'project is a fork' do + let(:source_project) { create(:project) } + let(:project) { fork_project(source_project) } + + it 'shows the remove fork relationship settings to an authorized user' do + allow(view).to receive(:can?).with(user, :remove_fork_project, project).and_return(true) + + render + + expect(rendered).to have_content('Remove fork relationship') + end + + it 'hides the fork relationship settings from an unauthorized user' do + allow(view).to receive(:can?).with(user, :remove_fork_project, project).and_return(false) + + render + + expect(rendered).not_to have_content('Remove fork relationship') + end + + it 'hides the fork source from an unauthorized user' do + allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(false) + + render + + expect(rendered).to have_content('Remove fork relationship') + expect(rendered).not_to have_content(source_project.full_name) + end + + it 'shows the fork source to an authorized user' do + allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(true) + + render + + expect(rendered).to have_content('Remove fork relationship') + expect(rendered).to have_content(source_project.full_name) + end + end + end end |
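Review bot: The last two examples ('hides the fork source from an unauthorized user' and 'shows the fork source to an authorized user') assert that 'Remove fork relationship' is rendered but stub `can?` only for `:read_project`, so the `:remove_fork_project` outcome they depend on is implicit. It presumably comes from how the unstubbed call resolves for the `create(:admin)` user declared at the top of this spec, which is outside this hunk. Stub it explicitly in both examples with `allow(view).to receive(:can?).with(user, :remove_fork_project, project).and_return(true)`, so each example varies exactly one permission and fails for the right reason if the view's checks change.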