author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-06 22:30:08 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-06 22:30:24 +0000 |
commit | b9b8440df6afd24ba540343c612e522f52bea0db (patch) | |
tree | aecce7c15523692907d333edeb7c4f1a6d1044fc /spec | |
parent | e4a92d342784ccbb929e7d2b1faa42d6c2f591a3 (diff) | |
Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee
Diffstat (limited to 'spec')
3 files changed, 49 insertions, 36 deletions
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index e128db8d1c1..3e9c56d3274 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -268,17 +268,35 @@ RSpec.describe UploadsController do
 end
 context "when not signed in" do
- it "responds with status 200" do
- get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+ context "when restricted visibility level is not set to public" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [])
+ end
- expect(response).to have_gitlab_http_status(:ok)
+ it "responds with status 200" do
+ get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ it_behaves_like 'content publicly cached' do
+ subject do
+ get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
+
+ response
+ end
+ end
 end
- it_behaves_like 'content publicly cached' do
- subject do
- get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
+ context "when restricted visibility level is set to public" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+ end
- response
+ it "responds with status 401" do
+ get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
 end
 end
 end
diff --git a/spec/services/error_tracking/list_projects_service_spec.rb b/spec/services/error_tracking/list_projects_service_spec.rb
index ce391bd1ca0..8408adcc21d 100644
--- a/spec/services/error_tracking/list_projects_service_spec.rb
+++ b/spec/services/error_tracking/list_projects_service_spec.rb
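Review bot: The new "set to public" context asserts only the 401 status; nothing checks that the unauthorized response is not publicly cacheable, while the sibling context still runs `it_behaves_like 'content publicly cached'`. If an intermediary caches avatar responses, the restriction is only as strong as the cache headers on the negative path, so add an assertion next to the status check, e.g. `expect(response.headers['Cache-Control']).not_to include('public')`, or the inverse shared example if the suite has one. The same `get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }` call is also repeated four times across both contexts; a single `subject` at the "when not signed in" level would let each example assert only its outcome. The enclosing describe and the "when not signed in" context begin outside the hunk.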
@@ -2,7 +2,7 @@ require 'spec_helper'
-RSpec.describe ErrorTracking::ListProjectsService do
+RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integrations do
 let_it_be(:user) { create(:user) }
 let_it_be(:project, reload: true) { create(:project) }
@@ -51,15 +51,33 @@ RSpec.describe ErrorTracking::ListProjectsService do
 end
 context 'masked param token' do
- let(:params) { ActionController::Parameters.new(token: "*********", api_host: new_api_host) }
+ let(:params) { ActionController::Parameters.new(token: "*********", api_host: api_host) }
- before do
- expect(error_tracking_setting).to receive(:list_sentry_projects)
+ context 'with the current api host' do
+ let(:api_host) { 'https://sentrytest.gitlab.com' }
+
+ before do
+ expect(error_tracking_setting).to receive(:list_sentry_projects)
 .and_return({ projects: [] })
+ end
+
+ it 'uses database token' do
+ expect { subject.execute }.not_to change { error_tracking_setting.token }
+ end
 end
- it 'uses database token' do
- expect { subject.execute }.not_to change { error_tracking_setting.token }
+ context 'with a new api host' do
+ let(:api_host) { new_api_host }
+
+ it 'returns an error' do
+ expect(result[:message]).to start_with('Token is a required field')
+ expect(error_tracking_setting).not_to be_valid
+ expect(error_tracking_setting).not_to receive(:list_sentry_projects)
+ end
+
+ it 'resets the token' do
+ expect { subject.execute }.to change { error_tracking_setting.token }.from(token).to(nil)
+ end
 end
 end
diff --git a/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb b/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
index 337ad024fc0..cc91b73449a 100644
--- a/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
+++ b/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
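Review bot: In `it 'returns an error'`, the `expect(error_tracking_setting).not_to receive(:list_sentry_projects)` message expectation is installed after `result` has already been evaluated, so if `result` is a memoized `let` that calls `subject.execute` (it is defined outside the hunk) the negative expectation guards nothing and the example would still pass if the service contacted the new host with the stored token. Move that line to the top of the example, before `result[:message]` is read, or into a `before` for the 'with a new api host' context, so it actually proves no remote call is made. The first hunk of this file only adds `feature_category: :integrations` and needs no change. The 'masked param token' context and the `token`, `new_api_host` and `error_tracking_setting` helpers it relies on start outside the hunk.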
@@ -71,26 +71,3 @@ RSpec.shared_examples 'Self-managed Core resource access tokens' do
 end
 end
 end
-
-RSpec.shared_examples 'GitLab.com Core resource access tokens' do
- before do
- allow(::Gitlab).to receive(:com?).and_return(true)
- stub_ee_application_setting(should_check_namespace_plan: true)
- end
-
- context 'with owner access' do
- let(:current_user) { owner }
-
- context 'create resource access tokens' do
- it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
- end
-
- context 'read resource access tokens' do
- it { is_expected.not_to be_allowed(:read_resource_access_tokens) }
- end
-
- context 'destroy resource access tokens' do
- it { is_expected.not_to be_allowed(:destroy_resource_access_tokens) }
- end
- end
-end