authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-25 16:54:51 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-25 16:54:51 +0000
commitcdc3d9991b0cca2d2243bdf452f61aae40d778cd (patch)
treef05b5b8c2e3fd10e210c35637292f3d28ac6f510 /spec
parente92c90758eb4126acc84962d37bb273d6d87b27b (diff)
downloadgitlab-ce-cdc3d9991b0cca2d2243bdf452f61aae40d778cd.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/graphql/resolvers/users_resolver_spec.rb19
-rw-r--r--spec/requests/api/graphql/users_spec.rb24
2 files changed, 30 insertions, 13 deletions
diff --git a/spec/graphql/resolvers/users_resolver_spec.rb b/spec/graphql/resolvers/users_resolver_spec.rb
index 031d7c99eef..29947c33430 100644
--- a/spec/graphql/resolvers/users_resolver_spec.rb
+++ b/spec/graphql/resolvers/users_resolver_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe Resolvers::UsersResolver do
let_it_be(:user1) { create(:user, name: "SomePerson") }
let_it_be(:user2) { create(:user, username: "someone123784") }
+ let_it_be(:current_user) { create(:user) }
specify do
expect(described_class).to have_nullable_graphql_type(Types::UserType.connection_type)
@@ -14,14 +15,14 @@ RSpec.describe Resolvers::UsersResolver do
describe '#resolve' do
it 'raises an error when read_users_list is not authorized' do
- expect(Ability).to receive(:allowed?).with(nil, :read_users_list).and_return(false)
+ expect(Ability).to receive(:allowed?).with(current_user, :read_users_list).and_return(false)
expect { resolve_users }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when no arguments are passed' do
it 'returns all users' do
- expect(resolve_users).to contain_exactly(user1, user2)
+ expect(resolve_users).to contain_exactly(user1, user2, current_user)
end
end
@@ -65,9 +66,21 @@ RSpec.describe Resolvers::UsersResolver do
expect(resolve_users( args: { search: "someperson" } )).to contain_exactly(user1)
end
end
+
+ context 'with anonymous access' do
+ let_it_be(:current_user) { nil }
+
+ it 'prohibits search without usernames passed' do
+ expect { resolve_users }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
+
+ it 'allows to search by username' do
+ expect(resolve_users(args: { usernames: [user1.username] })).to contain_exactly(user1)
+ end
+ end
end
def resolve_users(args: {}, ctx: {})
- resolve(described_class, args: args, ctx: ctx)
+ resolve(described_class, args: args, ctx: { current_user: current_user }.merge(ctx))
end
end
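Review bot: The new 'with anonymous access' context exercises only the no-argument and `usernames:` paths; the `search:` argument used by the example just above it (`args: { search: "someperson" }`) is never sent with `current_user` nil, so a regression that re-opened free-text search to unauthenticated callers would pass this spec. An example such as `expect { resolve_users(args: { search: 'someperson' }) }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)` would pin that, assuming the resolver rejects it for anonymous callers — the resolver itself is not in this diff, so confirm before adding. Separately, `let_it_be(:current_user) { nil }` creates no record, so the plain `let(:current_user) { nil }` is the conventional way to override the value in a nested context.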
diff --git a/spec/requests/api/graphql/users_spec.rb b/spec/requests/api/graphql/users_spec.rb
index 67cd35ee545..fe824834a2c 100644
--- a/spec/requests/api/graphql/users_spec.rb
+++ b/spec/requests/api/graphql/users_spec.rb
@@ -5,11 +5,13 @@ require 'spec_helper'
RSpec.describe 'Users' do
include GraphqlHelpers
- let_it_be(:current_user) { create(:user, created_at: 1.day.ago) }
+ let_it_be(:user0) { create(:user, created_at: 1.day.ago) }
let_it_be(:user1) { create(:user, created_at: 2.days.ago) }
let_it_be(:user2) { create(:user, created_at: 3.days.ago) }
let_it_be(:user3) { create(:user, created_at: 4.days.ago) }
+ let(:current_user) { user0 }
+
describe '.users' do
shared_examples 'a working users query' do
it_behaves_like 'a working graphql query' do
@@ -19,7 +21,7 @@ RSpec.describe 'Users' do
end
it 'includes a list of users' do
- post_graphql(query)
+ post_graphql(query, current_user: current_user)
expect(graphql_data.dig('users', 'nodes')).not_to be_empty
end
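Review bot: With `current_user:` now passed on every `post_graphql` call in this file (here and in the 'displays an error' and 'includes only admins' hunks), no example in this request spec sends the users query unauthenticated any more, so the anonymous behaviour this change hardens is covered only at the resolver level. A request-level example — `post_graphql(query)` followed by an assertion on `graphql_errors` or on `graphql_data.dig('users', 'nodes')` being empty — would pin it at the API boundary as well; which of the two outcomes applies cannot be told from this diff. The enclosing `describe '.users'` block starts outside the hunk.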
@@ -47,7 +49,7 @@ RSpec.describe 'Users' do
let_it_be(:query) { graphql_query_for(:users, { ids: user1.to_global_id.to_s, usernames: user1.username }, 'nodes { id }') }
it 'displays an error' do
- post_graphql(query)
+ post_graphql(query, current_user: current_user)
expect(graphql_errors).to include(
a_hash_including('message' => a_string_matching(%r{Provide either a list of usernames or ids}))
@@ -66,14 +68,14 @@ RSpec.describe 'Users' do
it_behaves_like 'a working users query'
- it 'includes all non-admin users', :aggregate_failures do
- post_graphql(query)
+ it 'includes all users', :aggregate_failures do
+ post_query
expect(graphql_data.dig('users', 'nodes')).to include(
+ { "id" => user0.to_global_id.to_s },
{ "id" => user1.to_global_id.to_s },
{ "id" => user2.to_global_id.to_s },
{ "id" => user3.to_global_id.to_s },
- { "id" => current_user.to_global_id.to_s },
{ "id" => admin.to_global_id.to_s },
{ "id" => another_admin.to_global_id.to_s }
)
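Review bot: The 'includes all users' example calls `post_query` while the other rewritten examples in this file ('includes a list of users', 'displays an error', 'includes only admins') use `post_graphql(query, current_user: current_user)`; presumably `post_query` is a helper defined outside this hunk that wraps the same call, but if it does not forward `current_user` this example runs unauthenticated, which is the case the rest of the change moves away from. Either use `post_graphql(query, current_user: current_user)` here for consistency, or add a comment at the helper's definition stating that it posts as `current_user`. The enclosing context starts outside the hunk.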
@@ -81,10 +83,12 @@ RSpec.describe 'Users' do
end
context 'when current user is an admin' do
+ let(:current_user) { admin }
+
it_behaves_like 'a working users query'
it 'includes only admins', :aggregate_failures do
- post_graphql(query, current_user: admin)
+ post_graphql(query, current_user: current_user)
expect(graphql_data.dig('users', 'nodes')).to include(
{ "id" => another_admin.to_global_id.to_s },
@@ -92,10 +96,10 @@ RSpec.describe 'Users' do
)
expect(graphql_data.dig('users', 'nodes')).not_to include(
+ { "id" => user0.to_global_id.to_s },
{ "id" => user1.to_global_id.to_s },
{ "id" => user2.to_global_id.to_s },
- { "id" => user3.to_global_id.to_s },
- { "id" => current_user.to_global_id.to_s }
+ { "id" => user3.to_global_id.to_s }
)
end
end
@@ -110,7 +114,7 @@ RSpec.describe 'Users' do
end
context 'when sorting by created_at' do
- let_it_be(:ascending_users) { [user3, user2, user1, current_user].map { |u| global_id_of(u) } }
+ let_it_be(:ascending_users) { [user3, user2, user1, user0].map { |u| global_id_of(u) } }
context 'when ascending' do
it_behaves_like 'sorted paginated query' do