author | Bob Van Landuyt <bob@vanlanduyt.co> | 2017-09-26 20:06:08 +0200 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2017-10-04 22:49:42 +0200 |
commit | 7a3ba8e9845b89c9f3f37d43e8edfeaa9093cfdf (patch) | |
tree | b882d6f373aa7ab40a428ac2d365f28925870494 /spec | |
parent | b92e7103fcced2d62000ed382848219016484f7b (diff) | |
download | gitlab-ce-7a3ba8e9845b89c9f3f37d43e8edfeaa9093cfdf.tar.gz |
Make sure the user only sees groups he's allowed to see
Diffstat (limited to 'spec')
-rw-r--r-- | spec/finders/group_descendants_finder_spec.rb | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/spec/finders/group_descendants_finder_spec.rb b/spec/finders/group_descendants_finder_spec.rb
index 09a773aaf68..7b9dfcbfad0 100644
--- a/spec/finders/group_descendants_finder_spec.rb
+++ b/spec/finders/group_descendants_finder_spec.rb
@@ -58,6 +58,19 @@ describe GroupDescendantsFinder do
 expect(found_group.preloaded_member_count).to eq(1)
 end
+ it 'does not include subgroups the user does not have access to' do
+ subgroup.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+ public_subgroup = create(:group, :public, parent: group, path: 'public-group')
+ other_subgroup = create(:group, :private, parent: group, path: 'visible-private-group')
+ other_user = create(:user)
+ other_subgroup.add_developer(other_user)
+
+ finder = described_class.new(current_user: other_user, parent_group: group)
+
+ expect(finder.execute).to contain_exactly(public_subgroup, other_subgroup)
+ end
+
 context 'with a filter' do
 let(:params) { { filter: 'test' } }
@@ -68,6 +81,21 @@ describe GroupDescendantsFinder do
 expect(finder.execute).to contain_exactly(matching_subgroup, matching_project)
 end
+ it 'does not include subgroups the user does not have access to' do
+ _invisible_subgroup = create(:group, :private, parent: group, name: 'test1')
+ other_subgroup = create(:group, :private, parent: group, name: 'test2')
+ public_subgroup = create(:group, :public, parent: group, name: 'test3')
+ other_subsubgroup = create(:group, :private, parent: other_subgroup, name: 'test4')
+ other_user = create(:user)
+ other_subgroup.add_developer(other_user)
+
+ finder = described_class.new(current_user: other_user,
+ parent_group: group,
+ params: params)
+
+ expect(finder.execute).to contain_exactly(other_subgroup, public_subgroup, other_subsubgroup)
+ end
+
 context 'with matching children' do
 it 'includes a group that has a subgroup matching the query and its parent' do
 matching_subgroup = create(:group, name: 'testgroup', parent: subgroup) |
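Review bot: The example added in the first hunk (`@@ -58,6 +58,19 @@`) pins the visibility rule for subgroups only, and only for a signed-in non-member. The filtered expectation further down (`contain_exactly(matching_subgroup, matching_project)`) shows that the finder also returns projects, so a private project that `other_user` cannot access should be part of the same check. Adding `_private_project = create(:project, :private, namespace: group)` before the existing `contain_exactly` expectation would cover it with no further assertions. If the finder accepts `current_user: nil`, a sibling example expecting only `public_subgroup` would pin the anonymous case as well. The enclosing `describe` block starts and ends outside the hunk, so existing coverage of either case is not visible here.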
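Review bot: In the filtered example of the second hunk (`@@ -68,6 +81,21 @@`) the only hidden group, `_invisible_subgroup`, is a direct child of `group`, so a hidden group with matching descendants is never exercised. The context that follows ('includes a group that has a subgroup matching the query and its parent') shows that the filter path also returns ancestors of a match. If that ancestor lookup is not scoped to what the user may read, a private parent could presumably surface through a matching child. I would rename the variable to `invisible_subgroup`, add `create(:group, :private, parent: invisible_subgroup, name: 'test5')`, and keep the `contain_exactly` expectation unchanged, so that both the hidden parent and its child must stay out of the result. The `context 'with a filter'` block continues past the end of the hunk.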