diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-05-25 20:28:17 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-05-25 20:28:17 +0000 |
commit | 997178220008696576ffb5cdee6cb9d0e7a44055 (patch) | |
tree | b2476fed3952a8df889995756d2c172adb50013f /spec | |
parent | 7fa1ab469f40dfced988a75b95e484e40615e32d (diff) | |
parent | b359d5d57f4b836c04e9e2ef7e1fcb3775bd5305 (diff) | |
download | gitlab-ce-997178220008696576ffb5cdee6cb9d0e7a44055.tar.gz |
Merge branch 'fix-issue-17496' into 'master'
Fix groups API to list only user's accessible projects
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17496
See merge request !1966
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/api/groups_spec.rb | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index 37ddab83c30..7ecefce80d6 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb @@ -12,6 +12,7 @@ describe API::API, api: true do let!(:group2) { create(:group, :private) } let!(:project1) { create(:project, namespace: group1) } let!(:project2) { create(:project, namespace: group2) } + let!(:project3) { create(:project, namespace: group1, path: 'test', visibility_level: Gitlab::VisibilityLevel::PRIVATE) } before do group1.add_owner(user1) @@ -147,9 +148,11 @@ describe API::API, api: true do context "when authenticated as user" do it "should return the group's projects" do get api("/groups/#{group1.id}/projects", user1) + expect(response.status).to eq(200) - expect(json_response.length).to eq(1) - expect(json_response.first['name']).to eq(project1.name) + expect(json_response.length).to eq(2) + project_names = json_response.map { |proj| proj['name' ] } + expect(project_names).to match_array([project1.name, project3.name]) end it "should not return a non existing group" do @@ -162,6 +165,16 @@ describe API::API, api: true do expect(response.status).to eq(404) end + + it "should only return projects to which user has access" do + project3.team << [user3, :developer] + + get api("/groups/#{group1.id}/projects", user3) + + expect(response.status).to eq(200) + expect(json_response.length).to eq(1) + expect(json_response.first['name']).to eq(project3.name) + end end context "when authenticated as admin" do @@ -181,8 +194,10 @@ describe API::API, api: true do context 'when using group path in URL' do it 'should return any existing group' do get api("/groups/#{group1.path}/projects", admin) + expect(response.status).to eq(200) - expect(json_response.first['name']).to eq(project1.name) + project_names = json_response.map { |proj| proj['name' ] } + expect(project_names).to match_array([project1.name, project3.name]) end it 'should not return a non existing group' do |