author | Robert Speicher <robert@gitlab.com> | 2017-01-03 18:03:13 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2017-01-23 13:54:35 -0500 |
commit | 3a5df1d8fc518900d8e33a6be8a2243e399c754a (patch) | |
tree | 73e2ef9be53a013e3756a8d0e5ba9d9309bb5918 /spec | |
parent | d7755ede246988e3186a46b2c9fbd1b70660b529 (diff) | |
download | gitlab-ce-3a5df1d8fc518900d8e33a6be8a2243e399c754a.tar.gz |
Merge branch 'fix-api-mr-permissions' into 'security'
Ensure that only privileged users can access merge requests in the API
See merge request !2053
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/api/merge_requests_spec.rb | 29 | ||||
-rw-r--r-- | spec/requests/api/todos_spec.rb | 15 |
2 files changed, 43 insertions, 1 deletions
diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index 6f20ac49269..71a7994e544 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -627,6 +627,17 @@ describe API::MergeRequests, api: true do
 expect(json_response.first['title']).to eq(issue.title)
 expect(json_response.first['id']).to eq(issue.id)
 end
+
+ it 'returns 403 if the user has no access to the merge request' do
+ project = create(:empty_project, :private)
+ merge_request = create(:merge_request, :simple, source_project: project)
+ guest = create(:user)
+ project.team << [guest, :guest]
+
+ get api("/projects/#{project.id}/merge_requests/#{merge_request.id}/closes_issues", guest)
+
+ expect(response).to have_http_status(403)
+ end
 end
 
 describe 'POST :id/merge_requests/:merge_request_id/subscription' do
@@ -648,6 +659,15 @@ describe API::MergeRequests, api: true do
 
 expect(response).to have_http_status(404)
 end
+
+ it 'returns 403 if user has no access to read code' do
+ guest = create(:user)
+ project.team << [guest, :guest]
+
+ post api("/projects/#{project.id}/merge_requests/#{merge_request.id}/subscription", guest)
+
+ expect(response).to have_http_status(403)
+ end
 end
 
 describe 'DELETE :id/merge_requests/:merge_request_id/subscription' do
@@ -669,6 +689,15 @@ describe API::MergeRequests, api: true do
 
 expect(response).to have_http_status(404)
 end
+
+ it 'returns 403 if user has no access to read code' do
+ guest = create(:user)
+ project.team << [guest, :guest]
+
+ delete api("/projects/#{project.id}/merge_requests/#{merge_request.id}/subscription", guest)
+
+ expect(response).to have_http_status(403)
+ end
 end
 
 describe 'Time tracking' do
diff --git a/spec/requests/api/todos_spec.rb b/spec/requests/api/todos_spec.rb
index 6fe695626ca..56dc017ce54 100644
--- a/spec/requests/api/todos_spec.rb
+++ b/spec/requests/api/todos_spec.rb
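Review bot: All three new examples in this file exercise only a project member holding the `:guest` role, so the non-member path on a private project is still unasserted; the context lines above each hunk already pin 404 for a missing merge request, and one more example per endpoint with a user who is not added to `project.team` would pin whether an outsider receives 403 or 404 (404 would avoid confirming the project exists, but that is an expectation, not something visible in these lines). The example descriptions are also inconsistent between the first hunk (`'returns 403 if the user has no access to the merge request'`) and the two subscription hunks (`'returns 403 if user has no access to read code'`); one wording for all three, e.g. `it 'returns 403 when the user cannot read the merge request' do`, makes the permission being tested clearer. The first example builds its own `:empty_project, :private` and merge request, while the subscription examples reuse the outer `project` and `merge_request`, which are defined outside these hunks; if the outer project is private as well, the first example could reuse it too. The enclosing describe blocks start and end outside the hunks.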
@@ -183,12 +183,25 @@ describe API::Todos, api: true do
 
 expect(response.status).to eq(404)
 end
+
+ it 'returns an error if the issuable is not accessible' do
+ guest = create(:user)
+ project_1.team << [guest, :guest]
+
+ post api("/projects/#{project_1.id}/#{issuable_type}/#{issuable.id}/todo", guest)
+
+ if issuable_type == 'merge_requests'
+ expect(response).to have_http_status(403)
+ else
+ expect(response).to have_http_status(404)
+ end
+ end
 end
 
 describe 'POST :id/issuable_type/:issueable_id/todo' do
 context 'for an issue' do
 it_behaves_like 'an issuable', 'issues' do
- let(:issuable) { create(:issue, author: author_1, project: project_1) }
+ let(:issuable) { create(:issue, :confidential, author: author_1, project: project_1) }
 end
 end
 
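Review bot: The new shared example asserts 403 for merge requests but 404 for issues without recording why the two issuable types differ, so a reader cannot tell whether the asymmetry is intended or accidental; a comment above the `if`, such as `# Confidential issues are hidden from the guest (404); merge requests only deny access (403)`, would capture the contract, and splitting this into two examples would avoid a conditional assertion whose description (`'returns an error if the issuable is not accessible'`) does not say which error. Note that a 403 tells a guest that a merge request with that id exists in the project, whereas the 404 for the confidential issue does not; if that difference is deliberate it is worth a sentence in the commit description, which I cannot confirm from these lines. Changing `let(:issuable)` to a `:confidential` issue applies to every example in the `'an issuable'` shared group for issues, not only the new one, so the pre-existing examples now run against a confidential issue authored by `author_1`; that looks intentional but widens the effect of the change beyond the new test. The shared example group and the describe block begin outside this hunk.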