author | Nick Thomas <nick@gitlab.com> | 2019-03-05 16:12:27 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-03-06 09:05:03 +0000 |
commit | e05a86cecdf52a0ec1f0f4ce4f30287f881b8ea2 (patch) | |
tree | bf11e94a8cd21c43affadcd8fd00f9f5d23d0d6e /spec | |
parent | 42d3117f9c3371e07e8b0aafab6f504e87251c2a (diff) | |
download | gitlab-ce-e05a86cecdf52a0ec1f0f4ce4f30287f881b8ea2.tar.gz |
Allow all personal snippets to be accessed by API
Previously, you could only access personal snippets in the API if you
had authored them. The documentation doesn't state that this is the
case, and it's quite surprising.
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/api/snippets_spec.rb | 76 |
1 files changed, 64 insertions, 12 deletions
diff --git a/spec/requests/api/snippets_spec.rb b/spec/requests/api/snippets_spec.rb index 7c8512f7589..d600076e9fb 100644 --- a/spec/requests/api/snippets_spec.rb +++ b/spec/requests/api/snippets_spec.rb @@ -84,10 +84,17 @@ describe API::Snippets do end describe 'GET /snippets/:id/raw' do - let(:snippet) { create(:personal_snippet, author: user) } + set(:author) { create(:user) } + set(:snippet) { create(:personal_snippet, :private, author: author) } + + it 'requires authentication' do + get api("/snippets/#{snippet.id}", nil) + + expect(response).to have_gitlab_http_status(401) + end it 'returns raw text' do - get api("/snippets/#{snippet.id}/raw", user) + get api("/snippets/#{snippet.id}/raw", author) expect(response).to have_gitlab_http_status(200) expect(response.content_type).to eq 'text/plain' 
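Review bot: The new `requires authentication` example inside the `GET /snippets/:id/raw` block requests `/snippets/#{snippet.id}` rather than the raw endpoint, so it actually exercises `GET /snippets/:id` and leaves the unauthenticated path of `/raw` untested; change it to `get api("/snippets/#{snippet.id}/raw", nil)`. As written, a regression that let anonymous callers fetch the raw content of a private snippet would not be caught by this group. The enclosing `describe API::Snippets` block starts before the hunk.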
@@ -95,38 +102,83 @@ describe API::Snippets do end it 'forces attachment content disposition' do - get api("/snippets/#{snippet.id}/raw", user) + get api("/snippets/#{snippet.id}/raw", author) expect(headers['Content-Disposition']).to match(/^attachment/) end it 'returns 404 for invalid snippet id' do - get api("/snippets/1234/raw", user) + snippet.destroy + + get api("/snippets/#{snippet.id}/raw", author) expect(response).to have_gitlab_http_status(404) expect(json_response['message']).to eq('404 Snippet Not Found') end + + it 'hides private snippets from ordinary users' do + get api("/snippets/#{snippet.id}/raw", user) + + expect(response).to have_gitlab_http_status(404) + end + + it 'shows internal snippets to ordinary users' do + internal_snippet = create(:personal_snippet, :internal, author: author) + + get api("/snippets/#{internal_snippet.id}/raw", user) + + expect(response).to have_gitlab_http_status(200) + end end describe 'GET /snippets/:id' do - let(:snippet) { create(:personal_snippet, author: user) } + set(:admin) { create(:user, :admin) } + set(:author) { create(:user) } + set(:private_snippet) { create(:personal_snippet, :private, author: author) } + set(:internal_snippet) { create(:personal_snippet, :internal, author: author) } + + it 'requires authentication' do + get api("/snippets/#{private_snippet.id}", nil) + + expect(response).to have_gitlab_http_status(401) + end it 'returns snippet json' do - get api("/snippets/#{snippet.id}", user) + get api("/snippets/#{private_snippet.id}", author) expect(response).to have_gitlab_http_status(200) - expect(json_response['title']).to eq(snippet.title) - expect(json_response['description']).to eq(snippet.description) - expect(json_response['file_name']).to eq(snippet.file_name) - expect(json_response['visibility']).to eq(snippet.visibility) + expect(json_response['title']).to eq(private_snippet.title) + expect(json_response['description']).to eq(private_snippet.description) + 
expect(json_response['file_name']).to eq(private_snippet.file_name) + expect(json_response['visibility']).to eq(private_snippet.visibility) + end + + it 'shows private snippets to an admin' do + get api("/snippets/#{private_snippet.id}", admin) + + expect(response).to have_gitlab_http_status(200) + end + + it 'hides private snippets from an ordinary user' do + get api("/snippets/#{private_snippet.id}", user) + + expect(response).to have_gitlab_http_status(404) + end + + it 'shows internal snippets to an ordinary user' do + get api("/snippets/#{internal_snippet.id}", user) + + expect(response).to have_gitlab_http_status(200) end it 'returns 404 for invalid snippet id' do - get api("/snippets/1234", user) + private_snippet.destroy + + get api("/snippets/#{private_snippet.id}", admin) expect(response).to have_gitlab_http_status(404) - expect(json_response['message']).to eq('404 Not found') + expect(json_response['message']).to eq('404 Snippet Not Found') end end |
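Review bot: Both `returns 404 for invalid snippet id` examples now call `destroy` on a `set` fixture (`snippet` in the `/raw` block, `private_snippet` in the `GET /snippets/:id` block); `set` memoizes the record across the examples of the group, so after this example the shared object is marked destroyed, and the other examples presumably only keep passing because the example transaction rolls the row back — confirm. Deleting a throwaway record instead keeps the shared fixture intact: `doomed = create(:personal_snippet, :private, author: author)` / `doomed.destroy` / `get api("/snippets/#{doomed.id}/raw", author)`. Since the commit widens who can read personal snippets, the coverage would also benefit from an `internal` case for an external user (`create(:user, :external)`, expecting 404 at both endpoints), as the internal examples only use the ordinary `user`. The enclosing `describe API::Snippets` block starts before the hunk.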