diff options
| author | Mike Ricketts <rickettm@uk.ibm.com> | 2017-06-20 14:54:29 +0000 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2017-06-20 14:54:29 +0000 |
| commit | 0e7478064f3cf91fec8cffb86a74503ab3e0322d (patch) | |
| tree | be88ac18b51372e72855355e935489591a9d3775 /spec | |
| parent | 745d46bc88be45066d4abb448f1308f11f970e26 (diff) | |
| download | gitlab-ce-0e7478064f3cf91fec8cffb86a74503ab3e0322d.tar.gz | |
Re-instate is_admin flag in users API is current user is an admin
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/requests/api/users_spec.rb | 9 | ||||
| -rw-r--r-- | spec/requests/api/v3/users_spec.rb | 32 |
2 files changed, 40 insertions, 1 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index bc869ea1108..750682bde52 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb @@ -11,7 +11,7 @@ describe API::Users do let(:not_existing_user_id) { (User.maximum('id') || 0 ) + 10 } let(:not_existing_pat_id) { (PersonalAccessToken.maximum('id') || 0 ) + 10 } - describe "GET /users" do + describe 'GET /users' do context "when unauthenticated" do it "returns authentication error" do get api("/users") @@ -76,6 +76,12 @@ describe API::Users do expect(response).to have_http_status(403) end + + it 'does not reveal the `is_admin` flag of the user' do + get api('/users', user) + + expect(json_response.first.keys).not_to include 'is_admin' + end end context "when admin" do @@ -92,6 +98,7 @@ describe API::Users do expect(json_response.first.keys).to include 'two_factor_enabled' expect(json_response.first.keys).to include 'last_sign_in_at' expect(json_response.first.keys).to include 'confirmed_at' + expect(json_response.first.keys).to include 'is_admin' end it "returns an array of external users" do diff --git a/spec/requests/api/v3/users_spec.rb b/spec/requests/api/v3/users_spec.rb index e9c57f7c6c3..6d7401f9764 100644 --- a/spec/requests/api/v3/users_spec.rb +++ b/spec/requests/api/v3/users_spec.rb @@ -7,6 +7,38 @@ describe API::V3::Users do let(:email) { create(:email, user: user) } let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') } + describe 'GET /users' do + context 'when authenticated' do + it 'returns an array of users' do + get v3_api('/users', user) + + expect(response).to have_http_status(200) + expect(response).to include_pagination_headers + expect(json_response).to be_an Array + username = user.username + expect(json_response.detect do |user| + user['username'] == username + end['username']).to eq(username) + end + end + + context 'when authenticated as user' do + it 'does not reveal the `is_admin` flag of the user' do + get v3_api('/users', user) + + expect(json_response.first.keys).not_to include 'is_admin' + end + end + + context 'when authenticated as admin' do + it 'reveals the `is_admin` flag of the user' do + get v3_api('/users', admin) + + expect(json_response.first.keys).to include 'is_admin' + end + end + end + describe 'GET /user/:id/keys' do before { admin } |