summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorFelipe Artur <fcardozo@gitlab.com>2019-03-27 14:59:02 +0000
committerNick Thomas <nick@gitlab.com>2019-03-27 14:59:02 +0000
commit73b553a42a1dec7bd38e0aeeb5514c2a566a98c9 (patch)
treea763b5e4a28ba39c0bff6abd9804063f8d1f2cf9 /spec
parentb78aa81f323d16b71af40e2f6fc201d7e7a9a855 (diff)
downloadgitlab-ce-73b553a42a1dec7bd38e0aeeb5514c2a566a98c9.tar.gz
Add API access check to Graphql
Check if user can access API on GraphqlController
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/graphql_controller_spec.rb45
1 files changed, 45 insertions, 0 deletions
diff --git a/spec/controllers/graphql_controller_spec.rb b/spec/controllers/graphql_controller_spec.rb
new file mode 100644
index 00000000000..c19a752b07b
--- /dev/null
+++ b/spec/controllers/graphql_controller_spec.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe GraphqlController do
+ before do
+ stub_feature_flags(graphql: true)
+ end
+
+ describe 'POST #execute' do
+ context 'when user is logged in' do
+ let(:user) { create(:user) }
+
+ before do
+ sign_in(user)
+ end
+
+ it 'returns 200 when user can access API' do
+ post :execute
+
+ expect(response).to have_gitlab_http_status(200)
+ end
+
+ it 'returns access denied template when user cannot access API' do
+ # User cannot access API in a couple of cases
+ # * When user is internal(like ghost users)
+ # * When user is blocked
+ expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
+
+ post :execute
+
+ expect(response.status).to eq(403)
+ expect(response).to render_template('errors/access_denied')
+ end
+ end
+
+ context 'when user is not logged in' do
+ it 'returns 200' do
+ post :execute
+
+ expect(response).to have_gitlab_http_status(200)
+ end
+ end
+ end
+end
View Lorry Controller Status