authorSebastian Ziebell <sebastian.ziebell@asquera.de>2013-02-16 14:42:49 +0100
committerSebastian Ziebell <sebastian.ziebell@asquera.de>2013-02-16 14:42:49 +0100
commite9d3b9659525c23a1d8c3b755c792040a5b41148 (patch)
treec2a1b4ef6b8a1e2a092ed2d52cfa44251e04be69 /spec
parented3f44085e01f50864ce840f007a50d2154df6f5 (diff)
downloadgitlab-ce-e9d3b9659525c23a1d8c3b755c792040a5b41148.tar.gz
API: fixes visibility of project hook
When a user is not authorized to see the list of hooks for a project, they are still able to access the hooks separately. For example, if access to `GET /projects/:id/hooks` fails and returns a `403 Unauthorized` error, it is still possible to access a hook directly via `GET /projects/:id/hooks/:hook_id`. Fixes access and adds tests to check access and status codes of hooks.
Diffstat (limited to 'spec')
-rw-r--r--spec/requests/api/projects_spec.rb42
1 files changed, 32 insertions, 10 deletions
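diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 16fd1b9307c..4ac1e7cc31c 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -196,22 +196,44 @@ describe Gitlab::API do
 end
 describe "GET /projects/:id/hooks" do
-it "should return project hooks" do
-get api("/projects/#{project.id}/hooks", user)
+context "authorized user" do
+it "should return project hooks" do
+get api("/projects/#{project.id}/hooks", user)
+response.status.should == 200
-response.status.should == 200
+json_response.should be_an Array
+json_response.count.should == 1
+json_response.first['url'].should == "http://example.com"
+end
+end
-json_response.should be_an Array
-json_response.count.should == 1
-json_response.first['url'].should == "http://example.com"
+context "unauthorized user" do
+it "should not access project hooks" do
+get api("/projects/#{project.id}/hooks", user3)
+response.status.should == 403
+end
 end
 end
 describe "GET /projects/:id/hooks/:hook_id" do
-it "should return a project hook" do
-get api("/projects/#{project.id}/hooks/#{hook.id}", user)
-response.status.should == 200
-json_response['url'].should == hook.url
+context "authorized user" do
+it "should return a project hook" do
+get api("/projects/#{project.id}/hooks/#{hook.id}", user)
+response.status.should == 200
+json_response['url'].should == hook.url
+end
+
+it "should return a 404 error if hook id is not available" do
+get api("/projects/#{project.id}/hooks/1234", user)
+response.status.should == 404
+end
+end
+
+context "unauthorized user" do
+it "should not access an existing hook" do
+get api("/projects/#{project.id}/hooks/#{hook.id}", user3)
+response.status.should == 403
+end
 end
 end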
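Review bot: The new `unauthorized user` context for `GET /projects/:id/hooks/:hook_id` only exercises an existing hook, so the spec does not pin that the 403 is produced before the hook lookup; if the endpoint resolves the hook first, a non-member would see 404 for an unknown id and 403 for a known one, which would let hook ids be distinguished by status code. Add a sibling example that requests a nonexistent id as `user3` and expects 403, mirroring the 404 example written for the authorized user. The literal `1234` now appears as the "missing" id; a shared `let(:missing_hook_id) { hook.id + 1000 }` would keep the two examples in step if fixtures ever change. `user3` and the enclosing `describe Gitlab::API do` are defined outside the hunk, so I am assuming `user3` is set up as a non-member of `project`.
```ruby
context "unauthorized user" do
  # … unchanged: "should not access an existing hook" example …

  it "should not reveal whether a hook exists" do
    get api("/projects/#{project.id}/hooks/1234", user3)
    response.status.should == 403
  end
end
```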