author | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-12-10 13:58:34 +0000 |
---|---|---|
committer | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-12-10 15:11:28 +0000 |
commit | 837812d3249bcd916733d484a1a750ae31c28b6c (patch) | |
tree | a4b32f9c0817bcbcfd8cb3971c0689141b24f7e6 /spec | |
parent | d2120ff1e705799752e7d9704cae3f1896d8e186 (diff) | |
download | gitlab-ce-837812d3249bcd916733d484a1a750ae31c28b6c.tar.gz |
Project guests no longer are able to see refs page
Adds download_code authorization check to ProjectsController#refs
action, to prevent a project guest from seeing branch, tags and
commits information
Diffstat (limited to 'spec')
-rw-r--r-- | spec/controllers/projects_controller_spec.rb | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index 7849bec4762..febbced6054 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -590,10 +590,10 @@ describe ProjectsController do
 end
 describe "GET refs" do
- let(:public_project) { create(:project, :public, :repository) }
+ let(:project) { create(:project, :public, :repository) }
 it 'gets a list of branches and tags' do
- get :refs, namespace_id: public_project.namespace, id: public_project, sort: 'updated_desc'
+ get :refs, namespace_id: project.namespace, id: project, sort: 'updated_desc'
 parsed_body = JSON.parse(response.body)
 expect(parsed_body['Branches']).to include('master')
@@ -603,7 +603,7 @@ describe ProjectsController do
 end
 it "gets a list of branches, tags and commits" do
- get :refs, namespace_id: public_project.namespace, id: public_project, ref: "123456"
+ get :refs, namespace_id: project.namespace, id: project, ref: "123456"
 parsed_body = JSON.parse(response.body)
 expect(parsed_body["Branches"]).to include("master")
@@ -618,7 +618,7 @@ describe ProjectsController do
 end
 it "gets a list of branches, tags and commits" do
- get :refs, namespace_id: public_project.namespace, id: public_project, ref: "123456"
+ get :refs, namespace_id: project.namespace, id: project, ref: "123456"
 parsed_body = JSON.parse(response.body)
 expect(parsed_body["Branches"]).to include("master")
@@ -626,6 +626,22 @@ describe ProjectsController do
 expect(parsed_body["Commits"]).to include("123456")
 end
 end
+
+ context 'when private project' do
+ let(:project) { create(:project, :repository) }
+
+ context 'as a guest' do
+ it 'renders forbidden' do
+ user = create(:user)
+ project.add_guest(user)
+
+ sign_in(user)
+ get :refs, namespace_id: project.namespace, id: project
+
+ expect(response).to have_gitlab_http_status(404)
+ end
+ end
+ end
 end
 describe 'POST #preview_markdown' do |
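Review bot: In the last hunk the new example is titled `'renders forbidden'` but asserts `have_gitlab_http_status(404)`, so the description and the expectation disagree; `it 'renders not found' do` would match what is checked. The new `context 'when private project'` also pins only the denied case. A sibling example that adds the user with a role expected to hold `download_code` (for instance `project.add_developer(user)`, to be confirmed against the policy) and expects a 200 would catch a regression where the new authorization check locks out members who should keep access. The guest request also omits the `ref:` parameter, so the commits branch of the action is not covered for the denied case. The enclosing `describe "GET refs"` opens in the first hunk and its body is only partly visible here.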