summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 10:13:35 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 10:13:35 +0000
commite8ae58a7c189407375b3f575b7aa8fb17a1e4f99 (patch)
tree027bb4d3f911b7a07c7552f142d9b3fad32e9318 /spec
parent51b27ab58055b65e14e68b19604e4823389adb73 (diff)
downloadgitlab-ce-e8ae58a7c189407375b3f575b7aa8fb17a1e4f99.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/graphql/mutations/issues/set_severity_spec.rb54
-rw-r--r--spec/lib/gitlab/import_export/project/relation_factory_spec.rb29
-rw-r--r--spec/lib/gitlab/import_export/project/tree_restorer_spec.rb2
-rw-r--r--spec/lib/gitlab/import_export/safe_model_attributes.yml1
-rw-r--r--spec/services/issues/update_service_spec.rb36
5 files changed, 95 insertions, 27 deletions
diff --git a/spec/graphql/mutations/issues/set_severity_spec.rb b/spec/graphql/mutations/issues/set_severity_spec.rb
index 7ce9c7f6621..84736fe7ee6 100644
--- a/spec/graphql/mutations/issues/set_severity_spec.rb
+++ b/spec/graphql/mutations/issues/set_severity_spec.rb
@@ -3,26 +3,58 @@
require 'spec_helper'
RSpec.describe Mutations::Issues::SetSeverity do
- let_it_be(:user) { create(:user) }
- let_it_be(:issue) { create(:incident) }
+ let_it_be(:project) { create(:project) }
+ let_it_be(:guest) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
+ let_it_be(:issue) { create(:incident, project: project) }
let(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
- specify { expect(described_class).to require_graphql_authorizations(:update_issue) }
+ specify { expect(described_class).to require_graphql_authorizations(:update_issue, :admin_issue) }
+
+ before_all do
+ project.add_guest(guest)
+ project.add_reporter(reporter)
+ end
describe '#resolve' do
let(:severity) { 'critical' }
- let(:mutated_incident) { subject[:issue] }
- subject(:resolve) { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, severity: severity) }
+ subject(:resolve) do
+ mutation.resolve(
+ project_path: issue.project.full_path,
+ iid: issue.iid,
+ severity: severity
+ )
+ end
- it_behaves_like 'permission level for issue mutation is correctly verified'
+ context 'as guest' do
+ let(:user) { guest }
- context 'when the user can update the issue' do
- before do
- issue.project.add_developer(user)
+ it 'raises an error' do
+ expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
+
+ context 'and also author' do
+ let!(:issue) { create(:incident, project: project, author: user) }
+
+ it 'raises an error' do
+ expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
end
+ context 'and also assignee' do
+ let!(:issue) { create(:incident, project: project, assignee_ids: [user.id]) }
+
+ it 'raises an error' do
+ expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
+ end
+ end
+
+ context 'as reporter' do
+ let(:user) { reporter }
+
context 'when issue type is incident' do
context 'when severity has a correct value' do
it 'updates severity' do
@@ -48,9 +80,9 @@ RSpec.describe Mutations::Issues::SetSeverity do
end
context 'when issue type is not incident' do
- let!(:issue) { create(:issue) }
+ let!(:issue) { create(:issue, project: project) }
- it 'does not updates the issue' do
+ it 'does not update the issue' do
expect { resolve }.not_to change { issue.updated_at }
end
end
diff --git a/spec/lib/gitlab/import_export/project/relation_factory_spec.rb b/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
index 88bd71d3d64..49df2313924 100644
--- a/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
+++ b/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
@@ -267,6 +267,35 @@ RSpec.describe Gitlab::ImportExport::Project::RelationFactory, :use_clean_rails_
end
end
+ context 'pipeline_schedule' do
+ let(:relation_sym) { :pipeline_schedules }
+ let(:relation_hash) do
+ {
+ "id": 3,
+ "created_at": "2016-07-22T08:55:44.161Z",
+ "updated_at": "2016-07-22T08:55:44.161Z",
+ "description": "pipeline schedule",
+ "ref": "main",
+ "cron": "0 4 * * 0",
+ "cron_timezone": "UTC",
+ "active": value,
+ "project_id": project.id
+ }
+ end
+
+ subject { created_object.active }
+
+ [true, false].each do |v|
+ context "when relation_hash has active set to #{v}" do
+ let(:value) { v }
+
+ it "the created object is not active" do
+ expect(created_object.active).to eq(false)
+ end
+ end
+ end
+ end
+
# `project_id`, `described_class.USER_REFERENCES`, noteable_id, target_id, and some project IDs are already
# re-assigned by described_class.
context 'Potentially hazardous foreign keys' do
diff --git a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
index 518a9337826..f512f49764d 100644
--- a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
@@ -376,7 +376,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
expect(pipeline_schedule.ref).to eq('master')
expect(pipeline_schedule.cron).to eq('0 4 * * 0')
expect(pipeline_schedule.cron_timezone).to eq('UTC')
- expect(pipeline_schedule.active).to eq(true)
+ expect(pipeline_schedule.active).to eq(false)
end
end
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index 287be24d11f..4b125cab49b 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -556,7 +556,6 @@ Project:
- merge_requests_rebase_enabled
- jobs_cache_index
- external_authorization_classification_label
-- external_webhook_token
- pages_https_only
- merge_requests_disable_committers_approval
- require_password_to_approve
diff --git a/spec/services/issues/update_service_spec.rb b/spec/services/issues/update_service_spec.rb
index 331cf291f21..83c17f051eb 100644
--- a/spec/services/issues/update_service_spec.rb
+++ b/spec/services/issues/update_service_spec.rb
@@ -6,6 +6,7 @@ RSpec.describe Issues::UpdateService, :mailer do
let_it_be(:user) { create(:user) }
let_it_be(:user2) { create(:user) }
let_it_be(:user3) { create(:user) }
+ let_it_be(:guest) { create(:user) }
let_it_be(:group) { create(:group, :public) }
let_it_be(:project, reload: true) { create(:project, :repository, group: group) }
let_it_be(:label) { create(:label, project: project) }
@@ -24,6 +25,7 @@ RSpec.describe Issues::UpdateService, :mailer do
project.add_maintainer(user)
project.add_developer(user2)
project.add_developer(user3)
+ project.add_guest(guest)
end
describe 'execute' do
@@ -95,9 +97,7 @@ RSpec.describe Issues::UpdateService, :mailer do
end
context 'user is a guest' do
- before do
- project.add_guest(user)
- end
+ let(:user) { guest }
it 'does not assign the sentry error' do
update_issue(opts)
@@ -258,11 +258,7 @@ RSpec.describe Issues::UpdateService, :mailer do
context 'from issue to restricted issue types' do
context 'without sufficient permissions' do
- let(:user) { create(:user) }
-
- before do
- project.add_guest(user)
- end
+ let(:user) { guest }
it 'does nothing to the labels' do
expect { update_issue(issue_type: 'issue') }.not_to change(issue.labels, :count)
@@ -407,12 +403,6 @@ RSpec.describe Issues::UpdateService, :mailer do
end
context 'when current user cannot admin issues in the project' do
- let(:guest) { create(:user) }
-
- before do
- project.add_guest(guest)
- end
-
it 'filters out params that cannot be set without the :admin_issue permission' do
described_class.new(
project: project, current_user: guest, params: opts.merge(
@@ -1113,6 +1103,24 @@ RSpec.describe Issues::UpdateService, :mailer do
it_behaves_like 'does not change the severity'
end
+
+ context 'as guest' do
+ let(:user) { guest }
+
+ it_behaves_like 'does not change the severity'
+
+ context 'and also author' do
+ let(:issue) { create(:incident, project: project, author: user) }
+
+ it_behaves_like 'does not change the severity'
+ end
+
+ context 'and also assignee' do
+ let(:issue) { create(:incident, project: project, assignee_ids: [user.id]) }
+
+ it_behaves_like 'does not change the severity'
+ end
+ end
end
context 'when severity has been set before' do