diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-09-28 14:44:11 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-09-28 18:21:56 +0200 |
commit | b7a6ad82cbadb6b3d9cb842be8b269ef5a8a05e2 (patch) | |
tree | 5f1a6ef0f95a52a1efd8fa913e5fad1566e0eec9 /spec | |
parent | 50562ab87ea555252552e20639b1eff56c656abd (diff) | |
download | gitlab-ce-b7a6ad82cbadb6b3d9cb842be8b269ef5a8a05e2.tar.gz |
Merge branch '22435-no-api-state-change-via-rails-session' into 'security'
API: disable rails session auth for non-GET/HEAD requests
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22435
See merge request !1999
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/api/api_helpers_spec.rb | 39 |
1 files changed, 33 insertions, 6 deletions
diff --git a/spec/requests/api/api_helpers_spec.rb b/spec/requests/api/api_helpers_spec.rb index 90a26d56a90..9457eafe622 100644 --- a/spec/requests/api/api_helpers_spec.rb +++ b/spec/requests/api/api_helpers_spec.rb @@ -9,7 +9,8 @@ describe API::Helpers, api: true do let(:key) { create(:key, user: user) } let(:params) { {} } - let(:env) { {} } + let(:env) { { 'REQUEST_METHOD' => 'GET' } } + let(:request) { Rack::Request.new(env) } def set_env(token_usr, identifier) clear_env @@ -51,17 +52,43 @@ describe API::Helpers, api: true do describe ".current_user" do subject { current_user } - describe "when authenticating via Warden" do + describe "Warden authentication" do before { doorkeeper_guard_returns false } - context "fails" do - it { is_expected.to be_nil } + context "with invalid credentials" do + context "GET request" do + before { env['REQUEST_METHOD'] = 'GET' } + it { is_expected.to be_nil } + end end - context "succeeds" do + context "with valid credentials" do before { warden_authenticate_returns user } - it { is_expected.to eq(user) } + context "GET request" do + before { env['REQUEST_METHOD'] = 'GET' } + it { is_expected.to eq(user) } + end + + context "HEAD request" do + before { env['REQUEST_METHOD'] = 'HEAD' } + it { is_expected.to eq(user) } + end + + context "PUT request" do + before { env['REQUEST_METHOD'] = 'PUT' } + it { is_expected.to be_nil } + end + + context "POST request" do + before { env['REQUEST_METHOD'] = 'POST' } + it { is_expected.to be_nil } + end + + context "DELETE request" do + before { env['REQUEST_METHOD'] = 'DELETE' } + it { is_expected.to be_nil } + end end end |