author | Robert Speicher <robert@gitlab.com> | 2017-05-07 21:15:06 +0000 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2017-05-31 03:56:59 +0000 |
commit | 664ee81486a3205675cfadf3c98f9654d256f538 (patch) | |
tree | 366aef2511b33312fe99be57ae658ed7e02424a8 /spec | |
parent | 6a9efdc502b26337477b8ec55bbe7240b349891c (diff) | |
download | gitlab-ce-664ee81486a3205675cfadf3c98f9654d256f538.tar.gz |
Merge branch 'dz-restrict-autocomplete' into 'security-9-1'
Allow users autocomplete by author_id only for authenticated users
See merge request !2100
Diffstat (limited to 'spec')
-rw-r--r-- | spec/controllers/autocomplete_controller_spec.rb | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/spec/controllers/autocomplete_controller_spec.rb b/spec/controllers/autocomplete_controller_spec.rb
index 7d2f6dd9d0a..14b105c69e5 100644
--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
@@ -156,22 +156,32 @@ describe AutocompleteController do
 end
 context 'author of issuable included' do
- before do
- sign_in(user)
- end
-
 let(:body) { JSON.parse(response.body) }
- it 'includes the author' do
- get(:users, author_id: non_member.id)
+ context 'authenticated' do
+ before do
+ sign_in(user)
+ end
+
+ it 'includes the author' do
+ get(:users, author_id: non_member.id)
+
+ expect(body.first["username"]).to eq non_member.username
+ end
+
+ it 'rejects non existent user ids' do
+ get(:users, author_id: 99999)
- expect(body.first["username"]).to eq non_member.username
+ expect(body.collect { |u| u['id'] }).not_to include(99999)
+ end
 end
- it 'rejects non existent user ids' do
- get(:users, author_id: 99999)
+ context 'without authenticating' do
+ it 'returns empty result' do
+ get(:users, author_id: non_member.id)
- expect(body.collect { |u| u['id'] }).not_to include(99999)
+ expect(body).to be_empty
+ end
 end
 end
|
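Review bot: The new 'without authenticating' context exercises only a request that carries `author_id` on its own, so the restriction this merge introduces is pinned for a single parameter combination. If the action adds the author to results produced by other filters, an unauthenticated request that also passes one of those filters is the case most likely to regress, and nothing visible in this hunk covers it (the rest of the spec file is outside the hunk). Consider a second example in that context asserting `expect(body.map { |u| u['id'] }).not_to include(non_member.id)` for such a request. Separately, `be_empty` is satisfied by `{}` as well as `[]`; since the sibling examples call `body.first` and `body.collect`, `expect(body).to eq([])` would pin the response shape too.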