Diffstat (limited to 'qa')
-rw-r--r-- | qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb | 35 |
1 files changed, 16 insertions, 19 deletions
diff --git a/qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb b/qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb
index 784f474a7d5..ec88042673c 100644
--- a/qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb
+++ b/qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb
@@ -2,35 +2,32 @@ module QA
 RSpec.describe 'Plan', :reliable do
- describe 'check xss occurence in @mentions in issues', :requires_admin do
- it 'mentions a user in a comment' do
- QA::Runtime::Env.personal_access_token = QA::Runtime::Env.admin_personal_access_token
-
- unless QA::Runtime::Env.personal_access_token
- Flow::Login.sign_in_as_admin
- end
-
- user = Resource::User.fabricate_via_api! do |user|
- user.name = "eve <img src=x onerror=alert(2)<img src=x onerror=alert(1)>"
- user.password = "test1234"
- end
-
- QA::Runtime::Env.personal_access_token = nil
+ let!(:user) do
+ Resource::User.fabricate_via_api! do |user|
+ user.name = "eve <img src=x onerror=alert(2)<img src=x onerror=alert(1)>"
+ user.password = "test1234"
+ user.api_client = Runtime::API::Client.as_admin
+ end
+ end
- Page::Main::Menu.perform(&:sign_out) if Page::Main::Menu.perform { |p| p.has_personal_area?(wait: 0) }
+ let!(:project) do
+ Resource::Project.fabricate_via_api! do |project|
+ project.name = 'xss-test-for-mentions-project'
+ end
+ end
+ describe 'check xss occurence in @mentions in issues', :requires_admin do
+ before do
 Flow::Login.sign_in
- project = Resource::Project.fabricate_via_api! do |project|
- project.name = 'xss-test-for-mentions-project'
- end
-
 Flow::Project.add_member(project: project, username: user.username)
 Resource::Issue.fabricate_via_api! do |issue|
 issue.project = project
 end.visit!
+ end
+ it 'mentions a user in a comment' do
 Page::Project::Issue::Show.perform do |show|
 show.select_all_activities_filter
 show.comment("cc-ing you here @#{user.username}")