Diffstat (limited to 'spec/controllers/uploads_controller_spec.rb')
-rw-r--r-- | spec/controllers/uploads_controller_spec.rb | 59 |
1 files changed, 37 insertions, 22 deletions
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index 1bcf3bb106b..ff15e685007 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -196,24 +196,39 @@ describe UploadsController do
 describe "GET show" do
 context 'Content-Disposition security measures' do
+ let(:expected_disposition) { 'inline;' }
 let(:project) { create(:project, :public) }
- context 'for PNG files' do
- it 'returns Content-Disposition: inline' do
- note = create(:note, :with_attachment, project: project)
- get :show, params: { model: 'note', mounted_as: 'attachment', id: note.id, filename: 'dk.png' }
+ shared_examples_for 'uploaded file with disposition' do
+ it 'returns correct Content-Disposition' do
+ get :show, params: { model: 'note', mounted_as: 'attachment', id: note.id, filename: filename }
- expect(response['Content-Disposition']).to start_with('inline;')
+ expect(response['Content-Disposition']).to start_with(expected_disposition)
 end
 end
+ context 'for PNG files' do
+ let(:filename) { 'dk.png' }
+ let(:expected_disposition) { 'inline;' }
+ let(:note) { create(:note, :with_attachment, project: project) }
+
+ it_behaves_like 'uploaded file with disposition'
+ end
+
+ context 'for PDF files' do
+ let(:filename) { 'git-cheat-sheet.pdf' }
+ let(:expected_disposition) { 'inline;' }
+ let(:note) { create(:note, :with_pdf_attachment, project: project) }
+
+ it_behaves_like 'uploaded file with disposition'
+ end
+
 context 'for SVG files' do
- it 'returns Content-Disposition: attachment' do
- note = create(:note, :with_svg_attachment, project: project)
- get :show, params: { model: 'note', mounted_as: 'attachment', id: note.id, filename: 'unsanitized.svg' }
+ let(:filename) { 'unsanitized.svg' }
+ let(:expected_disposition) { 'attachment;' }
+ let(:note) { create(:note, :with_svg_attachment, project: project) }
- expect(response['Content-Disposition']).to start_with('attachment;')
- end
+ it_behaves_like 'uploaded file with disposition'
 end
 end
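Review bot: The outer `let(:expected_disposition) { 'inline;' }` added at the top of the 'Content-Disposition security measures' context makes the permissive value the fallback for the shared example, so a context added later that forgets its own override would assert inline rendering and still pass. All three contexts here already set the value, so the outer `let` can be dropped; a missing override then fails on an undefined name instead of silently accepting `inline;`. The SVG context would also read better with its reason stated, e.g. `# SVG can embed script, so it must be served as a download, never rendered inline`. The enclosing `describe "GET show"` block starts and ends outside the hunk.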
@@ -228,10 +243,10 @@ describe UploadsController do
 user.block
 end
- it "redirects to the sign in page" do
+ it "responds with status 401" do
 get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
- expect(response).to redirect_to(new_user_session_path)
+ expect(response).to have_gitlab_http_status(401)
 end
 end
@@ -320,10 +335,10 @@ describe UploadsController do
 end
 context "when not signed in" do
- it "redirects to the sign in page" do
+ it "responds with status 401" do
 get :show, params: { model: "project", mounted_as: "avatar", id: project.id, filename: "dk.png" }
- expect(response).to redirect_to(new_user_session_path)
+ expect(response).to have_gitlab_http_status(401)
 end
 end
@@ -343,10 +358,10 @@ describe UploadsController do
 project.add_maintainer(user)
 end
- it "redirects to the sign in page" do
+ it "responds with status 401" do
 get :show, params: { model: "project", mounted_as: "avatar", id: project.id, filename: "dk.png" }
- expect(response).to redirect_to(new_user_session_path)
+ expect(response).to have_gitlab_http_status(401)
 end
 end
@@ -439,10 +454,10 @@ describe UploadsController do
 user.block
 end
- it "redirects to the sign in page" do
+ it "responds with status 401" do
 get :show, params: { model: "group", mounted_as: "avatar", id: group.id, filename: "dk.png" }
- expect(response).to redirect_to(new_user_session_path)
+ expect(response).to have_gitlab_http_status(401)
 end
 end
@@ -526,10 +541,10 @@ describe UploadsController do
 end
 context "when not signed in" do
- it "redirects to the sign in page" do
+ it "responds with status 401" do
 get :show, params: { model: "note", mounted_as: "attachment", id: note.id, filename: "dk.png" }
- expect(response).to redirect_to(new_user_session_path)
+ expect(response).to have_gitlab_http_status(401)
 end
 end
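Review bot: The rewritten examples assert only the status code, so once the `redirect_to` expectation is gone nothing in them shows that the 401 carries no file payload; this applies to the five hunks here (new lines 243, 335, 358, 454 and 541) and to the one at 564. For the blocked-user and signed-out cases it is worth pinning that too, for instance `expect(response['Content-Disposition']).to be_nil` after the status check, assuming the controller refuses the request before it reaches the file-sending path. The enclosing contexts and their setup begin outside each hunk, so which user state each example covers is partly inferred from the visible `user.block` and `when not signed in` lines.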
@@ -549,10 +564,10 @@ describe UploadsController do
 project.add_maintainer(user)
 end
- it "redirects to the sign in page" do
+ it "responds with status 401" do
 get :show, params: { model: "note", mounted_as: "attachment", id: note.id, filename: "dk.png" }
- expect(response).to redirect_to(new_user_session_path)
+ expect(response).to have_gitlab_http_status(401)
 end
 end
|