7 files changed, 92 insertions, 46 deletions

diff --git a/spec/controllers/admin/application_settings_controller_spec.rb b/spec/controllers/admin/application_settings_controller_spec.rb
new file mode 100644
index 00000000000..84a1ce773a1
--- /dev/null
+++ b/spec/controllers/admin/application_settings_controller_spec.rb
@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe Admin::ApplicationSettingsController do
+  include StubENV
+
+  let(:admin) { create(:admin) }
+
+  before do
+    sign_in(admin)
+    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
+  end
+
+  describe 'PATCH #update' do
+    it 'updates the default_project_visibility for string value' do
+      patch :update, application_setting: { default_project_visibility: "20" }
+
+      expect(response).to redirect_to(admin_application_settings_path)
+      expect(ApplicationSetting.current.default_project_visibility).to eq Gitlab::VisibilityLevel::PUBLIC
+    end
+
+    it 'falls back to default with default_project_visibility setting is omitted' do
+      patch :update, application_setting: {}
+
+      expect(response).to redirect_to(admin_application_settings_path)
+      expect(ApplicationSetting.current.default_project_visibility).to eq Gitlab::VisibilityLevel::PRIVATE
+    end
+  end
+end
diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb
index 7072bd5e87c..71a4a2c43c7 100644
--- a/spec/controllers/dashboard/todos_controller_spec.rb
+++ b/spec/controllers/dashboard/todos_controller_spec.rb
@@ -49,4 +49,18 @@ describe Dashboard::TodosController do
       expect(json_response).to eq({ "count" => "1", "done_count" => "0" })
     end
   end
+
+  describe 'PATCH #bulk_restore' do
+    let(:todos) { create_list(:todo, 2, :done, user: user, project: project, author: author) }
+
+    it 'restores the todos to pending state' do
+      patch :bulk_restore, ids: todos.map(&:id)
+
+      todos.each do |todo|
+        expect(todo.reload).to be_pending
+      end
+      expect(response).to have_http_status(200)
+      expect(json_response).to eq({ 'count' => '2', 'done_count' => '0' })
+    end
+  end
 end
diff --git a/spec/controllers/profiles/notifications_controller_spec.rb b/spec/controllers/profiles/notifications_controller_spec.rb
deleted file mode 100644
index 58caf7999cf..00000000000
--- a/spec/controllers/profiles/notifications_controller_spec.rb
+++ /dev/null
@@ -1,45 +0,0 @@
-require 'spec_helper'
-
-describe Profiles::NotificationsController do
-  let(:user) do
-    create(:user) do |user|
-      user.emails.create(email: 'original@example.com')
-      user.emails.create(email: 'new@example.com')
-      user.update(notification_email: 'original@example.com')
-      user.save!
-    end
-  end
-
-  describe 'GET show' do
-    it 'renders' do
-      sign_in(user)
-
-      get :show
-
-      expect(response).to render_template :show
-    end
-  end
-
-  describe 'POST update' do
-    it 'updates only permitted attributes' do
-      sign_in(user)
-
-      put :update, user: { notification_email: 'new@example.com', notified_of_own_activity: true, admin: true }
-
-      user.reload
-      expect(user.notification_email).to eq('new@example.com')
-      expect(user.notified_of_own_activity).to eq(true)
-      expect(user.admin).to eq(false)
-      expect(controller).to set_flash[:notice].to('Notification settings saved')
-    end
-
-    it 'shows an error message if the params are invalid' do
-      sign_in(user)
-
-      put :update, user: { notification_email: '' }
-
-      expect(user.reload.notification_email).to eq('original@example.com')
-      expect(controller).to set_flash[:alert].to('Failed to save new settings')
-    end
-  end
-end
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index 6ceaf96f78f..57a921e3676 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -87,6 +87,12 @@ describe Projects::IssuesController do
   end
 
   describe 'GET #new' do
+    it 'redirects to signin if not logged in' do
+      get :new, namespace_id: project.namespace, project_id: project
+
+      expect(response).to redirect_to(new_user_session_path)
+    end
+
     context 'internal issue tracker' do
       before do
         sign_in(user)
@@ -121,6 +127,11 @@ describe Projects::IssuesController do
     end
 
     context 'external issue tracker' do
+      before do
+        sign_in(user)
+        project.team << [user, :developer]
+      end
+
       it 'redirects to the external issue tracker' do
         external = double(new_issue_path: 'https://example.com/issues/new')
         allow(project).to receive(:external_issue_tracker).and_return(external)
@@ -141,6 +152,24 @@ describe Projects::IssuesController do
 
     it_behaves_like 'update invalid issuable', Issue
 
+    context 'changing the assignee' do
+      it 'limits the attributes exposed on the assignee' do
+        assignee = create(:user)
+        project.add_developer(assignee)
+
+        put :update,
+          namespace_id: project.namespace.to_param,
+          project_id: project,
+          id: issue.iid,
+          issue: { assignee_id: assignee.id },
+          format: :json
+        body = JSON.parse(response.body)
+
+        expect(body['assignee'].keys)
+          .to match_array(%w(name username avatar_url))
+      end
+    end
+
     context 'when moving issue to another private project' do
       let(:another_project) { create(:empty_project, :private) }
 
diff --git a/spec/controllers/projects/merge_requests_controller_spec.rb b/spec/controllers/projects/merge_requests_controller_spec.rb
index 250d64f7055..c310d830e81 100644
--- a/spec/controllers/projects/merge_requests_controller_spec.rb
+++ b/spec/controllers/projects/merge_requests_controller_spec.rb
@@ -203,6 +203,24 @@ describe Projects::MergeRequestsController do
   end
 
   describe 'PUT update' do
+    context 'changing the assignee' do
+      it 'limits the attributes exposed on the assignee' do
+        assignee = create(:user)
+        project.add_developer(assignee)
+
+        put :update,
+          namespace_id: project.namespace.to_param,
+          project_id: project,
+          id: merge_request.iid,
+          merge_request: { assignee_id: assignee.id },
+          format: :json
+        body = JSON.parse(response.body)
+
+        expect(body['assignee'].keys)
+          .to match_array(%w(name username avatar_url))
+      end
+    end
+
     context 'there is no source project' do
       let(:project)       { create(:project) }
       let(:fork_project)  { create(:forked_project_with_submodules) }
diff --git a/spec/controllers/projects/variables_controller_spec.rb b/spec/controllers/projects/variables_controller_spec.rb
index e3f3b4fe8eb..1ecfe48475c 100644
--- a/spec/controllers/projects/variables_controller_spec.rb
+++ b/spec/controllers/projects/variables_controller_spec.rb
@@ -35,7 +35,7 @@ describe Projects::VariablesController do
 
     context 'updating a variable with valid characters' do
       before do
-        variable.gl_project_id = project.id
+        variable.project_id = project.id
         project.variables << variable
       end
 
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index a1ec41322ad..a88ffc1ea6a 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -78,10 +78,12 @@ describe ProjectsController do
 
         it 'shows issues list page if wiki is disabled' do
           project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::DISABLED)
+          create(:issue, project: project)
 
           get :show, namespace_id: project.namespace, id: project
 
           expect(response).to render_template('projects/issues/_issues')
+          expect(assigns(:issuable_meta_data)).not_to be_nil
         end
 
         it 'shows customize workflow page if wiki and issues are disabled' do