1 files changed, 42 insertions, 9 deletions

diff --git a/spec/features/groups_spec.rb b/spec/features/groups_spec.rb
index 144d069b632..7670c4caea4 100644
--- a/spec/features/groups_spec.rb
+++ b/spec/features/groups_spec.rb
@@ -86,20 +86,53 @@ feature 'Group', feature: true do
   describe 'create a nested group' do
     let(:group) { create(:group, path: 'foo') }
 
-    before do
-      visit subgroups_group_path(group)
-      click_link 'New Subgroup'
+    context 'as admin' do
+      before do
+        visit subgroups_group_path(group)
+        click_link 'New Subgroup'
+      end
+
+      it 'creates a nested group' do
+        fill_in 'Group path', with: 'bar'
+        click_button 'Create group'
+
+        expect(current_path).to eq(group_path('foo/bar'))
+        expect(page).to have_content("Group 'bar' was successfully created.")
+      end
     end
 
-    it 'creates a nested group' do
-      fill_in 'Group path', with: 'bar'
-      click_button 'Create group'
+    context 'as group owner' do
+      let(:user) { create(:user) }
+
+      before do
+        group.add_owner(user)
+        logout
+        login_as(user)
 
-      expect(current_path).to eq(group_path('foo/bar'))
-      expect(page).to have_content("Group 'bar' was successfully created.")
+        visit subgroups_group_path(group)
+        click_link 'New Subgroup'
+      end
+
+      it 'creates a nested group' do
+        fill_in 'Group path', with: 'bar'
+        click_button 'Create group'
+
+        expect(current_path).to eq(group_path('foo/bar'))
+        expect(page).to have_content("Group 'bar' was successfully created.")
+      end
     end
   end
 
+  it 'checks permissions to avoid exposing groups by parent_id' do
+    group = create(:group, :private, path: 'secret-group')
+
+    logout
+    login_as(:user)
+    visit new_group_path(parent_id: group.id)
+
+    expect(page).not_to have_content('secret-group')
+  end
+
   describe 'group edit' do
     let(:group) { create(:group) }
     let(:path)  { edit_group_path(group) }
@@ -120,7 +153,7 @@ feature 'Group', feature: true do
     end
 
     it 'removes group' do
-      click_link 'Remove Group'
+      click_link 'Remove group'
 
       expect(page).to have_content "scheduled for deletion"
     end