1 files changed, 106 insertions, 6 deletions

diff --git a/spec/requests/api/invitations_spec.rb b/spec/requests/api/invitations_spec.rb
index 2ea237469b1..98a7aa63b16 100644
--- a/spec/requests/api/invitations_spec.rb
+++ b/spec/requests/api/invitations_spec.rb
@@ -3,14 +3,14 @@
 require 'spec_helper'
 
 RSpec.describe API::Invitations do
-  let(:maintainer) { create(:user, username: 'maintainer_user') }
-  let(:developer) { create(:user) }
-  let(:access_requester) { create(:user) }
-  let(:stranger) { create(:user) }
+  let_it_be(:maintainer) { create(:user, username: 'maintainer_user') }
+  let_it_be(:developer) { create(:user) }
+  let_it_be(:access_requester) { create(:user) }
+  let_it_be(:stranger) { create(:user) }
   let(:email) { 'email1@example.com' }
   let(:email2) { 'email2@example.com' }
 
-  let(:project) do
+  let_it_be(:project) do
     create(:project, :public, creator_id: maintainer.id, namespace: maintainer.namespace) do |project|
       project.add_developer(developer)
       project.add_maintainer(maintainer)
@@ -18,7 +18,7 @@ RSpec.describe API::Invitations do
     end
   end
 
-  let!(:group) do
+  let_it_be(:group, reload: true) do
     create(:group, :public) do |group|
       group.add_developer(developer)
       group.add_owner(maintainer)
@@ -374,4 +374,104 @@ RSpec.describe API::Invitations do
       let(:source) { group }
     end
   end
+
+  shared_examples 'PUT /:source_type/:id/invitations/:email' do |source_type|
+    def update_api(source, user, email)
+      api("/#{source.model_name.plural}/#{source.id}/invitations/#{email}", user)
+    end
+
+    context "with :source_type == #{source_type.pluralize}" do
+      let!(:invite) { invite_member_by_email(source, source_type, developer.email, maintainer) }
+
+      it_behaves_like 'a 404 response when source is private' do
+        let(:route) do
+          put update_api(source, stranger, invite.invite_email), params: { access_level: Member::MAINTAINER }
+        end
+      end
+
+      context 'when authenticated as a non-member or member with insufficient rights' do
+        %i[access_requester stranger].each do |type|
+          context "as a #{type}" do
+            it 'returns 403' do
+              user = public_send(type)
+
+              put update_api(source, user, invite.invite_email), params: { access_level: Member::MAINTAINER }
+
+              expect(response).to have_gitlab_http_status(:forbidden)
+            end
+          end
+        end
+      end
+
+      context 'when authenticated as a maintainer/owner' do
+        context 'updating access level' do
+          it 'updates the invitation' do
+            put update_api(source, maintainer, invite.invite_email), params: { access_level: Member::MAINTAINER }
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(json_response['access_level']).to eq(Member::MAINTAINER)
+            expect(invite.reload.access_level).to eq(Member::MAINTAINER)
+          end
+        end
+
+        it 'returns 409 if member does not exist' do
+          put update_api(source, maintainer, non_existing_record_id), params: { access_level: Member::MAINTAINER }
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+
+        it 'returns 400 when access_level is not given and there are no other params' do
+          put update_api(source, maintainer, invite.invite_email)
+
+          expect(response).to have_gitlab_http_status(:bad_request)
+        end
+
+        it 'returns 400 when access level is not valid' do
+          put update_api(source, maintainer, invite.invite_email), params: { access_level: non_existing_record_access_level }
+
+          expect(response).to have_gitlab_http_status(:bad_request)
+        end
+      end
+
+      context 'updating access expiry date' do
+        subject do
+          put update_api(source, maintainer, invite.invite_email), params: { expires_at: expires_at }
+        end
+
+        context 'when set to a date in the past' do
+          let(:expires_at) { 2.days.ago.to_date }
+
+          it 'does not update the member' do
+            subject
+
+            expect(response).to have_gitlab_http_status(:bad_request)
+            expect(json_response['message']).to eq({ 'expires_at' => ['cannot be a date in the past'] })
+          end
+        end
+
+        context 'when set to a date in the future' do
+          let(:expires_at) { 2.days.from_now.to_date }
+
+          it 'updates the member' do
+            subject
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(json_response['expires_at']).to eq(expires_at.to_s)
+          end
+        end
+      end
+    end
+  end
+
+  describe 'PUT /projects/:id/invitations' do
+    it_behaves_like 'PUT /:source_type/:id/invitations/:email', 'project' do
+      let(:source) { project }
+    end
+  end
+
+  describe 'PUT /groups/:id/invitations' do
+    it_behaves_like 'PUT /:source_type/:id/invitations/:email', 'group' do
+      let(:source) { group }
+    end
+  end
 end