1 files changed, 113 insertions, 50 deletions

diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index a2aae257352..5465fe0c366 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -46,8 +46,6 @@ shared_examples 'languages and percentages JSON response' do
 end
 
 describe API::Projects do
-  include ExternalAuthorizationServiceHelpers
-
   let(:user) { create(:user) }
   let(:user2) { create(:user) }
   let(:user3) { create(:user) }
@@ -840,6 +838,28 @@ describe API::Projects do
     end
   end
 
+  describe 'GET /users/:user_id/starred_projects/' do
+    before do
+      user3.update(starred_projects: [project, project2, project3])
+    end
+
+    it 'returns error when user not found' do
+      get api('/users/9999/starred_projects/')
+
+      expect(response).to have_gitlab_http_status(404)
+      expect(json_response['message']).to eq('404 User Not Found')
+    end
+
+    it 'returns projects filtered by user' do
+      get api("/users/#{user3.id}/starred_projects/", user)
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(response).to include_pagination_headers
+      expect(json_response).to be_an Array
+      expect(json_response.map { |project| project['id'] }).to contain_exactly(project.id, project2.id, project3.id)
+    end
+  end
+
   describe 'POST /projects/user/:id' do
     it 'creates new project without path but with name and return 201' do
       expect { post api("/projects/user/#{user.id}", admin), params: { name: 'Foo Project' } }.to change { Project.count }.by(1)
@@ -1359,7 +1379,7 @@ describe API::Projects do
           end
         end
 
-        context 'nested group project', :nested_groups do
+        context 'nested group project' do
           let(:group) { create(:group) }
           let(:nested_group) { create(:group, parent: group) }
           let(:project2) { create(:project, group: nested_group) }
@@ -1425,39 +1445,6 @@ describe API::Projects do
         end
       end
     end
-
-    context 'with external authorization' do
-      let(:project) do
-        create(:project,
-               namespace: user.namespace,
-               external_authorization_classification_label: 'the-label')
-      end
-
-      context 'when the user has access to the project' do
-        before do
-          external_service_allow_access(user, project)
-        end
-
-        it 'includes the label in the response' do
-          get api("/projects/#{project.id}", user)
-
-          expect(response).to have_gitlab_http_status(200)
-          expect(json_response['external_authorization_classification_label']).to eq('the-label')
-        end
-      end
-
-      context 'when the external service denies access' do
-        before do
-          external_service_deny_access(user, project)
-        end
-
-        it 'returns a 404' do
-          get api("/projects/#{project.id}", user)
-
-          expect(response).to have_gitlab_http_status(404)
-        end
-      end
-    end
   end
 
   describe 'GET /projects/:id/users' do
@@ -1507,6 +1494,17 @@ describe API::Projects do
 
         expect(response).to have_gitlab_http_status(404)
       end
+
+      it 'filters out users listed in skip_users' do
+        other_user = create(:user)
+        project.team.add_developer(other_user)
+
+        get api("/projects/#{project.id}/users?skip_users=#{user.id}", user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response.size).to eq(1)
+        expect(json_response[0]['id']).to eq(other_user.id)
+      end
     end
   end
 
@@ -2061,20 +2059,6 @@ describe API::Projects do
         expect(response).to have_gitlab_http_status(403)
       end
     end
-
-    context 'when updating external classification' do
-      before do
-        enable_external_authorization_service_check
-      end
-
-      it 'updates the classification label' do
-        put(api("/projects/#{project.id}", user), params: { external_authorization_classification_label: 'new label' })
-
-        expect(response).to have_gitlab_http_status(200)
-
-        expect(project.reload.external_authorization_classification_label).to eq('new label')
-      end
-    end
   end
 
   describe 'POST /projects/:id/archive' do
@@ -2197,6 +2181,85 @@ describe API::Projects do
     end
   end
 
+  describe 'GET /projects/:id/starrers' do
+    shared_examples_for 'project starrers response' do
+      it 'returns an array of starrers' do
+        get api("/projects/#{public_project.id}/starrers", current_user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to include_pagination_headers
+        expect(json_response).to be_an Array
+        expect(json_response[0]['starred_since']).to be_present
+        expect(json_response[0]['user']).to be_present
+      end
+
+      it 'returns the proper security headers' do
+        get api('/projects/1/starrers', current_user)
+
+        expect(response).to include_security_headers
+      end
+    end
+
+    let(:public_project) { create(:project, :public) }
+    let(:private_user) { create(:user, private_profile: true) }
+
+    before do
+      user.update(starred_projects: [public_project])
+      private_user.update(starred_projects: [public_project])
+    end
+
+    it 'returns not_found(404) for not existing project' do
+      get api("/projects/9999999999/starrers", user)
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+
+    context 'public project without user' do
+      it_behaves_like 'project starrers response' do
+        let(:current_user) { nil }
+      end
+
+      it 'returns only starrers with a public profile' do
+        get api("/projects/#{public_project.id}/starrers", nil)
+
+        user_ids = json_response.map { |s| s['user']['id'] }
+        expect(user_ids).to include(user.id)
+        expect(user_ids).not_to include(private_user.id)
+      end
+    end
+
+    context 'public project with user with private profile' do
+      it_behaves_like 'project starrers response' do
+        let(:current_user) { private_user }
+      end
+
+      it 'returns current user with a private profile' do
+        get api("/projects/#{public_project.id}/starrers", private_user)
+
+        user_ids = json_response.map { |s| s['user']['id'] }
+        expect(user_ids).to include(user.id, private_user.id)
+      end
+    end
+
+    context 'private project' do
+      context 'with unauthorized user' do
+        it 'returns not_found for existing but unauthorized project' do
+          get api("/projects/#{project3.id}/starrers", user3)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'without user' do
+        it 'returns not_found for existing but unauthorized project' do
+          get api("/projects/#{project3.id}/starrers", nil)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+  end
+
   describe 'GET /projects/:id/languages' do
     context 'with an authorized user' do
       it_behaves_like 'languages and percentages JSON response' do