3 files changed, 106 insertions, 24 deletions

diff --git a/spec/requests/api/ci/jobs_spec.rb b/spec/requests/api/ci/jobs_spec.rb
index 875bfc5b94f..f8a71792ad5 100644
--- a/spec/requests/api/ci/jobs_spec.rb
+++ b/spec/requests/api/ci/jobs_spec.rb
@@ -752,11 +752,7 @@ RSpec.describe API::Ci::Jobs, feature_category: :continuous_integration do
       end
     end
 
-    context 'when ci_debug_trace is set to true' do
-      before_all do
-        create(:ci_instance_variable, key: 'CI_DEBUG_TRACE', value: true)
-      end
-
+    shared_examples_for "additional access criteria" do
       where(:public_builds, :user_project_role, :expected_status) do
         true         | 'developer'     | :ok
         true         | 'guest'         | :forbidden
@@ -778,30 +774,28 @@ RSpec.describe API::Ci::Jobs, feature_category: :continuous_integration do
       end
     end
 
-    context 'when ci_debug_services is set to true' do
-      before_all do
-        create(:ci_instance_variable, key: 'CI_DEBUG_SERVICES', value: true)
+    describe 'when metadata debug_trace_enabled is set to true' do
+      before do
+        job.metadata.update!(debug_trace_enabled: true)
       end
 
-      where(:public_builds, :user_project_role, :expected_status) do
-        true         | 'developer'     | :ok
-        true         | 'guest'         | :forbidden
-        false        | 'developer'     | :ok
-        false        | 'guest'         | :forbidden
-      end
+      it_behaves_like "additional access criteria"
+    end
 
-      with_them do
-        before do
-          project.update!(public_builds: public_builds)
-          project.add_role(user, user_project_role)
+    context 'when ci_debug_trace is set to true' do
+      before_all do
+        create(:ci_instance_variable, key: 'CI_DEBUG_TRACE', value: true)
+      end
 
-          get api("/projects/#{project.id}/jobs/#{job.id}/trace", api_user)
-        end
+      it_behaves_like "additional access criteria"
+    end
 
-        it 'renders successfully to authorized users' do
-          expect(response).to have_gitlab_http_status(expected_status)
-        end
+    context 'when ci_debug_services is set to true' do
+      before_all do
+        create(:ci_instance_variable, key: 'CI_DEBUG_SERVICES', value: true)
       end
+
+      it_behaves_like "additional access criteria"
     end
   end
 
diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb
index 3932abd20cc..bcc27a80cf8 100644
--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -249,6 +249,18 @@ RSpec.describe API::Commits, feature_category: :source_code_management do
               end
             end
 
+            context 'when per_page is over 100' do
+              let(:per_page) { 101 }
+
+              it 'returns 100 commits (maximum)' do
+                expect(Gitlab::Git::Commit).to receive(:where).with(
+                  hash_including(ref: ref_name, limit: 100, offset: 0)
+                )
+
+                request
+              end
+            end
+
             context 'when pagination params are invalid' do
               let_it_be(:project) { create(:project, :repository) }
 
@@ -279,7 +291,7 @@ RSpec.describe API::Commits, feature_category: :source_code_management do
 
                 where(:page, :per_page, :error_message, :status) do
                   0   | nil  | nil                               | :success
-                  -10 | nil  | nil                               | :internal_server_error
+                  -10 | nil  | nil                               | :success
                   'a' | nil | 'page is invalid'                  | :bad_request
                   nil | 0   | 'per_page has a value not allowed' | :bad_request
                   nil | -1  | nil                                | :success
@@ -297,6 +309,18 @@ RSpec.describe API::Commits, feature_category: :source_code_management do
                     end
                   end
                 end
+
+                context 'when per_page is below 0' do
+                  let(:per_page) { -100 }
+
+                  it 'returns 20 commits (default)' do
+                    expect(Gitlab::Git::Commit).to receive(:where).with(
+                      hash_including(ref: ref_name, limit: 20, offset: 0)
+                    )
+
+                    request
+                  end
+                end
               end
             end
           end
diff --git a/spec/requests/api/tags_spec.rb b/spec/requests/api/tags_spec.rb
index b02c7135b7b..ab5e04246e8 100644
--- a/spec/requests/api/tags_spec.rb
+++ b/spec/requests/api/tags_spec.rb
@@ -111,6 +111,22 @@ RSpec.describe API::Tags, feature_category: :source_code_management do
       let(:project) { create(:project, :public, :repository) }
 
       it_behaves_like 'repository tags'
+
+      context 'and releases are private' do
+        before do
+          create(:release, project: project, tag: tag_name)
+          project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE)
+        end
+
+        it 'returns the repository tags without release information' do
+          get api(route, current_user)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to match_response_schema('public_api/v4/tags')
+          expect(response).to include_pagination_headers
+          expect(json_response.map { |r| r.has_key?('release') }).to all(be_falsey)
+        end
+      end
     end
 
     context 'when unauthenticated', 'and project is private' do
@@ -251,6 +267,21 @@ RSpec.describe API::Tags, feature_category: :source_code_management do
 
         it_behaves_like "cache expired"
       end
+
+      context 'when user is not allowed to :read_release' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE)
+
+          get api(route, user) # Cache as a user allowed to :read_release
+        end
+
+        it "isn't cached" do
+          expect(API::Entities::Tag).to receive(:represent).exactly(3).times
+
+          get api(route, nil)
+        end
+      end
     end
 
     context 'when gitaly is unavailable' do
@@ -302,6 +333,21 @@ RSpec.describe API::Tags, feature_category: :source_code_management do
       let(:project) { create(:project, :public, :repository) }
 
       it_behaves_like 'repository tag'
+
+      context 'and releases are private' do
+        before do
+          create(:release, project: project, tag: tag_name)
+          project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE)
+        end
+
+        it 'returns the repository tags without release information' do
+          get api(route, current_user)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to match_response_schema('public_api/v4/tag')
+          expect(json_response.has_key?('release')).to be_falsey
+        end
+      end
     end
 
     context 'when unauthenticated', 'and project is private' do
@@ -328,6 +374,24 @@ RSpec.describe API::Tags, feature_category: :source_code_management do
         let(:request) { get api(route, guest) }
       end
     end
+
+    context 'with releases' do
+      let(:description) { 'Awesome release!' }
+
+      before do
+        create(:release, project: project, tag: tag_name, description: description)
+      end
+
+      it 'returns release information' do
+        get api(route, user)
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to match_response_schema('public_api/v4/tag')
+
+        expect(json_response['message']).to eq(tag_message)
+        expect(json_response.dig('release', 'description')).to eq(description)
+      end
+    end
   end
 
   describe 'POST /projects/:id/repository/tags' do