From a5baa12bfff6c41f6c9cf156edcf8e621f71848e Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Jun 2022 14:14:01 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee

---
 spec/requests/api/labels_spec.rb | 61 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

(limited to 'spec/requests/api')

diff --git a/spec/requests/api/labels_spec.rb b/spec/requests/api/labels_spec.rb
index 48f2c45bd98..c1217292d5c 100644
--- a/spec/requests/api/labels_spec.rb
+++ b/spec/requests/api/labels_spec.rb
@@ -483,6 +483,29 @@ RSpec.describe API::Labels do
       let(:request) { api("/projects/#{project.id}/labels", user) }
       let(:params) { { name: valid_label_title_1 } }
     end
+
+    context 'with group label' do
+      let_it_be(:group) { create(:group) }
+      let_it_be(:group_label) { create(:group_label, title: valid_group_label_title_1, group: group) }
+
+      before do
+        project.update!(group: group)
+      end
+
+      it 'returns 401 if user does not have access' do
+        delete api("/projects/#{project.id}/labels/#{group_label.id}", user)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
+      it 'returns 204 if user has access' do
+        group.add_developer(user)
+
+        delete api("/projects/#{project.id}/labels/#{group_label.id}", user)
+
+        expect(response).to have_gitlab_http_status(:no_content)
+      end
+    end
   end
 
   describe 'PUT /projects/:id/labels' do
@@ -537,6 +560,44 @@ RSpec.describe API::Labels do
 
       expect(response).to have_gitlab_http_status(:bad_request)
     end
+
+    context 'with group label' do
+      let_it_be(:group) { create(:group) }
+      let_it_be(:group_label) { create(:group_label, title: valid_group_label_title_1, group: group) }
+
+      before do
+        project.update!(group: group)
+      end
+
+      it 'allows updating of group label priority' do
+        put api("/projects/#{project.id}/labels/#{group_label.id}", user), params: { priority: 5 }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['priority']).to eq(5)
+      end
+
+      it 'returns 401 when updating other fields' do
+        put api("/projects/#{project.id}/labels/#{group_label.id}", user), params: {
+          priority: 5,
+          new_name: 'new label name'
+        }
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
+      it 'returns 200 when user has access to the group label' do
+        group.add_developer(user)
+
+        put api("/projects/#{project.id}/labels/#{group_label.id}", user), params: {
+          priority: 5,
+          new_name: 'new label name'
+        }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['priority']).to eq(5)
+        expect(json_response['name']).to eq('new label name')
+      end
+    end
   end
 
   describe 'PUT /projects/:id/labels/promote' do
-- 
cgit v1.2.1