From 91f43587a8c05a5c2955f0b5c464f03688552cb6 Mon Sep 17 00:00:00 2001
From: Sean McGivern
Date: Tue, 28 Mar 2017 11:09:44 +0000
Subject: Merge branch 'jej-group-name-disclosure' into 'security'

Prevent private group disclosure via parent_id

See merge request !2077
---
 spec/services/groups/update_service_spec.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'spec/services/groups')
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
index 91ec224d1c4..f6ad5cebd2c 100644
--- a/spec/services/groups/update_service_spec.rb
+++ b/spec/services/groups/update_service_spec.rb
@@ -36,6 +36,20 @@ describe Groups::UpdateService, services: true do
 end
 end
 end
+
+ context "with parent_id user doesn't have permissions for" do
+ let(:service) { described_class.new(public_group, user, parent_id: private_group.id) }
+
+ before do
+ service.execute
+ end
+
+ it 'does not update parent_id' do
+ updated_group = public_group.reload
+
+ expect(updated_group.parent_id).to be_nil
+ end
+ end
 end
 
 context "unauthorized visibility_level validation" do
-- 
cgit v1.2.1
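Review bot: The assertion `expect(updated_group.parent_id).to be_nil` proves the fix only if `public_group` starts without a parent, and it pins nothing about what `service.execute` returns or reports when the parent is rejected. I would write the check as `expect { service.execute }.not_to change { public_group.reload.parent_id }` and add a sibling example where `user` does have access to the target parent, so that a fix which blocks every `parent_id` change cannot pass unnoticed. Because the commit title describes a disclosure of a private group, it is also worth asserting that no error message or derived path on the updated group carries the private group's name; that concern is inferred from the title and is not visible in this hunk. `user`, `public_group` and `private_group` are defined outside the hunk, so confirm there that `user` is not a member of `private_group`.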