From 8f9b64c720d55ee40066d5a6b1017ab95dbd9781 Mon Sep 17 00:00:00 2001 From: Douglas Barbosa Alexandre Date: Wed, 22 Jun 2016 17:44:24 -0300 Subject: Fix internal snippets can be searched by anyone --- spec/services/search/snippet_service_spec.rb | 37 ++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 spec/services/search/snippet_service_spec.rb (limited to 'spec/services') diff --git a/spec/services/search/snippet_service_spec.rb b/spec/services/search/snippet_service_spec.rb new file mode 100644 index 00000000000..85721b61cff --- /dev/null +++ b/spec/services/search/snippet_service_spec.rb @@ -0,0 +1,37 @@ +require 'spec_helper' + +describe Search::SnippetService, services: true do + let(:author) { create(:author) } + let(:internal_user) { create(:user) } + + let!(:public_snippet) { create(:snippet, :public, content: 'password: XXX') } + let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') } + let!(:private_snippet) { create(:snippet, :private, content: 'password: XXX', author: author) } + + describe '#execute' do + context 'unauthenticated' do + it 'should return public snippets only' do + search = described_class.new(nil, search: 'password') + results = search.execute + + expect(results.objects('snippet_blobs')).to match_array [public_snippet] + end + end + + context 'authenticated' do + it 'should return only public & internal snippets' do + search = described_class.new(internal_user, search: 'password') + results = search.execute + + expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet] + end + + it 'should return public, internal and private snippets for author' do + search = described_class.new(author, search: 'password') + results = search.execute + + expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet] + end + end + end +end -- cgit v1.2.1 From 256cd8e498edfcbb8199abfb2b54d2d2905f030e Mon Sep 17 00:00:00 2001 From: Douglas Barbosa Alexandre Date: Wed, 22 Jun 2016 19:29:40 -0300 Subject: Fix visibility of private project snippets for members when searching --- spec/services/search/snippet_service_spec.rb | 38 ++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 8 deletions(-) (limited to 'spec/services') diff --git a/spec/services/search/snippet_service_spec.rb b/spec/services/search/snippet_service_spec.rb index 85721b61cff..14f3301d9f4 100644 --- a/spec/services/search/snippet_service_spec.rb +++ b/spec/services/search/snippet_service_spec.rb @@ -2,35 +2,57 @@ require 'spec_helper' describe Search::SnippetService, services: true do let(:author) { create(:author) } - let(:internal_user) { create(:user) } + let(:project) { create(:empty_project) } let!(:public_snippet) { create(:snippet, :public, content: 'password: XXX') } let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') } let!(:private_snippet) { create(:snippet, :private, content: 'password: XXX', author: author) } + let!(:project_public_snippet) { create(:snippet, :public, project: project, content: 'password: XXX') } + let!(:project_internal_snippet) { create(:snippet, :internal, project: project, content: 'password: XXX') } + let!(:project_private_snippet) { create(:snippet, :private, project: project, content: 'password: XXX') } + describe '#execute' do context 'unauthenticated' do - it 'should return public snippets only' do + it 'returns public snippets only' do search = described_class.new(nil, search: 'password') results = search.execute - expect(results.objects('snippet_blobs')).to match_array [public_snippet] + expect(results.objects('snippet_blobs')).to match_array [public_snippet, project_public_snippet] end end context 'authenticated' do - it 'should return only public & internal snippets' do - search = described_class.new(internal_user, search: 'password') + it 'returns only public & internal snippets for regular users' do + user = create(:user) + search = described_class.new(user, search: 'password') + results = search.execute + + expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet] + end + + it 'returns public, internal snippets and project private snippets for project members' do + member = create(:user) + project.team << [member, :developer] + search = described_class.new(member, search: 'password') results = search.execute - expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet] + expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet, project_private_snippet] end - it 'should return public, internal and private snippets for author' do + it 'returns public, internal and private snippets where user is the author' do search = described_class.new(author, search: 'password') results = search.execute - expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet] + expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet] + end + + it 'returns all snippets when user is admin' do + admin = create(:admin) + search = described_class.new(admin, search: 'password') + results = search.execute + + expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet] end end end -- cgit v1.2.1