
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorDouwe Maan <douwe@gitlab.com>2015-11-26 16:03:51 +0300
committerDouwe Maan <douwe@gitlab.com>2015-11-26 16:03:51 +0300
commitc887045cd297eda2d5a428b896d51c05323b6431 (patch)
treeed466d5f02807760128f27e12c326abc75143e75
parent1befbbf57dddc23761558f21017294c950d6d3b7 (diff)
parent8dcef120cd94717b4f82db864191698826ca02a5 (diff)
Merge branch 'dbalexandre/gitlab-ce-fix-raw-personal-snippet-access-workflow'
-rw-r--r--CHANGELOG1
-rw-r--r--app/controllers/snippets_controller.rb2
-rw-r--r--spec/controllers/snippets_controller_spec.rb115
3 files changed, 117 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 18381984177..0e1e1a3671d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.3.0 (unreleased)
- Fix: Assignee selector is empty when 'Unassigned' is selected (Jose Corcuera)
- Fix 500 error when update group member permission
+ - Fix: Raw private snippets access workflow
v 8.2.1
- Forcefully update builds that didn't want to update with state machine
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 08f2483af33..c72df73af46 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -2,7 +2,7 @@ class SnippetsController < ApplicationController
before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]
# Allow read snippet
- before_action :authorize_read_snippet!, only: [:show]
+ before_action :authorize_read_snippet!, only: [:show, :raw]
# Allow modify snippet
before_action :authorize_update_snippet!, only: [:edit, :update]
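Review bot: The `only:` list on `authorize_read_snippet!` is maintained by hand, separately from the `only:` list on `before_action :snippet` two lines above it, so an action that loads a snippet but is not added here is served without the read check; that is how `:raw` went unprotected. `:destroy` also appears in the loader list but in neither authorization list visible in this hunk; presumably it is covered further down, since the class body continues outside the hunk, but that is worth confirming. I would add a comment above the callback such as `# Every action that returns snippet content must be listed here; an unlisted action skips the read check`, so the next action added to the loader list is not missed in the same way.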
diff --git a/spec/controllers/snippets_controller_spec.rb b/spec/controllers/snippets_controller_spec.rb
index e9b823c523c..b3dcb52c500 100644
--- a/spec/controllers/snippets_controller_spec.rb
+++ b/spec/controllers/snippets_controller_spec.rb
@@ -115,4 +115,119 @@ describe SnippetsController do
end
end
end
+
+ describe 'GET #raw' do
+ let(:user) { create(:user) }
+
+ context 'when the personal snippet is private' do
+ let(:personal_snippet) { create(:personal_snippet, :private, author: user) }
+
+ context 'when signed in' do
+ before do
+ sign_in(user)
+ end
+
+ context 'when signed in user is not the author' do
+ let(:other_author) { create(:author) }
+ let(:other_personal_snippet) { create(:personal_snippet, :private, author: other_author) }
+
+ it 'responds with status 404' do
+ get :raw, id: other_personal_snippet.to_param
+
+ expect(response.status).to eq(404)
+ end
+ end
+
+ context 'when signed in user is the author' do
+ it 'renders the raw snippet' do
+ get :raw, id: personal_snippet.to_param
+
+ expect(assigns(:snippet)).to eq(personal_snippet)
+ expect(response.status).to eq(200)
+ end
+ end
+ end
+
+ context 'when not signed in' do
+ it 'redirects to the sign in page' do
+ get :raw, id: personal_snippet.to_param
+
+ expect(response).to redirect_to(new_user_session_path)
+ end
+ end
+ end
+
+ context 'when the personal snippet is internal' do
+ let(:personal_snippet) { create(:personal_snippet, :internal, author: user) }
+
+ context 'when signed in' do
+ before do
+ sign_in(user)
+ end
+
+ it 'renders the raw snippet' do
+ get :raw, id: personal_snippet.to_param
+
+ expect(assigns(:snippet)).to eq(personal_snippet)
+ expect(response.status).to eq(200)
+ end
+ end
+
+ context 'when not signed in' do
+ it 'redirects to the sign in page' do
+ get :raw, id: personal_snippet.to_param
+
+ expect(response).to redirect_to(new_user_session_path)
+ end
+ end
+ end
+
+ context 'when the personal snippet is public' do
+ let(:personal_snippet) { create(:personal_snippet, :public, author: user) }
+
+ context 'when signed in' do
+ before do
+ sign_in(user)
+ end
+
+ it 'renders the raw snippet' do
+ get :raw, id: personal_snippet.to_param
+
+ expect(assigns(:snippet)).to eq(personal_snippet)
+ expect(response.status).to eq(200)
+ end
+ end
+
+ context 'when not signed in' do
+ it 'renders the raw snippet' do
+ get :raw, id: personal_snippet.to_param
+
+ expect(assigns(:snippet)).to eq(personal_snippet)
+ expect(response.status).to eq(200)
+ end
+ end
+ end
+
+ context 'when the personal snippet does not exist' do
+ context 'when signed in' do
+ before do
+ sign_in(user)
+ end
+
+ it 'responds with status 404' do
+ get :raw, id: 'doesntexist'
+
+ expect(response.status).to eq(404)
+ end
+ end
+
+ context 'when not signed in' do
+ it 'responds with status 404' do
+ get :raw, id: 'doesntexist'
+
+ expect(response.status).to eq(404)
+ end
+ end
+ end
+ end
end
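Review bot: The internal-snippet context signs in only as the snippet's author, so it would still pass if internal snippets were treated like private ones; nothing here shows that a signed-in non-author can read an internal snippet, which is the case that separates the two visibility levels. A sibling context that signs in a second user and expects 200 would pin that boundary, as sketched below. Separately, the private non-author case asserts only the 404 status; adding `expect(response.body).not_to include(other_personal_snippet.content)` would also catch a regression where the status is right but the content is still sent (this assumes the snippet model exposes `content`, which is not visible in this hunk).

```ruby
context 'when the personal snippet is internal' do
  # … unchanged: let(:personal_snippet), the author and signed-out cases …

  context 'when signed in user is not the author' do
    before do
      sign_in(create(:user))
    end

    it 'renders the raw snippet' do
      get :raw, id: personal_snippet.to_param

      expect(assigns(:snippet)).to eq(personal_snippet)
      expect(response.status).to eq(200)
    end
  end
```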