Merge branch 'security-private-group' into 'master'

[master] Fixed read private group names See merge request gitlab/gitlabhq!2589
author: Cindy Pallares <cindy@gitlab.com> 2018-11-28 21:36:59 +0300
committer: Cindy Pallares <cindy@gitlab.com> 2018-11-29 03:07:15 +0300
commit: 1be0174b6aaab1c0cfe86a8b1c91b8ea6fa3db72 (patch)
tree: 1004efdbf23a8dfedbcfc08786f5afa1fcc09dd4 /spec/controllers/dashboard
parent: 3881285c2b901cfeac58b5e6bdf54ec7bd46612f (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb
index b4a731fd3a3..e2c799f5205 100644
--- a/spec/controllers/dashboard/todos_controller_spec.rb
+++ b/spec/controllers/dashboard/todos_controller_spec.rb
@@ -42,6 +42,16 @@ describe Dashboard::TodosController do
       end
     end
 
+    context 'group authorization' do
+      it 'renders 404 when user does not have read access on given group' do
+        unauthorized_group = create(:group, :private)
+
+        get :index, group_id: unauthorized_group.id
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
     context 'when using pagination' do
       let(:last_page) { user.todos.page.total_pages }
       let!(:issues) { create_list(:issue, 3, project: project, assignees: [user]) }
author	Cindy Pallares <cindy@gitlab.com>	2018-11-28 21:36:59 +0300
committer	Cindy Pallares <cindy@gitlab.com>	2018-11-29 03:07:15 +0300
commit	1be0174b6aaab1c0cfe86a8b1c91b8ea6fa3db72 (patch)
tree	1004efdbf23a8dfedbcfc08786f5afa1fcc09dd4 /spec/controllers/dashboard
parent	3881285c2b901cfeac58b5e6bdf54ec7bd46612f (diff)