
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authordrew cimino <dcimino@gitlab.com>2019-08-21 08:42:28 +0300
committerdrew cimino <dcimino@gitlab.com>2019-08-22 10:16:32 +0300
commitf7fbf49929e24e2f9bfec0a68fd450c3547f7a78 (patch)
treed49d62cb7f89a0e3557980975c1130b943c89401 /spec/controllers
parent80c57bf6d13d6025a9568afb9cca36c279fac593 (diff)
Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
Diffstat (limited to 'spec/controllers')
-rw-r--r--spec/controllers/projects/merge_requests_controller_spec.rb60
1 files changed, 52 insertions, 8 deletions
diff --git a/spec/controllers/projects/merge_requests_controller_spec.rb b/spec/controllers/projects/merge_requests_controller_spec.rb
index 11b1eaf11b7..9cc76eb8c28 100644
--- a/spec/controllers/projects/merge_requests_controller_spec.rb
+++ b/spec/controllers/projects/merge_requests_controller_spec.rb
@@ -719,19 +719,63 @@ describe Projects::MergeRequestsController do
end
describe 'GET test_reports' do
+ let(:merge_request) do
+ create(:merge_request,
+ :with_diffs,
+ :with_merge_request_pipeline,
+ target_project: project,
+ source_project: project
+ )
+ end
+
subject do
- get :test_reports,
- params: {
- namespace_id: project.namespace.to_param,
- project_id: project,
- id: merge_request.iid
- },
- format: :json
+ get :test_reports, params: {
+ namespace_id: project.namespace.to_param,
+ project_id: project,
+ id: merge_request.iid
+ },
+ format: :json
end
before do
allow_any_instance_of(MergeRequest)
- .to receive(:compare_test_reports).and_return(comparison_status)
+ .to receive(:compare_test_reports)
+ .and_return(comparison_status)
+
+ allow_any_instance_of(MergeRequest)
+ .to receive(:actual_head_pipeline)
+ .and_return(merge_request.all_pipelines.take)
+ end
+
+ describe 'permissions on a public project with private CI/CD' do
+ let(:project) { create :project, :repository, :public, :builds_private }
+ let(:comparison_status) { { status: :parsed, data: { summary: 1 } } }
+
+ context 'while signed out' do
+ before do
+ sign_out(user)
+ end
+
+ it 'responds with a 404' do
+ subject
+
+ expect(response).to have_gitlab_http_status(404)
+ expect(response.body).to be_blank
+ end
+ end
+
+ context 'while signed in as an unrelated user' do
+ before do
+ sign_in(create(:user))
+ end
+
+ it 'responds with a 404' do
+ subject
+
+ expect(response).to have_gitlab_http_status(404)
+ expect(response.body).to be_blank
+ end
+ end
end
context 'when comparison is being processed' do
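Review bot: Both new examples in 'permissions on a public project with private CI/CD' assert only the denied path (404 with a blank body), so nothing in this block shows that a user who does have read access to builds on the `:builds_private` project still gets the report. Without that positive control the 404 assertions can pass for an unrelated reason, for example if the stubbed `actual_head_pipeline` is nil because `merge_request.all_pipelines.take` found no pipeline, which would hide a broken or missing authorization check. I would add a context in the same describe that makes the request as a project member and expects a 200, as sketched below; if the setup outside this hunk already adds `user` to the project, the `before` can be dropped. The 'GET test_reports' describe starts inside the hunk but continues past its last line.

```ruby
# … unchanged: 'while signed out' and 'while signed in as an unrelated user' contexts …

context 'while signed in as a project developer' do
  before do
    project.add_developer(user)
  end

  it 'responds with a 200' do
    subject

    expect(response).to have_gitlab_http_status(200)
  end
end
```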