diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 18:41:13 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 18:41:13 +0300 |
| commit | 1e61fc763e645038f2da69fc9af6fe166a6b101a (patch) | |
| tree | 76053795a637d056347c1891d98935c0361a331d /spec/controllers | |
| parent | 57b9b49b27a730294ae37d2ac25cab943f4b801d (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee
Diffstat (limited to 'spec/controllers')
| -rw-r--r-- | spec/controllers/profiles/notifications_controller_spec.rb | 4 | ||||
| -rw-r--r-- | spec/controllers/projects/deploy_keys_controller_spec.rb | 38 |
2 files changed, 39 insertions, 3 deletions
diff --git a/spec/controllers/profiles/notifications_controller_spec.rb b/spec/controllers/profiles/notifications_controller_spec.rb index 47d6f11fecf..343f29ef687 100644 --- a/spec/controllers/profiles/notifications_controller_spec.rb +++ b/spec/controllers/profiles/notifications_controller_spec.rb @@ -5,8 +5,8 @@ require 'spec_helper' describe Profiles::NotificationsController do let(:user) do create(:user) do |user| - user.emails.create(email: 'original@example.com') - user.emails.create(email: 'new@example.com') + user.emails.create(email: 'original@example.com', confirmed_at: Time.current) + user.emails.create(email: 'new@example.com', confirmed_at: Time.current) user.notification_email = 'original@example.com' user.save! end diff --git a/spec/controllers/projects/deploy_keys_controller_spec.rb b/spec/controllers/projects/deploy_keys_controller_spec.rb index 1b2b326b6e9..9d41e2f59cb 100644 --- a/spec/controllers/projects/deploy_keys_controller_spec.rb +++ b/spec/controllers/projects/deploy_keys_controller_spec.rb @@ -256,7 +256,7 @@ describe Projects::DeployKeysController do end def deploy_key_params(title, can_push) - deploy_keys_projects_attributes = { '0' => { id: deploy_keys_project, can_push: can_push } } + deploy_keys_projects_attributes = { '0' => { can_push: can_push } } { deploy_key: { title: title, deploy_keys_projects_attributes: deploy_keys_projects_attributes } } end @@ -300,6 +300,42 @@ describe Projects::DeployKeysController do expect { subject }.to change { deploy_keys_project.reload.can_push }.from(false).to(true) end end + + context 'when a different deploy key id param is injected' do + let(:extra_params) { deploy_key_params('updated title', '1') } + let(:hacked_params) do + extra_params.reverse_merge(id: other_deploy_key_id, + namespace_id: project.namespace, + project_id: project) + end + + subject { put :update, params: hacked_params } + + context 'and that deploy key id exists' do + let(:other_project) { create(:project) } + let(:other_deploy_key) do + key = create(:deploy_key) + project.deploy_keys << key + key + end + + let(:other_deploy_key_id) { other_deploy_key.id } + + it 'does not update the can_push attribute' do + expect { subject }.not_to change { deploy_key.deploy_keys_project_for(project).can_push } + end + end + + context 'and that deploy key id does not exist' do + let(:other_deploy_key_id) { 9999 } + + it 'returns 404' do + subject + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end end context 'with admin as project maintainer' do |