Merge dev.gitlab.org master into GitLab.com master

6 files changed, 228 insertions, 12 deletions

diff --git a/spec/controllers/concerns/import_url_params_spec.rb b/spec/controllers/concerns/import_url_params_spec.rb
new file mode 100644
index 00000000000..fc5dfb5263f
--- /dev/null
+++ b/spec/controllers/concerns/import_url_params_spec.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ImportUrlParams do
+  let(:import_url_params) do
+    controller = OpenStruct.new(params: params).extend(described_class)
+    controller.import_url_params
+  end
+
+  context 'url and password separately provided' do
+    let(:params) do
+      ActionController::Parameters.new(project: {
+        import_url: 'https://url.com',
+        import_url_user: 'user', import_url_password: 'password'
+      })
+    end
+
+    describe '#import_url_params' do
+      it 'returns hash with import_url' do
+        expect(import_url_params).to eq(
+          import_url: "https://user:password@url.com"
+        )
+      end
+    end
+  end
+
+  context 'url with provided empty credentials' do
+    let(:params) do
+      ActionController::Parameters.new(project: {
+        import_url: 'https://user:password@url.com',
+        import_url_user: '', import_url_password: ''
+      })
+    end
+
+    describe '#import_url_params' do
+      it 'does not change the url' do
+        expect(import_url_params).to eq(
+          import_url: "https://user:password@url.com"
+        )
+      end
+    end
+  end
+end
diff --git a/spec/controllers/projects/ci/lints_controller_spec.rb b/spec/controllers/projects/ci/lints_controller_spec.rb
index 323a32575af..cc6ac83ca38 100644
--- a/spec/controllers/projects/ci/lints_controller_spec.rb
+++ b/spec/controllers/projects/ci/lints_controller_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 describe Projects::Ci::LintsController do
+  include StubRequests
+
   let(:project) { create(:project, :repository) }
   let(:user) { create(:user) }
 
@@ -70,7 +72,7 @@ describe Projects::Ci::LintsController do
 
     context 'with a valid gitlab-ci.yml' do
       before do
-        WebMock.stub_request(:get, remote_file_path).to_return(body: remote_file_content)
+        stub_full_request(remote_file_path).to_return(body: remote_file_content)
         project.add_developer(user)
 
         post :create, params: { namespace_id: project.namespace, project_id: project, content: content }
diff --git a/spec/controllers/projects/imports_controller_spec.rb b/spec/controllers/projects/imports_controller_spec.rb
index 8d88ee7dfd6..bdc81efe3bc 100644
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -122,4 +122,19 @@ describe Projects::ImportsController do
       end
     end
   end
+
+  describe 'POST #create' do
+    let(:params) { { import_url: 'https://github.com/vim/vim.git', import_url_user: 'user', import_url_password: 'password' } }
+    let(:project) { create(:project) }
+
+    before do
+      allow(RepositoryImportWorker).to receive(:perform_async)
+
+      post :create, params: { project: params, namespace_id: project.namespace.to_param, project_id: project }
+    end
+
+    it 'sets import_url to the project' do
+      expect(project.reload.import_url).to eq('https://user:password@github.com/vim/vim.git')
+    end
+  end
 end
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb
index f8470a94f98..767cee7d54a 100644
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@@ -175,6 +175,40 @@ describe Projects::MilestonesController do
       end
     end
 
+    describe '#labels' do
+      render_views
+
+      context 'as json' do
+        let!(:guest) { create(:user, username: 'guest1') }
+        let!(:group) { create(:group, :public) }
+        let!(:project) { create(:project, :public, group: group) }
+        let!(:label) { create(:label, title: 'test_label_on_private_issue', project: project) }
+        let!(:confidential_issue) { create(:labeled_issue, confidential: true, project: project, milestone: milestone, labels: [label]) }
+
+        it 'does not render labels of private issues if user has no access' do
+          sign_in(guest)
+
+          get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.content_type).to eq 'application/json'
+
+          expect(json_response['html']).not_to include(label.title)
+        end
+
+        it 'does render labels of private issues if user has access' do
+          sign_in(user)
+
+          get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.content_type).to eq 'application/json'
+
+          expect(json_response['html']).to include(label.title)
+        end
+      end
+    end
+
     context 'promotion succeeds' do
       before do
         group.add_developer(user)
diff --git a/spec/controllers/sent_notifications_controller_spec.rb b/spec/controllers/sent_notifications_controller_spec.rb
index 2b9df71aa3a..89857a9d21b 100644
--- a/spec/controllers/sent_notifications_controller_spec.rb
+++ b/spec/controllers/sent_notifications_controller_spec.rb
@@ -4,15 +4,31 @@ require 'rails_helper'
 
 describe SentNotificationsController do
   let(:user) { create(:user) }
-  let(:project) { create(:project) }
-  let(:sent_notification) { create(:sent_notification, project: project, noteable: issue, recipient: user) }
+  let(:project) { create(:project, :public) }
+  let(:private_project) { create(:project, :private) }
+  let(:sent_notification) { create(:sent_notification, project: target_project, noteable: noteable, recipient: user) }
 
   let(:issue) do
-    create(:issue, project: project, author: user) do |issue|
-      issue.subscriptions.create(user: user, project: project, subscribed: true)
+    create(:issue, project: target_project) do |issue|
+      issue.subscriptions.create(user: user, project: target_project, subscribed: true)
     end
   end
 
+  let(:confidential_issue) do
+    create(:issue, project: target_project, confidential: true) do |issue|
+      issue.subscriptions.create(user: user, project: target_project, subscribed: true)
+    end
+  end
+
+  let(:merge_request) do
+    create(:merge_request, source_project: target_project, target_project: target_project) do |mr|
+      mr.subscriptions.create(user: user, project: target_project, subscribed: true)
+    end
+  end
+
+  let(:noteable) { issue }
+  let(:target_project) { project }
+
   describe 'GET unsubscribe' do
     context 'when the user is not logged in' do
       context 'when the force param is passed' do
@@ -34,20 +50,93 @@ describe SentNotificationsController do
       end
 
       context 'when the force param is not passed' do
+        render_views
+
         before do
           get(:unsubscribe, params: { id: sent_notification.reply_key })
         end
 
-        it 'does not unsubscribe the user' do
-          expect(issue.subscribed?(user, project)).to be_truthy
+        shared_examples 'unsubscribing as anonymous' do
+          it 'does not unsubscribe the user' do
+            expect(noteable.subscribed?(user, target_project)).to be_truthy
+          end
+
+          it 'does not set the flash message' do
+            expect(controller).not_to set_flash[:notice]
+          end
+
+          it 'renders unsubscribe page' do
+            expect(response.status).to eq(200)
+            expect(response).to render_template :unsubscribe
+          end
         end
 
-        it 'does not set the flash message' do
-          expect(controller).not_to set_flash[:notice]
+        context 'when project is public' do
+          context 'when unsubscribing from issue' do
+            let(:noteable) { issue }
+
+            it 'shows issue title' do
+              expect(response.body).to include(issue.title)
+            end
+
+            it_behaves_like 'unsubscribing as anonymous'
+          end
+
+          context 'when unsubscribing from confidential issue' do
+            let(:noteable) { confidential_issue }
+
+            it 'does not show issue title' do
+              expect(response.body).not_to include(confidential_issue.title)
+              expect(response.body).to include(confidential_issue.to_reference)
+            end
+
+            it_behaves_like 'unsubscribing as anonymous'
+          end
+
+          context 'when unsubscribing from merge request' do
+            let(:noteable) { merge_request }
+
+            it 'shows merge request title' do
+              expect(response.body).to include(merge_request.title)
+            end
+
+            it_behaves_like 'unsubscribing as anonymous'
+          end
         end
 
-        it 'redirects to the login page' do
-          expect(response).to render_template :unsubscribe
+        context 'when project is not public' do
+          let(:target_project) { private_project }
+
+          context 'when unsubscribing from issue' do
+            let(:noteable) { issue }
+
+            it 'shows issue title' do
+              expect(response.body).not_to include(issue.title)
+            end
+
+            it_behaves_like 'unsubscribing as anonymous'
+          end
+
+          context 'when unsubscribing from confidential issue' do
+            let(:noteable) { confidential_issue }
+
+            it 'does not show issue title' do
+              expect(response.body).not_to include(confidential_issue.title)
+              expect(response.body).to include(confidential_issue.to_reference)
+            end
+
+            it_behaves_like 'unsubscribing as anonymous'
+          end
+
+          context 'when unsubscribing from merge request' do
+            let(:noteable) { merge_request }
+
+            it 'shows merge request title' do
+              expect(response.body).not_to include(merge_request.title)
+            end
+
+            it_behaves_like 'unsubscribing as anonymous'
+          end
         end
       end
     end
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 6bcff7f975c..9c4ddce5409 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -58,7 +58,26 @@ describe SessionsController do
         it 'authenticates user correctly' do
           post(:create, params: { user: user_params })
 
-          expect(subject.current_user). to eq user
+          expect(subject.current_user).to eq user
+        end
+
+        context 'with password authentication disabled' do
+          before do
+            stub_application_setting(password_authentication_enabled_for_web: false)
+          end
+
+          it 'does not sign in the user' do
+            post(:create, params: { user: user_params })
+
+            expect(@request.env['warden']).not_to be_authenticated
+            expect(subject.current_user).to be_nil
+          end
+
+          it 'returns status 403' do
+            post(:create, params: { user: user_params })
+
+            expect(response.status).to eq 403
+          end
         end
 
         it 'creates an audit log record' do
@@ -153,6 +172,19 @@ describe SessionsController do
         end
       end
 
+      context 'with password authentication disabled' do
+        before do
+          stub_application_setting(password_authentication_enabled_for_web: false)
+        end
+
+        it 'allows 2FA stage of non-password login' do
+          authenticate_2fa(otp_attempt: user.current_otp)
+
+          expect(@request.env['warden']).to be_authenticated
+          expect(subject.current_user).to eq user
+        end
+      end
+
       ##
       # See #14900 issue
       #