Avoid setting Gitlab::Session on sessionless requests

author: James Edwards-Jones <jedwardsjones@gitlab.com> 2019-06-04 18:21:05 +0300
committer: James Edwards-Jones <jedwardsjones@gitlab.com> 2019-06-05 21:07:20 +0300
commit: 866f544c3e29c66ab47ddd9266898cb64d615967 (patch)
tree: 1509ddd37633ed254ce5cba14ff2ebe5271d6862 /spec/controllers
parent: dbcbfc2638c289307c6e421fa6a5ca48603b1d53 (diff)
1 files changed, 34 insertions, 0 deletions
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 5ecd1b6b7c8..40669ec5451 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -691,4 +691,38 @@ describe ApplicationController do
       end
     end
   end
+
+  context 'Gitlab::Session' do
+    controller(described_class) do
+      prepend_before_action do
+        authenticate_sessionless_user!(:rss)
+      end
+
+      def index
+        if Gitlab::Session.current
+          head :created
+        else
+          head :not_found
+        end
+      end
+    end
+
+    it 'is set on web requests' do
+      sign_in(user)
+
+      get :index
+
+      expect(response).to have_gitlab_http_status(:created)
+    end
+
+    context 'with sessionless user' do
+      it 'is not set' do
+        personal_access_token = create(:personal_access_token, user: user)
+
+        get :index, format: :atom, params: { private_token: personal_access_token.token }
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
 end
author	James Edwards-Jones <jedwardsjones@gitlab.com>	2019-06-04 18:21:05 +0300
committer	James Edwards-Jones <jedwardsjones@gitlab.com>	2019-06-05 21:07:20 +0300
commit	866f544c3e29c66ab47ddd9266898cb64d615967 (patch)
tree	1509ddd37633ed254ce5cba14ff2ebe5271d6862 /spec/controllers
parent	dbcbfc2638c289307c6e421fa6a5ca48603b1d53 (diff)