diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:36:52 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:36:52 +0300 |
commit | b50ad884608668c5db50eb1b0287f613e32aef25 (patch) | |
tree | 0e2fd877999ae2d3ab1e83b62a4d69ad4ab2e9ea /spec/controllers | |
parent | 03340f0987ac61ef4c884d4730e2fd3cbff113c5 (diff) | |
parent | 211c4e5985bf40afe7cf2391c76a6cfde153fb49 (diff) |
Merge branch '2802-security-add-public-internal-groups-as-members-to-your-project-idor' into 'master'
Add public/internal groups as members to your Project(IDOR)
See merge request gitlab/gitlabhq!2898
Diffstat (limited to 'spec/controllers')
-rw-r--r-- | spec/controllers/groups/shared_projects_controller_spec.rb | 2 | ||||
-rw-r--r-- | spec/controllers/projects/group_links_controller_spec.rb | 37 |
2 files changed, 39 insertions, 0 deletions
diff --git a/spec/controllers/groups/shared_projects_controller_spec.rb b/spec/controllers/groups/shared_projects_controller_spec.rb index dab7700cf64..b0c20fb5a90 100644 --- a/spec/controllers/groups/shared_projects_controller_spec.rb +++ b/spec/controllers/groups/shared_projects_controller_spec.rb @@ -6,6 +6,8 @@ describe Groups::SharedProjectsController do end def share_project(project) + group.add_developer(user) + Projects::GroupLinks::CreateService.new( project, user, diff --git a/spec/controllers/projects/group_links_controller_spec.rb b/spec/controllers/projects/group_links_controller_spec.rb index 675eeff8d12..ce021b2f085 100644 --- a/spec/controllers/projects/group_links_controller_spec.rb +++ b/spec/controllers/projects/group_links_controller_spec.rb @@ -65,8 +65,24 @@ describe Projects::GroupLinksController do end end + context 'when user does not have access to the public group' do + let(:group) { create(:group, :public) } + + include_context 'link project to group' + + it 'renders 404' do + expect(response.status).to eq 404 + end + + it 'does not share project with that group' do + expect(group.shared_projects).not_to include project + end + end + context 'when project group id equal link group id' do before do + group2.add_developer(user) + post(:create, params: { namespace_id: project.namespace, project_id: project, @@ -102,5 +118,26 @@ describe Projects::GroupLinksController do expect(flash[:alert]).to eq('Please select a group.') end end + + context 'when link is not persisted in the database' do + before do + allow(::Projects::GroupLinks::CreateService).to receive_message_chain(:new, :execute) + .and_return({ status: :error, http_status: 409, message: 'error' }) + + post(:create, params: { + namespace_id: project.namespace, + project_id: project, + link_group_id: group.id, + link_group_access: ProjectGroupLink.default_access + }) + end + + it 'redirects to project group links page' do + expect(response).to redirect_to( + project_project_members_path(project) + ) + expect(flash[:alert]).to eq('error') + end + end end end |