Merge branch '2802-security-add-public-internal-groups-as-members-to-your-project-idor' into 'master'

Add public/internal groups as members to your Project(IDOR) See merge request gitlab/gitlabhq!2898
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:36:52 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:36:52 +0300
commit: b50ad884608668c5db50eb1b0287f613e32aef25 (patch)
tree: 0e2fd877999ae2d3ab1e83b62a4d69ad4ab2e9ea /spec/controllers
parent: 03340f0987ac61ef4c884d4730e2fd3cbff113c5 (diff)
parent: 211c4e5985bf40afe7cf2391c76a6cfde153fb49 (diff)
2 files changed, 39 insertions, 0 deletions
diff --git a/spec/controllers/groups/shared_projects_controller_spec.rb b/spec/controllers/groups/shared_projects_controller_spec.rb
index dab7700cf64..b0c20fb5a90 100644
--- a/spec/controllers/groups/shared_projects_controller_spec.rb
+++ b/spec/controllers/groups/shared_projects_controller_spec.rb
@@ -6,6 +6,8 @@ describe Groups::SharedProjectsController do
   end
 
   def share_project(project)
+    group.add_developer(user)
+
     Projects::GroupLinks::CreateService.new(
       project,
       user,
diff --git a/spec/controllers/projects/group_links_controller_spec.rb b/spec/controllers/projects/group_links_controller_spec.rb
index 675eeff8d12..ce021b2f085 100644
--- a/spec/controllers/projects/group_links_controller_spec.rb
+++ b/spec/controllers/projects/group_links_controller_spec.rb
@@ -65,8 +65,24 @@ describe Projects::GroupLinksController do
       end
     end
 
+    context 'when user does not have access to the public group' do
+      let(:group) { create(:group, :public) }
+
+      include_context 'link project to group'
+
+      it 'renders 404' do
+        expect(response.status).to eq 404
+      end
+
+      it 'does not share project with that group' do
+        expect(group.shared_projects).not_to include project
+      end
+    end
+
     context 'when project group id equal link group id' do
       before do
+        group2.add_developer(user)
+
         post(:create, params: {
                         namespace_id: project.namespace,
                         project_id: project,
@@ -102,5 +118,26 @@ describe Projects::GroupLinksController do
         expect(flash[:alert]).to eq('Please select a group.')
       end
     end
+
+    context 'when link is not persisted in the database' do
+      before do
+        allow(::Projects::GroupLinks::CreateService).to receive_message_chain(:new, :execute)
+          .and_return({ status: :error, http_status: 409, message: 'error' })
+
+        post(:create, params: {
+                        namespace_id: project.namespace,
+                        project_id: project,
+                        link_group_id: group.id,
+                        link_group_access: ProjectGroupLink.default_access
+                      })
+      end
+
+      it 'redirects to project group links page' do
+        expect(response).to redirect_to(
+          project_project_members_path(project)
+        )
+        expect(flash[:alert]).to eq('error')
+      end
+    end
   end
 end
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:36:52 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:36:52 +0300
commit	b50ad884608668c5db50eb1b0287f613e32aef25 (patch)
tree	0e2fd877999ae2d3ab1e83b62a4d69ad4ab2e9ea /spec/controllers
parent	03340f0987ac61ef4c884d4730e2fd3cbff113c5 (diff)
parent	211c4e5985bf40afe7cf2391c76a6cfde153fb49 (diff)