diff options
| author | Sean McGivern <sean@gitlab.com> | 2017-03-28 14:09:44 +0300 |
|---|---|---|
| committer | DJ Mountney <david@twkie.net> | 2017-03-30 05:18:38 +0300 |
| commit | 91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch) | |
| tree | dba32618ae3452ae117df78184ad38d3b5ff26b1 /spec/features/groups_spec.rb | |
| parent | 60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff) | |
Merge branch 'jej-group-name-disclosure' into 'security'
Prevent private group disclosure via parent_id
See merge request !2077
Diffstat (limited to 'spec/features/groups_spec.rb')
| -rw-r--r-- | spec/features/groups_spec.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/spec/features/groups_spec.rb b/spec/features/groups_spec.rb index 144d069b632..c90cc06a8f5 100644 --- a/spec/features/groups_spec.rb +++ b/spec/features/groups_spec.rb @@ -100,6 +100,16 @@ feature 'Group', feature: true do end end + it 'checks permissions to avoid exposing groups by parent_id' do + group = create(:group, :private, path: 'secret-group') + + logout + login_as(:user) + visit new_group_path(parent_id: group.id) + + expect(page).not_to have_content('secret-group') + end + describe 'group edit' do let(:group) { create(:group) } let(:path) { edit_group_path(group) } |