diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-07-26 16:40:49 +0300 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-07-26 16:40:49 +0300 |
| commit | cfc327b0c0cd59bd1283eda752f452dd9cbd1729 (patch) | |
| tree | 04b3752dfa707944da5b0a5cce15e0c17265b766 /spec/features/merge_request | |
| parent | 85104fc81f7663fb77114cc6bf99ca095adf7701 (diff) | |
| parent | 6c27c0d394b70be4f2a2e0fa047f6844199c2661 (diff) | |
Merge branch 'security-bvl-filter-mr-params' into 'master'
Filter params in MR build service
Closes #2879
See merge request gitlab/gitlabhq!3237
Diffstat (limited to 'spec/features/merge_request')
| -rw-r--r-- | spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb (renamed from spec/features/merge_request/user_tries_to_access_private_repository_through_new_mr_spec.rb) | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/spec/features/merge_request/user_tries_to_access_private_repository_through_new_mr_spec.rb b/spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb index 9318b5f1ebb..1ebe9e2e409 100644 --- a/spec/features/merge_request/user_tries_to_access_private_repository_through_new_mr_spec.rb +++ b/spec/features/merge_request/user_tries_to_access_private_project_info_through_new_mr_spec.rb @@ -1,6 +1,8 @@ +# frozen_string_literal: true + require 'spec_helper' -describe 'Merge Request > Tries to access private repo of public project' do +describe 'Merge Request > User tries to access private project information through the new mr page' do let(:current_user) { create(:user) } let(:private_project) do create(:project, :public, :repository, @@ -33,5 +35,22 @@ describe 'Merge Request > Tries to access private repo of public project' do it "does not mention the project the user can't see the repo of" do expect(page).not_to have_content('nothing-to-see-here') end + + context 'when the user enters label information from the private project in the querystring' do + let(:inaccessible_label) { create(:label, project: private_project) } + let(:mr_path) do + project_new_merge_request_path( + owned_project, + merge_request: { + label_ids: [inaccessible_label.id], + source_branch: 'feature' + } + ) + end + + it 'does not expose the label name' do + expect(page).not_to have_content(inaccessible_label.name) + end + end end end |