author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 21:38:24 +0300 |
---|---|---|
committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-29 03:08:42 +0300 |
commit | 17f837267dc7e9e995885d9d161c7b035719de41 (patch) | |
tree | 86964ac47fbf6e4f2f193a261e9c82fb006a7e34 /spec/features/milestones | |
parent | 94ab2d5fc80d71df5637e6bbe1f5272daf6aa38c (diff) |
Merge branch 'security-issue_51301' into 'master'
[master] Resolve: Promoting a milestone is missing an authorization check
See merge request gitlab/gitlabhq!2598
Diffstat (limited to 'spec/features/milestones')
-rw-r--r-- | spec/features/milestones/user_promotes_milestone_spec.rb | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/spec/features/milestones/user_promotes_milestone_spec.rb b/spec/features/milestones/user_promotes_milestone_spec.rb
new file mode 100644
index 00000000000..df1bc502134
--- /dev/null
+++ b/spec/features/milestones/user_promotes_milestone_spec.rb
@@ -0,0 +1,32 @@
+require 'rails_helper'
+
+describe 'User promotes milestone' do
+ set(:group) { create(:group) }
+ set(:user) { create(:user) }
+ set(:project) { create(:project, namespace: group) }
+ set(:milestone) { create(:milestone, project: project) }
+
+ context 'when user can admin group milestones' do
+ before do
+ group.add_developer(user)
+ sign_in(user)
+ visit(project_milestones_path(project))
+ end
+
+ it "shows milestone promote button" do
+ expect(page).to have_selector('.js-promote-project-milestone-button')
+ end
+ end
+
+ context 'when user cannot admin group milestones' do
+ before do
+ project.add_developer(user)
+ sign_in(user)
+ visit(project_milestones_path(project))
+ end
+
+ it "does not show milestone promote button" do
+ expect(page).not_to have_selector('.js-promote-project-milestone-button')
+ end
+ end
+end |
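Review bot: The negative example in the `when user cannot admin group milestones` context can pass vacuously, because `not_to have_selector` also succeeds when the milestone list does not render at all (for example if sign-in or the visit lands on a different page). Asserting first that the milestone is actually listed, e.g. `expect(page).to have_content(milestone.title)`, would tie the missing button to a page that really shows the milestone. Both examples also check only button visibility, so on their own they do not demonstrate that a direct request to the promote action is refused for a user who is only a project developer. This view is limited to spec/features/milestones, so a controller or request spec elsewhere in the commit may already cover the server-side check; that is worth confirming.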