
authorFelipe Artur <felipefac@gmail.com>2016-05-10 01:35:37 +0300
committerFelipe Artur <felipefac@gmail.com>2016-05-10 01:35:37 +0300
commite56e3cdc62f96541b9bd8b7814204e92f1909253 (patch)
treefc3872d2ba8c02ae552fc583cbdbb163d3340b20 /spec/requests/api/notes_spec.rb
parentae25c19ee5dcfae8ea977b2014657ecc6c3eaf3d (diff)
Fix api leaking notes when user is not authorized to read noteable
Diffstat (limited to 'spec/requests/api/notes_spec.rb')
-rw-r--r--spec/requests/api/notes_spec.rb19
1 files changed, 19 insertions, 0 deletions
diff --git a/spec/requests/api/notes_spec.rb b/spec/requests/api/notes_spec.rb
index 49091fc0f49..f5b31be1ba3 100644
--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb
@@ -57,6 +57,15 @@ describe API::API, api: true do
expect(json_response).to be_empty
end
+ context "and issue is confidential" do
+ before { ext_issue.update_attributes(confidential: true) }
+
+ it "returns 404" do
+ get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", user)
+ expect(response.status).to eq(404)
+ end
+ end
+
context "and current user can view the note" do
it "should return an empty array" do
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", private_user)
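Review bot: The new confidential-issue context only asserts the negative side — `user` gets a 404 at L29–L30 — with no companion assertion that a project member still receives the notes once the issue is confidential, so an over-broad fix that hides confidential noteables from everyone (including the member `private_user` exercised at L36 for the non-confidential case) would pass this spec unchanged. Add a positive case inside the same context, e.g. `it "returns notes to an authorized user" do get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", private_user); expect(response.status).to eq(200) end`. Who `user` is and whether they are a member of `ext_proj` is set up outside this hunk, as is the enclosing `context`, so the exact expectation should be checked against that setup.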
@@ -80,6 +89,11 @@ describe API::API, api: true do
get api("/projects/#{project.id}/snippets/42/notes", user)
expect(response.status).to eq(404)
end
+
+ it "returns 404 when not authorized" do
+ get api("/projects/#{project.id}/snippets/#{snippet.id}/notes", private_user)
+ expect(response.status).to eq(404)
+ end
end
context "when noteable is a Merge Request" do
@@ -94,6 +108,11 @@ describe API::API, api: true do
get api("/projects/#{project.id}/merge_requests/4444/notes", user)
expect(response.status).to eq(404)
end
+
+ it "returns 404 when not authorized" do
+ get api("/projects/#{project.id}/merge_requests/4444/notes", private_user)
+ expect(response.status).to eq(404)
+ end
end
end
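Review bot: The "returns 404 when not authorized" test at L53–L56 requests `merge_requests/4444`, the same non-existent id the not-found test at L49 uses, so the 404 it asserts is produced by the missing record, not by the authorization check, and the merge-request path of the fix named in the commit title is not actually exercised. The snippet test at L43 does this correctly by using a real `snippet.id`; the merge-request test should likewise target an existing merge request that `private_user` cannot read, e.g. `get api("/projects/#{project.id}/merge_requests/#{merge_request.id}/notes", private_user)`. Whether a `merge_request` fixture and the `private_user`/`project` setup exist in this spec is outside the hunk, and the enclosing `context` starts outside it as well.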