diff options
author | Felipe Artur <felipefac@gmail.com> | 2019-05-20 17:08:31 +0300 |
---|---|---|
committer | Felipe Artur <felipefac@gmail.com> | 2019-05-20 17:08:34 +0300 |
commit | b70b43d07ec27c6410e4a8d7ad417662a8823f8f (patch) | |
tree | f2ce52b008b39683db353f07723d14e104b0b250 /spec/requests/api/search_spec.rb | |
parent | 1602ce28c65125f045e36c4420dafd6a7788d37c (diff) |
Resolve: Milestones leaked via search API
Fix milestone titles being leaked using search API
when users cannot read milestones
Diffstat (limited to 'spec/requests/api/search_spec.rb')
-rw-r--r-- | spec/requests/api/search_spec.rb | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/spec/requests/api/search_spec.rb b/spec/requests/api/search_spec.rb index 49672591b3b..42e0efa10b7 100644 --- a/spec/requests/api/search_spec.rb +++ b/spec/requests/api/search_spec.rb @@ -70,11 +70,30 @@ describe API::Search do context 'for milestones scope' do before do create(:milestone, project: project, title: 'awesome milestone') + end + + context 'when user can read project milestones' do + before do + get api('/search', user), params: { scope: 'milestones', search: 'awesome' } + end - get api('/search', user), params: { scope: 'milestones', search: 'awesome' } + it_behaves_like 'response is correct', schema: 'public_api/v4/milestones' end - it_behaves_like 'response is correct', schema: 'public_api/v4/milestones' + context 'when user cannot read project milestones' do + before do + project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE) + project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE) + end + + it 'returns empty array' do + get api('/search', user), params: { scope: 'milestones', search: 'awesome' } + + milestones = JSON.parse(response.body) + + expect(milestones).to be_empty + end + end end context 'for users scope' do @@ -318,11 +337,30 @@ describe API::Search do context 'for milestones scope' do before do create(:milestone, project: project, title: 'awesome milestone') + end + + context 'when user can read milestones' do + before do + get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' } + end - get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' } + it_behaves_like 'response is correct', schema: 'public_api/v4/milestones' end - it_behaves_like 'response is correct', schema: 'public_api/v4/milestones' + context 'when user cannot read project milestones' do + before do + project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE) + project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE) + end + + it 'returns empty array' do + get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' } + + milestones = JSON.parse(response.body) + + expect(milestones).to be_empty + end + end end context 'for users scope' do |