Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4'

[Port for security-10-4]: Makes SnippetFinder ensure feature visibility
author: Douwe Maan <douwe@gitlab.com> 2018-01-18 19:07:06 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2018-02-09 21:04:05 +0300
commit: 5e9e56924a56dcb84c3ae4ae6fc308f635f39f66 (patch)
tree: b7160c4277521c309d1f3cc97580c62474cfa759 /spec/requests/api/snippets_spec.rb
parent: 721fab661de4a01c2d73e88bdd000dfe2e094ced (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/requests/api/snippets_spec.rb b/spec/requests/api/snippets_spec.rb
index 74198c8eb4f..b3e253befc6 100644
--- a/spec/requests/api/snippets_spec.rb
+++ b/spec/requests/api/snippets_spec.rb
@@ -32,6 +32,27 @@ describe API::Snippets do
       expect(json_response).to be_an Array
       expect(json_response.size).to eq(0)
     end
+
+    it 'returns 404 for non-authenticated' do
+      create(:personal_snippet, :internal)
+
+      get api("/snippets/")
+
+      expect(response).to have_gitlab_http_status(401)
+    end
+
+    it 'does not return snippets related to a project with disable feature visibility' do
+      project = create(:project)
+      create(:project_member, project: project, user: user)
+      public_snippet = create(:personal_snippet, :public, author: user, project: project)
+      project.project_feature.update_attribute(:snippets_access_level, 0)
+
+      get api("/snippets/", user)
+
+      json_response.each do |snippet|
+        expect(snippet["id"]).not_to eq(public_snippet.id)
+      end
+    end
   end
 
   describe 'GET /snippets/public' do
author	Douwe Maan <douwe@gitlab.com>	2018-01-18 19:07:06 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2018-02-09 21:04:05 +0300
commit	5e9e56924a56dcb84c3ae4ae6fc308f635f39f66 (patch)
tree	b7160c4277521c309d1f3cc97580c62474cfa759 /spec/requests/api/snippets_spec.rb
parent	721fab661de4a01c2d73e88bdd000dfe2e094ced (diff)