diff options
| author | Robert Speicher <robert@gitlab.com> | 2018-01-19 02:10:19 +0300 |
|---|---|---|
| committer | Robert Speicher <rspeicher@gmail.com> | 2018-02-09 21:16:25 +0300 |
| commit | fec9fb05a5775b864ef6768df166d39fcb2be4bc (patch) | |
| tree | 9274b1aba3720ae0204be7294000bb8f22b77a48 /spec/requests/api/todos_spec.rb | |
| parent | 603fa7c14193d37e3953225501d2108f0c581df5 (diff) | |
Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'
Restrict Todo API mark_as_done endpoint to the user's todos only
Diffstat (limited to 'spec/requests/api/todos_spec.rb')
| -rw-r--r-- | spec/requests/api/todos_spec.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/spec/requests/api/todos_spec.rb b/spec/requests/api/todos_spec.rb index fb3a33cadff..2ee8d150dc8 100644 --- a/spec/requests/api/todos_spec.rb +++ b/spec/requests/api/todos_spec.rb @@ -129,6 +129,12 @@ describe API::Todos do post api("/todos/#{pending_1.id}/mark_as_done", john_doe) end + + it 'returns 404 if the todo does not belong to the current user' do + post api("/todos/#{pending_1.id}/mark_as_done", author_1) + + expect(response.status).to eq(404) + end end end |