
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGrzegorz Bizon <grzegorz@gitlab.com>2018-12-05 14:34:06 +0300
committerGrzegorz Bizon <grzegorz@gitlab.com>2018-12-05 14:34:06 +0300
commit1c9b10016a30dc8b8a7aa2a64eb0175973661087 (patch)
tree4bcfadcb045855e3d143100d23679eeb18556f15 /spec/requests
parent5ea6b08e7c223fe9ca9d12f62e83a847d065bb42 (diff)
parent9f4a3111e4111bc22a4f90e1e7059de4ce5f7bc4 (diff)
Merge branch '54826-use-read_repository-scope-on-read-only-files-endpoints' into 'master'
Resolve "Use read_repository scope on read-only files endpoints" Closes #54826 See merge request gitlab-org/gitlab-ce!23534
Diffstat (limited to 'spec/requests')
-rw-r--r--spec/requests/api/files_spec.rb47
1 files changed, 47 insertions, 0 deletions
diff --git a/spec/requests/api/files_spec.rb b/spec/requests/api/files_spec.rb
index 334dbb1c34c..620f9f5e1d6 100644
--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -121,6 +121,13 @@ describe API::Files do
end
end
+ context 'when PATs are used' do
+ it_behaves_like 'repository files' do
+ let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
+ let(:current_user) { { personal_access_token: token } }
+ end
+ end
+
context 'when authenticated', 'as a developer' do
it_behaves_like 'repository files' do
let(:current_user) { user }
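Review bot: The new 'when PATs are used' context only proves that a `read_repository` token is accepted; nothing here shows that a token lacking both `api` and `read_repository` is refused, so a regression that stopped checking scopes on this endpoint would still pass. A sibling example built with `create(:personal_access_token, scopes: ['read_user'], user: user)` and asserting `have_gitlab_http_status(403)` would pin the denial side. The same gap applies to the identical context added in the second hunk (around new line 227). Separately, `current_user` is a Hash here but a user object in the neighbouring context; if the shared examples pass it positionally to `api(...)`, that relies on implicit hash-to-keyword conversion, which deserves a short comment. The enclosing `describe` starts and ends outside the hunk.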
@@ -217,6 +224,13 @@ describe API::Files do
end
end
+ context 'when PATs are used' do
+ it_behaves_like 'repository files' do
+ let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
+ let(:current_user) { { personal_access_token: token } }
+ end
+ end
+
context 'when unauthenticated', 'and project is private' do
it_behaves_like '404 response' do
let(:request) { get api(route(file_path)), params }
@@ -317,6 +331,21 @@ describe API::Files do
let(:request) { get api(route(file_path), guest), params }
end
end
+
+ context 'when PATs are used' do
+ it 'returns file by commit sha' do
+ token = create(:personal_access_token, scopes: ['read_repository'], user: user)
+
+ # This file is deleted on HEAD
+ file_path = "files%2Fjs%2Fcommit%2Ejs%2Ecoffee"
+ params[:ref] = "6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9"
+ expect(Gitlab::Workhorse).to receive(:send_git_blob)
+
+ get api(route(file_path) + "/raw", personal_access_token: token), params
+
+ expect(response).to have_gitlab_http_status(200)
+ end
+ end
end
describe "POST /projects/:id/repository/files/:file_path" do
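Review bot: The example name 'returns file by commit sha' does not say what the new context is checking, namely that a token limited to `read_repository` can fetch the raw blob. Something like `it 'returns raw file by commit sha with `read_repository` scope' do` would make a failure self-explanatory. The local `file_path = ...` also appears to shadow the `file_path` used elsewhere in this describe (presumably a `let`), and `params[:ref] = ...` mutates the shared params hash in place. A `let(:file_path)` and `let(:params)` override inside the context would match how the other contexts on this page are written. The describe block this sits in begins outside the hunk.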
@@ -362,6 +391,24 @@ describe API::Files do
expect(response).to have_gitlab_http_status(400)
end
+ context 'with PATs' do
+ it 'returns 403 with `read_repository` scope' do
+ token = create(:personal_access_token, scopes: ['read_repository'], user: user)
+
+ post api(route(file_path), personal_access_token: token), params
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+
+ it 'returns 201 with `api` scope' do
+ token = create(:personal_access_token, scopes: ['api'], user: user)
+
+ post api(route(file_path), personal_access_token: token), params
+
+ expect(response).to have_gitlab_http_status(201)
+ end
+ end
+
context "when specifying an author" do
it "creates a new file with the specified author" do
params.merge!(author_email: author_email, author_name: author_name)
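Review bot: The 403 check for a `read_repository` token is added only for POST; no hunk in this diff adds the same denial check for the update and delete routes on the same path, which are the other ways a read-only token could change repository content. Mirroring the 'with PATs' context in those describes, e.g. `put api(route(file_path), personal_access_token: token), params` and the `delete` equivalent, each expecting `have_gitlab_http_status(403)`, would cover the whole write surface. The 403 example could also assert that nothing was written, so that a handler which commits before rejecting would be caught. The enclosing `describe "POST ..."` continues past the end of the hunk.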