Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-06-30 14:44:06 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-06-30 14:44:27 +0300
commit: aa5a29806f359945ec3483906a4e40ec71362a61 (patch)
tree: 316da62ab44dcd8fbb4515d7b967605234613384 /spec/requests
parent: 16fa5cf183d9f59a66c1e258ce36cd3f09c8d3fd (diff)
1 files changed, 65 insertions, 54 deletions
diff --git a/spec/requests/ide_controller_spec.rb b/spec/requests/ide_controller_spec.rb
index 9b0d8dcd828..4bf1e43ba40 100644
--- a/spec/requests/ide_controller_spec.rb
+++ b/spec/requests/ide_controller_spec.rb
@@ -3,7 +3,14 @@
 require 'spec_helper'
 
 RSpec.describe IdeController do
-  let_it_be(:project) { create(:project, :public) }
+  let_it_be(:reporter) { create(:user) }
+
+  let_it_be(:project) do
+    create(:project, :private).tap do |p|
+      p.add_reporter(reporter)
+    end
+  end
+
   let_it_be(:creator) { project.creator }
   let_it_be(:other_user) { create(:user) }
 
@@ -14,48 +21,62 @@ RSpec.describe IdeController do
     sign_in(user)
   end
 
-  it 'increases the views counter' do
-    expect(Gitlab::UsageDataCounters::WebIdeCounter).to receive(:increment_views_count)
-
-    get ide_url
-  end
-
   describe '#index', :aggregate_failures do
     subject { get route }
 
-    shared_examples 'user cannot push code' do
-      include ProjectForksHelper
-
-      let(:user) { other_user }
+    shared_examples 'user access rights check' do
+      context 'user can read project' do
+        it 'increases the views counter' do
+          expect(Gitlab::UsageDataCounters::WebIdeCounter).to receive(:increment_views_count)
 
-      context 'when user does not have fork' do
-        it 'instantiates fork_info instance var with fork_path and return 200' do
           subject
-
-          expect(response).to have_gitlab_http_status(:ok)
-          expect(assigns(:project)).to eq project
-          expect(assigns(:fork_info)).to eq({ fork_path: controller.helpers.ide_fork_and_edit_path(project, branch, '', with_notice: false) })
         end
 
-        it 'has nil fork_info if user cannot fork' do
-          project.project_feature.update!(forking_access_level: ProjectFeature::DISABLED)
+        context 'user can read project but cannot push code' do
+          include ProjectForksHelper
 
-          subject
+          let(:user) { reporter }
 
-          expect(response).to have_gitlab_http_status(:ok)
-          expect(assigns(:fork_info)).to be_nil
+          context 'when user does not have fork' do
+            it 'instantiates fork_info instance var with fork_path and returns 200' do
+              subject
+
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(assigns(:project)).to eq project
+              expect(assigns(:fork_info)).to eq({ fork_path: controller.helpers.ide_fork_and_edit_path(project, branch, '', with_notice: false) })
+            end
+
+            it 'has nil fork_info if user cannot fork' do
+              project.project_feature.update!(forking_access_level: ProjectFeature::DISABLED)
+
+              subject
+
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(assigns(:fork_info)).to be_nil
+            end
+          end
+
+          context 'when user has fork' do
+            let!(:fork) { fork_project(project, user, repository: true, namespace: user.namespace) }
+
+            it 'instantiates fork_info instance var with ide_path and returns 200' do
+              subject
+
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(assigns(:project)).to eq project
+              expect(assigns(:fork_info)).to eq({ ide_path: controller.helpers.ide_edit_path(fork, branch, '') })
+            end
+          end
         end
       end
 
-      context 'when user has fork' do
-        let!(:fork) { fork_project(project, user, repository: true, namespace: user.namespace) }
+      context 'user cannot read project' do
+        let(:user) { other_user }
 
-        it 'instantiates fork_info instance var with ide_path and return 200' do
+        it 'returns 404' do
           subject
 
-          expect(response).to have_gitlab_http_status(:ok)
-          expect(assigns(:project)).to eq project
-          expect(assigns(:fork_info)).to eq({ ide_path: controller.helpers.ide_edit_path(fork, branch, '') })
+          expect(response).to have_gitlab_http_status(:not_found)
         end
       end
     end
@@ -63,37 +84,27 @@ RSpec.describe IdeController do
     context '/-/ide' do
       let(:route) { '/-/ide' }
 
-      it 'does not instantiate any instance var and return 200' do
+      it 'returns 404' do
         subject
 
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(assigns(:project)).to be_nil
-        expect(assigns(:branch)).to be_nil
-        expect(assigns(:path)).to be_nil
-        expect(assigns(:merge_request)).to be_nil
-        expect(assigns(:fork_info)).to be_nil
+        expect(response).to have_gitlab_http_status(:not_found)
       end
     end
 
     context '/-/ide/project' do
       let(:route) { '/-/ide/project' }
 
-      it 'does not instantiate any instance var and return 200' do
+      it 'returns 404' do
         subject
 
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(assigns(:project)).to be_nil
-        expect(assigns(:branch)).to be_nil
-        expect(assigns(:path)).to be_nil
-        expect(assigns(:merge_request)).to be_nil
-        expect(assigns(:fork_info)).to be_nil
+        expect(response).to have_gitlab_http_status(:not_found)
       end
     end
 
     context '/-/ide/project/:project' do
       let(:route) { "/-/ide/project/#{project.full_path}" }
 
-      it 'instantiates project instance var and return 200' do
+      it 'instantiates project instance var and returns 200' do
         subject
 
         expect(response).to have_gitlab_http_status(:ok)
@@ -104,13 +115,13 @@ RSpec.describe IdeController do
         expect(assigns(:fork_info)).to be_nil
       end
 
-      it_behaves_like 'user cannot push code'
+      it_behaves_like 'user access rights check'
 
       %w(edit blob tree).each do |action|
         context "/-/ide/project/:project/#{action}" do
           let(:route) { "/-/ide/project/#{project.full_path}/#{action}" }
 
-          it 'instantiates project instance var and return 200' do
+          it 'instantiates project instance var and returns 200' do
             subject
 
             expect(response).to have_gitlab_http_status(:ok)
@@ -121,13 +132,13 @@ RSpec.describe IdeController do
             expect(assigns(:fork_info)).to be_nil
           end
 
-          it_behaves_like 'user cannot push code'
+          it_behaves_like 'user access rights check'
 
           context "/-/ide/project/:project/#{action}/:branch" do
             let(:branch) { 'master' }
             let(:route) { "/-/ide/project/#{project.full_path}/#{action}/#{branch}" }
 
-            it 'instantiates project and branch instance vars and return 200' do
+            it 'instantiates project and branch instance vars and returns 200' do
               subject
 
               expect(response).to have_gitlab_http_status(:ok)
@@ -138,13 +149,13 @@ RSpec.describe IdeController do
               expect(assigns(:fork_info)).to be_nil
             end
 
-            it_behaves_like 'user cannot push code'
+            it_behaves_like 'user access rights check'
 
             context "/-/ide/project/:project/#{action}/:branch/-" do
               let(:branch) { 'branch/slash' }
               let(:route) { "/-/ide/project/#{project.full_path}/#{action}/#{branch}/-" }
 
-              it 'instantiates project and branch instance vars and return 200' do
+              it 'instantiates project and branch instance vars and returns 200' do
                 subject
 
                 expect(response).to have_gitlab_http_status(:ok)
@@ -155,13 +166,13 @@ RSpec.describe IdeController do
                 expect(assigns(:fork_info)).to be_nil
               end
 
-              it_behaves_like 'user cannot push code'
+              it_behaves_like 'user access rights check'
 
               context "/-/ide/project/:project/#{action}/:branch/-/:path" do
                 let(:branch) { 'master' }
                 let(:route) { "/-/ide/project/#{project.full_path}/#{action}/#{branch}/-/foo/.bar" }
 
-                it 'instantiates project, branch, and path instance vars and return 200' do
+                it 'instantiates project, branch, and path instance vars and returns 200' do
                   subject
 
                   expect(response).to have_gitlab_http_status(:ok)
@@ -172,7 +183,7 @@ RSpec.describe IdeController do
                   expect(assigns(:fork_info)).to be_nil
                 end
 
-                it_behaves_like 'user cannot push code'
+                it_behaves_like 'user access rights check'
               end
             end
           end
@@ -184,7 +195,7 @@ RSpec.describe IdeController do
 
         let(:route) { "/-/ide/project/#{project.full_path}/merge_requests/#{merge_request.id}" }
 
-        it 'instantiates project and merge_request instance vars and return 200' do
+        it 'instantiates project and merge_request instance vars and returns 200' do
           subject
 
           expect(response).to have_gitlab_http_status(:ok)
@@ -195,7 +206,7 @@ RSpec.describe IdeController do
           expect(assigns(:fork_info)).to be_nil
         end
 
-        it_behaves_like 'user cannot push code'
+        it_behaves_like 'user access rights check'
       end
     end
   end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-06-30 14:44:06 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-06-30 14:44:27 +0300
commit	aa5a29806f359945ec3483906a4e40ec71362a61 (patch)
tree	316da62ab44dcd8fbb4515d7b967605234613384 /spec/requests
parent	16fa5cf183d9f59a66c1e258ce36cd3f09c8d3fd (diff)