Merge branch 'fix-guest-access-posting-to-notes' into 'security'

Prevent users from creating notes on resources they can't access See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
author: Robert Speicher <robert@gitlab.com> 2017-01-20 00:00:47 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2017-01-23 21:54:52 +0300
commit: a1f959430b752aca21f798d37d338e11afaa6110 (patch)
tree: f2a94b85c04789589e9691867969052bc7b977ef /spec/requests
parent: 3a5df1d8fc518900d8e33a6be8a2243e399c754a (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/spec/requests/api/notes_spec.rb b/spec/requests/api/notes_spec.rb
index 0f8d054b31e..0353ebea9e5 100644
--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb
@@ -264,6 +264,18 @@ describe API::Notes, api: true  do
       end
     end
 
+    context 'when user does not have access to read the noteable' do
+      it 'responds with 404' do
+        project = create(:empty_project, :private) { |p| p.add_guest(user) }
+        issue = create(:issue, :confidential, project: project)
+
+        post api("/projects/#{project.id}/issues/#{issue.id}/notes", user),
+          body: 'Foo'
+
+        expect(response).to have_http_status(404)
+      end
+    end
+
     context 'when user does not have access to create noteable' do
       let(:private_issue) { create(:issue, project: create(:empty_project, :private)) }
author	Robert Speicher <robert@gitlab.com>	2017-01-20 00:00:47 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2017-01-23 21:54:52 +0300
commit	a1f959430b752aca21f798d37d338e11afaa6110 (patch)
tree	f2a94b85c04789589e9691867969052bc7b977ef /spec/requests
parent	3a5df1d8fc518900d8e33a6be8a2243e399c754a (diff)