diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-03 13:00:26 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-03 13:00:56 +0300 |
| commit | 7418d0b3ebed03b22d42b1714f8de064b95aa425 (patch) | |
| tree | db850d1ad45ac91912d52ce2affb0e984990f3e4 /spec/requests | |
| parent | 6aefeb24873b0957456ae0deacbb431fc79a6a28 (diff) | |
Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
Diffstat (limited to 'spec/requests')
| -rw-r--r-- | spec/requests/api/todos_spec.rb | 38 |
1 files changed, 22 insertions, 16 deletions
diff --git a/spec/requests/api/todos_spec.rb b/spec/requests/api/todos_spec.rb index c9deb84ff98..c6b4f50afae 100644 --- a/spec/requests/api/todos_spec.rb +++ b/spec/requests/api/todos_spec.rb @@ -378,30 +378,36 @@ RSpec.describe API::Todos do expect(response).to have_gitlab_http_status(:not_found) end end - - it 'returns an error if the issuable author does not have access' do - project_1.add_guest(issuable.author) - - post api("/projects/#{project_1.id}/#{issuable_type}/#{issuable.iid}/todo", issuable.author) - - expect(response).to have_gitlab_http_status(:not_found) - end end describe 'POST :id/issuable_type/:issueable_id/todo' do context 'for an issue' do - it_behaves_like 'an issuable', 'issues' do - let_it_be(:issuable) do - create(:issue, :confidential, author: author_1, project: project_1) - end + let_it_be(:issuable) do + create(:issue, :confidential, project: project_1) + end + + it_behaves_like 'an issuable', 'issues' + + it 'returns an error if the issue author does not have access' do + post api("/projects/#{project_1.id}/issues/#{issuable.iid}/todo", issuable.author) + + expect(response).to have_gitlab_http_status(:not_found) end end context 'for a merge request' do - it_behaves_like 'an issuable', 'merge_requests' do - let_it_be(:issuable) do - create(:merge_request, :simple, source_project: project_1) - end + let_it_be(:issuable) do + create(:merge_request, :simple, source_project: project_1) + end + + it_behaves_like 'an issuable', 'merge_requests' + + it 'returns an error if the merge request author does not have access' do + project_1.add_guest(issuable.author) + + post api("/projects/#{project_1.id}/merge_requests/#{issuable.iid}/todo", issuable.author) + + expect(response).to have_gitlab_http_status(:forbidden) end end end |