authorGitLab Bot <gitlab-bot@gitlab.com>2022-08-17 21:11:29 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-08-17 21:11:29 +0300
commitf1503ea64b21497db21094355ac574248dc243c4 (patch)
tree55e580a3494031039a9e65711d27b176dec6d342 /spec/requests
parent5ff5438a0674c1e8217f78d2000c61c9d550c503 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/requests')
-rw-r--r--spec/requests/api/merge_requests_spec.rb91
-rw-r--r--spec/requests/api/project_packages_spec.rb76
2 files changed, 165 insertions, 2 deletions
diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index 2a03ae89389..320e9e0cd66 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -1120,6 +1120,44 @@ RSpec.describe API::MergeRequests do
end.not_to exceed_query_limit(control)
end
end
+
+ context 'when user is an inherited member from the group' do
+ let_it_be(:group) { create(:group) }
+
+ shared_examples 'user cannot view merge requests' do
+ it 'returns 403 forbidden' do
+ get api("/projects/#{group_project.id}/merge_requests", inherited_user)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'and user is a guest' do
+ let_it_be(:inherited_user) { create(:user) }
+
+ before_all do
+ group.add_guest(inherited_user)
+ end
+
+ context 'when project is public with private merge requests' do
+ let(:group_project) do
+ create(:project,
+ :public,
+ :repository,
+ group: group,
+ merge_requests_access_level: ProjectFeature::DISABLED)
+ end
+
+ it_behaves_like 'user cannot view merge requests'
+ end
+
+ context 'when project is private' do
+ let(:group_project) { create(:project, :private, :repository, group: group) }
+
+ it_behaves_like 'user cannot view merge requests'
+ end
+ end
+ end
end
describe "GET /groups/:id/merge_requests" do
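Review bot: The context `when project is public with private merge requests` builds its project with `merge_requests_access_level: ProjectFeature::DISABLED`, which switches the feature off for every caller rather than restricting it to members, so the 403 asserted by `user cannot view merge requests` would be returned to any user and does not exercise the inherited-guest authorization the context name describes. If the intended scenario is a public project whose merge requests are members-only, the fixture should use `ProjectFeature::PRIVATE`; otherwise the context should be renamed to say the feature is disabled. Either way the new context asserts only denials, so a sibling example for an inherited member with a role that is expected to read merge requests (asserting `:ok`) would catch a fix that locks out every inherited member. The same DISABLED-versus-"private" mismatch appears in the POST hunk below under `user cannot create merge requests`. The enclosing `describe` starts outside this hunk.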
@@ -2219,6 +2257,59 @@ RSpec.describe API::MergeRequests do
expect(response).to have_gitlab_http_status(:created)
end
end
+
+ context 'when user is an inherited member from the group' do
+ let_it_be(:group) { create(:group) }
+
+ shared_examples 'user cannot create merge requests' do
+ it 'returns 403 forbidden' do
+ post api("/projects/#{group_project.id}/merge_requests", inherited_user), params: params
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'and user is a guest' do
+ let_it_be(:inherited_user) { create(:user) }
+ let_it_be(:params) do
+ {
+ title: 'Test merge request',
+ source_branch: 'feature_conflict',
+ target_branch: 'master',
+ author_id: inherited_user.id
+ }
+ end
+
+ before_all do
+ group.add_guest(inherited_user)
+ end
+
+ context 'when project is public with private merge requests' do
+ let(:group_project) do
+ create(:project,
+ :public,
+ :repository,
+ group: group,
+ merge_requests_access_level: ProjectFeature::DISABLED,
+ only_allow_merge_if_pipeline_succeeds: false)
+ end
+
+ it_behaves_like 'user cannot create merge requests'
+ end
+
+ context 'when project is private' do
+ let(:group_project) do
+ create(:project,
+ :private,
+ :repository,
+ group: group,
+ only_allow_merge_if_pipeline_succeeds: false)
+ end
+
+ it_behaves_like 'user cannot create merge requests'
+ end
+ end
+ end
end
describe 'PUT /projects/:id/merge_requests/:merge_request_iid' do
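Review bot: Every example added in this context expects `:forbidden`, so a regression that denied merge request creation to all inherited group members would still pass; there is no positive control. A sibling `context 'and user is a developer'` that calls `group.add_developer(inherited_user)` in `before_all` and asserts `have_gitlab_http_status(:created)` against the same `params` would pin that the 403 is specific to the guest role. The `params` hash passes `author_id: inherited_user.id`, which is fine for the forbidden path but worth keeping identical in the positive case so the only variable is the role. The enclosing `describe` starts outside this hunk.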
diff --git a/spec/requests/api/project_packages_spec.rb b/spec/requests/api/project_packages_spec.rb
index 5f4b8899a33..7a05da8e13f 100644
--- a/spec/requests/api/project_packages_spec.rb
+++ b/spec/requests/api/project_packages_spec.rb
@@ -86,6 +86,18 @@ RSpec.describe API::ProjectPackages do
expect(json_response).to include(a_hash_including('_links' => a_hash_including('web_path' => include(nested_project.namespace.full_path))))
end
end
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ subject { get api(url, job_token: job.token) }
+
+ it_behaves_like 'returns packages', :project, :maintainer
+ it_behaves_like 'returns packages', :project, :developer
+ it_behaves_like 'returns packages', :project, :reporter
+ it_behaves_like 'returns packages', :project, :no_type
+ it_behaves_like 'returns packages', :project, :guest
+ end
end
context 'project is private' do
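Review bot: `let(:job) { create(:ci_build, :running, user: user) }` does not pass `project:`, so it is not visible here whether the job token belongs to the project under test or to a project generated by the factory; as written, the five `returns packages` examples can only show that the token authenticates as `user`, not that the token is accepted because of the project it was issued for. Passing `project: project` (and, if cross-project behaviour is meant to be covered, a second job on another project with its own expectation) makes the intent explicit and keeps these examples meaningful if job-token scoping is tightened later. The same fixture shape is repeated in the other `with JOB-TOKEN auth` contexts in this file, so one change to a shared `let` would cover them. The enclosing context starts outside this hunk.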
@@ -116,6 +128,19 @@ RSpec.describe API::ProjectPackages do
end
end
end
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ subject { get api(url, job_token: job.token) }
+
+ it_behaves_like 'returns packages', :project, :maintainer
+ it_behaves_like 'returns packages', :project, :developer
+ it_behaves_like 'returns packages', :project, :reporter
+ it_behaves_like 'rejects packages access', :project, :no_type, :not_found
+ # TODO uncomment when https://gitlab.com/gitlab-org/gitlab/-/issues/370998 is resolved
+ # it_behaves_like 'rejects packages access', :project, :guest, :not_found
+ end
end
context 'with pagination params' do
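Review bot: The commented-out `it_behaves_like 'rejects packages access', :project, :guest, :not_found` at the end of the new context leaves the guest-with-job-token path on a private project with no assertion at all, so the suite cannot tell whether the linked issue is fixed or whether the behaviour drifts further. Wrapping the example in a group with skip metadata, e.g. `context 'with a guest', skip: 'https://gitlab.com/gitlab-org/gitlab/-/issues/370998' do`, keeps it visible as skipped in the run output instead of silently absent, and `pending:` in place of `skip:` would additionally flag the example once it starts passing. The same commented-out example appears in the single-package `with JOB-TOKEN auth` context for the private project further down. The enclosing `context 'project is private'` starts outside this hunk.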
@@ -177,6 +202,8 @@ RSpec.describe API::ProjectPackages do
end
describe 'GET /projects/:id/packages/:package_id' do
+ let(:single_package_schema) { 'public_api/v4/packages/package' }
+
subject { get api(package_url, user) }
shared_examples 'no destroy url' do
@@ -217,7 +244,7 @@ RSpec.describe API::ProjectPackages do
subject
expect(response).to have_gitlab_http_status(:ok)
- expect(response).to match_response_schema('public_api/v4/packages/package')
+ expect(response).to match_response_schema(single_package_schema)
end
it 'returns 404 when the package does not exist' do
@@ -233,6 +260,18 @@ RSpec.describe API::ProjectPackages do
end
it_behaves_like 'no destroy url'
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ subject { get api(package_url, job_token: job.token) }
+
+ it_behaves_like 'returns package', :project, :maintainer
+ it_behaves_like 'returns package', :project, :developer
+ it_behaves_like 'returns package', :project, :reporter
+ it_behaves_like 'returns package', :project, :no_type
+ it_behaves_like 'returns package', :project, :guest
+ end
end
context 'project is private' do
@@ -259,7 +298,7 @@ RSpec.describe API::ProjectPackages do
subject
expect(response).to have_gitlab_http_status(:ok)
- expect(response).to match_response_schema('public_api/v4/packages/package')
+ expect(response).to match_response_schema(single_package_schema)
end
it_behaves_like 'no destroy url'
@@ -273,6 +312,19 @@ RSpec.describe API::ProjectPackages do
it_behaves_like 'destroy url'
end
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ subject { get api(package_url, job_token: job.token) }
+
+ it_behaves_like 'returns package', :project, :maintainer
+ it_behaves_like 'returns package', :project, :developer
+ it_behaves_like 'returns package', :project, :reporter
+ # TODO uncomment when https://gitlab.com/gitlab-org/gitlab/-/issues/370998 is resolved
+ # it_behaves_like 'rejects packages access', :project, :guest, :not_found
+ it_behaves_like 'rejects packages access', :project, :no_type, :not_found
+ end
+
context 'with pipeline' do
let!(:package1) { create(:npm_package, :with_build, project: project) }
@@ -355,6 +407,26 @@ RSpec.describe API::ProjectPackages do
expect(response).to have_gitlab_http_status(:no_content)
end
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ it 'returns 403 for a user without enough permissions' do
+ project.add_developer(user)
+
+ expect { delete api(package_url, job_token: job.token) }.not_to change { ::Packages::Package.pending_destruction.count }
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+
+ it 'returns 204' do
+ project.add_maintainer(user)
+
+ expect { delete api(package_url, job_token: job.token) }.to change { ::Packages::Package.pending_destruction.count }.by(1)
+
+ expect(response).to have_gitlab_http_status(:no_content)
+ end
+ end
end
context 'with a maven package' do
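Review bot: The new `with JOB-TOKEN auth` context for the delete endpoint covers only a developer (`:forbidden`) and a maintainer (`:no_content`); there is no example for a job whose user is not a member of the project at all, which is the case the read-path contexts above pin as `:not_found` for `:no_type`. For a destructive endpoint that is the case most worth asserting: an example that skips the `project.add_*` call and checks `expect { delete api(package_url, job_token: job.token) }.not_to change { ::Packages::Package.pending_destruction.count }` followed by `expect(response).to have_gitlab_http_status(:not_found)`, with the status adjusted if the enclosing context is a public project, which is not visible in this hunk. The enclosing `describe` starts outside this hunk.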