Merge branch '41567-projectfix' into 'security-10-3'

check project access on MR create See merge request gitlab/gitlabhq!2273 (cherry picked from commit 1fe2325d6ef2bced4c5e97b57691c894f38b2834) 43e85f49 check project access on MR create
author: Sean McGivern <sean@gitlab.com> 2018-01-05 20:55:37 +0300
committer: Stan Hu <stanhu@gmail.com> 2018-01-17 04:04:38 +0300
commit: 3fc0564ae09a9edf87a71a8c85ff9bf8ad35121d (patch)
tree: 85ac8103dc85140d6a5e2d13b5949dd7f37cdd81 /spec/services/merge_requests/create_service_spec.rb
parent: 954a44574fd7a0be232a194d503032e16b8f3094 (diff)
1 files changed, 61 insertions, 0 deletions
diff --git a/spec/services/merge_requests/create_service_spec.rb b/spec/services/merge_requests/create_service_spec.rb
index dd8c803a2f7..5d226f34d2d 100644
--- a/spec/services/merge_requests/create_service_spec.rb
+++ b/spec/services/merge_requests/create_service_spec.rb
@@ -263,5 +263,66 @@ describe MergeRequests::CreateService do
         expect(issue_ids).to match_array([first_issue.id, second_issue.id])
       end
     end
+
+    context 'when source and target projects are different' do
+      let(:target_project) { create(:project) }
+
+      let(:opts) do
+        {
+          title: 'Awesome merge_request',
+          source_branch: 'feature',
+          target_branch: 'master',
+          target_project_id: target_project.id
+        }
+      end
+
+      context 'when user can not access source project' do
+        before do
+          target_project.add_developer(assignee)
+          target_project.add_master(user)
+        end
+
+        it 'raises an error' do
+          expect { described_class.new(project, user, opts).execute }
+            .to raise_error Gitlab::Access::AccessDeniedError
+        end
+      end
+
+      context 'when user can not access target project' do
+        before do
+          target_project.add_developer(assignee)
+          target_project.add_master(user)
+        end
+
+        it 'raises an error' do
+          expect { described_class.new(project, user, opts).execute }
+            .to raise_error Gitlab::Access::AccessDeniedError
+        end
+      end
+    end
+
+    context 'when user sets source project id' do
+      let(:another_project) { create(:project) }
+
+      let(:opts) do
+        {
+          title: 'Awesome merge_request',
+          source_branch: 'feature',
+          target_branch: 'master',
+          source_project_id: another_project.id
+        }
+      end
+
+      before do
+        project.add_developer(assignee)
+        project.add_master(user)
+      end
+
+      it 'ignores source_project_id' do
+        merge_request = described_class.new(project, user, opts).execute
+
+        expect(merge_request.source_project_id).to eq(project.id)
+      end
+    end
   end
 end
author	Sean McGivern <sean@gitlab.com>	2018-01-05 20:55:37 +0300
committer	Stan Hu <stanhu@gmail.com>	2018-01-17 04:04:38 +0300
commit	3fc0564ae09a9edf87a71a8c85ff9bf8ad35121d (patch)
tree	85ac8103dc85140d6a5e2d13b5949dd7f37cdd81 /spec/services/merge_requests/create_service_spec.rb
parent	954a44574fd7a0be232a194d503032e16b8f3094 (diff)