diff options
| author | Bob Van Landuyt <bob@vanlanduyt.co> | 2019-09-25 19:25:40 +0300 |
|---|---|---|
| committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2019-10-24 13:19:56 +0300 |
| commit | 20cb4f7ab567062fd67ccd40cd29ff1d2e85d8f0 (patch) | |
| tree | 9a6c1fc7836513723d2948ec1cd53dc268b25bf7 /spec/services/merge_requests | |
| parent | dc0622dbe3cd552abca4107557c6c09edb23625c (diff) | |
Only assign merge params when allowed
When a user updates a merge request coming from a fork, they should
not be able to set `force_remove_source_branch` if they cannot push
code to the source project.
Otherwise developers of the target project could remove the source
branch of the source project by setting this flag through the API.
Diffstat (limited to 'spec/services/merge_requests')
| -rw-r--r-- | spec/services/merge_requests/build_service_spec.rb | 3 | ||||
| -rw-r--r-- | spec/services/merge_requests/update_service_spec.rb | 24 |
2 files changed, 26 insertions, 1 deletions
diff --git a/spec/services/merge_requests/build_service_spec.rb b/spec/services/merge_requests/build_service_spec.rb index 46e86d5b4cb..9b358839c06 100644 --- a/spec/services/merge_requests/build_service_spec.rb +++ b/spec/services/merge_requests/build_service_spec.rb @@ -83,8 +83,9 @@ describe MergeRequests::BuildService do expect(merge_request.force_remove_source_branch?).to be_truthy end - context 'with force_remove_source_branch parameter' do + context 'with force_remove_source_branch parameter when the user is authorized' do let(:mr_params) { params.merge(force_remove_source_branch: '1') } + let(:source_project) { fork_project(project, user) } let(:merge_request) { described_class.new(project, user, mr_params).execute } it 'assigns force_remove_source_branch' do diff --git a/spec/services/merge_requests/update_service_spec.rb b/spec/services/merge_requests/update_service_spec.rb index 8c796475de0..741420d76a7 100644 --- a/spec/services/merge_requests/update_service_spec.rb +++ b/spec/services/merge_requests/update_service_spec.rb @@ -646,5 +646,29 @@ describe MergeRequests::UpdateService, :mailer do expect(merge_request.allow_collaboration).to be_truthy end end + + context 'updating `force_remove_source_branch`' do + let(:target_project) { create(:project, :repository, :public) } + let(:source_project) { fork_project(target_project, nil, repository: true) } + let(:user) { target_project.owner } + let(:merge_request) do + create(:merge_request, + source_project: source_project, + source_branch: 'fixes', + target_project: target_project) + end + + it "cannot be done by members of the target project when they don't have access" do + expect { update_merge_request(force_remove_source_branch: true) } + .not_to change { merge_request.reload.force_remove_source_branch? }.from(nil) + end + + it 'can be done by members of the target project if they can push to the source project' do + source_project.add_developer(user) + + expect { update_merge_request(force_remove_source_branch: true) } + .to change { merge_request.reload.force_remove_source_branch? }.from(nil).to(true) + end + end end end |