diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-07-26 16:40:49 +0300 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-07-26 16:40:49 +0300 |
| commit | cfc327b0c0cd59bd1283eda752f452dd9cbd1729 (patch) | |
| tree | 04b3752dfa707944da5b0a5cce15e0c17265b766 /spec/services/merge_requests | |
| parent | 85104fc81f7663fb77114cc6bf99ca095adf7701 (diff) | |
| parent | 6c27c0d394b70be4f2a2e0fa047f6844199c2661 (diff) | |
Merge branch 'security-bvl-filter-mr-params' into 'master'
Filter params in MR build service
Closes #2879
See merge request gitlab/gitlabhq!3237
Diffstat (limited to 'spec/services/merge_requests')
| -rw-r--r-- | spec/services/merge_requests/build_service_spec.rb | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/spec/services/merge_requests/build_service_spec.rb b/spec/services/merge_requests/build_service_spec.rb index 5c3b209086c..f18239f6d39 100644 --- a/spec/services/merge_requests/build_service_spec.rb +++ b/spec/services/merge_requests/build_service_spec.rb @@ -1,5 +1,4 @@ # frozen_string_literal: true - require 'spec_helper' describe MergeRequests::BuildService do @@ -225,6 +224,11 @@ describe MergeRequests::BuildService do let(:label_ids) { [label2.id] } let(:milestone_id) { milestone2.id } + before do + # Guests are not able to assign labels or milestones to an issue + project.add_developer(user) + end + it 'assigns milestone_id and label_ids instead of issue labels and milestone' do expect(merge_request.milestone).to eq(milestone2) expect(merge_request.labels).to match_array([label2]) @@ -479,4 +483,35 @@ describe MergeRequests::BuildService do end end end + + context 'when assigning labels' do + let(:label_ids) { [create(:label, project: project).id] } + + context 'for members with less than developer access' do + it 'is not allowed' do + expect(merge_request.label_ids).to be_empty + end + end + + context 'for users allowed to assign labels' do + before do + project.add_developer(user) + end + + context 'for labels in the project' do + it 'is allowed for developers' do + expect(merge_request.label_ids).to contain_exactly(*label_ids) + end + end + + context 'for unrelated labels' do + let(:project_label) { create(:label, project: project) } + let(:label_ids) { [create(:label).id, project_label.id] } + + it 'only assigns related labels' do + expect(merge_request.label_ids).to contain_exactly(project_label.id) + end + end + end + end end |