Merge branch 'jej-group-name-disclosure' into 'security'

Prevent private group disclosure via parent_id See merge request !2077
author: Sean McGivern <sean@gitlab.com> 2017-03-28 14:09:44 +0300
committer: DJ Mountney <david@twkie.net> 2017-03-30 05:18:38 +0300
commit: 91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch)
tree: dba32618ae3452ae117df78184ad38d3b5ff26b1 /spec/services
parent: 60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
index 91ec224d1c4..f6ad5cebd2c 100644
--- a/spec/services/groups/update_service_spec.rb
+++ b/spec/services/groups/update_service_spec.rb
@@ -36,6 +36,20 @@ describe Groups::UpdateService, services: true do
         end
       end
     end
+
+    context "with parent_id user doesn't have permissions for" do
+      let(:service) { described_class.new(public_group, user, parent_id: private_group.id) }
+
+      before do
+        service.execute
+      end
+
+      it 'does not update parent_id' do
+        updated_group = public_group.reload
+
+        expect(updated_group.parent_id).to be_nil
+      end
+    end
   end
 
   context "unauthorized visibility_level validation" do
author	Sean McGivern <sean@gitlab.com>	2017-03-28 14:09:44 +0300
committer	DJ Mountney <david@twkie.net>	2017-03-30 05:18:38 +0300
commit	91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch)
tree	dba32618ae3452ae117df78184ad38d3b5ff26b1 /spec/services
parent	60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff)