author | John Jarvis <jarv@gitlab.com> | 2019-01-01 23:38:54 +0300 |
---|---|---|
committer | John Jarvis <jarv@gitlab.com> | 2019-01-01 23:38:54 +0300 |
commit | ec4ade500e5eb7060b4b79f6bed2f474ce03a851 (patch) | |
tree | 21ccbfaf52dc63f7b58211eec27faa2a7f5d28b2 /spec/services | |
parent | 3fca973e339e9bbf7a2e993bb36e0d800d4e1041 (diff) | |
parent | 52feca595a3311fc12a6f35191a24ff61c33e440 (diff) |
Merge branch 'security-53543-user-keeps-access-to-mr-issue-when-removed-from-team' into 'master'
[master] Adds validation to check if user can read project
See merge request gitlab/gitlabhq!2645
Diffstat (limited to 'spec/services')
-rw-r--r-- | spec/services/issuable/bulk_update_service_spec.rb | 27 | ||||
-rw-r--r-- | spec/services/todo_service_spec.rb | 1 |
2 files changed, 28 insertions, 0 deletions
diff --git a/spec/services/issuable/bulk_update_service_spec.rb b/spec/services/issuable/bulk_update_service_spec.rb
index f0b0f7956ce..ca366cdf1df 100644
--- a/spec/services/issuable/bulk_update_service_spec.rb
+++ b/spec/services/issuable/bulk_update_service_spec.rb
@@ -28,6 +28,33 @@ describe Issuable::BulkUpdateService do
 expect(project.issues.opened).to be_empty
 expect(project.issues.closed).not_to be_empty
 end
+
+ context 'when issue for a different project is created' do
+ let(:private_project) { create(:project, :private) }
+ let(:issue) { create(:issue, project: private_project, author: user) }
+
+ context 'when user has access to the project' do
+ it 'closes all issues passed' do
+ private_project.add_maintainer(user)
+
+ bulk_update(issues + [issue], state_event: 'close')
+
+ expect(project.issues.opened).to be_empty
+ expect(project.issues.closed).not_to be_empty
+ expect(private_project.issues.closed).not_to be_empty
+ end
+ end
+
+ context 'when user does not have access to project' do
+ it 'only closes all issues that the user has access to' do
+ bulk_update(issues + [issue], state_event: 'close')
+
+ expect(project.issues.opened).to be_empty
+ expect(project.issues.closed).not_to be_empty
+ expect(private_project.issues.closed).to be_empty
+ end
+ end
+ end
 end
 describe 'reopen issues' do
diff --git a/spec/services/todo_service_spec.rb b/spec/services/todo_service_spec.rb
index c52515aefd8..253f2e44d10 100644
--- a/spec/services/todo_service_spec.rb
+++ b/spec/services/todo_service_spec.rb
@@ -19,6 +19,7 @@ describe TodoService do
 before do
 project.add_guest(guest)
 project.add_developer(author)
+ project.add_developer(assignee)
 project.add_developer(member)
 project.add_developer(john_doe)
 project.add_developer(skipped) |
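Review bot: The negative example in `'when user does not have access to project'` asserts only `expect(private_project.issues.closed).to be_empty`, which says nothing about the state the private issue was left in. Adding `expect(private_project.issues.opened).to contain_exactly(issue)` would pin that the issue exists and stayed open. The new contexts also exercise only `state_event: 'close'`; the service change is not part of this diffstat, so if the read-permission filter is applied per operation rather than once for the whole batch, the other bulk-update paths would be uncovered. If `author: user` is deliberate (authorship alone must not allow the update), a one-line comment on the `let(:issue)` line saying so would help the next reader.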
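Review bot: Adding `project.add_developer(assignee)` to the shared `before` block means the examples that rely on it now run with an assignee who can read the project, so nothing in this hunk covers the opposite case. Given the merge request title, a companion example in which the assignee is not a project member and receives no todo would guard the new read check against regression. Such an example may exist elsewhere in the file, which is not visible here. The `before` block closes outside the hunk.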