Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-03-30 02:49:08 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-03-30 02:49:18 +0300
commit: 38dadcee569adfbbb1c9dc99634bba4e9a9128bc (patch)
tree: 32661c6c5a8585196d1c84b7f4efcdc166cb8240 /spec/services
parent: 05bbfffcd3692a70849628ff36ecb8eeac4902af (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/spec/services/merge_requests/push_options_handler_service_spec.rb b/spec/services/merge_requests/push_options_handler_service_spec.rb
index 251bf6f0d9d..03f3d56cdd2 100644
--- a/spec/services/merge_requests/push_options_handler_service_spec.rb
+++ b/spec/services/merge_requests/push_options_handler_service_spec.rb
@@ -861,6 +861,21 @@ RSpec.describe MergeRequests::PushOptionsHandlerService do
     end
   end
 
+  describe 'when user does not have access to target project' do
+    let(:push_options) { { create: true, target: 'my-branch' } }
+    let(:changes) { default_branch_changes }
+
+    before do
+      allow(user1).to receive(:can?).with(:read_code, project).and_return(false)
+    end
+
+    it 'records an error', :sidekiq_inline do
+      service.execute
+
+      expect(service.errors).to eq(["User access was denied"])
+    end
+  end
+
   describe 'when MRs are not enabled' do
     let(:project) { create(:project, :public, :repository).tap { |pr| pr.add_developer(user1) } }
     let(:push_options) { { create: true } }
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-03-30 02:49:08 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-03-30 02:49:18 +0300
commit	38dadcee569adfbbb1c9dc99634bba4e9a9128bc (patch)
tree	32661c6c5a8585196d1c84b7f4efcdc166cb8240 /spec/services
parent	05bbfffcd3692a70849628ff36ecb8eeac4902af (diff)