
authorDJ Mountney <dj@gitlab.com>2017-03-18 07:23:15 +0300
committerRuben Davila <rdavila84@gmail.com>2017-03-18 21:48:23 +0300
commitcdf396f456472ef8decd9598daa8dc0097cd30c5 (patch)
tree1c5455e7411b5965b01cf42988dff1329e8d2073 /spec
parentfe2feaa7dd8cfba2d8148150811f6d6ec106b160 (diff)
Merge branch 'render-json-leak' into 'security'
Fix for render JSON include leaks. See merge request !2074. Conflicts: app/controllers/projects/merge_requests_controller.rb spec/controllers/projects/issues_controller_spec.rb
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/projects/issues_controller_spec.rb23
-rw-r--r--spec/controllers/projects/merge_requests_controller_spec.rb18
2 files changed, 41 insertions, 0 deletions
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index b5987a83df0..ebd9272dfc2 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -123,6 +123,29 @@ describe Projects::IssuesController do
end
describe 'PUT #update' do
+ before do
+ sign_in(user)
+ project.team << [user, :developer]
+ end
+
+ context 'changing the assignee' do
+ it 'limits the attributes exposed on the assignee' do
+ assignee = create(:user)
+ project.add_developer(assignee)
+
+ put :update,
+ namespace_id: project.namespace.to_param,
+ project_id: project,
+ id: issue.iid,
+ issue: { assignee_id: assignee.id },
+ format: :json
+ body = JSON.parse(response.body)
+
+ expect(body['assignee'].keys)
+ .to match_array(%w(name username avatar_url))
+ end
+ end
+
context 'when moving issue to another private project' do
let(:another_project) { create(:project, :private) }
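Review bot: The assertion at `expect(body['assignee'].keys)` dereferences the parsed response without first checking that the update actually succeeded; if the request is rejected (an error payload or a redirect with no `assignee` key) the spec dies with a NoMethodError on nil instead of a readable expectation failure, which matters for a test whose job is to guard against an attribute leak regression. I would add `expect(response).to have_http_status(:ok)` right after the `put :update` call, and `expect(body['assignee']['username']).to eq(assignee.username)` next to the key check so the exposed fields are shown to belong to the newly assigned user rather than some other rendered object. The same applies to the parallel example added in spec/controllers/projects/merge_requests_controller_spec.rb. The enclosing `describe 'PUT #update'` block starts before this hunk and continues past it, so I cannot see whether the sign-in `before` block also exists in the merge request spec — that should be confirmed against the surrounding file.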
diff --git a/spec/controllers/projects/merge_requests_controller_spec.rb b/spec/controllers/projects/merge_requests_controller_spec.rb
index c4d599def03..263cb009e62 100644
--- a/spec/controllers/projects/merge_requests_controller_spec.rb
+++ b/spec/controllers/projects/merge_requests_controller_spec.rb
@@ -177,6 +177,24 @@ describe Projects::MergeRequestsController do
end
describe 'PUT update' do
+ context 'changing the assignee' do
+ it 'limits the attributes exposed on the assignee' do
+ assignee = create(:user)
+ project.add_developer(assignee)
+
+ put :update,
+ namespace_id: project.namespace.to_param,
+ project_id: project,
+ id: merge_request.iid,
+ merge_request: { assignee_id: assignee.id },
+ format: :json
+ body = JSON.parse(response.body)
+
+ expect(body['assignee'].keys)
+ .to match_array(%w(name username avatar_url))
+ end
+ end
+
context 'there is no source project' do
let(:project) { create(:project) }
let(:fork_project) { create(:forked_project_with_submodules) }