diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-28 15:11:16 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-28 15:11:16 +0300 |
commit | 48c36378567b3dbadd780b03ecda571652cff400 (patch) | |
tree | f1d4accd3942a27e6c27a9a7f34c99d893d8794b /spec | |
parent | 7b848eda5589ff5fa1bc3c6f782fc907c59a4417 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-1-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/admin/users/user_spec.rb | 8 | ||||
-rw-r--r-- | spec/lib/api/entities/issue_spec.rb | 47 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 46 | ||||
-rw-r--r-- | spec/requests/api/npm_project_packages_spec.rb | 4 | ||||
-rw-r--r-- | spec/requests/lfs_http_spec.rb | 6 |
5 files changed, 71 insertions, 40 deletions
diff --git a/spec/features/admin/users/user_spec.rb b/spec/features/admin/users/user_spec.rb index 18d62cb585f..f8f1fdaabb4 100644 --- a/spec/features/admin/users/user_spec.rb +++ b/spec/features/admin/users/user_spec.rb @@ -504,7 +504,9 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do end context 'when user has an unconfirmed email', :js do - let(:unconfirmed_user) { create(:user, :unconfirmed) } + # Email address contains HTML to ensure email address is displayed in an HTML safe way. + let_it_be(:unconfirmed_email) { "#{generate(:email)}<h2>testing<img/src=http://localhost:8000/test.png>" } + let_it_be(:unconfirmed_user) { create(:user, :unconfirmed, unconfirmed_email: unconfirmed_email) } where(:path_helper) do [ @@ -524,7 +526,9 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do within_modal do expect(page).to have_content("Confirm user #{unconfirmed_user.name}?") - expect(page).to have_content('This user has an unconfirmed email address. You may force a confirmation.') + expect(page).to have_content( + "This user has an unconfirmed email address (#{unconfirmed_email}). You may force a confirmation." + ) click_button 'Confirm user' end diff --git a/spec/lib/api/entities/issue_spec.rb b/spec/lib/api/entities/issue_spec.rb new file mode 100644 index 00000000000..15886542571 --- /dev/null +++ b/spec/lib/api/entities/issue_spec.rb @@ -0,0 +1,47 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe ::API::Entities::Issue, feature_category: :team_planning do + let_it_be(:project) { create(:project) } + let(:issue) { build_stubbed(:issue, project: project) } + let(:current_user) { build_stubbed(:user) } + let(:options) { { current_user: current_user }.merge(option_addons) } + let(:option_addons) { {} } + let(:entity) { described_class.new(issue, options) } + + subject(:json) { entity.as_json } + + describe '#service_desk_reply_to', feature_category: :service_desk do + # Setting to true (default) doesn't play nice with stubs + let(:option_addons) { { include_subscribed: false } } + let(:issue) { build_stubbed(:issue, project: project, service_desk_reply_to: email) } + let(:email) { 'creator@example.com' } + let(:role) { :developer } + + subject { json[:service_desk_reply_to] } + + context 'as developer' do + before do + stub_member_access_level(issue.project, developer: current_user) + end + + it { is_expected.to eq(email) } + end + + context 'as guest' do + before do + stub_member_access_level(issue.project, guest: current_user) + end + + it { is_expected.to eq('cr*****@e*****.c**') } + end + + context 'without email' do + let(:email) { nil } + + specify { expect(json).to have_key(:service_desk_reply_to) } + it { is_expected.to eq(nil) } + end + end +end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index ee8d811971a..200e2025517 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -2552,42 +2552,24 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do describe 'when user is authenticated via CI_JOB_TOKEN', :request_store do using RSpec::Parameterized::TableSyntax - where(:project_visibility, :user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do - :private | :reporter | false | :same | true | true - :private | :reporter | false | :same | false | true - :private | :reporter | false | :different | true | false - :private | :reporter | false | :different | false | true - :private | :guest | false | :same | true | true - :private | :guest | false | :same | false | true - :private | :guest | false | :different | true | false - :private | :guest | false | :different | false | true - - :internal | :reporter | false | :same | true | true - :internal | :reporter | true | :same | true | true - :internal | :reporter | false | :same | false | true - :internal | :reporter | false | :different | true | true - :internal | :reporter | true | :different | true | false - :internal | :reporter | false | :different | false | true - :internal | :guest | false | :same | true | true - :internal | :guest | true | :same | true | true - :internal | :guest | false | :same | false | true - :internal | :guest | false | :different | true | true - :internal | :guest | true | :different | true | false - :internal | :guest | false | :different | false | true - - :public | :reporter | false | :same | true | true - :public | :reporter | false | :same | false | true - :public | :reporter | false | :different | true | true - :public | :reporter | false | :different | false | true - :public | :guest | false | :same | true | true - :public | :guest | false | :same | false | true - :public | :guest | false | :different | true | true - :public | :guest | false | :different | false | true + where(:user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do + :reporter | false | :same | true | true + :reporter | true | :same | true | true + :reporter | false | :same | false | true + :reporter | false | :different | true | false + :reporter | true | :different | true | false + :reporter | false | :different | false | true + :guest | false | :same | true | true + :guest | true | :same | true | true + :guest | false | :same | false | true + :guest | false | :different | true | false + :guest | true | :different | true | false + :guest | false | :different | false | true end with_them do let(:current_user) { public_send(user_role) } - let(:project) { public_send("#{project_visibility}_project") } + let(:project) { public_project } let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) } let(:scope_project) do diff --git a/spec/requests/api/npm_project_packages_spec.rb b/spec/requests/api/npm_project_packages_spec.rb index 60d4bddc502..b18d99ca884 100644 --- a/spec/requests/api/npm_project_packages_spec.rb +++ b/spec/requests/api/npm_project_packages_spec.rb @@ -111,7 +111,7 @@ RSpec.describe API::NpmProjectPackages, feature_category: :package_registry do context 'with a job token for a different user' do let_it_be(:other_user) { create(:user) } - let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user) } + let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user, project: project) } let(:headers) { build_token_auth_header(other_job.token) } @@ -160,7 +160,7 @@ RSpec.describe API::NpmProjectPackages, feature_category: :package_registry do context 'with a job token for a different user' do let_it_be(:other_user) { create(:user) } - let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user) } + let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user, project: project) } let(:headers) { build_token_auth_header(other_job.token) } diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb index b07296a0df2..81d6b5465e3 100644 --- a/spec/requests/lfs_http_spec.rb +++ b/spec/requests/lfs_http_spec.rb @@ -677,8 +677,7 @@ RSpec.describe 'Git LFS API and storage', feature_category: :source_code_managem context 'tries to push to other project' do let(:pipeline) { create(:ci_empty_pipeline, project: other_project) } - # I'm not sure what this tests that is different from the previous test - it_behaves_like 'LFS http 403 response' + it_behaves_like 'LFS http 404 response' end end @@ -1198,8 +1197,7 @@ RSpec.describe 'Git LFS API and storage', feature_category: :source_code_managem context 'tries to push to other project' do let(:pipeline) { create(:ci_empty_pipeline, project: other_project) } - # I'm not sure what this tests that is different from the previous test - it_behaves_like 'LFS http 403 response' + it_behaves_like 'LFS http 404 response' end end |