
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-08-30 22:43:58 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-08-30 22:44:08 +0300
commit43aa6e8b1b1010f9de06a946eec4a645bac6e96d (patch)
treea8f5312b7982f732ec72213b2f255950610487f5 /spec
parentba25c7ef51673db933439a6a2b1503d7c12bec14 (diff)
Add latest changes from gitlab-org/security/gitlab@16-2-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/groups/labels_controller_spec.rb66
-rw-r--r--spec/services/error_tracking/list_projects_service_spec.rb16
2 files changed, 69 insertions, 13 deletions
diff --git a/spec/controllers/groups/labels_controller_spec.rb b/spec/controllers/groups/labels_controller_spec.rb
index 916b2cf10dd..3ade85eee9d 100644
--- a/spec/controllers/groups/labels_controller_spec.rb
+++ b/spec/controllers/groups/labels_controller_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
RSpec.describe Groups::LabelsController, feature_category: :team_planning do
let_it_be(:group) { create(:group) }
let_it_be(:user) { create(:user) }
+ let_it_be(:another_user) { create(:user) }
let_it_be(:project) { create(:project, namespace: group) }
before do
@@ -66,6 +67,46 @@ RSpec.describe Groups::LabelsController, feature_category: :team_planning do
end
end
+ shared_examples 'when current_user does not have ability to modify the label' do
+ before do
+ sign_in(another_user)
+ end
+
+ it 'responds with status 404' do
+ group_request
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ # No matter what permissions you have in a sub-group, you need the proper
+ # permissions in the group in order to modify a group label
+ # See https://gitlab.com/gitlab-org/gitlab/-/issues/387531
+ context 'when trying to edit a parent group label from inside a subgroup' do
+ it 'responds with status 404' do
+ sub_group.add_owner(another_user)
+ sub_group_request
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
+
+ describe 'GET #edit' do
+ let_it_be(:label) { create(:group_label, group: group) }
+
+ it 'shows the edit page' do
+ get :edit, params: { group_id: group.to_param, id: label.to_param }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ it_behaves_like 'when current_user does not have ability to modify the label' do
+ let_it_be(:sub_group) { create(:group, parent: group) }
+ let(:group_request) { get :edit, params: { group_id: group.to_param, id: label.to_param } }
+ let(:sub_group_request) { get :edit, params: { group_id: sub_group.to_param, id: label.to_param } }
+ end
+ end
+
describe 'POST #toggle_subscription' do
it 'allows user to toggle subscription on group labels' do
label = create(:group_label, group: group)
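Review bot: The shared example 'when current_user does not have ability to modify the label' asserts only the 404 status in both of its examples, so when it is reused for `delete :destroy` and `put :update` in the next hunk it would still pass if the label had been changed before the response was rendered. This appears to be the regression test for an authorization fix (the comment links issue 387531), so the request should also be wrapped in a state check, e.g. `expect { sub_group_request }.not_to change { Label.where(id: label.id).pluck(:title) }`, and likewise for `group_request`. The extra check is harmless for the `GET #edit` use, since that request changes nothing.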
@@ -99,19 +140,20 @@ RSpec.describe Groups::LabelsController, feature_category: :team_planning do
end
end
- context 'when current_user does not have ability to destroy the label' do
- let(:another_user) { create(:user) }
-
- before do
- sign_in(another_user)
- end
-
- it 'responds with status 404' do
- label = create(:group_label, group: group)
- delete :destroy, params: { group_id: group.to_param, id: label.to_param }
+ it_behaves_like 'when current_user does not have ability to modify the label' do
+ let_it_be(:label) { create(:group_label, group: group) }
+ let_it_be(:sub_group) { create(:group, parent: group) }
+ let(:group_request) { delete :destroy, params: { group_id: group.to_param, id: label.to_param } }
+ let(:sub_group_request) { delete :destroy, params: { group_id: sub_group.to_param, id: label.to_param } }
+ end
+ end
- expect(response).to have_gitlab_http_status(:not_found)
- end
+ describe 'PUT #update' do
+ it_behaves_like 'when current_user does not have ability to modify the label' do
+ let_it_be(:label) { create(:group_label, group: group) }
+ let_it_be(:sub_group) { create(:group, parent: group) }
+ let(:group_request) { put :update, params: { group_id: group.to_param, id: label.to_param, label: { title: 'Test' } } }
+ let(:sub_group_request) { put :update, params: { group_id: sub_group.to_param, id: label.to_param, label: { title: 'Test' } } }
end
end
end
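Review bot: The new `describe 'PUT #update'` block contains only the negative shared example, so nothing visible in this hunk shows that the same `put :update` request succeeds for a user who is allowed to modify the label. Without that positive control, a 404 with another cause (a wrong param shape, or a lookup that never finds the label) would also satisfy the test; `GET #edit` in the previous hunk has such a control in 'shows the edit page'. I would add an example that sends the request as the signed-in user from the `before` block (defined outside this hunk, so confirm it has the permission) and checks `expect(label.reload.title).to eq('Test')`, with `label` moved to a `let_it_be` at the `describe` level so both examples share it. If update is already covered elsewhere in the file, a comment pointing there is enough.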
diff --git a/spec/services/error_tracking/list_projects_service_spec.rb b/spec/services/error_tracking/list_projects_service_spec.rb
index 8408adcc21d..d91808edc8d 100644
--- a/spec/services/error_tracking/list_projects_service_spec.rb
+++ b/spec/services/error_tracking/list_projects_service_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integratio
let_it_be(:user) { create(:user) }
let_it_be(:project, reload: true) { create(:project) }
- let(:sentry_url) { 'https://sentrytest.gitlab.com/api/0/projects/sentry-org/sentry-project' }
+ let(:sentry_url) { 'https://sentrytest.gitlab.com/api/0/projects/org/proj/' }
let(:token) { 'test-token' }
let(:new_api_host) { 'https://gitlab.com/' }
let(:new_token) { 'new-token' }
@@ -66,6 +66,20 @@ RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integratio
end
end
+ context 'with the similar api host' do
+ let(:api_host) { 'https://sentrytest.gitlab.co' }
+
+ it 'returns an error' do
+ expect(result[:message]).to start_with('Token is a required field')
+ expect(error_tracking_setting).not_to be_valid
+ expect(error_tracking_setting).not_to receive(:list_sentry_projects)
+ end
+
+ it 'resets the token' do
+ expect { subject.execute }.to change { error_tracking_setting.token }.from(token).to(nil)
+ end
+ end
+
context 'with a new api host' do
let(:api_host) { new_api_host }
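Review bot: In 'returns an error', `expect(error_tracking_setting).not_to receive(:list_sentry_projects)` is declared after `result` has already been read on the first line of the example; if `result` is a `let` that runs `subject.execute` (its definition is outside the hunk), the service has finished by then and the negative expectation can never fail. That expectation is the one showing that no request goes to `https://sentrytest.gitlab.co`, so it should be declared first, above `expect(result[:message]).to start_with('Token is a required field')`. A comment on the `let(:api_host)` line such as `# string prefix of the host in sentry_url, but a different host` would also make the intent of the fixture clear.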