Merge remote-tracking branch 'dev/master'

4 files changed, 135 insertions, 1 deletions

diff --git a/spec/features/groups/members/user_requests_access_spec.rb b/spec/features/groups/members/user_requests_access_spec.rb
index 1ea607cbca0..4944301c938 100644
--- a/spec/features/groups/members/user_requests_access_spec.rb
+++ b/spec/features/groups/members/user_requests_access_spec.rb
@@ -4,6 +4,7 @@ feature 'Groups > Members > User requests access', feature: true do
   let(:user) { create(:user) }
   let(:owner) { create(:user) }
   let(:group) { create(:group, :public) }
+  let!(:project) { create(:project, :private, namespace: group) }
 
   background do
     group.add_owner(owner)
@@ -24,6 +25,20 @@ feature 'Groups > Members > User requests access', feature: true do
     expect(page).not_to have_content 'Leave Group'
   end
 
+  scenario 'user does not see private projects' do
+    perform_enqueued_jobs { click_link 'Request Access' }
+
+    expect(page).not_to have_content project.name
+  end
+
+  scenario 'user does not see group in the Dashboard > Groups page' do
+    perform_enqueued_jobs { click_link 'Request Access' }
+
+    visit dashboard_groups_path
+
+    expect(page).not_to have_content group.name
+  end
+
   scenario 'user is not listed in the group members page' do
     click_link 'Request Access'
 
diff --git a/spec/models/snippet_spec.rb b/spec/models/snippet_spec.rb
index 789816bf2c7..0621c6a06ce 100644
--- a/spec/models/snippet_spec.rb
+++ b/spec/models/snippet_spec.rb
@@ -72,7 +72,7 @@ describe Snippet, models: true do
     end
   end
 
-  describe '#search_code' do
+  describe '.search_code' do
     let(:snippet) { create(:snippet, content: 'class Foo; end') }
 
     it 'returns snippets with matching content' do
@@ -88,6 +88,46 @@ describe Snippet, models: true do
     end
   end
 
+  describe '.accessible_to' do
+    let(:author)  { create(:author) }
+    let(:project) { create(:empty_project) }
+
+    let!(:public_snippet)   { create(:snippet, :public) }
+    let!(:internal_snippet) { create(:snippet, :internal) }
+    let!(:private_snippet)  { create(:snippet, :private, author: author) }
+
+    let!(:project_public_snippet)   { create(:snippet, :public, project: project) }
+    let!(:project_internal_snippet) { create(:snippet, :internal, project: project) }
+    let!(:project_private_snippet)  { create(:snippet, :private, project: project) }
+
+    it 'returns only public snippets when user is blank' do
+      expect(described_class.accessible_to(nil)).to match_array [public_snippet, project_public_snippet]
+    end
+
+    it 'returns only public, and internal snippets for regular users' do
+      user = create(:user)
+
+      expect(described_class.accessible_to(user)).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet]
+    end
+
+    it 'returns public, internal snippets and project private snippets for project members' do
+      member = create(:user)
+      project.team << [member, :developer]
+
+      expect(described_class.accessible_to(member)).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
+    end
+
+    it 'returns private snippets where the user is the author' do
+      expect(described_class.accessible_to(author)).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet]
+    end
+
+    it 'returns all snippets when for admins' do
+      admin = create(:admin)
+
+      expect(described_class.accessible_to(admin)).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
+    end
+  end
+
   describe '#participants' do
     let(:project) { create(:project, :public) }
     let(:snippet) { create(:snippet, content: 'foo', project: project) }
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 73bee535fe3..328254ed56b 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -31,6 +31,26 @@ describe User, models: true do
     it { is_expected.to have_many(:spam_logs).dependent(:destroy) }
     it { is_expected.to have_many(:todos).dependent(:destroy) }
     it { is_expected.to have_many(:award_emoji).dependent(:destroy) }
+
+    describe '#group_members' do
+      it 'does not include group memberships for which user is a requester' do
+        user = create(:user)
+        group = create(:group, :public)
+        group.request_access(user)
+
+        expect(user.group_members).to be_empty
+      end
+    end
+
+    describe '#project_members' do
+      it 'does not include project memberships for which user is a requester' do
+        user = create(:user)
+        project = create(:project, :public)
+        project.request_access(user)
+
+        expect(user.project_members).to be_empty
+      end
+    end
   end
 
   describe 'validations' do
diff --git a/spec/services/search/snippet_service_spec.rb b/spec/services/search/snippet_service_spec.rb
new file mode 100644
index 00000000000..14f3301d9f4
--- /dev/null
+++ b/spec/services/search/snippet_service_spec.rb
@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+describe Search::SnippetService, services: true do
+  let(:author) { create(:author) }
+  let(:project) { create(:empty_project) }
+
+  let!(:public_snippet)   { create(:snippet, :public, content: 'password: XXX') }
+  let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') }
+  let!(:private_snippet)  { create(:snippet, :private, content: 'password: XXX', author: author) }
+
+  let!(:project_public_snippet)   { create(:snippet, :public, project: project, content: 'password: XXX') }
+  let!(:project_internal_snippet) { create(:snippet, :internal, project: project, content: 'password: XXX') }
+  let!(:project_private_snippet)  { create(:snippet, :private, project: project, content: 'password: XXX') }
+
+  describe '#execute' do
+    context 'unauthenticated' do
+      it 'returns public snippets only' do
+        search = described_class.new(nil, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, project_public_snippet]
+      end
+    end
+
+    context 'authenticated' do
+      it 'returns only public & internal snippets for regular users' do
+        user = create(:user)
+        search = described_class.new(user, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet]
+      end
+
+      it 'returns public, internal snippets and project private snippets for project members' do
+        member = create(:user)
+        project.team << [member, :developer]
+        search = described_class.new(member, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
+      end
+
+      it 'returns public, internal and private snippets where user is the author' do
+        search = described_class.new(author, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet]
+      end
+
+      it 'returns all snippets when user is admin' do
+        admin = create(:admin)
+        search = described_class.new(admin, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
+      end
+    end
+  end
+end