Merge branch 'ce-revert-d5ce84fd' into 'master'

Revert "Merge branch 'revert-82d7b5a0-ce' into 'master'" Closes #57857 and #50747 See merge request gitlab-org/gitlab-ce!25559
author: Lin Jen-Shin <godfat@godfat.org> 2019-02-26 19:02:28 +0300
committer: Lin Jen-Shin <godfat@godfat.org> 2019-02-26 19:02:28 +0300
commit: 13c723f1dd99a6488df0efc89f46cdae1e57126d (patch)
tree: 55d0bb4af6cd99695cc8a5f03d011d027475f7c4 /spec
parent: f26cd63b0f7e9acc29a72d81ad2ed327ac93b816 (diff)
parent: f49aeacdd0b20cc270423409efaf82b26ced4836 (diff)
10 files changed, 117 insertions, 7 deletions
diff --git a/spec/controllers/concerns/issuable_collections_spec.rb b/spec/controllers/concerns/issuable_collections_spec.rb
index 307c5d60c57..8580900215c 100644
--- a/spec/controllers/concerns/issuable_collections_spec.rb
+++ b/spec/controllers/concerns/issuable_collections_spec.rb
@@ -112,7 +112,8 @@ describe IssuableCollections do
         assignee_username: 'user1',
         author_id: '2',
         author_username: 'user2',
-        authorized_only: 'true',
+        authorized_only: 'yes',
+        confidential: true,
         due_date: '2017-01-01',
         group_id: '3',
         iids: '4',
@@ -140,6 +141,7 @@ describe IssuableCollections do
         'assignee_username' => 'user1',
         'author_id' => '2',
         'author_username' => 'user2',
+        'confidential' => true,
         'label_name' => 'foo',
         'milestone_title' => 'bar',
         'my_reaction_emoji' => 'thumbsup',
diff --git a/spec/features/issues/filtered_search/dropdown_hint_spec.rb b/spec/features/issues/filtered_search/dropdown_hint_spec.rb
index 0e296ab2109..096756f19cc 100644
--- a/spec/features/issues/filtered_search/dropdown_hint_spec.rb
+++ b/spec/features/issues/filtered_search/dropdown_hint_spec.rb
@@ -66,7 +66,7 @@ describe 'Dropdown hint', :js do
       it 'filters with text' do
         filtered_search.set('a')
 
-        expect(find(js_dropdown_hint)).to have_selector('.filter-dropdown .filter-dropdown-item', count: 4)
+        expect(find(js_dropdown_hint)).to have_selector('.filter-dropdown .filter-dropdown-item', count: 5)
       end
     end
 
@@ -119,6 +119,15 @@ describe 'Dropdown hint', :js do
         expect_tokens([{ name: 'my-reaction' }])
         expect_filtered_search_input_empty
       end
+
+      it 'opens the yes-no dropdown when you click on confidential' do
+        click_hint('confidential')
+
+        expect(page).to have_css(js_dropdown_hint, visible: false)
+        expect(page).to have_css('#js-dropdown-confidential', visible: true)
+        expect_tokens([{ name: 'confidential' }])
+        expect_filtered_search_input_empty
+      end
     end
 
     describe 'selecting from dropdown with some input' do
diff --git a/spec/features/issues/filtered_search/search_bar_spec.rb b/spec/features/issues/filtered_search/search_bar_spec.rb
index 891ef884682..da23aea1fc9 100644
--- a/spec/features/issues/filtered_search/search_bar_spec.rb
+++ b/spec/features/issues/filtered_search/search_bar_spec.rb
@@ -100,7 +100,7 @@ describe 'Search bar', :js do
       find('.filtered-search-box .clear-search').click
       filtered_search.click
 
-      expect(find('#js-dropdown-hint')).to have_selector('.filter-dropdown .filter-dropdown-item', count: 5)
+      expect(find('#js-dropdown-hint')).to have_selector('.filter-dropdown .filter-dropdown-item', count: 6)
       expect(get_left_style(find('#js-dropdown-hint')['style'])).to eq(hint_offset)
     end
   end
diff --git a/spec/features/issues/gfm_autocomplete_spec.rb b/spec/features/issues/gfm_autocomplete_spec.rb
index c22ad0d20ef..986f3823275 100644
--- a/spec/features/issues/gfm_autocomplete_spec.rb
+++ b/spec/features/issues/gfm_autocomplete_spec.rb
@@ -278,7 +278,7 @@ describe 'GFM autocomplete', :js do
     end
   end
 
-  # This context has jsut one example in each contexts in order to improve spec performance.
+  # This context has just one example in each contexts in order to improve spec performance.
   context 'labels', :quarantine do
     let!(:backend)          { create(:label, project: project, title: 'backend') }
     let!(:bug)              { create(:label, project: project, title: 'bug') }
diff --git a/spec/features/projects/blobs/edit_spec.rb b/spec/features/projects/blobs/edit_spec.rb
index 6e6c299ee2e..1522a3361a1 100644
--- a/spec/features/projects/blobs/edit_spec.rb
+++ b/spec/features/projects/blobs/edit_spec.rb
@@ -77,7 +77,7 @@ describe 'Editing file blob', :js do
         click_link 'Preview'
         wait_for_requests
 
-        # the above generates two seperate lists (not embedded) in CommonMark
+        # the above generates two separate lists (not embedded) in CommonMark
         expect(page).to have_content("sublist")
         expect(page).not_to have_xpath("//ol//li//ul")
       end
diff --git a/spec/features/projects/wiki/markdown_preview_spec.rb b/spec/features/projects/wiki/markdown_preview_spec.rb
index 49244c53a91..49058d1372a 100644
--- a/spec/features/projects/wiki/markdown_preview_spec.rb
+++ b/spec/features/projects/wiki/markdown_preview_spec.rb
@@ -170,7 +170,7 @@ describe 'Projects > Wiki > User previews markdown changes', :js do
         fill_in :wiki_content, with: "1. one\n  - sublist\n"
         click_on "Preview"
 
-        # the above generates two seperate lists (not embedded) in CommonMark
+        # the above generates two separate lists (not embedded) in CommonMark
         expect(page).to have_content("sublist")
         expect(page).not_to have_xpath("//ol//li//ul")
       end
diff --git a/spec/finders/issues_finder_spec.rb b/spec/finders/issues_finder_spec.rb
index fe8000e419b..47e2548c3d6 100644
--- a/spec/finders/issues_finder_spec.rb
+++ b/spec/finders/issues_finder_spec.rb
@@ -490,6 +490,32 @@ describe IssuesFinder do
         end
       end
 
+      context 'filtering by confidential' do
+        set(:confidential_issue) { create(:issue, project: project1, confidential: true) }
+
+        context 'no filtering' do
+          it 'returns all issues' do
+            expect(issues).to contain_exactly(issue1, issue2, issue3, issue4, confidential_issue)
+          end
+        end
+
+        context 'user filters confidential issues' do
+          let(:params) { { confidential: true } }
+
+          it 'returns only confdential issues' do
+            expect(issues).to contain_exactly(confidential_issue)
+          end
+        end
+
+        context 'user filters only public issues' do
+          let(:params) { { confidential: false } }
+
+          it 'returns only confdential issues' do
+            expect(issues).to contain_exactly(issue1, issue2, issue3, issue4)
+          end
+        end
+      end
+
       context 'when the user is unauthorized' do
         let(:search_user) { nil }
 
@@ -556,7 +582,7 @@ describe IssuesFinder do
     it 'returns the number of rows for the default state' do
       finder = described_class.new(user)
 
-      expect(finder.row_count).to eq(4)
+      expect(finder.row_count).to eq(5)
     end
 
     it 'returns the number of rows for a given state' do
diff --git a/spec/models/issue_spec.rb b/spec/models/issue_spec.rb
index 5d18e085a6f..6101df2e099 100644
--- a/spec/models/issue_spec.rb
+++ b/spec/models/issue_spec.rb
@@ -765,6 +765,15 @@ describe Issue do
     end
   end
 
+  describe '.confidential_only' do
+    it 'only returns confidential_only issues' do
+      create(:issue)
+      confidential_issue = create(:issue, confidential: true)
+
+      expect(described_class.confidential_only).to eq([confidential_issue])
+    end
+  end
+
   it_behaves_like 'throttled touch' do
     subject { create(:issue, updated_at: 1.hour.ago) }
   end
diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb
index d10ee6cc320..1a4be2bd30f 100644
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@@ -183,6 +183,18 @@ describe API::Issues do
         expect_paginated_array_response([issue.id, confidential_issue.id, closed_issue.id])
       end
 
+      it 'returns only confidential issues' do
+        get api('/issues', user), params: { confidential: true, scope: 'all' }
+
+        expect_paginated_array_response(confidential_issue.id)
+      end
+
+      it 'returns only public issues' do
+        get api('/issues', user), params: { confidential: false }
+
+        expect_paginated_array_response([issue.id, closed_issue.id])
+      end
+
       it 'returns issues reacted by the authenticated user' do
         issue2 = create(:issue, project: project, author: user, assignees: [user])
         create(:award_emoji, awardable: issue2, user: user2, name: 'star')
@@ -557,6 +569,18 @@ describe API::Issues do
         expect_paginated_array_response([group_confidential_issue.id, group_issue.id])
       end
 
+      it 'returns only confidential issues' do
+        get api(base_url, user), params: { confidential: true }
+
+        expect_paginated_array_response(group_confidential_issue.id)
+      end
+
+      it 'returns only public issues' do
+        get api(base_url, user), params: { confidential: false }
+
+        expect_paginated_array_response([group_closed_issue.id, group_issue.id])
+      end
+
       it 'returns an array of labeled group issues' do
         get api(base_url, user), params: { labels: group_label.title }
 
@@ -782,6 +806,18 @@ describe API::Issues do
       expect_paginated_array_response([issue.id, confidential_issue.id, closed_issue.id])
     end
 
+    it 'returns only confidential issues' do
+      get api("#{base_url}/issues", author), params: { confidential: true }
+
+      expect_paginated_array_response(confidential_issue.id)
+    end
+
+    it 'returns only public issues' do
+      get api("#{base_url}/issues", author), params: { confidential: false }
+
+      expect_paginated_array_response([issue.id, closed_issue.id])
+    end
+
     it 'returns project confidential issues for assignee' do
       get api("#{base_url}/issues", assignee)
 
diff --git a/spec/requests/api/project_templates_spec.rb b/spec/requests/api/project_templates_spec.rb
index ab5d4de7ff7..80e5033dab4 100644
--- a/spec/requests/api/project_templates_spec.rb
+++ b/spec/requests/api/project_templates_spec.rb
@@ -92,6 +92,22 @@ describe API::ProjectTemplates do
       expect(json_response['name']).to eq('Actionscript')
     end
 
+    it 'returns C++ gitignore' do
+      get api("/projects/#{public_project.id}/templates/gitignores/C++")
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(response).to match_response_schema('public_api/v4/template')
+      expect(json_response['name']).to eq('C++')
+    end
+
+    it 'returns C++ gitignore for URL-encoded names' do
+      get api("/projects/#{public_project.id}/templates/gitignores/C%2B%2B")
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(response).to match_response_schema('public_api/v4/template')
+      expect(json_response['name']).to eq('C++')
+    end
+
     it 'returns a specific gitlab_ci_yml' do
       get api("/projects/#{public_project.id}/templates/gitlab_ci_ymls/Android")
 
@@ -125,6 +141,18 @@ describe API::ProjectTemplates do
       expect(response).to have_gitlab_http_status(200)
       expect(response).to match_response_schema('public_api/v4/license')
     end
+
+    shared_examples 'path traversal attempt' do |template_type|
+      it 'rejects invalid filenames' do
+        get api("/projects/#{public_project.id}/templates/#{template_type}/%2e%2e%2fPython%2ea")
+
+        expect(response).to have_gitlab_http_status(500)
+      end
+    end
+
+    TemplateFinder::VENDORED_TEMPLATES.each do |template_type, _|
+      it_behaves_like 'path traversal attempt', template_type
+    end
   end
 
   describe 'GET /projects/:id/templates/licenses/:key' do
author	Lin Jen-Shin <godfat@godfat.org>	2019-02-26 19:02:28 +0300
committer	Lin Jen-Shin <godfat@godfat.org>	2019-02-26 19:02:28 +0300
commit	13c723f1dd99a6488df0efc89f46cdae1e57126d (patch)
tree	55d0bb4af6cd99695cc8a5f03d011d027475f7c4 /spec
parent	f26cd63b0f7e9acc29a72d81ad2ed327ac93b816 (diff)
parent	f49aeacdd0b20cc270423409efaf82b26ced4836 (diff)