Merge branch 'security-refs-available-to-project-guest' into 'master'

[master] Project guests no longer are able to see refs page See merge request gitlab/gitlabhq!2685
author: John Jarvis <jarv@gitlab.com> 2019-01-01 23:38:39 +0300
committer: John Jarvis <jarv@gitlab.com> 2019-01-01 23:38:39 +0300
commit: 0058c97a1b564b7050e17bbf015ca2482f04657f (patch)
tree: 36a5ab5cde0320d2d864c39b210350a8d1fa3471 /spec
parent: e4dabec82a8f375389b9bb52b8fe6b1ac304d74e (diff)
parent: 8772bdabb2f48e9868971d8349f6e36985bffec0 (diff)
1 files changed, 20 insertions, 4 deletions
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index ea067a01295..4747d837273 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -621,10 +621,10 @@ describe ProjectsController do
   end
 
   describe "GET refs" do
-    let(:public_project) { create(:project, :public, :repository) }
+    let(:project) { create(:project, :public, :repository) }
 
     it 'gets a list of branches and tags' do
-      get :refs, params: { namespace_id: public_project.namespace, id: public_project, sort: 'updated_desc' }
+      get :refs, params: { namespace_id: project.namespace, id: project, sort: 'updated_desc' }
 
       parsed_body = JSON.parse(response.body)
       expect(parsed_body['Branches']).to include('master')
@@ -634,7 +634,7 @@ describe ProjectsController do
     end
 
     it "gets a list of branches, tags and commits" do
-      get :refs, params: { namespace_id: public_project.namespace, id: public_project, ref: "123456" }
+      get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }
 
       parsed_body = JSON.parse(response.body)
       expect(parsed_body["Branches"]).to include("master")
@@ -649,7 +649,7 @@ describe ProjectsController do
       end
 
       it "gets a list of branches, tags and commits" do
-        get :refs, params: { namespace_id: public_project.namespace, id: public_project, ref: "123456" }
+        get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }
 
         parsed_body = JSON.parse(response.body)
         expect(parsed_body["Branches"]).to include("master")
@@ -657,6 +657,22 @@ describe ProjectsController do
         expect(parsed_body["Commits"]).to include("123456")
       end
     end
+
+    context 'when private project' do
+      let(:project) { create(:project, :repository) }
+
+      context 'as a guest' do
+        it 'renders forbidden' do
+          user = create(:user)
+          project.add_guest(user)
+
+          sign_in(user)
+          get :refs, namespace_id: project.namespace, id: project
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+    end
   end
 
   describe 'POST #preview_markdown' do
author	John Jarvis <jarv@gitlab.com>	2019-01-01 23:38:39 +0300
committer	John Jarvis <jarv@gitlab.com>	2019-01-01 23:38:39 +0300
commit	0058c97a1b564b7050e17bbf015ca2482f04657f (patch)
tree	36a5ab5cde0320d2d864c39b210350a8d1fa3471 /spec
parent	e4dabec82a8f375389b9bb52b8fe6b1ac304d74e (diff)
parent	8772bdabb2f48e9868971d8349f6e36985bffec0 (diff)