Project guests no longer are able to see refs page

Adds download_code authorization check to ProjectsController#refs action, to prevent a project guest from seeing branch, tags and commits information
author: Tiago Botelho <tiagonbotelho@hotmail.com> 2018-12-10 16:58:34 +0300
committer: Tiago Botelho <tiagonbotelho@hotmail.com> 2018-12-19 13:21:02 +0300
commit: 8772bdabb2f48e9868971d8349f6e36985bffec0 (patch)
tree: 2de07720b461ed2bd03b5cd201a7b63739ddf779 /spec
parent: ffef28ccd6d37ade2c3ee3ca46679749f9cf09aa (diff)
1 files changed, 20 insertions, 4 deletions
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index ea067a01295..4747d837273 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -621,10 +621,10 @@ describe ProjectsController do
   end
 
   describe "GET refs" do
-    let(:public_project) { create(:project, :public, :repository) }
+    let(:project) { create(:project, :public, :repository) }
 
     it 'gets a list of branches and tags' do
-      get :refs, params: { namespace_id: public_project.namespace, id: public_project, sort: 'updated_desc' }
+      get :refs, params: { namespace_id: project.namespace, id: project, sort: 'updated_desc' }
 
       parsed_body = JSON.parse(response.body)
       expect(parsed_body['Branches']).to include('master')
@@ -634,7 +634,7 @@ describe ProjectsController do
     end
 
     it "gets a list of branches, tags and commits" do
-      get :refs, params: { namespace_id: public_project.namespace, id: public_project, ref: "123456" }
+      get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }
 
       parsed_body = JSON.parse(response.body)
       expect(parsed_body["Branches"]).to include("master")
@@ -649,7 +649,7 @@ describe ProjectsController do
       end
 
       it "gets a list of branches, tags and commits" do
-        get :refs, params: { namespace_id: public_project.namespace, id: public_project, ref: "123456" }
+        get :refs, params: { namespace_id: project.namespace, id: project, ref: "123456" }
 
         parsed_body = JSON.parse(response.body)
         expect(parsed_body["Branches"]).to include("master")
@@ -657,6 +657,22 @@ describe ProjectsController do
         expect(parsed_body["Commits"]).to include("123456")
       end
     end
+
+    context 'when private project' do
+      let(:project) { create(:project, :repository) }
+
+      context 'as a guest' do
+        it 'renders forbidden' do
+          user = create(:user)
+          project.add_guest(user)
+
+          sign_in(user)
+          get :refs, namespace_id: project.namespace, id: project
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+    end
   end
 
   describe 'POST #preview_markdown' do
author	Tiago Botelho <tiagonbotelho@hotmail.com>	2018-12-10 16:58:34 +0300
committer	Tiago Botelho <tiagonbotelho@hotmail.com>	2018-12-19 13:21:02 +0300
commit	8772bdabb2f48e9868971d8349f6e36985bffec0 (patch)
tree	2de07720b461ed2bd03b5cd201a7b63739ddf779 /spec
parent	ffef28ccd6d37ade2c3ee3ca46679749f9cf09aa (diff)