author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 22:30:00 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 22:30:00 +0300 |
commit | c59bc73c0d9749751192c4282bd7e96ecde371c1 (patch) | |
tree | db76e514cd23bbc5ac6ae4a01fb34b1be3e6f1cf /spec | |
parent | 5b4f92ef7a4e402bb59834dfea7aa1b043b78017 (diff) |
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/controllers/projects/wikis_controller_spec.rb | 38 | ||||
-rw-r--r-- | spec/finders/events_finder_spec.rb | 7 | ||||
-rw-r--r-- | spec/models/merge_request_spec.rb | 38 | ||||
-rw-r--r-- | spec/requests/api/events_spec.rb | 13 |
4 files changed, 60 insertions, 36 deletions
diff --git a/spec/controllers/projects/wikis_controller_spec.rb b/spec/controllers/projects/wikis_controller_spec.rb
index 91ca71d20dc..57a7f1fbe40 100644
--- a/spec/controllers/projects/wikis_controller_spec.rb
+++ b/spec/controllers/projects/wikis_controller_spec.rb
@@ -141,43 +141,19 @@ describe Projects::WikisController do
 context 'when page is a file' do
 include WikiHelpers
- let(:id) { upload_file_to_wiki(project, user, file_name) }
+ where(:file_name) { ['dk.png', 'unsanitized.svg', 'git-cheat-sheet.pdf'] }
- context 'when file is an image' do
- let(:file_name) { 'dk.png' }
+ with_them do
+ let(:id) { upload_file_to_wiki(project, user, file_name) }
- it 'delivers the image' do
+ it 'delivers the file with the correct headers' do
 subject
 expect(response.headers['Content-Disposition']).to match(/^inline/)
- expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
+ expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq('true')
+ expect(response.cache_control[:public]).to be(false)
+ expect(response.cache_control[:extras]).to include('no-store')
 end
-
- context 'when file is a svg' do
- let(:file_name) { 'unsanitized.svg' }
-
- it 'delivers the image' do
- subject
-
- expect(response.headers['Content-Disposition']).to match(/^inline/)
- expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
- end
- end
-
- it_behaves_like 'project cache control headers'
- end
-
- context 'when file is a pdf' do
- let(:file_name) { 'git-cheat-sheet.pdf' }
-
- it 'sets the content type to sets the content response headers' do
- subject
-
- expect(response.headers['Content-Disposition']).to match(/^inline/)
- expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
- end
-
- it_behaves_like 'project cache control headers'
 end
 end
 end
diff --git a/spec/finders/events_finder_spec.rb b/spec/finders/events_finder_spec.rb
index 443e9ab4bc4..224b4289f51 100644
--- a/spec/finders/events_finder_spec.rb
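Review bot: Folding the SVG case into the shared `where` table drops the only hint that `unsanitized.svg` is the security-relevant row; the example now asserts that `Content-Disposition` starts with `inline` for it exactly as for the PNG and the PDF. If an inline disposition is acceptable for SVG only because Workhorse re-detects the content type (which is what the `DETECT_HEADER` assertion suggests), that deserves a comment above the `where` line, for example `# SVG is listed on purpose: Rails answers inline and relies on Workhorse content detection for unsafe types`. The retained matcher `/^inline/` anchors per line rather than at the start of the header value; `/\Ainline/` states the intent more strictly.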
+++ b/spec/finders/events_finder_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
 describe EventsFinder do
 let_it_be(:user) { create(:user) }
+ let(:private_user) { create(:user, private_profile: true) }
 let(:other_user) { create(:user) }
 let(:project1) { create(:project, :private, creator_id: user.id, namespace: user.namespace) }
@@ -57,6 +58,12 @@ describe EventsFinder do
 expect(events).to be_empty
 end
+
+ it 'returns nothing when the target profile is private' do
+ events = described_class.new(source: private_user, current_user: other_user).execute
+
+ expect(events).to be_empty
+ end
 end
 describe 'wiki events feature flag' do
diff --git a/spec/models/merge_request_spec.rb b/spec/models/merge_request_spec.rb
index cbb837c139e..e66437d3035 100644
--- a/spec/models/merge_request_spec.rb
+++ b/spec/models/merge_request_spec.rb
@@ -3458,7 +3458,7 @@ describe MergeRequest do
 describe '#merge_participants' do
 it 'contains author' do
- expect(subject.merge_participants).to eq([subject.author])
+ expect(subject.merge_participants).to contain_exactly(subject.author)
 end
 describe 'when merge_when_pipeline_succeeds? is true' do
@@ -3472,8 +3472,20 @@ describe MergeRequest do
 author: user)
 end
- it 'contains author only' do
- expect(subject.merge_participants).to eq([subject.author])
+ context 'author is not a project member' do
+ it 'is empty' do
+ expect(subject.merge_participants).to be_empty
+ end
+ end
+
+ context 'author is a project member' do
+ before do
+ subject.project.team.add_reporter(user)
+ end
+
+ it 'contains author only' do
+ expect(subject.merge_participants).to contain_exactly(subject.author)
+ end
+ end
 end
 end
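Review bot: The new example 'returns nothing when the target profile is private' can pass without the check it is meant to guard, because nothing in the hunk creates an event for `private_user`; a finder with no private-profile filtering would also return an empty result for a user who has no activity. Unless setup outside the hunk already provides one, give `private_user` an event on a project that `other_user` can read, so that `be_empty` fails when the filter is missing. A companion example with `current_user: private_user` would pin that the profile owner still sees their own events. The `let(:private_user)` added in the first hunk of this file is used only by this example.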
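Review bot: The `#merge_participants` contexts only contrast a reporter with a non-member, so they do not pin which permission the method actually filters on. The interesting boundary is a user with the lowest membership level; an extra context using `subject.project.team.add_guest(user)` with its expected outcome would document whether the rule is "is a member" or "can read this merge request". The hunk at -3486 has the same gap and also never exercises a `merge_user` who is a member while the author is not, because its outer `before` always adds the author. The enclosing `describe` blocks and the project's visibility are set up outside these hunks.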
@@ -3486,8 +3498,24 @@ describe MergeRequest do
 merge_user: merge_user)
 end
- it 'contains author and merge user' do
- expect(subject.merge_participants).to eq([subject.author, merge_user])
+ before do
+ subject.project.team.add_reporter(subject.author)
+ end
+
+ context 'merge user is not a member' do
+ it 'contains author only' do
+ expect(subject.merge_participants).to contain_exactly(subject.author)
+ end
+ end
+
+ context 'both author and merge users are project members' do
+ before do
+ subject.project.team.add_reporter(merge_user)
+ end
+
+ it 'contains author and merge user' do
+ expect(subject.merge_participants).to contain_exactly(subject.author, merge_user)
+ end
+ end
 end
 end
 end
diff --git a/spec/requests/api/events_spec.rb b/spec/requests/api/events_spec.rb
index decdcc66327..dd03a784c96 100644
--- a/spec/requests/api/events_spec.rb
+++ b/spec/requests/api/events_spec.rb
@@ -192,6 +192,19 @@ describe API::Events do
 end
 end
+ context 'when target users profile is private' do
+ it 'returns no events' do
+ user.update!(private_profile: true)
+ private_project.add_developer(non_member)
+
+ get api("/users/#{user.username}/events", non_member)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to include_pagination_headers
+ expect(json_response).to eq([])
+ end
+ end
+
 context 'when scope is passed' do
 context 'when unauthenticated' do
 it 'returns no user events' do |
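Review bot: The 'when target users profile is private' context in the events_spec.rb hunk has no positive control, so an over-broad filter that hides events from everyone would still pass. Adding a second example in the same context that calls `get api("/users/#{user.username}/events", user)` and expects a non-empty `json_response` would catch a regression that hides the owner's own events. An unauthenticated request against the private profile would be a useful third case if the contexts outside the hunk do not already cover it. The description string is also missing an apostrophe and would read better as "when target user's profile is private".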