author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-07-24 20:46:41 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-07-24 20:46:41 +0300 |
commit | 31a7d2bcd6e3caffbe1edf5baa9cd2692150d998 (patch) | |
tree | 2f00e8760be2b65c90d3bafaaa3e284088cd8640 /spec | |
parent | 8bc768d86f1fd341a6ee9cc38fecacbff2d63cdd (diff) | |
parent | d42a52aaef0031e5c7ecd70f2efc438b7bb19a56 (diff) |
Merge branch 'security-hide_moved_issue_id-12-0' into '12-0-stable'
Do not show moved issue ids for user not authorized
See merge request gitlab/gitlabhq!3260
Diffstat (limited to 'spec')
-rw-r--r-- | spec/serializers/issue_entity_spec.rb | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/spec/serializers/issue_entity_spec.rb b/spec/serializers/issue_entity_spec.rb
index caa3e41402b..0e05b3c84f4 100644
--- a/spec/serializers/issue_entity_spec.rb
+++ b/spec/serializers/issue_entity_spec.rb
@@ -17,4 +17,37 @@ describe IssueEntity do
 it 'has time estimation attributes' do
 expect(subject).to include(:time_estimate, :total_time_spent, :human_time_estimate, :human_total_time_spent)
 end
+
+ context 'when issue got moved' do
+ let(:public_project) { create(:project, :public) }
+ let(:member) { create(:user) }
+ let(:non_member) { create(:user) }
+ let(:issue) { create(:issue, project: public_project) }
+
+ before do
+ project.add_developer(member)
+ public_project.add_developer(member)
+ Issues::MoveService.new(public_project, member).execute(issue, project)
+ end
+
+ context 'when user cannot read target project' do
+ it 'does not return moved_to_id' do
+ request = double('request', current_user: non_member)
+
+ response = described_class.new(issue, request: request).as_json
+
+ expect(response[:moved_to_id]).to be_nil
+ end
+ end
+
+ context 'when user can read target project' do
+ it 'returns moved moved_to_id' do
+ request = double('request', current_user: member)
+
+ response = described_class.new(issue, request: request).as_json
+
+ expect(response[:moved_to_id]).to eq(issue.moved_to_id)
+ end
+ end
+ end
 end |
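Review bot: The positive example's `expect(response[:moved_to_id]).to eq(issue.moved_to_id)` also passes when both sides are nil, so if the move in the `before` block ever stops setting `moved_to_id` on this `issue` object, both new examples go green without exercising the authorization check; add `expect(issue.moved_to_id).not_to be_nil` ahead of it. The denied path is covered only for a signed-in non-member, and because the source project is public an unauthenticated visitor deserves its own example built with `request = double('request', current_user: nil)`. `project` is defined outside this hunk, so the 'when user cannot read target project' context relies on a visibility that is not stated here; a one-line comment that the target project must not be public would make the precondition explicit. The description 'returns moved moved_to_id' repeats a word.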