Add latest changes from gitlab-org/gitlab@master

8 files changed, 173 insertions, 8 deletions

diff --git a/spec/controllers/admin/application_settings_controller_spec.rb b/spec/controllers/admin/application_settings_controller_spec.rb
index fa575ba2eae..e2bded3f176 100644
--- a/spec/controllers/admin/application_settings_controller_spec.rb
+++ b/spec/controllers/admin/application_settings_controller_spec.rb
@@ -102,6 +102,13 @@ describe Admin::ApplicationSettingsController do
       expect(ApplicationSetting.current.minimum_password_length).to eq(10)
     end
 
+    it 'updates updating_name_disabled_for_users setting' do
+      put :update, params: { application_setting: { updating_name_disabled_for_users: true } }
+
+      expect(response).to redirect_to(admin_application_settings_path)
+      expect(ApplicationSetting.current.updating_name_disabled_for_users).to eq(true)
+    end
+
     context 'external policy classification settings' do
       let(:settings) do
         {
diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb
index ebdfbe14dec..54ba7a6fb6c 100644
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -257,6 +257,28 @@ describe Admin::UsersController do
   end
 
   describe 'POST update' do
+    context 'updating name' do
+      context 'when the ability to update their name is disabled for users' do
+        before do
+          stub_application_setting(updating_name_disabled_for_users: true)
+        end
+
+        it 'updates the name' do
+          params = {
+            id: user.to_param,
+            user: {
+              name: 'New Name'
+            }
+          }
+
+          put :update, params: params
+
+          expect(response).to redirect_to(admin_user_path(user))
+          expect(user.reload.name).to eq('New Name')
+        end
+      end
+    end
+
     context 'when the password has changed' do
       def update_password(user, password, password_confirmation = nil)
         params = {
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb
index 265f941e146..85b3ba286a1 100644
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -81,6 +81,54 @@ describe ProfilesController, :request_store do
       expect(ldap_user.location).to eq('City, Country')
     end
 
+    context 'updating name' do
+      subject { put :update, params: { user: { name: 'New Name' } } }
+
+      context 'when the ability to update thier name is not disabled for users' do
+        before do
+          stub_application_setting(updating_name_disabled_for_users: false)
+          sign_in(user)
+        end
+
+        it 'updates the name' do
+          subject
+
+          expect(response.status).to eq(302)
+          expect(user.reload.name).to eq('New Name')
+        end
+      end
+
+      context 'when the ability to update their name is disabled for users' do
+        before do
+          stub_application_setting(updating_name_disabled_for_users: true)
+        end
+
+        context 'as a regular user' do
+          it 'does not update the name' do
+            sign_in(user)
+
+            subject
+
+            expect(response.status).to eq(302)
+            expect(user.reload.name).not_to eq('New Name')
+          end
+        end
+
+        context 'as an admin user' do
+          it 'updates the name' do
+            admin = create(:admin)
+
+            sign_in(admin)
+
+            subject
+
+            expect(response.status).to eq(302)
+            expect(admin.reload.name).to eq('New Name')
+          end
+        end
+      end
+    end
+
     it 'allows setting a user status' do
       sign_in(user)
 
diff --git a/spec/features/issues/user_comments_on_issue_spec.rb b/spec/features/issues/user_comments_on_issue_spec.rb
index 829f945c47f..363906b017a 100644
--- a/spec/features/issues/user_comments_on_issue_spec.rb
+++ b/spec/features/issues/user_comments_on_issue_spec.rb
@@ -43,17 +43,17 @@ describe "User comments on issue", :js do
       expect(page.find('pre code').text).to eq code_block_content
     end
 
-    it "renders escaped HTML content in Mermaid" do
+    it "renders HTML content as text in Mermaid" do
       html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
       mermaid_content = "graph LR\n  B-->D(#{html_content});"
-      escaped_content = CGI.escapeHTML(html_content).gsub('=', "&equals;")
       comment = "```mermaid\n#{mermaid_content}\n```"
 
       add_note(comment)
 
       wait_for_requests
 
-      expect(page.find('svg.mermaid')).to have_content escaped_content
+      expect(page.find('svg.mermaid')).to have_content html_content
+      within('svg.mermaid') { expect(page).not_to have_selector('img') }
     end
 
     it 'opens autocomplete menu for quick actions and have `/label` first choice' do
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 9da9d2ce49b..0af58e96c5e 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -48,4 +48,36 @@ describe UserPolicy do
   describe "updating a user" do
     it_behaves_like 'changing a user', :update_user
   end
+
+  describe "updating a user's name" do
+    context 'when the ability to update their name is not disabled for users' do
+      before do
+        stub_application_setting(updating_name_disabled_for_users: false)
+      end
+
+      it_behaves_like 'changing a user', :update_name
+    end
+
+    context 'when the ability to update their name is disabled for users' do
+      before do
+        stub_application_setting(updating_name_disabled_for_users: true)
+      end
+
+      context 'for a regular user' do
+        it { is_expected.not_to be_allowed(:update_name) }
+      end
+
+      context 'for a ghost user' do
+        let(:current_user) { create(:user, :ghost) }
+
+        it { is_expected.not_to be_allowed(:update_name) }
+      end
+
+      context 'for an admin user' do
+        let(:current_user) { create(:admin) }
+
+        it { is_expected.to be_allowed(:update_name) }
+      end
+    end
+  end
 end
diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb
index af86ba86303..ff443fdd27a 100644
--- a/spec/requests/api/settings_spec.rb
+++ b/spec/requests/api/settings_spec.rb
@@ -136,6 +136,14 @@ describe API::Settings, 'Settings' do
       expect(json_response['performance_bar_allowed_group_id']).to eq(group.id)
     end
 
+    it "supports updating_name_disabled_for_users" do
+      put api("/application/settings", admin),
+        params: { updating_name_disabled_for_users: true }
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response['updating_name_disabled_for_users']).to eq(true)
+    end
+
     it "supports legacy performance_bar_enabled" do
       put api("/application/settings", admin),
         params: {
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 0a22a09b8a6..8b9aab33d67 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -645,6 +645,21 @@ describe API::Users do
       expect(response).to have_gitlab_http_status(200)
     end
 
+    context 'updating name' do
+      context 'when the ability to update their name is disabled for users' do
+        before do
+          stub_application_setting(updating_name_disabled_for_users: true)
+        end
+
+        it 'updates the user with new name' do
+          put api("/users/#{user.id}", admin), params: { name: 'New Name' }
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['name']).to eq('New Name')
+        end
+      end
+    end
+
     it "updates user with new bio" do
       put api("/users/#{user.id}", admin), params: { bio: 'new test bio' }
 
diff --git a/spec/services/users/update_service_spec.rb b/spec/services/users/update_service_spec.rb
index 9384287f98a..f3c15011213 100644
--- a/spec/services/users/update_service_spec.rb
+++ b/spec/services/users/update_service_spec.rb
@@ -6,11 +6,44 @@ describe Users::UpdateService do
   let(:user) { create(:user) }
 
   describe '#execute' do
-    it 'updates the name' do
-      result = update_user(user, name: 'New Name')
-
-      expect(result).to eq(status: :success)
-      expect(user.name).to eq('New Name')
+    context 'updating name' do
+      context 'when the ability to update their name is not disabled for users' do
+        before do
+          stub_application_setting(updating_name_disabled_for_users: false)
+        end
+
+        it 'updates the name' do
+          result = update_user(user, name: 'New Name')
+
+          expect(result).to eq(status: :success)
+          expect(user.name).to eq('New Name')
+        end
+      end
+
+      context 'when the ability to update their name is disabled for users' do
+        before do
+          stub_application_setting(updating_name_disabled_for_users: true)
+        end
+
+        context 'executing as a regular user' do
+          it 'does not update the name' do
+            result = update_user(user, name: 'New Name')
+
+            expect(result).to eq(status: :success)
+            expect(user.name).not_to eq('New Name')
+          end
+        end
+
+        context 'executing as an admin user' do
+          it 'updates the name' do
+            admin = create(:admin)
+            result = described_class.new(admin, { user: user, name: 'New Name' }).execute
+
+            expect(result).to eq(status: :success)
+            expect(user.name).to eq('New Name')
+          end
+        end
+      end
     end
 
     it 'updates time preferences' do