author | Nick Thomas <nick@gitlab.com> | 2019-11-19 19:17:35 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-11-25 14:48:47 +0300 |
commit | 644d125b9adeb20c0a7dfcd3dee2db7b7c1b6f2e (patch) | |
tree | ee8997f3669991d2cacd672bcc01621d464cddcc /spec | |
parent | 4c442bdda212490c660a4c0acd82d03f60d72dc9 (diff) |
Check permissions before showing a forked project's source
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/projects_spec.rb | 4 | ||||
-rw-r--r-- | spec/requests/api/projects_spec.rb | 36 | ||||
-rw-r--r-- | spec/views/projects/_home_panel.html.haml_spec.rb | 34 | ||||
-rw-r--r-- | spec/views/projects/edit.html.haml_spec.rb | 56 |
4 files changed, 128 insertions, 2 deletions
diff --git a/spec/features/projects_spec.rb b/spec/features/projects_spec.rb index 90e48f3c230..47f32e0113c 100644 --- a/spec/features/projects_spec.rb +++ b/spec/features/projects_spec.rb @@ -202,13 +202,13 @@ describe 'Project' do expect(page).not_to have_content('Forked from') end - it 'shows the name of the deleted project when the source was deleted', :sidekiq_might_not_need_inline do + it 'does not show the name of the deleted project when the source was deleted', :sidekiq_might_not_need_inline do forked_project Projects::DestroyService.new(base_project, base_project.owner).execute visit project_path(forked_project) - expect(page).to have_content("Forked from #{base_project.full_name} (deleted)") + expect(page).to have_content('Forked from an inaccessible project') end context 'a fork of a fork' do diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index f1447536e0f..cda2dd7d2f4 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -49,6 +49,8 @@ shared_examples 'languages and percentages JSON response' do end describe API::Projects do + include ProjectForksHelper + let(:user) { create(:user) } let(:user2) { create(:user) } let(:user3) { create(:user) } @@ -1163,6 +1165,18 @@ describe API::Projects do expect(json_response.keys).not_to include('permissions') end + context 'the project is a public fork' do + it 'hides details of a public fork parent' do + public_project = create(:project, :repository, :public) + fork = fork_project(public_project) + + get api("/projects/#{fork.id}") + + expect(response).to have_gitlab_http_status(200) + expect(json_response['forked_from_project']).to be_nil + end + end + context 'and the project has a private repository' do let(:project) { create(:project, :repository, :public, :repository_private) } let(:protected_attributes) { %w(default_branch ci_config_path) } 
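Review bot: The renamed example 'does not show the name of the deleted project when the source was deleted' only asserts that the placeholder text is rendered and never asserts that the deleted source's name is absent, so a page that printed both strings would still pass. Add the negative assertion the title promises, `expect(page).not_to have_content(base_project.full_name)`, after the existing expectation; `base_project` is still an in-memory object after `Projects::DestroyService` runs, so its `full_name` is available. With only the positive check this example does not actually guard against the disclosure the commit is fixing.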
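Review bot: The 'hides details of a public fork parent' example expects `forked_from_project` to be nil for what appears to be an unauthenticated request (`get api("/projects/#{fork.id}")` carries no user, and the surrounding `not_to include('permissions')` context line belongs to the unauthenticated flow) on a fork of a `:public` source. A public source is readable without a session, so hiding it here is stricter than the read-permission check the commit title describes; if the entity deliberately drops the parent whenever there is no current user, the example name should say so ('hides the fork parent from anonymous requests'), and if it does not, the expectation should be `expect(json_response['forked_from_project']).to include('id' => public_project.id)`. Either way the contrast with the authenticated 'shows details of a visible fork parent' example deserves a one-line comment explaining which rule is being pinned.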
@@ -1479,6 +1493,28 @@ describe API::Projects do end end + context 'the project is a fork' do + it 'shows details of a visible fork parent' do + fork = fork_project(project, user) + + get api("/projects/#{fork.id}", user) + + expect(response).to have_gitlab_http_status(200) + expect(json_response['forked_from_project']).to include('id' => project.id) + end + + it 'hides details of a hidden fork parent' do + fork = fork_project(project, user) + fork_user = create(:user) + fork.team.add_developer(fork_user) + + get api("/projects/#{fork.id}", fork_user) + + expect(response).to have_gitlab_http_status(200) + expect(json_response['forked_from_project']).to be_nil + end + end + describe 'permissions' do context 'all projects' do before do diff --git a/spec/views/projects/_home_panel.html.haml_spec.rb b/spec/views/projects/_home_panel.html.haml_spec.rb index 4d5b369e88e..9956144b601 100644 --- a/spec/views/projects/_home_panel.html.haml_spec.rb +++ b/spec/views/projects/_home_panel.html.haml_spec.rb @@ -3,6 +3,8 @@ require 'spec_helper' describe 'projects/_home_panel' do + include ProjectForksHelper + context 'notifications' do let(:project) { create(:project) } 
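Review bot: The 'hides details of a hidden fork parent' example never states why `fork_user` cannot read `project`; that precondition is inherited from the file-level `let(:project)`, which is outside this hunk, so a later change to that fixture's visibility would quietly turn this into a test that proves nothing about the permission check. Make the premise explicit inside the example, e.g. `expect(Ability.allowed?(fork_user, :read_project, project)).to be(false)` before the request, or build the source locally as `create(:project, :repository, :private)` and fork that instead. The example should also keep `fork_user` as a developer on the fork only, as it does now, since that is exactly the caller the fix is meant to protect against.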
@@ -144,4 +146,36 @@ describe 'projects/_home_panel' do end end end + + context 'forks' do + let(:source_project) { create(:project, :repository) } + let(:project) { fork_project(source_project) } + let(:user) { create(:user) } + + before do + assign(:project, project) + + allow(view).to receive(:current_user).and_return(user) + end + + context 'user can read fork source' do + it 'shows the forked-from project' do + allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(true) + + render + + expect(rendered).to have_content("Forked from #{source_project.full_name}") + end + end + + context 'user cannot read fork source' do + it 'does not show the forked-from project' do + allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(false) + + render + + expect(rendered).to have_content("Forked from an inaccessible project") + end + end + end end diff --git a/spec/views/projects/edit.html.haml_spec.rb b/spec/views/projects/edit.html.haml_spec.rb index f576093ab45..40927a22dc4 100644 --- a/spec/views/projects/edit.html.haml_spec.rb +++ b/spec/views/projects/edit.html.haml_spec.rb @@ -4,6 +4,7 @@ require 'spec_helper' describe 'projects/edit' do include Devise::Test::ControllerHelpers + include ProjectForksHelper let(:project) { create(:project) } let(:user) { create(:admin) } 
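Review bot: In the 'user cannot read fork source' example the only assertion is that the placeholder text appears; nothing checks that `source_project.full_name` is absent, so a panel that rendered the placeholder and still linked to the source would pass. Add `expect(rendered).not_to have_content(source_project.full_name)` as the edit-view spec in this same commit already does, and because `have_content` only inspects visible text, consider `expect(rendered).not_to include(source_project.full_path)` as well so a leftover `href` to the source is caught. Note that `allow(view).to receive(:can?).with(user, :read_project, source_project)` constrains the stub to those exact arguments, so any other `can?` call the partial makes is rejected by rspec-mocks rather than falling through; a default `allow(view).to receive(:can?).and_return(false)` first keeps the example robust if the partial grows another ability check.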
@@ -26,4 +27,59 @@ describe 'projects/edit' do expect(rendered).not_to have_content('Export project') end end + + context 'forking' do + before do + assign(:project, project) + + allow(view).to receive(:current_user).and_return(user) + end + + context 'project is not a fork' do + it 'hides the remove fork relationship settings' do + render + + expect(rendered).not_to have_content('Remove fork relationship') + end + end + + context 'project is a fork' do + let(:source_project) { create(:project) } + let(:project) { fork_project(source_project) } + + it 'shows the remove fork relationship settings to an authorized user' do + allow(view).to receive(:can?).with(user, :remove_fork_project, project).and_return(true) + + render + + expect(rendered).to have_content('Remove fork relationship') + end + + it 'hides the fork relationship settings from an unauthorized user' do + allow(view).to receive(:can?).with(user, :remove_fork_project, project).and_return(false) + + render + + expect(rendered).not_to have_content('Remove fork relationship') + end + + it 'hides the fork source from an unauthorized user' do + allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(false) + + render + + expect(rendered).to have_content('Remove fork relationship') + expect(rendered).not_to have_content(source_project.full_name) + end + + it 'shows the fork source to an authorized user' do + allow(view).to receive(:can?).with(user, :read_project, source_project).and_return(true) + + render + + expect(rendered).to have_content('Remove fork relationship') + expect(rendered).to have_content(source_project.full_name) + end + end + end end |
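Review bot: The 'hides the fork source from an unauthorized user' and 'shows the fork source to an authorized user' examples stub `can?` only for `:read_project` yet expect 'Remove fork relationship' to render; the two examples above them show that section is decided by `can?(user, :remove_fork_project, project)`, and a `with`-constrained `allow` rejects calls with other arguments instead of falling through to the real ability check. Stub both abilities in those examples, e.g. `allow(view).to receive(:can?).with(user, :remove_fork_project, project).and_return(true)` alongside the `:read_project` stub, so the outcome does not depend on stub fall-through or on `user` being `create(:admin)`. Using a plain `create(:user)` for this context would also make the 'unauthorized' wording literally true rather than a property of the stub alone.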