1 files changed, 24 insertions, 2 deletions

diff --git a/spec/requests/api/badges_spec.rb b/spec/requests/api/badges_spec.rb
index 99d224cb8e9..d8a345a79b0 100644
--- a/spec/requests/api/badges_spec.rb
+++ b/spec/requests/api/badges_spec.rb
@@ -332,10 +332,32 @@ RSpec.describe API::Badges do
 
   context 'when deleting a badge' do
     context 'and the source is a project' do
+      let(:badge) { project.group.badges.first }
+
       it 'cannot delete badges owned by the project group' do
-        delete api("/projects/#{project.id}/badges/#{project_group.badges.first.id}", maintainer)
+        expect do
+          delete api("/projects/#{project.id}/badges/#{badge.id}", maintainer)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end.not_to change { badge.reload.persisted? }
+      end
+    end
+  end
+
+  context 'when updating a badge' do
+    context 'and the source is a project' do
+      let(:badge) { project.group.badges.first }
+      let(:example_name) { 'BadgeName' }
+      let(:example_url) { 'http://www.example.com' }
+      let(:example_url2) { 'http://www.example1.com' }
+
+      it 'cannot update badges owned by the project group' do
+        expect do
+          put api("/projects/#{project.id}/badges/#{badge.id}", maintainer),
+            params: { name: example_name, link_url: example_url, image_url: example_url2 }
 
-        expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end.not_to change { badge.reload.updated_at }
       end
     end
   end