1 files changed, 65 insertions, 12 deletions

diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index 327dfd0a76b..6b949962e53 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -660,24 +660,24 @@ RSpec.describe API::Groups, feature_category: :groups_and_projects do
         get api("/groups/#{group1.id}", user1)
         expect(response).to have_gitlab_http_status(:ok)
 
-        control_count = ActiveRecord::QueryRecorder.new do
+        control = ActiveRecord::QueryRecorder.new do
           get api("/groups/#{group1.id}", user1)
-        end.count
+        end
 
         create(:project, namespace: group1)
 
         expect do
           get api("/groups/#{group1.id}", user1)
-        end.not_to exceed_query_limit(control_count)
+        end.not_to exceed_query_limit(control)
       end
 
       it 'avoids N+1 queries with shared group links' do
         # setup at least 1 shared group, so that we record the queries that preload the nested associations too.
         create(:group_group_link, shared_group: group1, shared_with_group: create(:group))
 
-        control_count = ActiveRecord::QueryRecorder.new do
+        control = ActiveRecord::QueryRecorder.new do
           get api("/groups/#{group1.id}", user1)
-        end.count
+        end
 
         # setup "n" more shared groups
         create(:group_group_link, shared_group: group1, shared_with_group: create(:group))
@@ -686,7 +686,7 @@ RSpec.describe API::Groups, feature_category: :groups_and_projects do
         # test that no of queries for 1 shared group is same as for n shared groups
         expect do
           get api("/groups/#{group1.id}", user1)
-        end.not_to exceed_query_limit(control_count)
+        end.not_to exceed_query_limit(control)
       end
     end
 
@@ -1364,15 +1364,15 @@ RSpec.describe API::Groups, feature_category: :groups_and_projects do
         get api("/groups/#{group1.id}/projects", user1)
         expect(response).to have_gitlab_http_status(:ok)
 
-        control_count = ActiveRecord::QueryRecorder.new do
+        control = ActiveRecord::QueryRecorder.new do
           get api("/groups/#{group1.id}/projects", user1)
-        end.count
+        end
 
         create(:project, namespace: group1)
 
         expect do
           get api("/groups/#{group1.id}/projects", user1)
-        end.not_to exceed_query_limit(control_count)
+        end.not_to exceed_query_limit(control)
       end
     end
 
@@ -1563,15 +1563,15 @@ RSpec.describe API::Groups, feature_category: :groups_and_projects do
         subject
         expect(response).to have_gitlab_http_status(:ok)
 
-        control_count = ActiveRecord::QueryRecorder.new do
+        control = ActiveRecord::QueryRecorder.new do
           subject
-        end.count
+        end
 
         create(:project_group_link, project: create(:project), group: group1)
 
         expect do
           subject
-        end.not_to exceed_query_limit(control_count)
+        end.not_to exceed_query_limit(control)
       end
     end
 
@@ -1937,6 +1937,59 @@ RSpec.describe API::Groups, feature_category: :groups_and_projects do
       end
     end
 
+    context 'when group is within a provided organization' do
+      let_it_be(:organization) { create(:organization) }
+
+      context 'when user is an organization user' do
+        before_all do
+          create(:organization_user, user: user3, organization: organization)
+        end
+
+        it 'creates group within organization' do
+          post api('/groups', user3), params: attributes_for_group_api(organization_id: organization.id)
+
+          expect(response).to have_gitlab_http_status(:created)
+          expect(json_response['organization_id']).to eq(organization.id)
+        end
+
+        context 'when parent_group is not part of the organization' do
+          it 'does not create the group with not_found' do
+            post(
+              api('/groups', user3),
+              params: attributes_for_group_api(parent_id: group2.id, organization_id: organization.id)
+            )
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
+
+      context 'when organization does not exist' do
+        it 'does not create the group with not_found' do
+          post api('/groups', user3), params: attributes_for_group_api(organization_id: non_existing_record_id)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'when user is not an organization user' do
+        it 'does not create the group' do
+          post api('/groups', user3), params: attributes_for_group_api(organization_id: organization.id)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+
+      context 'when user is an admin' do
+        it 'creates group within organization' do
+          post api('/groups', admin, admin_mode: true), params: attributes_for_group_api(organization_id: organization.id)
+
+          expect(response).to have_gitlab_http_status(:created)
+          expect(json_response['organization_id']).to eq(organization.id)
+        end
+      end
+    end
+
     context "when authenticated as user with group permissions" do
       it "creates group", :aggregate_failures do
         group = attributes_for_group_api request_access_enabled: false