diff options
Diffstat (limited to 'spec/requests/api/maven_packages_spec.rb')
-rw-r--r-- | spec/requests/api/maven_packages_spec.rb | 58 |
1 files changed, 51 insertions, 7 deletions
diff --git a/spec/requests/api/maven_packages_spec.rb b/spec/requests/api/maven_packages_spec.rb index 578a4821b5e..2110e4a077d 100644 --- a/spec/requests/api/maven_packages_spec.rb +++ b/spec/requests/api/maven_packages_spec.rb @@ -43,7 +43,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do project.add_developer(user) end - shared_examples 'handling groups and subgroups for' do |shared_example_name, visibilities: { public: :redirect }| + shared_examples 'handling groups and subgroups for' do |shared_example_name, shared_example_args = {}, visibilities: { public: :redirect }| context 'within a group' do visibilities.each do |visibility, not_found_response| context "that is #{visibility}" do @@ -51,7 +51,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do group.update!(visibility_level: Gitlab::VisibilityLevel.level_value(visibility.to_s)) end - it_behaves_like shared_example_name, not_found_response + it_behaves_like shared_example_name, not_found_response, shared_example_args end end end @@ -70,7 +70,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do group.update!(visibility_level: Gitlab::VisibilityLevel.level_value(visibility.to_s)) end - it_behaves_like shared_example_name, not_found_response + it_behaves_like shared_example_name, not_found_response, shared_example_args end end end @@ -621,7 +621,15 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do it_behaves_like 'rejecting request with invalid params' - it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { internal: :unauthorized, public: :redirect } + it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { internal: :unauthorized, public: :unauthorized } + + context 'when the FF maven_remove_permissions_check_from_finder disabled' do + before do + stub_feature_flags(maven_remove_permissions_check_from_finder: false) + end + + it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { internal: :unauthorized, public: :redirect } + end end context 'private project' do @@ -631,7 +639,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do subject { download_file_with_token(file_name: package_file.file_name) } - shared_examples 'getting a file for a group' do |not_found_response| + shared_examples 'getting a file for a group' do |not_found_response, download_denied_status: :forbidden| it_behaves_like 'tracking the file download event' it_behaves_like 'bumping the package last downloaded at field' it_behaves_like 'successfully returning the file' @@ -641,7 +649,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do subject - expect(response).to have_gitlab_http_status(:redirect) + expect(response).to have_gitlab_http_status(download_denied_status) end it 'denies download when no private token' do @@ -682,7 +690,43 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do end end - it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { private: :unauthorized, internal: :unauthorized, public: :redirect } + context 'with the duplicate packages in the two projects' do + let_it_be(:recent_project) { create(:project, :private, namespace: group) } + + let!(:package_dup) { create(:maven_package, project: recent_project, name: package.name, version: package.version) } + + before do + group.add_guest(user) + project.add_developer(user) + end + + context 'when user does not have enough permission for the recent project' do + it 'tries to download the recent package' do + subject + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'when the FF maven_remove_permissions_check_from_finder disabled' do + before do + stub_feature_flags(maven_remove_permissions_check_from_finder: false) + end + + it_behaves_like 'bumping the package last downloaded at field' + it_behaves_like 'successfully returning the file' + end + end + + it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { private: :unauthorized, internal: :unauthorized, public: :unauthorized } + + context 'when the FF maven_remove_permissions_check_from_finder disabled' do + before do + stub_feature_flags(maven_remove_permissions_check_from_finder: false) + end + + it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', { download_denied_status: :redirect }, visibilities: { private: :unauthorized, internal: :unauthorized, public: :redirect } + end context 'with a reporter from a subgroup accessing the root group' do let_it_be(:root_group) { create(:group, :private) } |