1 files changed, 81 insertions, 1 deletions

diff --git a/spec/requests/api/releases_spec.rb b/spec/requests/api/releases_spec.rb
index 81a4fcdbcac..03e0954e5ab 100644
--- a/spec/requests/api/releases_spec.rb
+++ b/spec/requests/api/releases_spec.rb
@@ -463,9 +463,23 @@ RSpec.describe API::Releases do
     end
 
     context 'when specified tag is not found in the project' do
-      it 'cannot find the release entry' do
+      it 'returns 404 for maintater' do
         get api("/projects/#{project.id}/releases/non_exist_tag", maintainer)
 
+        expect(response).to have_gitlab_http_status(:not_found)
+        expect(json_response['message']).to eq('404 Not Found')
+      end
+
+      it 'returns project not found for no user' do
+        get api("/projects/#{project.id}/releases/non_exist_tag", nil)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+        expect(json_response['message']).to eq('404 Project Not Found')
+      end
+
+      it 'returns forbidden for guest' do
+        get api("/projects/#{project.id}/releases/non_existing_tag", guest)
+
         expect(response).to have_gitlab_http_status(:forbidden)
       end
     end
@@ -662,6 +676,28 @@ RSpec.describe API::Releases do
       end.not_to change { Project.find_by_id(project.id).repository.tag_count }
     end
 
+    context 'with protected tag' do
+      context 'when user has access to the protected tag' do
+        let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) }
+
+        it 'accepts the request' do
+          post api("/projects/#{project.id}/releases", developer), params: params
+
+          expect(response).to have_gitlab_http_status(:created)
+        end
+      end
+
+      context 'when user does not have access to the protected tag' do
+        let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) }
+
+        it 'forbids the request' do
+          post api("/projects/#{project.id}/releases", developer), params: params
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
     context 'when user is a reporter' do
       it 'forbids the request' do
         post api("/projects/#{project.id}/releases", reporter), params: params
@@ -1000,6 +1036,28 @@ RSpec.describe API::Releases do
       expect(project.releases.last.released_at).to eq('2015-10-10T05:00:00Z')
     end
 
+    context 'with protected tag' do
+      context 'when user has access to the protected tag' do
+        let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) }
+
+        it 'accepts the request' do
+          put api("/projects/#{project.id}/releases/v0.1", developer), params: params
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+
+      context 'when user does not have access to the protected tag' do
+        let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) }
+
+        it 'forbids the request' do
+          put api("/projects/#{project.id}/releases/v0.1", developer), params: params
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
     context 'when user tries to update sha' do
       let(:params) { { sha: 'xxx' } }
 
@@ -1180,6 +1238,28 @@ RSpec.describe API::Releases do
       expect(response).to match_response_schema('public_api/v4/release')
     end
 
+    context 'with protected tag' do
+      context 'when user has access to the protected tag' do
+        let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) }
+
+        it 'accepts the request' do
+          delete api("/projects/#{project.id}/releases/v0.1", developer)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+
+      context 'when user does not have access to the protected tag' do
+        let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) }
+
+        it 'forbids the request' do
+          delete api("/projects/#{project.id}/releases/v0.1", developer)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
     context 'when there are no corresponding releases' do
       let!(:release) { }