Diffstat (limited to 'spec/requests/api/snippets_spec.rb')
-rw-r--r--spec/requests/api/snippets_spec.rb121
1 files changed, 84 insertions, 37 deletions
diff --git a/spec/requests/api/snippets_spec.rb b/spec/requests/api/snippets_spec.rb
index 4ba2a768e01..0b97bb5c443 100644
--- a/spec/requests/api/snippets_spec.rb
+++ b/spec/requests/api/snippets_spec.rb
@@ -13,7 +13,8 @@ RSpec.describe API::Snippets, :aggregate_failures, factory_default: :keep, featu
let_it_be_with_refind(:private_snippet) { create(:personal_snippet, :repository, :private, author: user) }
let_it_be(:internal_snippet) { create(:personal_snippet, :repository, :internal, author: user) }
- let_it_be(:user_token) { create(:personal_access_token, user: user) }
+ let_it_be(:user_token) { create(:personal_access_token, user: user) }
+ let_it_be(:admin_token) { create(:personal_access_token, :admin_mode, user: admin, scopes: [:sudo, :api]) }
let_it_be(:other_user_token) { create(:personal_access_token, user: other_user) }
let_it_be(:project) do
create_default(:project, :public).tap do |p|
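Review bot: The shared `admin_token` is created with `scopes: [:sudo, :api]`, and the last hunk switches the "when admin" `PUT /snippets/:id` examples from a token scoped to `[:sudo]` alone to this wider token. Those sudo examples therefore no longer show what a sudo-only token is allowed to do, and a later change in scope enforcement could go unnoticed. Consider keeping the narrow token for the sudo context, for example `let_it_be(:sudo_token) { create(:personal_access_token, :admin_mode, user: admin, scopes: [:sudo]) }`, and giving `admin_token` only the scope the new `/snippets/all` examples need.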
@@ -21,9 +22,17 @@ RSpec.describe API::Snippets, :aggregate_failures, factory_default: :keep, featu
end
end
- describe 'GET /snippets/' do
+ shared_examples "returns unauthorized when not authenticated" do
+ it 'returns 401 for non-authenticated' do
+ get api(path)
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+
+ shared_examples "returns filtered snippets for user" do
it 'returns snippets available for user' do
- get api("/snippets/", personal_access_token: user_token)
+ get api(path, personal_access_token: user_token)
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
@@ -38,8 +47,32 @@ RSpec.describe API::Snippets, :aggregate_failures, factory_default: :keep, featu
expect(json_response.last).to have_key('visibility')
end
+ context 'filtering snippets by created_after/created_before' do
+ let_it_be(:private_snippet_before_time_range) { create(:personal_snippet, :repository, :private, author: user, created_at: Time.parse("2021-08-20T00:00:00Z")) }
+ let_it_be(:private_snippet_in_time_range1) { create(:personal_snippet, :repository, :private, author: user, created_at: Time.parse("2021-08-22T00:00:00Z")) }
+ let_it_be(:private_snippet_in_time_range2) { create(:personal_snippet, :repository, :private, author: user, created_at: Time.parse("2021-08-24T00:00:00Z")) }
+ let_it_be(:private_snippet_after_time_range) { create(:personal_snippet, :repository, :private, author: user, created_at: Time.parse("2021-08-26T00:00:00Z")) }
+
+ let(:path) { "/snippets?created_after=2021-08-21T00:00:00Z&created_before=2021-08-25T00:00:00Z" }
+
+ it 'returns snippets available for user in given time range' do
+ get api(path, personal_access_token: user_token)
+
+ expect(json_response.map { |snippet| snippet['id'] }).to contain_exactly(
+ private_snippet_in_time_range1.id,
+ private_snippet_in_time_range2.id)
+ end
+ end
+ end
+
+ describe 'GET /snippets/' do
+ let(:path) { "/snippets" }
+
+ it_behaves_like "returns unauthorized when not authenticated"
+ it_behaves_like "returns filtered snippets for user"
+
it 'hides private snippets from regular user' do
- get api("/snippets/", personal_access_token: other_user_token)
+ get api(path, personal_access_token: other_user_token)
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
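Review bot: The 'filtering snippets by created_after/created_before' context that now lives inside the shared example "returns filtered snippets for user" overrides `path` with a literal `/snippets?...` URL. When the group is included from `GET /snippets/all` in a later hunk, the time-range example still requests `/snippets`, so filtering on `/snippets/all` is never exercised. Deriving the URL from the includer's path would fix this: `let(:path) { "#{super()}?created_after=2021-08-21T00:00:00Z&created_before=2021-08-25T00:00:00Z" }`. The shared example's body starts in the previous hunk.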
@@ -47,39 +80,16 @@ RSpec.describe API::Snippets, :aggregate_failures, factory_default: :keep, featu
expect(json_response.size).to eq(0)
end
- it 'returns 401 for non-authenticated' do
- get api("/snippets/")
-
- expect(response).to have_gitlab_http_status(:unauthorized)
- end
-
it 'does not return snippets related to a project with disable feature visibility' do
public_snippet = create(:project_snippet, :public, author: user, project: project)
project.project_feature.update_attribute(:snippets_access_level, 0)
- get api("/snippets/", personal_access_token: user_token)
+ get api(path, personal_access_token: user_token)
json_response.each do |snippet|
expect(snippet["id"]).not_to eq(public_snippet.id)
end
end
-
- context 'filtering snippets by created_after/created_before' do
- let_it_be(:private_snippet_before_time_range) { create(:personal_snippet, :repository, :private, author: user, created_at: Time.parse("2021-08-20T00:00:00Z")) }
- let_it_be(:private_snippet_in_time_range1) { create(:personal_snippet, :repository, :private, author: user, created_at: Time.parse("2021-08-22T00:00:00Z")) }
- let_it_be(:private_snippet_in_time_range2) { create(:personal_snippet, :repository, :private, author: user, created_at: Time.parse("2021-08-24T00:00:00Z")) }
- let_it_be(:private_snippet_after_time_range) { create(:personal_snippet, :repository, :private, author: user, created_at: Time.parse("2021-08-26T00:00:00Z")) }
-
- let(:path) { "/snippets?created_after=2021-08-21T00:00:00Z&created_before=2021-08-25T00:00:00Z" }
-
- it 'returns snippets available for user in given time range' do
- get api(path, personal_access_token: user_token)
-
- expect(json_response.map { |snippet| snippet['id'] }).to contain_exactly(
- private_snippet_in_time_range1.id,
- private_snippet_in_time_range2.id)
- end
- end
end
describe 'GET /snippets/public' do
@@ -92,6 +102,8 @@ RSpec.describe API::Snippets, :aggregate_failures, factory_default: :keep, featu
let(:path) { "/snippets/public" }
+ it_behaves_like "returns unauthorized when not authenticated"
+
it 'returns only public snippets from all users when authenticated' do
get api(path, personal_access_token: user_token)
@@ -110,12 +122,6 @@ RSpec.describe API::Snippets, :aggregate_failures, factory_default: :keep, featu
end
end
- it 'requires authentication' do
- get api(path, nil)
-
- expect(response).to have_gitlab_http_status(:unauthorized)
- end
-
context 'filtering public snippets by created_after/created_before' do
let_it_be(:public_snippet_before_time_range) { create(:personal_snippet, :repository, :public, author: other_user, created_at: Time.parse("2021-08-20T00:00:00Z")) }
let_it_be(:public_snippet_in_time_range) { create(:personal_snippet, :repository, :public, author: other_user, created_at: Time.parse("2021-08-22T00:00:00Z")) }
@@ -132,6 +138,49 @@ RSpec.describe API::Snippets, :aggregate_failures, factory_default: :keep, featu
end
end
+ describe 'GET /snippets/all' do
+ let(:path) { "/snippets/all" }
+
+ it_behaves_like "returns unauthorized when not authenticated"
+ it_behaves_like "returns filtered snippets for user"
+
+ context 'with additional snippets' do
+ let!(:hidden_snippet) { create(:personal_snippet, :repository, :private, author: other_user) }
+ let!(:viewable_snippet) { create(:personal_snippet, :repository, :internal, author: user) }
+
+ context 'and user is admin', :enable_admin_mode do
+ it 'returns all snippets' do
+ get api(path, personal_access_token: admin_token)
+
+ ids = json_response.map { |snippet| snippet['id'] }
+
+ expect(ids).to contain_exactly(
+ viewable_snippet.id,
+ hidden_snippet.id,
+ internal_snippet.id,
+ private_snippet.id,
+ public_snippet.id
+ )
+ end
+ end
+
+ context 'and user is not admin' do
+ it 'returns all internal and public snippets' do
+ get api(path, personal_access_token: user_token)
+
+ ids = json_response.map { |snippet| snippet['id'] }
+
+ expect(ids).to contain_exactly(
+ viewable_snippet.id,
+ internal_snippet.id,
+ private_snippet.id,
+ public_snippet.id
+ )
+ end
+ end
+ end
+ end
+
describe 'GET /snippets/:id/raw' do
let(:snippet) { private_snippet }
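Review bot: The admin case in `GET /snippets/all` runs only with `:enable_admin_mode`, so nothing shows what an admin gets outside admin mode, which is the boundary that keeps other users' private snippets from being listed. The endpoint implementation is not in this diff, so if it is gated on admin mode, add a context without that metadata that expects `hidden_snippet.id` to be absent from the response. Separately, the non-admin example is titled 'returns all internal and public snippets' but its expectation also includes `private_snippet.id`, the requesting user's own private snippet. A title such as `'returns snippets visible to the user and omits other users private snippets'` would match what is asserted.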
@@ -448,10 +497,8 @@ RSpec.describe API::Snippets, :aggregate_failures, factory_default: :keep, featu
end
context "when admin" do
- let_it_be(:token) { create(:personal_access_token, :admin_mode, user: admin, scopes: [:sudo]) }
-
subject do
- put api("/snippets/#{snippet.id}", personal_access_token: token), params: { visibility: 'private', sudo: user.id }
+ put api("/snippets/#{snippet.id}", personal_access_token: admin_token), params: { visibility: 'private', sudo: user.id }
end
context 'when sudo is defined' do