8 files changed, 288 insertions, 107 deletions

diff --git a/spec/requests/api/api_helpers_spec.rb b/spec/requests/api/api_helpers_spec.rb
index 36517ad0f8c..3f34309f419 100644
--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
@@ -153,85 +153,144 @@ describe API::Helpers, api: true do
       end
     end
 
-    it "changes current user to sudo when admin" do
-      set_env(admin, user.id)
-      expect(current_user).to eq(user)
-      set_param(admin, user.id)
-      expect(current_user).to eq(user)
-      set_env(admin, user.username)
-      expect(current_user).to eq(user)
-      set_param(admin, user.username)
-      expect(current_user).to eq(user)
-    end
+    context 'sudo usage' do
+      context 'with admin' do
+        context 'with header' do
+          context 'with id' do
+            it 'changes current_user to sudo' do
+              set_env(admin, user.id)
 
-    it "throws an error when the current user is not an admin and attempting to sudo" do
-      set_env(user, admin.id)
-      expect { current_user }.to raise_error(Exception)
-      set_param(user, admin.id)
-      expect { current_user }.to raise_error(Exception)
-      set_env(user, admin.username)
-      expect { current_user }.to raise_error(Exception)
-      set_param(user, admin.username)
-      expect { current_user }.to raise_error(Exception)
-    end
+              expect(current_user).to eq(user)
+            end
 
-    it "throws an error when the user cannot be found for a given id" do
-      id = user.id + admin.id
-      expect(user.id).not_to eq(id)
-      expect(admin.id).not_to eq(id)
-      set_env(admin, id)
-      expect { current_user }.to raise_error(Exception)
+            it 'handles sudo to oneself' do
+              set_env(admin, admin.id)
 
-      set_param(admin, id)
-      expect { current_user }.to raise_error(Exception)
-    end
+              expect(current_user).to eq(admin)
+            end
 
-    it "throws an error when the user cannot be found for a given username" do
-      username = "#{user.username}#{admin.username}"
-      expect(user.username).not_to eq(username)
-      expect(admin.username).not_to eq(username)
-      set_env(admin, username)
-      expect { current_user }.to raise_error(Exception)
+            it 'throws an error when user cannot be found' do
+              id = user.id + admin.id
+              expect(user.id).not_to eq(id)
+              expect(admin.id).not_to eq(id)
 
-      set_param(admin, username)
-      expect { current_user }.to raise_error(Exception)
-    end
+              set_env(admin, id)
 
-    it "handles sudo's to oneself" do
-      set_env(admin, admin.id)
-      expect(current_user).to eq(admin)
-      set_param(admin, admin.id)
-      expect(current_user).to eq(admin)
-      set_env(admin, admin.username)
-      expect(current_user).to eq(admin)
-      set_param(admin, admin.username)
-      expect(current_user).to eq(admin)
-    end
+              expect { current_user }.to raise_error(Exception)
+            end
+          end
 
-    it "handles multiple sudo's to oneself" do
-      set_env(admin, user.id)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
-      set_env(admin, user.username)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
-
-      set_param(admin, user.id)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
-      set_param(admin, user.username)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
-    end
+          context 'with username' do
+            it 'changes current_user to sudo' do
+              set_env(admin, user.username)
+
+              expect(current_user).to eq(user)
+            end
+
+            it 'handles sudo to oneself' do
+              set_env(admin, admin.username)
+
+              expect(current_user).to eq(admin)
+            end
+
+            it "throws an error when the user cannot be found for a given username" do
+              username = "#{user.username}#{admin.username}"
+              expect(user.username).not_to eq(username)
+              expect(admin.username).not_to eq(username)
+
+              set_env(admin, username)
+
+              expect { current_user }.to raise_error(Exception)
+            end
+          end
+        end
+
+        context 'with param' do
+          context 'with id' do
+            it 'changes current_user to sudo' do
+              set_param(admin, user.id)
+
+              expect(current_user).to eq(user)
+            end
+
+            it 'handles sudo to oneself' do
+              set_param(admin, admin.id)
+
+              expect(current_user).to eq(admin)
+            end
+
+            it 'handles sudo to oneself using string' do
+              set_env(admin, user.id.to_s)
+
+              expect(current_user).to eq(user)
+            end
+
+            it 'throws an error when user cannot be found' do
+              id = user.id + admin.id
+              expect(user.id).not_to eq(id)
+              expect(admin.id).not_to eq(id)
 
-    it "handles multiple sudo's to oneself using string ids" do
-      set_env(admin, user.id.to_s)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
+              set_param(admin, id)
 
-      set_param(admin, user.id.to_s)
-      expect(current_user).to eq(user)
-      expect(current_user).to eq(user)
+              expect { current_user }.to raise_error(Exception)
+            end
+          end
+
+          context 'with username' do
+            it 'changes current_user to sudo' do
+              set_param(admin, user.username)
+
+              expect(current_user).to eq(user)
+            end
+
+            it 'handles sudo to oneself' do
+              set_param(admin, admin.username)
+
+              expect(current_user).to eq(admin)
+            end
+
+            it "throws an error when the user cannot be found for a given username" do
+              username = "#{user.username}#{admin.username}"
+              expect(user.username).not_to eq(username)
+              expect(admin.username).not_to eq(username)
+
+              set_param(admin, username)
+
+              expect { current_user }.to raise_error(Exception)
+            end
+          end
+        end
+      end
+
+      context 'with regular user' do
+        context 'with env' do
+          it 'changes current_user to sudo when admin and user id' do
+            set_env(user, admin.id)
+
+            expect { current_user }.to raise_error(Exception)
+          end
+
+          it 'changes current_user to sudo when admin and user username' do
+            set_env(user, admin.username)
+
+            expect { current_user }.to raise_error(Exception)
+          end
+        end
+
+        context 'with params' do
+          it 'changes current_user to sudo when admin and user id' do
+            set_param(user, admin.id)
+
+            expect { current_user }.to raise_error(Exception)
+          end
+
+          it 'changes current_user to sudo when admin and user username' do
+            set_param(user, admin.username)
+
+            expect { current_user }.to raise_error(Exception)
+          end
+        end
+      end
     end
   end
 
diff --git a/spec/requests/api/builds_spec.rb b/spec/requests/api/builds_spec.rb
index 0ea991b18b8..7be7acebb19 100644
--- a/spec/requests/api/builds_spec.rb
+++ b/spec/requests/api/builds_spec.rb
@@ -5,7 +5,7 @@ describe API::Builds, api: true do
 
   let(:user) { create(:user) }
   let(:api_user) { user }
-  let!(:project) { create(:project, creator_id: user.id) }
+  let!(:project) { create(:project, creator_id: user.id, public_builds: false) }
   let!(:developer) { create(:project_member, :developer, user: user, project: project) }
   let(:reporter) { create(:project_member, :reporter, project: project) }
   let(:guest) { create(:project_member, :guest, project: project) }
diff --git a/spec/requests/api/deploy_keys_spec.rb b/spec/requests/api/deploy_keys_spec.rb
index 5fa7299044e..aabab8e6ae6 100644
--- a/spec/requests/api/deploy_keys_spec.rb
+++ b/spec/requests/api/deploy_keys_spec.rb
@@ -75,7 +75,6 @@ describe API::DeployKeys, api: true  do
       expect(response).to have_http_status(400)
       expect(json_response['message']['key']).to eq([
         'can\'t be blank',
-        'is too short (minimum is 0 characters)',
         'is invalid'
       ])
     end
@@ -85,8 +84,7 @@ describe API::DeployKeys, api: true  do
 
       expect(response).to have_http_status(400)
       expect(json_response['message']['title']).to eq([
-        'can\'t be blank',
-        'is too short (minimum is 0 characters)'
+        'can\'t be blank'
       ])
     end
 
diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb
index 5700f800c2e..5c80dd98dc7 100644
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@@ -72,13 +72,6 @@ describe API::Issues, api: true  do
         expect(json_response.last).to have_key('web_url')
       end
 
-      it "adds pagination headers and keep query params" do
-        get api("/issues?state=closed&per_page=3", user)
-        expect(response.headers['Link']).to eq(
-          '<http://www.example.com/api/v3/issues?page=1&per_page=3&private_token=%s&state=closed>; rel="first", <http://www.example.com/api/v3/issues?page=1&per_page=3&private_token=%s&state=closed>; rel="last"' % [user.private_token, user.private_token]
-        )
-      end
-
       it 'returns an array of closed issues' do
         get api('/issues?state=closed', user)
         expect(response).to have_http_status(200)
@@ -649,9 +642,8 @@ describe API::Issues, api: true  do
       post api("/projects/#{project.id}/issues", user),
         title: 'new issue', confidential: 'foo'
 
-      expect(response).to have_http_status(201)
-      expect(json_response['title']).to eq('new issue')
-      expect(json_response['confidential']).to be_falsy
+      expect(response).to have_http_status(400)
+      expect(json_response['error']).to eq('confidential is invalid')
     end
 
     it "sends notifications for subscribers of newly added labels" do
@@ -692,6 +684,32 @@ describe API::Issues, api: true  do
       ])
     end
 
+    context 'resolving issues in a merge request' do
+      let(:discussion) { Discussion.for_diff_notes([create(:diff_note_on_merge_request)]).first }
+      let(:merge_request) { discussion.noteable }
+      let(:project) { merge_request.source_project }
+      before do
+        project.team << [user, :master]
+        post api("/projects/#{project.id}/issues", user),
+             title: 'New Issue',
+             merge_request_for_resolving_discussions: merge_request.iid
+      end
+
+      it 'creates a new project issue' do
+        expect(response).to have_http_status(:created)
+      end
+
+      it 'resolves the discussions in a merge request' do
+        discussion.first_note.reload
+
+        expect(discussion.resolved?).to be(true)
+      end
+
+      it 'assigns a description to the issue mentioning the merge request' do
+        expect(json_response['description']).to include(merge_request.to_reference)
+      end
+    end
+
     context 'with due date' do
       it 'creates a new project issue' do
         due_date = 2.weeks.from_now.strftime('%Y-%m-%d')
@@ -836,8 +854,8 @@ describe API::Issues, api: true  do
         put api("/projects/#{project.id}/issues/#{confidential_issue.id}", user),
           confidential: 'foo'
 
-        expect(response).to have_http_status(200)
-        expect(json_response['confidential']).to be_truthy
+        expect(response).to have_http_status(400)
+        expect(json_response['error']).to eq('confidential is invalid')
       end
     end
   end
@@ -959,6 +977,14 @@ describe API::Issues, api: true  do
         expect(json_response['state']).to eq 'opened'
       end
     end
+
+    context 'when issue does not exist' do
+      it 'returns 404 when trying to move an issue' do
+        delete api("/projects/#{project.id}/issues/123", user)
+
+        expect(response).to have_http_status(404)
+      end
+    end
   end
 
   describe '/projects/:id/issues/:issue_id/move' do
@@ -1007,6 +1033,7 @@ describe API::Issues, api: true  do
                  to_project_id: target_project.id
 
         expect(response).to have_http_status(404)
+        expect(json_response['message']).to eq('404 Issue Not Found')
       end
     end
 
@@ -1016,6 +1043,7 @@ describe API::Issues, api: true  do
                  to_project_id: target_project.id
 
         expect(response).to have_http_status(404)
+        expect(json_response['message']).to eq('404 Project Not Found')
       end
     end
 
diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index 894896b95e4..75b270aa93c 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -468,7 +468,7 @@ describe API::MergeRequests, api: true  do
       expect(response).to have_http_status(200)
     end
 
-    it "enables merge when build succeeds if the ci is active" do
+    it "enables merge when pipeline succeeds if the pipeline is active" do
       allow_any_instance_of(MergeRequest).to receive(:head_pipeline).and_return(pipeline)
       allow(pipeline).to receive(:active?).and_return(true)
 
diff --git a/spec/requests/api/tags_spec.rb b/spec/requests/api/tags_spec.rb
index 06fa94fae87..a1c32ae65ba 100644
--- a/spec/requests/api/tags_spec.rb
+++ b/spec/requests/api/tags_spec.rb
@@ -15,6 +15,31 @@ describe API::Tags, api: true  do
     let(:tag_name) { project.repository.tag_names.sort.reverse.first }
     let(:description) { 'Awesome release!' }
 
+    shared_examples_for 'repository tags' do
+      it 'returns the repository tags' do
+        get api("/projects/#{project.id}/repository/tags", current_user)
+
+        expect(response).to have_http_status(200)
+
+        first_tag = json_response.first
+
+        expect(first_tag['name']).to eq(tag_name)
+      end
+    end
+
+    context 'when unauthenticated' do
+      it_behaves_like 'repository tags' do
+        let(:project) { create(:project, :public) }
+        let(:current_user) { nil }
+      end
+    end
+
+    context 'when authenticated' do
+      it_behaves_like 'repository tags' do
+        let(:current_user) { user }
+      end
+    end
+
     context 'without releases' do
       it "returns an array of project tags" do
         get api("/projects/#{project.id}/repository/tags", user)
@@ -45,17 +70,33 @@ describe API::Tags, api: true  do
   describe 'GET /projects/:id/repository/tags/:tag_name' do
     let(:tag_name) { project.repository.tag_names.sort.reverse.first }
 
-    it 'returns a specific tag' do
-      get api("/projects/#{project.id}/repository/tags/#{tag_name}", user)
+    shared_examples_for 'repository tag' do
+      it 'returns the repository tag' do
+        get api("/projects/#{project.id}/repository/tags/#{tag_name}", current_user)
+
+        expect(response).to have_http_status(200)
+
+        expect(json_response['name']).to eq(tag_name)
+      end
+
+      it 'returns 404 for an invalid tag name' do
+        get api("/projects/#{project.id}/repository/tags/foobar", current_user)
 
-      expect(response).to have_http_status(200)
-      expect(json_response['name']).to eq(tag_name)
+        expect(response).to have_http_status(404)
+      end
     end
 
-    it 'returns 404 for an invalid tag name' do
-      get api("/projects/#{project.id}/repository/tags/foobar", user)
+    context 'when unauthenticated' do
+      it_behaves_like 'repository tag' do
+        let(:project) { create(:project, :public) }
+        let(:current_user) { nil }
+      end
+    end
 
-      expect(response).to have_http_status(404)
+    context 'when authenticated' do
+      it_behaves_like 'repository tag' do
+        let(:current_user) { user }
+      end
     end
   end
 
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index f82f52e7399..c37dbfa0a33 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -651,20 +651,75 @@ describe API::Users, api: true  do
   end
 
   describe "GET /user" do
-    it "returns current user" do
-      get api("/user", user)
-      expect(response).to have_http_status(200)
-      expect(json_response['email']).to eq(user.email)
-      expect(json_response['is_admin']).to eq(user.is_admin?)
-      expect(json_response['can_create_project']).to eq(user.can_create_project?)
-      expect(json_response['can_create_group']).to eq(user.can_create_group?)
-      expect(json_response['projects_limit']).to eq(user.projects_limit)
-      expect(json_response['private_token']).to be_blank
+    let(:personal_access_token) { create(:personal_access_token, user: user) }
+    let(:private_token) { user.private_token }
+
+    context 'with regular user' do
+      context 'with personal access token' do
+        it 'returns 403 without private token when sudo is defined' do
+          get api("/user?private_token=#{personal_access_token.token}&sudo=#{user.id}")
+
+          expect(response).to have_http_status(403)
+        end
+      end
+
+      context 'with private token' do
+        it 'returns 403 without private token when sudo defined' do
+          get api("/user?private_token=#{private_token}&sudo=#{user.id}")
+
+          expect(response).to have_http_status(403)
+        end
+      end
+
+      it 'returns current user without private token when sudo not defined' do
+        get api("/user", user)
+
+        expect(response).to have_http_status(200)
+        expect(response).to match_response_schema('user/public')
+      end
     end
 
-    it "returns 401 error if user is unauthenticated" do
-      get api("/user")
-      expect(response).to have_http_status(401)
+    context 'with admin' do
+      let(:user) { create(:admin) }
+
+      context 'with personal access token' do
+        it 'returns 403 without private token when sudo defined' do
+          get api("/user?private_token=#{personal_access_token.token}&sudo=#{user.id}")
+
+          expect(response).to have_http_status(403)
+        end
+
+        it 'returns current user without private token when sudo not defined' do
+          get api("/user?private_token=#{personal_access_token.token}")
+
+          expect(response).to have_http_status(200)
+          expect(response).to match_response_schema('user/public')
+        end
+      end
+
+      context 'with private token' do
+        it 'returns current user with private token when sudo defined' do
+          get api("/user?private_token=#{private_token}&sudo=#{user.id}")
+
+          expect(response).to have_http_status(200)
+          expect(response).to match_response_schema('user/login')
+        end
+
+        it 'returns current user without private token when sudo not defined' do
+          get api("/user?private_token=#{private_token}")
+
+          expect(response).to have_http_status(200)
+          expect(response).to match_response_schema('user/public')
+        end
+      end
+    end
+
+    context 'with unauthenticated user' do
+      it "returns 401 error if user is unauthenticated" do
+        get api("/user")
+
+        expect(response).to have_http_status(401)
+      end
     end
   end
 
diff --git a/spec/requests/projects/cycle_analytics_events_spec.rb b/spec/requests/projects/cycle_analytics_events_spec.rb
index f5e0fdcda2d..e0368e6001f 100644
--- a/spec/requests/projects/cycle_analytics_events_spec.rb
+++ b/spec/requests/projects/cycle_analytics_events_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe 'cycle analytics events' do
   let(:user) { create(:user) }
-  let(:project) { create(:project) }
+  let(:project) { create(:project, public_builds: false) }
   let(:issue) {  create(:issue, project: project, created_at: 2.days.ago) }
 
   describe 'GET /:namespace/:project/cycle_analytics/events/issues' do