From 516fba52cf280b9d5bad08dce9f0150f859b6cea Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 30 Sep 2020 22:02:13 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee

---
 spec/services/issues/create_service_spec.rb        |  7 +++
 spec/services/issues/update_service_spec.rb        | 19 ++++++-
 .../services/merge_requests/update_service_spec.rb | 66 +++++++++++++++++++++-
 3 files changed, 88 insertions(+), 4 deletions(-)

(limited to 'spec/services')

diff --git a/spec/services/issues/create_service_spec.rb b/spec/services/issues/create_service_spec.rb
index e09a7faece5..eeac7fb9923 100644
--- a/spec/services/issues/create_service_spec.rb
+++ b/spec/services/issues/create_service_spec.rb
@@ -25,6 +25,7 @@ RSpec.describe Issues::CreateService do
           assignee_ids: [assignee.id],
           label_ids: labels.map(&:id),
           milestone_id: milestone.id,
+          milestone: milestone,
           due_date: Date.tomorrow }
       end
 
@@ -102,6 +103,12 @@ RSpec.describe Issues::CreateService do
           expect(issue.milestone).to be_nil
           expect(issue.due_date).to be_nil
         end
+
+        it 'creates confidential issues' do
+          issue = described_class.new(project, guest, confidential: true).execute
+
+          expect(issue.confidential).to be_truthy
+        end
       end
 
       it 'creates a pending todo for new assignee' do
diff --git a/spec/services/issues/update_service_spec.rb b/spec/services/issues/update_service_spec.rb
index f0092c35fda..b3e8fba4e9a 100644
--- a/spec/services/issues/update_service_spec.rb
+++ b/spec/services/issues/update_service_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe Issues::UpdateService, :mailer do
   let_it_be(:project, reload: true) { create(:project, :repository, group: group) }
   let_it_be(:label) { create(:label, project: project) }
   let_it_be(:label2) { create(:label, project: project) }
+  let_it_be(:milestone) { create(:milestone, project: project) }
 
   let(:issue) do
     create(:issue, title: 'Old title',
@@ -53,7 +54,8 @@ RSpec.describe Issues::UpdateService, :mailer do
           label_ids: [label.id],
           due_date: Date.tomorrow,
           discussion_locked: true,
-          severity: 'low'
+          severity: 'low',
+          milestone_id: milestone.id
         }
       end
 
@@ -70,6 +72,14 @@ RSpec.describe Issues::UpdateService, :mailer do
         expect(issue.labels).to match_array [label]
         expect(issue.due_date).to eq Date.tomorrow
         expect(issue.discussion_locked).to be_truthy
+        expect(issue.confidential).to be_falsey
+        expect(issue.milestone).to eq milestone
+      end
+
+      it 'updates issue milestone when passing `milestone` param' do
+        update_issue(milestone: milestone)
+
+        expect(issue.milestone).to eq milestone
       end
 
       context 'when issue type is not incident' do
@@ -128,6 +138,8 @@ RSpec.describe Issues::UpdateService, :mailer do
         expect(TodosDestroyer::ConfidentialIssueWorker).to receive(:perform_in).with(Todo::WAIT_FOR_DELETE, issue.id)
 
         update_issue(confidential: true)
+
+        expect(issue.confidential).to be_truthy
       end
 
       it 'does not enqueue ConfidentialIssueWorker when an issue is made non confidential' do
@@ -137,6 +149,8 @@ RSpec.describe Issues::UpdateService, :mailer do
         expect(TodosDestroyer::ConfidentialIssueWorker).not_to receive(:perform_in)
 
         update_issue(confidential: false)
+
+        expect(issue.confidential).to be_falsey
       end
 
       context 'issue in incident type' do
@@ -297,7 +311,7 @@ RSpec.describe Issues::UpdateService, :mailer do
         end
 
         it 'filters out params that cannot be set without the :admin_issue permission' do
-          described_class.new(project, guest, opts).execute(issue)
+          described_class.new(project, guest, opts.merge(confidential: true)).execute(issue)
 
           expect(issue).to be_valid
           expect(issue.title).to eq 'New title'
@@ -307,6 +321,7 @@ RSpec.describe Issues::UpdateService, :mailer do
           expect(issue.milestone).to be_nil
           expect(issue.due_date).to be_nil
           expect(issue.discussion_locked).to be_falsey
+          expect(issue.confidential).to be_falsey
         end
       end
 
diff --git a/spec/services/merge_requests/update_service_spec.rb b/spec/services/merge_requests/update_service_spec.rb
index 6b7463d4996..3c3e10495d3 100644
--- a/spec/services/merge_requests/update_service_spec.rb
+++ b/spec/services/merge_requests/update_service_spec.rb
@@ -6,12 +6,13 @@ RSpec.describe MergeRequests::UpdateService, :mailer do
   include ProjectForksHelper
 
   let(:group) { create(:group, :public) }
-  let(:project) { create(:project, :repository, group: group) }
+  let(:project) { create(:project, :private, :repository, group: group) }
   let(:user) { create(:user) }
   let(:user2) { create(:user) }
   let(:user3) { create(:user) }
   let(:label) { create(:label, project: project) }
   let(:label2) { create(:label) }
+  let(:milestone) { create(:milestone, project: project) }
 
   let(:merge_request) do
     create(:merge_request, :simple, title: 'Old title',
@@ -61,7 +62,8 @@ RSpec.describe MergeRequests::UpdateService, :mailer do
         }
       end
 
-      let(:service) { described_class.new(project, user, opts) }
+      let(:service) { described_class.new(project, current_user, opts) }
+      let(:current_user) { user }
 
       before do
         allow(service).to receive(:execute_hooks)
@@ -85,6 +87,26 @@ RSpec.describe MergeRequests::UpdateService, :mailer do
         expect(@merge_request.discussion_locked).to be_truthy
       end
 
+      context 'updating milestone' do
+        RSpec.shared_examples 'updates milestone' do
+          it 'sets milestone' do
+            expect(@merge_request.milestone).to eq milestone
+          end
+        end
+
+        context 'when milestone_id param' do
+          let(:opts) { { milestone_id: milestone.id } }
+
+          it_behaves_like 'updates milestone'
+        end
+
+        context 'when milestone param' do
+          let(:opts) { { milestone: milestone } }
+
+          it_behaves_like 'updates milestone'
+        end
+      end
+
       it 'executes hooks with update action' do
         expect(service).to have_received(:execute_hooks)
           .with(
@@ -152,6 +174,46 @@ RSpec.describe MergeRequests::UpdateService, :mailer do
         expect(note.note).to eq 'locked this merge request'
       end
 
+      context 'when current user cannot admin issues in the project' do
+        let(:guest) { create(:user) }
+        let(:current_user) { guest }
+
+        before do
+          project.add_guest(guest)
+        end
+
+        it 'filters out params that cannot be set without the :admin_merge_request permission' do
+          expect(@merge_request).to be_valid
+          expect(@merge_request.title).to eq('New title')
+          expect(@merge_request.assignees).to match_array([user3])
+          expect(@merge_request).to be_opened
+          expect(@merge_request.labels.count).to eq(0)
+          expect(@merge_request.target_branch).to eq('target')
+          expect(@merge_request.discussion_locked).to be_falsey
+          expect(@merge_request.milestone).to be_nil
+        end
+
+        context 'updating milestone' do
+          RSpec.shared_examples 'does not update milestone' do
+            it 'sets milestone' do
+              expect(@merge_request.milestone).to be_nil
+            end
+          end
+
+          context 'when milestone_id param' do
+            let(:opts) { { milestone_id: milestone.id } }
+
+            it_behaves_like 'does not update milestone'
+          end
+
+          context 'when milestone param' do
+            let(:opts) { { milestone: milestone } }
+
+            it_behaves_like 'does not update milestone'
+          end
+        end
+      end
+
       context 'when not including source branch removal options' do
         before do
           opts.delete(:force_remove_source_branch)
-- 
cgit v1.2.3