From 78a4412d00e57068b9e375ea138e837771620fa0 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 28 Jun 2023 19:29:09 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@16-1-stable-ee
---
 spec/policies/project_policy_spec.rb | 46 ++++++++++++++++++--------
 spec/requests/api/npm_project_packages_spec.rb | 4 +--
 spec/requests/lfs_http_spec.rb | 6 ++--
 3 files changed, 38 insertions(+), 18 deletions(-)
(limited to 'spec')
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 200e2025517..ee8d811971a 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2552,24 +2552,42 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
 describe 'when user is authenticated via CI_JOB_TOKEN', :request_store do
 using RSpec::Parameterized::TableSyntax
- where(:user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
- :reporter | false | :same | true | true
- :reporter | true | :same | true | true
- :reporter | false | :same | false | true
- :reporter | false | :different | true | false
- :reporter | true | :different | true | false
- :reporter | false | :different | false | true
- :guest | false | :same | true | true
- :guest | true | :same | true | true
- :guest | false | :same | false | true
- :guest | false | :different | true | false
- :guest | true | :different | true | false
- :guest | false | :different | false | true
+ where(:project_visibility, :user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
+ :private | :reporter | false | :same | true | true
+ :private | :reporter | false | :same | false | true
+ :private | :reporter | false | :different | true | false
+ :private | :reporter | false | :different | false | true
+ :private | :guest | false | :same | true | true
+ :private | :guest | false | :same | false | true
+ :private | :guest | false | :different | true | false
+ :private | :guest | false | :different | false | true
+
+ :internal | :reporter | false | :same | true | true
+ :internal | :reporter | true | :same | true | true
+ :internal | :reporter | false | :same | false | true
+ :internal | :reporter | false | :different | true | true
+ :internal | :reporter | true | :different | true | false
+ :internal | :reporter | false | :different | false | true
+ :internal | :guest | false | :same | true | true
+ :internal | :guest | true | :same | true | true
+ :internal | :guest | false | :same | false | true
+ :internal | :guest | false | :different | true | true
+ :internal | :guest | true | :different | true | false
+ :internal | :guest | 
false | :different | false | true
+
+ :public | :reporter | false | :same | true | true
+ :public | :reporter | false | :same | false | true
+ :public | :reporter | false | :different | true | true
+ :public | :reporter | false | :different | false | true
+ :public | :guest | false | :same | true | true
+ :public | :guest | false | :same | false | true
+ :public | :guest | false | :different | true | true
+ :public | :guest | false | :different | false | true
 end
 with_them do
 let(:current_user) { public_send(user_role) }
- let(:project) { public_project }
+ let(:project) { public_send("#{project_visibility}_project") }
 let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
 let(:scope_project) do
diff --git a/spec/requests/api/npm_project_packages_spec.rb b/spec/requests/api/npm_project_packages_spec.rb
index b18d99ca884..60d4bddc502 100644
--- a/spec/requests/api/npm_project_packages_spec.rb
+++ b/spec/requests/api/npm_project_packages_spec.rb
@@ -111,7 +111,7 @@ RSpec.describe API::NpmProjectPackages, feature_category: :package_registry do
 context 'with a job token for a different user' do
 let_it_be(:other_user) { create(:user) }
- let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user, project: project) }
+ let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user) }
 let(:headers) { build_token_auth_header(other_job.token) }
@@ -160,7 +160,7 @@ RSpec.describe API::NpmProjectPackages, feature_category: :package_registry do
 context 'with a job token for a different user' do
 let_it_be(:other_user) { create(:user) }
- let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user, project: project) }
+ let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user) }
 let(:headers) { build_token_auth_header(other_job.token) }
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index 81d6b5465e3..b07296a0df2 100644
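Review bot: The new `where` table has no `external_user: true` rows for `:private` or `:public`, while the removed table exercised external users for both `:same` and `:different` scope projects, so coverage is narrowed exactly where visibility-dependent access matters most for that user class. The `:internal` rows pin that an external user holding a token from a different project is denied even with `token_scope_enabled` true, but nothing pins the equivalent `:public` and `:private` outcomes; rows such as `:public | :reporter | true | :different | true | <expected>` and `:private | :reporter | true | :different | true | <expected>` (expected values to be confirmed against the policy, not guessed) would make those decisions explicit rather than untested. The `with_them` block and `let(:scope_project)` continue outside the hunk.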
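Review bot: The `+` line `create(:ci_build, :running, user: other_user)` drops `project: project`, so `other_job` now belongs to whatever project the factory creates by default, yet the enclosing `context 'with a job token for a different user'` still names only the user difference; the hunk at `@@ -160` has the same mismatch. The assertions inside both contexts are outside the hunks, so it is not visible whether they depend on the user mismatch, the project mismatch, or both. Renaming to `context 'with a job token for a different user and a different project' do`, or adding `# other_job is deliberately created outside `project`; confirm below which mismatch the expected response relies on` above the `let_it_be_with_reload`, would make the intent explicit, and if the different-user/same-project path still needs coverage it deserves a context of its own.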
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -677,7 +677,8 @@ RSpec.describe 'Git LFS API and storage', feature_category: :source_code_managem
 context 'tries to push to other project' do
 let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
- it_behaves_like 'LFS http 404 response'
+ # I'm not sure what this tests that is different from the previous test
+ it_behaves_like 'LFS http 403 response'
 end
 end
@@ -1197,7 +1198,8 @@ RSpec.describe 'Git LFS API and storage', feature_category: :source_code_managem
 context 'tries to push to other project' do
 let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
- it_behaves_like 'LFS http 404 response'
+ # I'm not sure what this tests that is different from the previous test
+ it_behaves_like 'LFS http 403 response'
 end
 end
-- cgit v1.2.3
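Review bot: The added comment `# I'm not sure what this tests that is different from the previous test`, at both `@@ -677` and `@@ -1197`, records an open question instead of documenting the case and should be resolved before merge: either state what the case covers or remove the case. From the visible lines the distinguishing factor is that `pipeline` is created on `other_project`, so something like `# the job's pipeline lives in other_project, so the token's project and the pushed-to project differ` would replace the placeholder; the "previous test" it refers to is outside the hunk. The move from the `LFS http 404 response` to the `LFS http 403 response` shared example also changes what a cross-project token learns, since a 403 confirms the target exists where a 404 did not; if `other_project` (defined outside the hunk) can be private, the comment should record that the 403 is deliberate.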