summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFelipe Artur <felipefac@gmail.com>2019-03-26 15:20:06 -0300
committerFelipe Artur <felipefac@gmail.com>2019-03-26 15:20:06 -0300
commitfcc90a5a516e6e678db3820f75d57a841504c12e (patch)
tree9381bd4f9223f801b1a315791328c766ece326ac
parent02c167c66443871234b543188c1ca3e56a8fdb3b (diff)
downloadgitlab-ce-issue_58547.tar.gz
Improve specs and use 403 instead of 404 statusissue_58547
-rw-r--r--app/controllers/graphql_controller.rb2
-rw-r--r--spec/controllers/graphql_controller_spec.rb9
2 files changed, 7 insertions, 4 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 6681182ba3e..7b5dc22815c 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -39,7 +39,7 @@ class GraphqlController < ApplicationController
private
def authorize_access_api!
- render_404 unless can?(current_user, :access_api)
+ access_denied!("API not accessible for user.") unless can?(current_user, :access_api)
end
# Overridden from the ApplicationController to make the response look like
diff --git a/spec/controllers/graphql_controller_spec.rb b/spec/controllers/graphql_controller_spec.rb
index b071d01de5d..c19a752b07b 100644
--- a/spec/controllers/graphql_controller_spec.rb
+++ b/spec/controllers/graphql_controller_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'spec_helper'
describe GraphqlController do
@@ -19,15 +21,16 @@ describe GraphqlController do
expect(response).to have_gitlab_http_status(200)
end
- it 'returns 404 when user cannot access API' do
+ it 'returns access denied template when user cannot access API' do
# User cannot access API in a couple of cases
# * When user is internal(like ghost users)
# * When user is blocked
- allow(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
+ expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
post :execute
- expect(response).to have_gitlab_http_status(404)
+ expect(response.status).to eq(403)
+ expect(response).to render_template('errors/access_denied')
end
end