author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-10-29 13:38:00 +0200 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-10-29 13:38:00 +0200 |
commit | eea6a8a17deb384bfe6b9b83462df6cb5f7f17ad (patch) | |
tree | f45090e565e5fd3bacd90070a7cc673d69fa74cf | |
parent | f6491508fe54c75c8db8db17b27d6d7912198a7a (diff) | |
Don't allow guests..developers to manage group members
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-rw-r--r-- | lib/api/group_members.rb | 10 | ||||
-rw-r--r-- | spec/requests/api/group_members_spec.rb | 12 |
2 files changed, 17 insertions, 5 deletions
diff --git a/lib/api/group_members.rb b/lib/api/group_members.rb
index 24c141e9b71..d596517c816 100644
--- a/lib/api/group_members.rb
+++ b/lib/api/group_members.rb
@@ -39,14 +39,18 @@ module API
 # Example Request:
 # POST /groups/:id/members
 post ":id/members" do
+ group = find_group(params[:id])
+ authorize! :manage_group, group
 required_attributes! [:user_id, :access_level]
+
 unless validate_access_level?(params[:access_level])
 render_api_error!("Wrong access level", 422)
 end
- group = find_group(params[:id])
+
 if group.group_members.find_by(user_id: params[:user_id])
 render_api_error!("Already exists", 409)
 end
+
 group.add_users([params[:user_id]], params[:access_level])
 member = group.group_members.find_by(user_id: params[:user_id])
 present member.user, with: Entities::GroupMember, group: group
@@ -62,7 +66,9 @@ module API
 # DELETE /groups/:id/members/:user_id
 delete ":id/members/:user_id" do
 group = find_group(params[:id])
- member = group.group_members.find_by(user_id: params[:user_id])
+ authorize! :manage_group, group
+ member = group.group_members.find_by(user_id: params[:user_id])
+
 if member.nil?
 render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404)
 else
diff --git a/spec/requests/api/group_members_spec.rb b/spec/requests/api/group_members_spec.rb
index b266f56a9dd..4957186f605 100644
--- a/spec/requests/api/group_members_spec.rb
+++ b/spec/requests/api/group_members_spec.rb
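Review bot: In the POST hunk, once `authorize! :manage_group, group` passes, `validate_access_level?(params[:access_level])` only confirms the value is a known level; nothing compares the requested level with the caller's own level in the group, so whoever holds `:manage_group` can add a user at any level, including one above their own. The commit title excludes only guests through developers, which suggests masters keep this ability, in which case this is a privilege-escalation path the commit does not close; if `:manage_group` is in fact owner-only this is moot, but a comment saying so above the `authorize!` line would make the assumption visible. A guard before `group.add_users`, along the lines of `render_api_error!("Access level too high", 403) if params[:access_level].to_i > <caller's access level in group>`, would pin the boundary in the API rather than relying on the ability name. The same ordering note applies to the DELETE hunk, which lets a manager remove an owner with no level check. Both the `post` and `delete` blocks close outside their hunks.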
@@ -115,16 +115,22 @@ describe API::API, api: true do
 context "when a member of the group" do
 it "should delete guest's membership of group" do
- count_before=group_with_members.group_members.count
- delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
+ expect {
+ delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
+ }.to change { group_with_members.members.count }.by(-1)
+
 response.status.should == 200
- group_with_members.group_members.count.should == count_before - 1
 end
 it "should return a 404 error when user id is not known" do
 delete api("/groups/#{group_with_members.id}/members/1328", owner)
 response.status.should == 404
 end
+
+ it "should not allow guest to modify group members" do
+ delete api("/groups/#{group_with_members.id}/members/#{master.id}", guest)
+ response.status.should == 403
+ end
 end
 end
 end
|
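Review bot: The new example only exercises DELETE as `guest`, while the same commit also adds `authorize! :manage_group` to POST /groups/:id/members, which is left without a negative test; a matching example that POSTs to `/groups/#{group_with_members.id}/members` as `guest` with `user_id: master.id` and a valid `access_level` and expects `response.status.should == 403` would keep the two endpoints' authorization from drifting apart. The title names guests through developers, but only the guest boundary is pinned; if the spec has a developer fixture, a second case for it would fix the cutoff at master rather than leaving it implied. The enclosing describe block starts outside the hunk.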