author: Robert Speicher <robert@gitlab.com>, 2017-09-28 13:43:05 +0000
committer: Robert Speicher <robert@gitlab.com>, 2017-09-28 13:43:05 +0000
commit: 06daba75aa6c45543b6b430a50f2efe9d68988d1 (patch)
tree: 5a10a1c6affdc087f8c4f3a7bc72a22d052372fe
parent: 576425f029aae35d2489b058595dd40ae2ae6e2c (diff)
parent: e16878bbef17385d126fe98eb7d14086df86ee25 (diff)
download: gitlab-ce-06daba75aa6c45543b6b430a50f2efe9d68988d1.tar.gz
Merge branch 'evn-add-neg-tests' into 'master'

Test for what should not be there as well [ci skip]

See merge request gitlab-org/gitlab-ce!14492
-rw-r--r-- doc/development/testing.md 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/development/testing.md b/doc/development/testing.md
index c9f14b5fb35..d856b003353 100644
--- a/doc/development/testing.md
+++ b/doc/development/testing.md
@@ -150,6 +150,16 @@ always in-sync with the codebase.
[GitLab QA]: https://gitlab.com/gitlab-org/gitlab-qa
[part of GitLab Rails]: https://gitlab.com/gitlab-org/gitlab-ce/tree/master/qa
+## Test for what should not be there
+
+This is particularly important for permission calls and might be called a
+negative assertion: make sure only the bare minimum is returned and nothing else.
+
+See an issue about [leaking tokens] as an example of a vulnerability that is
+captured by such a test.
+
+[leaking tokens]: https://gitlab.com/gitlab-org/gitlab-ce/issues/37948
+
## How to test at the correct level?
As many things in life, deciding what to test at each level of testing is a
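Review bot: The opening sentence of the new section, "This is particularly important for permission calls", relies on the heading for its subject and never says what a "permission call" is, so the guideline is hard to act on as written. Suggest stating the rule directly, for example that a spec should assert that fields the caller is not entitled to are absent from the result, not only that the expected fields are present, and adding a short spec snippet that shows such a negative assertion. The [leaking tokens] reference would also read better with a one-line summary of what leaked, so the section still stands on its own when the linked issue is not accessible to the reader.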