Merge branch 'explicit-requesters-scope' into 'master'

Exclude requesters from Project#members, Group#members and User#members ## What does this MR do? It excludes requesters from the `Project#members`, `Group#members` and `User#members` associations, and adds new `Project#requesters` and `Group#requesters` associations. ## Are there points in the code the reviewer needs to double check? No. ## Why was this MR needed? Without this, if you call `project.members`, requesters are included in the results! This is at best misleading, and at worst can lead to security issues. By excluding requesters from the `#members` associations, we avoid introducing security inadvertently since you have to call the `#requesters` association explicitly to get requesters. ## What are the relevant issue numbers? This is something I realized while fixing the security issue #19102. ## Does this MR meet the acceptance criteria? - [x] I don't think this needs a CHANGELOG since this is an internal change - Tests - [x] Added for this feature/bug - [ ] All builds are passing - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] Branch has no merge conflicts with `master` (if you do - rebase it please) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) See merge request !4946
author: Douwe Maan <douwe@gitlab.com> 2016-07-01 22:23:26 +0000
committer: Douwe Maan <douwe@gitlab.com> 2016-07-01 22:23:26 +0000
commit: d1c94f034bbf688248f46482b941fe673940c6b0 (patch)
tree: 768ea37a0dd881c4e8bded1532fa6bac06e20d27 /spec/features/groups
parent: 0ccdc631e6f45c0fd327631decb47f80d781302e (diff)
parent: bd78f5733ca546bf940438b84aefa2fa3abacb36 (diff)
download: gitlab-ce-d1c94f034bbf688248f46482b941fe673940c6b0.tar.gz
2 files changed, 5 insertions, 5 deletions
diff --git a/spec/features/groups/members/owner_manages_access_requests_spec.rb b/spec/features/groups/members/owner_manages_access_requests_spec.rb
index 51690e39490..10d3713f19f 100644
--- a/spec/features/groups/members/owner_manages_access_requests_spec.rb
+++ b/spec/features/groups/members/owner_manages_access_requests_spec.rb
@@ -40,7 +40,7 @@ feature 'Groups > Members > Owner manages access requests', feature: true do
   end
 
   def expect_visible_access_request(group, user)
-    expect(group.members.request.exists?(user_id: user)).to be_truthy
+    expect(group.requesters.exists?(user_id: user)).to be_truthy
     expect(page).to have_content "#{group.name} access requests 1"
     expect(page).to have_content user.name
   end
diff --git a/spec/features/groups/members/user_requests_access_spec.rb b/spec/features/groups/members/user_requests_access_spec.rb
index 4944301c938..d1a6a98ab72 100644
--- a/spec/features/groups/members/user_requests_access_spec.rb
+++ b/spec/features/groups/members/user_requests_access_spec.rb
@@ -18,7 +18,7 @@ feature 'Groups > Members > User requests access', feature: true do
     expect(ActionMailer::Base.deliveries.last.to).to eq [owner.notification_email]
     expect(ActionMailer::Base.deliveries.last.subject).to match "Request to join the #{group.name} group"
 
-    expect(group.members.request.exists?(user_id: user)).to be_truthy
+    expect(group.requesters.exists?(user_id: user)).to be_truthy
     expect(page).to have_content 'Your request for access has been queued for review.'
 
     expect(page).to have_content 'Withdraw Access Request'
@@ -42,7 +42,7 @@ feature 'Groups > Members > User requests access', feature: true do
   scenario 'user is not listed in the group members page' do
     click_link 'Request Access'
 
-    expect(group.members.request.exists?(user_id: user)).to be_truthy
+    expect(group.requesters.exists?(user_id: user)).to be_truthy
 
     click_link 'Members'
 
@@ -54,11 +54,11 @@ feature 'Groups > Members > User requests access', feature: true do
   scenario 'user can withdraw its request for access' do
     click_link 'Request Access'
 
-    expect(group.members.request.exists?(user_id: user)).to be_truthy
+    expect(group.requesters.exists?(user_id: user)).to be_truthy
 
     click_link 'Withdraw Access Request'
 
-    expect(group.members.request.exists?(user_id: user)).to be_falsey
+    expect(group.requesters.exists?(user_id: user)).to be_falsey
     expect(page).to have_content 'Your access request to the group has been withdrawn.'
   end
 end
author	Douwe Maan <douwe@gitlab.com>	2016-07-01 22:23:26 +0000
committer	Douwe Maan <douwe@gitlab.com>	2016-07-01 22:23:26 +0000
commit	d1c94f034bbf688248f46482b941fe673940c6b0 (patch)
tree	768ea37a0dd881c4e8bded1532fa6bac06e20d27 /spec/features/groups
parent	0ccdc631e6f45c0fd327631decb47f80d781302e (diff)
parent	bd78f5733ca546bf940438b84aefa2fa3abacb36 (diff)
download	gitlab-ce-d1c94f034bbf688248f46482b941fe673940c6b0.tar.gz