authorYorick Peterse <yorickpeterse@gmail.com>2019-01-25 16:44:14 +0000
committerYorick Peterse <yorickpeterse@gmail.com>2019-01-25 16:44:14 +0000
commitddca3ddd9fa2377707faa6e8e15ffa26b2a54cae (patch)
tree83e73be2014852efd6d5ceaac299526cbcb1f4cf /spec/finders
parent40d9900404f9ff4a396dc263954b46387874ff15 (diff)
parent9ec860ea05d5c74387cbff4593ca76072a38ad5f (diff)
Merge branch 'security-guests-can-see-list-of-merge-requests' into 'master'
[master] Group Guests are no longer able to see merge requests See merge request gitlab/gitlabhq!2694
Diffstat (limited to 'spec/finders')
-rw-r--r--spec/finders/merge_requests_finder_spec.rb32
1 files changed, 23 insertions, 9 deletions
diff --git a/spec/finders/merge_requests_finder_spec.rb b/spec/finders/merge_requests_finder_spec.rb
index ff4c6b8dd42..107da08a0a9 100644
--- a/spec/finders/merge_requests_finder_spec.rb
+++ b/spec/finders/merge_requests_finder_spec.rb
@@ -68,20 +68,34 @@ describe MergeRequestsFinder do
expect(merge_requests.size).to eq(2)
end
- it 'filters by group' do
- params = { group_id: group.id }
+ context 'filtering by group' do
+ it 'includes all merge requests when user has access' do
+ params = { group_id: group.id }
- merge_requests = described_class.new(user, params).execute
+ merge_requests = described_class.new(user, params).execute
- expect(merge_requests.size).to eq(3)
- end
+ expect(merge_requests.size).to eq(3)
+ end
- it 'filters by group including subgroups', :nested_groups do
- params = { group_id: group.id, include_subgroups: true }
+ it 'excludes merge requests from projects the user does not have access to' do
+ private_project = create_project_without_n_plus_1(:private, group: group)
+ private_mr = create(:merge_request, :simple, author: user, source_project: private_project, target_project: private_project)
+ params = { group_id: group.id }
- merge_requests = described_class.new(user, params).execute
+ private_project.add_guest(user)
+ merge_requests = described_class.new(user, params).execute
- expect(merge_requests.size).to eq(6)
+ expect(merge_requests.size).to eq(3)
+ expect(merge_requests).not_to include(private_mr)
+ end
+
+ it 'filters by group including subgroups', :nested_groups do
+ params = { group_id: group.id, include_subgroups: true }
+
+ merge_requests = described_class.new(user, params).execute
+
+ expect(merge_requests.size).to eq(6)
+ end
end
it 'filters by non_archived' do
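Review bot: The new negative example, 'excludes merge requests from projects the user does not have access to', grants the user a role with `private_project.add_guest(user)`, so its name describes a different case from the one it sets up; `it 'excludes merge requests from private projects where the user is only a Guest' do` would state the rule being pinned. The merge title speaks of group Guests, but only direct project membership is exercised here, and the hunk does not show whether `user` holds any role on `group`; a sibling example that uses `group.add_guest(user)` would cover inherited membership. The 'filters by group including subgroups' example still asserts only `eq(6)`, so the same exclusion is unverified on the `include_subgroups: true` path. A guest-only private project under a subgroup with a matching `not_to include` expectation would close that gap. The enclosing `describe` block starts and ends outside the hunk.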