author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-25 16:44:14 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-25 16:44:14 +0000 |
commit | ddca3ddd9fa2377707faa6e8e15ffa26b2a54cae (patch) | |
tree | 83e73be2014852efd6d5ceaac299526cbcb1f4cf /spec/finders | |
parent | 40d9900404f9ff4a396dc263954b46387874ff15 (diff) | |
parent | 9ec860ea05d5c74387cbff4593ca76072a38ad5f (diff) | |
download | gitlab-ce-ddca3ddd9fa2377707faa6e8e15ffa26b2a54cae.tar.gz |
Merge branch 'security-guests-can-see-list-of-merge-requests' into 'master'
[master] Group Guests are no longer able to see merge requests
See merge request gitlab/gitlabhq!2694
Diffstat (limited to 'spec/finders')
-rw-r--r-- | spec/finders/merge_requests_finder_spec.rb | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/spec/finders/merge_requests_finder_spec.rb b/spec/finders/merge_requests_finder_spec.rb
index ff4c6b8dd42..107da08a0a9 100644
--- a/spec/finders/merge_requests_finder_spec.rb
+++ b/spec/finders/merge_requests_finder_spec.rb
@@ -68,20 +68,34 @@ describe MergeRequestsFinder do
 expect(merge_requests.size).to eq(2)
 end
- it 'filters by group' do
- params = { group_id: group.id }
+ context 'filtering by group' do
+ it 'includes all merge requests when user has access' do
+ params = { group_id: group.id }
- merge_requests = described_class.new(user, params).execute
+ merge_requests = described_class.new(user, params).execute
- expect(merge_requests.size).to eq(3)
- end
+ expect(merge_requests.size).to eq(3)
+ end
- it 'filters by group including subgroups', :nested_groups do
- params = { group_id: group.id, include_subgroups: true }
+ it 'excludes merge requests from projects the user does not have access to' do
+ private_project = create_project_without_n_plus_1(:private, group: group)
+ private_mr = create(:merge_request, :simple, author: user, source_project: private_project, target_project: private_project)
+ params = { group_id: group.id }
- merge_requests = described_class.new(user, params).execute
+ private_project.add_guest(user)
+ merge_requests = described_class.new(user, params).execute
- expect(merge_requests.size).to eq(6)
+ expect(merge_requests.size).to eq(3)
+ expect(merge_requests).not_to include(private_mr)
+ end
+
+ it 'filters by group including subgroups', :nested_groups do
+ params = { group_id: group.id, include_subgroups: true }
+
+ merge_requests = described_class.new(user, params).execute
+
+ expect(merge_requests.size).to eq(6)
+ end
 end
 it 'filters by non_archived' do |
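Review bot: The new example `excludes merge requests from projects the user does not have access to` pins the guest restriction only for the plain `group_id` path with a project-level guest (`private_project.add_guest(user)`); the `include_subgroups: true` example after it still asserts only a count, so the same restriction is not covered for the subgroup path. A sibling example under `:nested_groups` that creates the private project in a subgroup and ends with `expect(merge_requests).not_to include(private_mr)` would close that gap. The negative assertion also passes if the finder omits that merge request for an unrelated reason, so a positive counterpart using `private_project.add_developer(user)` and `expect(merge_requests).to include(private_mr)` would fix the boundary at the access level. The example title would be more precise as `'excludes merge requests from private projects where the user is only a guest'`. The enclosing `describe` block and its setup of `user` and `group` lie outside the hunk, so whether group-level guest membership is exercised elsewhere cannot be told from here.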