diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-04-21 06:44:47 +0000 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-04-26 08:00:19 +0000 |
| commit | 4dfdef2ddfc3cdeb6f6231e397543d120083a4c2 (patch) | |
| tree | 0c3232d2ab9ea17fdfcadcc84612723188933b99 /spec/requests/api/helpers_spec.rb | |
| parent | 6c65b63ca5fb60ae26c900b4615054d2ff66eeb9 (diff) | |
| download | gitlab-ce-4dfdef2ddfc3cdeb6f6231e397543d120083a4c2.tar.gz | |
Allow admins to sudo to blocked users.29505-allow-admins-sudo-to-blocked-users
- Currently, (for example) admins can't delete snippets for blocked users, which
is an unexpected limitation.
- We modify `authenticate!` to conduct the `access_api` policy check against the
`initial_current_user`, instead of the user being impersonated.
- Update CHANGELOG for !10842
Diffstat (limited to 'spec/requests/api/helpers_spec.rb')
| -rw-r--r-- | spec/requests/api/helpers_spec.rb | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/spec/requests/api/helpers_spec.rb b/spec/requests/api/helpers_spec.rb index 988a57a80ea..6cbe1ffa1a4 100644 --- a/spec/requests/api/helpers_spec.rb +++ b/spec/requests/api/helpers_spec.rb @@ -427,6 +427,7 @@ describe API::Helpers, api: true do context 'current_user is nil' do before do expect_any_instance_of(self.class).to receive(:current_user).and_return(nil) + allow_any_instance_of(self.class).to receive(:initial_current_user).and_return(nil) end it 'returns a 401 response' do @@ -435,13 +436,38 @@ describe API::Helpers, api: true do end context 'current_user is present' do + let(:user) { build(:user) } + before do - expect_any_instance_of(self.class).to receive(:current_user).at_least(:once).and_return(User.new) + expect_any_instance_of(self.class).to receive(:current_user).at_least(:once).and_return(user) + expect_any_instance_of(self.class).to receive(:initial_current_user).and_return(user) end it 'does not raise an error' do expect { authenticate! }.not_to raise_error end end + + context 'current_user is blocked' do + let(:user) { build(:user, :blocked) } + + before do + expect_any_instance_of(self.class).to receive(:current_user).at_least(:once).and_return(user) + end + + it 'raises an error' do + expect_any_instance_of(self.class).to receive(:initial_current_user).and_return(user) + + expect { authenticate! }.to raise_error '401 - {"message"=>"401 Unauthorized"}' + end + + it "doesn't raise an error if an admin user is impersonating a blocked user (via sudo)" do + admin_user = build(:user, :admin) + + expect_any_instance_of(self.class).to receive(:initial_current_user).and_return(admin_user) + + expect { authenticate! }.not_to raise_error + end + end end end |