| author | Robert Speicher <robert@gitlab.com> | 2018-01-18 23:10:19 +0000 |
|---|---|---|
| committer | Robert Speicher <rspeicher@gmail.com> | 2018-02-09 12:16:25 -0600 |
| commit | fec9fb05a5775b864ef6768df166d39fcb2be4bc (patch) | |
| tree | 9274b1aba3720ae0204be7294000bb8f22b77a48 /spec/requests/api/v3 | |
| parent | 603fa7c14193d37e3953225501d2108f0c581df5 (diff) | |
| download | gitlab-ce-fec9fb05a5775b864ef6768df166d39fcb2be4bc.tar.gz | |
Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'
Restrict Todo API mark_as_done endpoint to the user's todos only
Diffstat (limited to 'spec/requests/api/v3')
-rw-r--r-- | spec/requests/api/v3/todos_spec.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/spec/requests/api/v3/todos_spec.rb b/spec/requests/api/v3/todos_spec.rb index 53fd962272a..ea648e3917f 100644 --- a/spec/requests/api/v3/todos_spec.rb +++ b/spec/requests/api/v3/todos_spec.rb @@ -38,6 +38,12 @@ describe API::V3::Todos do delete v3_api("/todos/#{pending_1.id}", john_doe) end + + it 'returns 404 if the todo does not belong to the current user' do + delete v3_api("/todos/#{pending_1.id}", author_1) + + expect(response.status).to eq(404) + end end end |
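Review bot: the new example in `todos_spec.rb` only asserts on the 404 status, which does not by itself prove the endpoint left another user's todo untouched; a handler that marked the todo done and then rendered 404 would still pass. Suggest reloading the record after the request and asserting it is still pending, e.g. `expect(pending_1.reload).to be_pending` (assuming the `Todo` model exposes the usual state predicate), so the spec pins the authorization behaviour the commit message describes rather than only the response code. The test also depends on `author_1` not being the owner of `pending_1`, which is set up outside this hunk; a one-line comment in the example naming that precondition would make the intent clear to the next reader. Finally, since the diffstat is limited to `spec/requests/api/v3`, confirm the equivalent v4 `todos_spec.rb` received the same "not the current user's todo" case in the rest of this merge.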