authorRémy Coutable <remy@rymai.me>2016-04-13 11:32:25 +0000
committerRémy Coutable <remy@rymai.me>2016-04-13 11:32:25 +0000
commitcf306b17bfdcc426b635a5f99c972985598a4094 (patch)
tree520cc8d77a8b093cdea114b78e63f5c118d005f6 /spec/requests/api
parent861e685e1853d45dea83bc1d06ebd639b120f36c (diff)
parent4cd04443f5f69665ce1139726751af678e0e55c3 (diff)
downloadgitlab-ce-cf306b17bfdcc426b635a5f99c972985598a4094.tar.gz
Merge branch 'api-group-leaking' into 'master'
API: Return 404 if user does not have access to group Closes #15185 After !3587 is merged, I'll update this one to also fix the return code of the tests in !3587. See merge request !3683
Diffstat (limited to 'spec/requests/api')
-rw-r--r--spec/requests/api/group_members_spec.rb12
-rw-r--r--spec/requests/api/groups_spec.rb19
2 files changed, 19 insertions, 12 deletions
diff --git a/spec/requests/api/group_members_spec.rb b/spec/requests/api/group_members_spec.rb
index 3e8b4aa1f88..96d89e69209 100644
--- a/spec/requests/api/group_members_spec.rb
+++ b/spec/requests/api/group_members_spec.rb
@@ -42,9 +42,10 @@ describe API::API, api: true do
end
end
- it "users not part of the group should get access error" do
+ it 'users not part of the group should get access error' do
get api("/groups/#{group_with_members.id}/members", stranger)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
end
end
end
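Review bot: The new `expect(response.status).to eq(404)` checks only the status code, which does not by itself show that the group's existence is no longer disclosed to `stranger` — a 404 whose body still names the group would pass unchanged. Since the point of moving from 403 to 404 appears to be making an inaccessible group indistinguishable from a nonexistent one, consider pairing the status check with a body assertion such as `expect(response.body).not_to include(group_with_members.name)`, or comparing the response with the one returned for an id that does not exist. The same status-only assertion is repeated in the `@@ -165` hunk of this file and in the `@@ -61`, `@@ -92`, `@@ -133`, `@@ -157`, `@@ -189` and `@@ -247` hunks of groups_spec.rb. The enclosing `describe` block begins outside this hunk.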
@@ -165,12 +166,13 @@ describe API::API, api: true do
end
end
- describe "DELETE /groups/:id/members/:user_id" do
- context "when not a member of the group" do
+ describe 'DELETE /groups/:id/members/:user_id' do
+ context 'when not a member of the group' do
it "should not delete guest's membership of group_with_members" do
random_user = create(:user)
delete api("/groups/#{group_with_members.id}/members/#{owner.id}", random_user)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
end
end
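Review bot: The example `it "should not delete guest's membership of group_with_members"` still asserts only the status code after the change, so it would pass even if the DELETE removed the membership before responding with 404; a "should not delete" example needs an assertion that the membership survived the request, such as re-reading the membership for `owner` after the `delete` call. Separately, the description speaks of a guest while the request targets `owner.id`, which looks like a pre-existing mismatch worth confirming rather than something this commit introduced. The enclosing `describe` continues past the end of this hunk.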
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index 7383c7d11aa..37ddab83c30 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -61,7 +61,8 @@ describe API::API, api: true do
it "should not return a group not attached to user1" do
get api("/groups/#{group2.id}", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
end
end
@@ -92,7 +93,8 @@ describe API::API, api: true do
it 'should not return a group not attached to user1' do
get api("/groups/#{group2.path}", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
end
end
end
@@ -133,10 +135,10 @@ describe API::API, api: true do
end
context 'when authenticated as an user that cannot see the group' do
- it 'returns 403 when trying to update the group' do
+ it 'returns 404 when trying to update the group' do
put api("/groups/#{group2.id}", user1), name: new_group_name
- expect(response.status).to eq(403)
+ expect(response.status).to eq(404)
end
end
end
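Review bot: This hunk places `expect(response.status).to eq(404)` directly after the `put` call, while every other hunk in this commit inserts a blank line between the request and the assertion; for consistency either add the blank line here too or drop it elsewhere. The example's description was correctly updated to say 404, which the other hunks' descriptions (still phrased as "should not return") do not need.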
@@ -157,7 +159,8 @@ describe API::API, api: true do
it "should not return a group not attached to user1" do
get api("/groups/#{group2.id}/projects", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
end
end
@@ -189,7 +192,8 @@ describe API::API, api: true do
it 'should not return a group not attached to user1' do
get api("/groups/#{group2.path}/projects", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
end
end
end
@@ -247,7 +251,8 @@ describe API::API, api: true do
it "should not remove a group not attached to user1" do
delete api("/groups/#{group2.id}", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
end
end