author | Robert Schilling <rschilling@student.tugraz.at> | 2014-08-19 00:23:02 +0200 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2015-03-31 18:32:24 +0200 |
commit | 9769c2d7fd0728caf951858162ec7df6f93a8a83 (patch) | |
tree | b7b5d800c0a5c6fe5382788d2cee92aff298fe95 /spec/requests | |
parent | 0191857fac465fbfb4acad1b923c29f3b05529aa (diff) | |
Fix #6417: users with group permission should be able to create groups via API
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/api/groups_spec.rb | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index d963dbac9f1..62b42d63fc2 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -3,8 +3,9 @@ require 'spec_helper'
 describe API::API, api: true do
 include ApiHelpers
- let(:user1) { create(:user) }
+ let(:user1) { create(:user, can_create_group: false) }
 let(:user2) { create(:user) }
+ let(:user3) { create(:user) }
 let(:admin) { create(:admin) }
 let!(:group1) { create(:group) }
 let!(:group2) { create(:group) }
@@ -94,32 +95,32 @@ describe API::API, api: true do
 end
 describe "POST /groups" do
- context "when authenticated as user" do
+ context "when authenticated as user without group permissions" do
 it "should not create group" do
 post api("/groups", user1), attributes_for(:group)
 expect(response.status).to eq(403)
 end
 end
- context "when authenticated as admin" do
+ context "when authenticated as user with group permissions" do
 it "should create group" do
- post api("/groups", admin), attributes_for(:group)
+ post api("/groups", user3), attributes_for(:group)
 expect(response.status).to eq(201)
 end
 it "should not create group, duplicate" do
- post api("/groups", admin), {name: "Duplicate Test", path: group2.path}
+ post api("/groups", user3), {name: 'Duplicate Test', path: group2.path}
 expect(response.status).to eq(400)
 expect(response.message).to eq("Bad Request")
 end
 it "should return 400 bad request error if name not given" do
- post api("/groups", admin), {path: group2.path}
+ post api("/groups", user3), {path: group2.path}
 expect(response.status).to eq(400)
 end
 it "should return 400 bad request error if path not given" do
- post api("/groups", admin), { name: 'test' }
+ post api("/groups", user3), {name: 'test'}
 expect(response.status).to eq(400)
 end
 end
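Review bot: The new `let(:user3) { create(:user) }` leaves `can_create_group` to whatever the factory or model default is, while `user1` pins it to `false` explicitly. The default is not visible in this diff, so the "with group permissions" examples would start failing, or pass for the wrong reason, if that default ever changes. Pin the permission the examples depend on: `let(:user3) { create(:user, can_create_group: true) }`. The enclosing `describe` block continues outside the hunk.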
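Review bot: The admin path for `POST /groups` loses its coverage in this hunk, because every example in the second context now posts as `user3` and none posts as `admin` any more. The commit changes who is authorised to create groups, so one retained admin example would guard against the new permission check locking administrators out. For instance, keep an `it "should create group as admin" do` example with `post api("/groups", admin), attributes_for(:group)` and `expect(response.status).to eq(201)`. The enclosing `describe API::API` block starts and ends outside the hunk.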
@@ -133,8 +134,8 @@ describe API::API, api: true do
 end
 it "should not remove a group if not an owner" do
- user3 = create(:user)
- group1.add_user(user3, Gitlab::Access::MASTER)
+ user4 = create(:user)
+ group1.add_user(user4, Gitlab::Access::MASTER)
 delete api("/groups/#{group1.id}", user3)
 expect(response.status).to eq(403)
 end |
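Review bot: The unchanged context line `delete api("/groups/#{group1.id}", user3)` still passes `user3`, which after this commit resolves to the new top-level `let(:user3)` rather than the local that was renamed to `user4`. The example adds `user4` to `group1` as MASTER but sends the request as a user with no membership shown in this diff. It therefore no longer checks that a master who is not an owner is refused, and a regression that let masters delete groups would likely go unnoticed. Send the request as the user that was actually added: `delete api("/groups/#{group1.id}", user4)`. The enclosing `describe` block starts outside the hunk.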