author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-09-29 16:04:57 +0300 |
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-09-29 16:04:57 +0300 |
commit | 726fa6c76afc9162fe046439f7f11b729190aaa6 (patch) | |
tree | 273e4146624e29f0c00e3acf21675248cce78d74 /spec/requests | |
parent | 1df225bb384ad53ca081bdda85a805105a3eff7c (diff) | |
download | gitlab-ce-726fa6c76afc9162fe046439f7f11b729190aaa6.tar.gz |
Respect authorization in Repository API
* don't allow protect/unprotect branches for users without master permissions
* don't allow access to Repository api for guests
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/api/repositories_spec.rb | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index f15abdd3581..2e509ea2933 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -8,7 +8,8 @@ describe API::API do
 let(:user) { create(:user) }
 let(:user2) { create(:user) }
 let!(:project) { create(:project_with_code, creator_id: user.id) }
- let!(:users_project) { create(:users_project, user: user, project: project, project_access: UsersProject::MASTER) }
+ let!(:master) { create(:users_project, user: user, project: project, project_access: UsersProject::MASTER) }
+ let!(:guest) { create(:users_project, user: user2, project: project, project_access: UsersProject::GUEST) }

 before { project.team << [user, :reporter] }

@@ -32,6 +33,11 @@ describe API::API do
 json_response['protected'].should == false
 end

+ it "should return a 403 error if guest" do
+ get api("/projects/#{project.id}/repository/branches", user2)
+ response.status.should == 403
+ end
+
 it "should return a 404 error if branch is not available" do
 get api("/projects/#{project.id}/repository/branches/unknown", user)
 response.status.should == 404
@@ -53,6 +59,11 @@ describe API::API do
 response.status.should == 404
 end

+ it "should return a 403 error if guest" do
+ put api("/projects/#{project.id}/repository/branches/new_design/protect", user2)
+ response.status.should == 403
+ end
+
 it "should return success when protect branch again" do
 put api("/projects/#{project.id}/repository/branches/new_design/protect", user)
 put api("/projects/#{project.id}/repository/branches/new_design/protect", user)
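Review bot: The new `let!(:master)` grants `user` MASTER access while the unchanged `before { project.team << [user, :reporter] }` right below it also adds `user` as a reporter, and which level ends up in effect is not visible from this hunk. The protect test in the third hunk relies on `user` still being a master, so the fixture pair should say so explicitly, e.g. a comment above `let!(:master)` such as `# user must keep MASTER access here; the reporter grant in the before block must not downgrade it, or the protect specs below break`. Since `master` and `guest` are never referenced by name and exist only for their side effect, a one-line note saying that would also stop a later cleanup from dropping them as unused.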
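Review bot: The guest 403 test in the second hunk only exercises the branch list (`GET .../repository/branches`); the commit description says guests are denied the Repository API as a whole, but the single-branch read visible in the same hunk (`.../repository/branches/unknown`) is still only tested for a 404 with a member. Adding a guest case for that path, `get api("/projects/#{project.id}/repository/branches/unknown", user2)` asserting `response.status.should == 403`, would confirm the authorization check runs before the existence check rather than leaking a 404/200 to a guest. The enclosing describe block of this hunk starts and ends outside the hunk.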
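Review bot: The protect 403 test in the third hunk uses `user2`, who is a guest, so it cannot tell apart the new guest-wide block from the separate "master permissions required to protect" rule named in the commit description; a guest would be refused by either check. A user with a non-master but non-guest level (the suite already uses `:reporter`) attempting `put api("/projects/#{project.id}/repository/branches/new_design/protect", <reporter user>)` and expecting 403 would pin the second rule on its own. The description also mentions unprotect, but no unprotect request appears in this diff, so that path presumably remains untested for the same authorization. The enclosing describe block starts and ends outside the hunk.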