author | Marin Jankovski <marin@gitlab.com> | 2019-07-02 06:22:09 +0000 |
---|---|---|
committer | Marin Jankovski <marin@gitlab.com> | 2019-07-02 06:22:09 +0000 |
commit | 7eae0e9b529c5fb28b30857c06cd004dc5ebd74e (patch) | |
tree | 8f8193f5eeb2fb6ebf37278a881cf23e5086ef4f /spec/requests | |
parent | f66169b35c29294ecc9f63eeeedc52085d2a3fd7 (diff) | |
parent | 967cbd083492f72ef59ddc9a98d7f67a7fe85d21 (diff) | |
download | gitlab-ce-7eae0e9b529c5fb28b30857c06cd004dc5ebd74e.tar.gz |
Merge branch 'security-bvl-enforce-graphql-type-authorization' into 'master'
Fix type authorizations in GraphQL
See merge request gitlab/gitlabhq!3170
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/api/graphql/namespace/projects_spec.rb | 4 | ||||
-rw-r--r-- | spec/requests/api/graphql/project/repository_spec.rb | 24 |
2 files changed, 25 insertions, 3 deletions
diff --git a/spec/requests/api/graphql/namespace/projects_spec.rb b/spec/requests/api/graphql/namespace/projects_spec.rb
index de1cd9586b6..63fa16c79ca 100644
--- a/spec/requests/api/graphql/namespace/projects_spec.rb
+++ b/spec/requests/api/graphql/namespace/projects_spec.rb
@@ -58,9 +58,7 @@ describe 'getting projects', :nested_groups do
 it 'finds only public projects' do
 post_graphql(query, current_user: nil)
 
- expect(graphql_data['namespace']['projects']['edges'].size).to eq(1)
- project = graphql_data['namespace']['projects']['edges'][0]['node']
- expect(project['id']).to eq(public_project.to_global_id.to_s)
+ expect(graphql_data['namespace']).to be_nil
 end
 end
 end
diff --git a/spec/requests/api/graphql/project/repository_spec.rb b/spec/requests/api/graphql/project/repository_spec.rb
index 67af612a4a0..261433a3d6a 100644
--- a/spec/requests/api/graphql/project/repository_spec.rb
+++ b/spec/requests/api/graphql/project/repository_spec.rb
@@ -34,4 +34,28 @@ describe 'getting a repository in a project' do
 expect(graphql_data['project']).to be(nil)
 end
 end
+
+ context 'when the repository is only accessible to members' do
+ let(:project) do
+ create(:project, :public, :repository, repository_access_level: ProjectFeature::PRIVATE)
+ end
+
+ it 'returns a repository for the owner' do
+ post_graphql(query, current_user: current_user)
+
+ expect(graphql_data['project']['repository']).not_to be_nil
+ end
+
+ it 'returns nil for the repository for other users' do
+ post_graphql(query, current_user: create(:user))
+
+ expect(graphql_data['project']['repository']).to be_nil
+ end
+
+ it 'returns nil for the repository for other users' do
+ post_graphql(query, current_user: nil)
+
+ expect(graphql_data['project']['repository']).to be_nil
+ end
+ end
 end
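Review bot: The example description 'finds only public projects' no longer matches its assertion: after this hunk the anonymous request is expected to get `graphql_data['namespace']` as nil, so the spec now verifies that the namespace is hidden rather than that public projects are found. Rename it to state the new contract, e.g. `it 'returns nil for the namespace when the user cannot read it' do`. With the old assertions removed there is also no example left in this block asserting that a public project is still listed for an anonymous viewer of a readable namespace; whether the namespace fixture is itself private is set up outside the hunk, so if it is, a separate example with a public namespace would preserve that coverage. The enclosing describe block starts outside the hunk.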
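Review bot: Two examples in the new context share the description 'returns nil for the repository for other users', but the second one exercises the anonymous case (`current_user: nil`), which makes failures ambiguous and hides which authorization path regressed. Rename the second to `it 'returns nil for the repository for anonymous users' do`. The owner example relies on `current_user` being the project owner, which is defined outside the hunk; if that `let` is shared with the other contexts it is worth confirming it still holds for a project created with `repository_access_level: ProjectFeature::PRIVATE`. The new assertions also use `be_nil` while the context just above uses `be(nil)`; picking one form for the file would be consistent with the rest of the spec.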