author | drew cimino <dcimino@gitlab.com> | 2019-08-21 01:42:28 -0400 |
---|---|---|
committer | drew cimino <dcimino@gitlab.com> | 2019-08-22 03:27:01 -0400 |
commit | 79b91f6739e88bd4a82a2d2efc125865116f8379 (patch) | |
tree | a9672504a8e253e07ad36b879ebbb08d0054e032 /spec | |
parent | 914bed6c7a7182a2affcd8f399e257b950e6bace (diff) | |
download | gitlab-ce-79b91f6739e88bd4a82a2d2efc125865116f8379.tar.gz |
Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
Diffstat (limited to 'spec')
-rw-r--r-- | spec/controllers/projects/merge_requests_controller_spec.rb | 60 |
1 files changed, 52 insertions, 8 deletions
diff --git a/spec/controllers/projects/merge_requests_controller_spec.rb b/spec/controllers/projects/merge_requests_controller_spec.rb
index 2408ff1177b..c89e81766b7 100644
--- a/spec/controllers/projects/merge_requests_controller_spec.rb
+++ b/spec/controllers/projects/merge_requests_controller_spec.rb
@@ -721,19 +721,63 @@ describe Projects::MergeRequestsController do
 end
 describe 'GET test_reports' do
+ let(:merge_request) do
+ create(:merge_request,
+ :with_diffs,
+ :with_merge_request_pipeline,
+ target_project: project,
+ source_project: project
+ )
+ end
+
 subject do
- get :test_reports,
- params: {
- namespace_id: project.namespace.to_param,
- project_id: project,
- id: merge_request.iid
- },
- format: :json
+ get :test_reports, params: {
+ namespace_id: project.namespace.to_param,
+ project_id: project,
+ id: merge_request.iid
+ },
+ format: :json
 end
 before do
 allow_any_instance_of(MergeRequest)
- .to receive(:compare_test_reports).and_return(comparison_status)
+ .to receive(:compare_test_reports)
+ .and_return(comparison_status)
+
+ allow_any_instance_of(MergeRequest)
+ .to receive(:actual_head_pipeline)
+ .and_return(merge_request.all_pipelines.take)
+ end
+
+ describe 'permissions on a public project with private CI/CD' do
+ let(:project) { create :project, :repository, :public, :builds_private }
+ let(:comparison_status) { { status: :parsed, data: { summary: 1 } } }
+
+ context 'while signed out' do
+ before do
+ sign_out(user)
+ end
+
+ it 'responds with a 404' do
+ subject
+
+ expect(response).to have_gitlab_http_status(404)
+ expect(response.body).to be_blank
+ end
+ end
+
+ context 'while signed in as an unrelated user' do
+ before do
+ sign_in(create(:user))
+ end
+
+ it 'responds with a 404' do
+ subject
+
+ expect(response).to have_gitlab_http_status(404)
+ expect(response.body).to be_blank
+ end
+ end
 end
 context 'when comparison is being processed' do |
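Review bot: The new `describe 'permissions on a public project with private CI/CD'` covers only the two denied cases (signed out, unrelated user), so an over-restrictive guard that returns 404 to every caller on a `:builds_private` project would still pass this spec; the same describe needs a positive example showing that a user with read access on builds still gets a 200 with the comparison payload. The `sign_out(user)` line depends on a `user` let and a sign-in that are defined outside the hunk, so that user is presumably the project member the existing examples run as — confirm before reusing it for the positive case. The existing `'when comparison is being processed'` context that follows runs against the default project, not the private-builds one, so it does not fill this gap.

```ruby
# … unchanged: let(:project) / let(:comparison_status) and the two denied-access contexts …

context 'while signed in as a user with read access on builds' do
  # assumes the outer `user` is signed in by the describe's setup and can read builds — confirm
  it 'responds with a 200' do
    subject

    expect(response).to have_gitlab_http_status(200)
  end
end
```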