author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 18:38:24 +0000 |
---|---|---|
committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 19:08:42 -0500 |
commit | 17f837267dc7e9e995885d9d161c7b035719de41 (patch) | |
tree | 86964ac47fbf6e4f2f193a261e9c82fb006a7e34 /spec | |
parent | 94ab2d5fc80d71df5637e6bbe1f5272daf6aa38c (diff) | |
Merge branch 'security-issue_51301' into 'master'
[master] Resolve: Promoting a milestone is missing an authorization check
See merge request gitlab/gitlabhq!2598
Diffstat (limited to 'spec')
-rw-r--r-- | spec/controllers/projects/milestones_controller_spec.rb | 33 | ||||
-rw-r--r-- | spec/features/milestones/user_promotes_milestone_spec.rb | 32 |
2 files changed, 59 insertions, 6 deletions
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb index ccd4fc4db3a..658aa2a6738 100644 --- a/spec/controllers/projects/milestones_controller_spec.rb +++ b/spec/controllers/projects/milestones_controller_spec.rb @@ -143,11 +143,27 @@ describe Projects::MilestonesController do end describe '#promote' do + let(:group) { create(:group) } + + before do + project.update(namespace: group) + end + + context 'when user does not have permission to promote milestone' do + before do + group.add_guest(user) + end + + it 'renders 404' do + post :promote, namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid + + expect(response).to have_gitlab_http_status(404) + end + end + context 'promotion succeeds' do before do - group = create(:group) group.add_developer(user) - milestone.project.update(namespace: group) end it 'shows group milestone' do @@ -166,12 +182,17 @@ describe Projects::MilestonesController do end end - context 'promotion fails' do - it 'shows project milestone' do + context 'when user cannot admin group milestones' do + before do + project.add_developer(user) + end + + it 'renders 404' do + project.update(namespace: user.namespace) + post :promote, namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid - expect(response).to redirect_to(project_milestone_path(project, milestone)) - expect(flash[:alert]).to eq('Promotion failed - Project does not belong to a group.') + expect(response).to have_gitlab_http_status(404) end end end diff --git a/spec/features/milestones/user_promotes_milestone_spec.rb b/spec/features/milestones/user_promotes_milestone_spec.rb new file mode 100644 index 00000000000..df1bc502134 --- /dev/null +++ b/spec/features/milestones/user_promotes_milestone_spec.rb 
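Review bot: The `context 'when user cannot admin group milestones'` in the second hunk calls `project.update(namespace: user.namespace)` before the `post :promote`, so it exercises a project with no group at all (the case the removed 'Promotion failed - Project does not belong to a group.' expectation used to cover) rather than a project developer who is outside the group. The guest case in the first hunk is the only one that leaves the project in `group`, and a group guest would presumably be refused on project-level access regardless of the group-milestone permission. A project developer with no group membership is the scenario closest to the issue title and is not pinned at controller level here; the feature spec only checks that the button is hidden. I would keep the existing context and add one that relies on the describe-level `project.update(namespace: group)` staying in place. The enclosing `describe Projects::MilestonesController` block starts before the first hunk and the file continues after the second.
```ruby
context 'when user is a project developer but not a group member' do
  before do
    project.add_developer(user)
  end

  it 'renders 404' do
    post :promote, namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid

    expect(response).to have_gitlab_http_status(404)
  end
end
```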
@@ -0,0 +1,32 @@ +require 'rails_helper' + +describe 'User promotes milestone' do + set(:group) { create(:group) } + set(:user) { create(:user) } + set(:project) { create(:project, namespace: group) } + set(:milestone) { create(:milestone, project: project) } + + context 'when user can admin group milestones' do + before do + group.add_developer(user) + sign_in(user) + visit(project_milestones_path(project)) + end + + it "shows milestone promote button" do + expect(page).to have_selector('.js-promote-project-milestone-button') + end + end + + context 'when user cannot admin group milestones' do + before do + project.add_developer(user) + sign_in(user) + visit(project_milestones_path(project)) + end + + it "does not show milestone promote button" do + expect(page).not_to have_selector('.js-promote-project-milestone-button') + end + end +end |
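Review bot: The `'when user cannot admin group milestones'` context asserts only that `.js-promote-project-milestone-button` is absent, which shows the UI hides the control but says nothing about the promote action being refused server-side, and a reader could mistake this file for the authorization coverage. A short comment above that context would keep the distinction visible, e.g. `# UI-only check: the promote action itself is enforced in the controller (see the controller spec)`. Hiding a button is not an access check, so the controller-level 404 expectations should remain the test that guards the fix.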