-rw-r--r-- | doc/api/groups.md | 2 | ||||
-rw-r--r-- | lib/api/groups.rb | 4 | ||||
-rw-r--r-- | spec/factories.rb | 1 | ||||
-rw-r--r-- | spec/requests/api/groups_spec.rb | 19 |
4 files changed, 14 insertions, 12 deletions
diff --git a/doc/api/groups.md b/doc/api/groups.md
index b5a4b05ccaf..c903a850fdd 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -35,7 +35,7 @@ Parameters:
 ## New group
-Creates a new project group. Available only for admin.
+Creates a new project group. Available only for users who can create groups.
 ```
 POST /groups
diff --git a/lib/api/groups.rb b/lib/api/groups.rb
index a92abd4b690..218cec40884 100644
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -20,7 +20,7 @@ module API
         present @groups, with: Entities::Group
       end
-      # Create group. Available only for admin
+      # Create group. Available only for users who can create groups.
       #
       # Parameters:
       #   name (required) - The name of the group
@@ -28,7 +28,7 @@ module API
       # Example Request:
       #   POST /groups
       post do
-        authenticated_as_admin!
+        authorize! :create_group, current_user
         required_attributes! [:name, :path]
         attrs = attributes_for_keys [:name, :path, :description]
diff --git a/spec/factories.rb b/spec/factories.rb
index fc103e5b133..d2b0eeea083 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -22,6 +22,7 @@ FactoryGirl.define do
     password "12345678"
     confirmed_at { Time.now }
     confirmation_token { nil }
+    can_create_group true
     trait :admin do
       admin true
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index d963dbac9f1..62b42d63fc2 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -3,8 +3,9 @@ require 'spec_helper'
 describe API::API, api: true do
   include ApiHelpers
-  let(:user1) { create(:user) }
+  let(:user1) { create(:user, can_create_group: false) }
   let(:user2) { create(:user) }
+  let(:user3) { create(:user) }
   let(:admin) { create(:admin) }
   let!(:group1) { create(:group) }
   let!(:group2) { create(:group) }
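Review bot: The replaced line in the second lib/api/groups.rb hunk drops `authenticated_as_admin!`, which was also the only explicit authentication assertion visible in this endpoint; `authorize! :create_group, current_user` covers authorization, so the `post do` block now relies on an authentication before-filter that is outside this hunk. If that filter does not apply to this route, `current_user` may be nil when `authorize!` runs and the response would depend on how `authorize!` treats a nil user rather than being a clear 401. Worth confirming the route is covered by the API's authentication filter, or keeping an explicit `authenticate!` as the first line of the block if such a helper exists here. The `post do` body continues past the end of the hunk.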
@@ -94,32 +95,32 @@ describe API::API, api: true do
   end
   describe "POST /groups" do
-    context "when authenticated as user" do
+    context "when authenticated as user without group permissions" do
       it "should not create group" do
         post api("/groups", user1), attributes_for(:group)
         expect(response.status).to eq(403)
       end
     end
-    context "when authenticated as admin" do
+    context "when authenticated as user with group permissions" do
       it "should create group" do
-        post api("/groups", admin), attributes_for(:group)
+        post api("/groups", user3), attributes_for(:group)
         expect(response.status).to eq(201)
       end
       it "should not create group, duplicate" do
-        post api("/groups", admin), {name: "Duplicate Test", path: group2.path}
+        post api("/groups", user3), {name: 'Duplicate Test', path: group2.path}
         expect(response.status).to eq(400)
         expect(response.message).to eq("Bad Request")
       end
       it "should return 400 bad request error if name not given" do
-        post api("/groups", admin), {path: group2.path}
+        post api("/groups", user3), {path: group2.path}
         expect(response.status).to eq(400)
       end
       it "should return 400 bad request error if path not given" do
-        post api("/groups", admin), { name: 'test' }
+        post api("/groups", user3), {name: 'test'}
         expect(response.status).to eq(400)
       end
     end
@@ -133,8 +134,8 @@ describe API::API, api: true do
   end
   it "should not remove a group if not an owner" do
-    user3 = create(:user)
-    group1.add_user(user3, Gitlab::Access::MASTER)
+    user4 = create(:user)
+    group1.add_user(user4, Gitlab::Access::MASTER)
     delete api("/groups/#{group1.id}", user3)
     expect(response.status).to eq(403)
   end
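Review bot: In the last hunk of spec/requests/api/groups_spec.rb the local `user3` is renamed to `user4` on the two changed lines, but the unchanged `delete api("/groups/#{group1.id}", user3)` still passes `user3`, which now resolves to the `let(:user3)` added in the first hunk — a user who is not a member of group1 at all. The example keeps passing with 403, but it no longer checks that a MASTER who is not an owner is refused, and `user4` is created and added to the group without ever being used. Change the delete line to `delete api("/groups/#{group1.id}", user4)`. Separately, the POST /groups examples now only exercise `user3`; no example still covers an admin creating a group, so a regression in the admin path of `:create_group` would go unnoticed.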