From 29ceb98b5162677601702704e89d845580372078 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Wed, 30 Nov 2016 08:11:43 +0000
Subject: Merge branch 'issue_25064' into 'security'

Ensure state param has a valid value when filtering issuables.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064

This fix makes sure we only call safe methods on issuable when filtering by state.

See merge request !2038
---
 spec/finders/issues_finder_spec.rb | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

(limited to 'spec/finders')

diff --git a/spec/finders/issues_finder_spec.rb b/spec/finders/issues_finder_spec.rb
index 40bccb8e50b..7f69e888f32 100644
--- a/spec/finders/issues_finder_spec.rb
+++ b/spec/finders/issues_finder_spec.rb
@@ -10,6 +10,7 @@ describe IssuesFinder do
   let(:issue1) { create(:issue, author: user, assignee: user, project: project1, milestone: milestone, title: 'gitlab') }
   let(:issue2) { create(:issue, author: user, assignee: user, project: project2, description: 'gitlab') }
   let(:issue3) { create(:issue, author: user2, assignee: user2, project: project2) }
+  let(:closed_issue) { create(:issue, author: user2, assignee: user2, project: project2, state: 'closed') }
   let!(:label_link) { create(:label_link, label: label, target: issue2) }
 
   before do
@@ -25,7 +26,7 @@ describe IssuesFinder do
   describe '#execute' do
     let(:search_user) { user }
     let(:params) { {} }
-    let(:issues) { IssuesFinder.new(search_user, params.merge(scope: scope, state: 'opened')).execute }
+    let(:issues) { IssuesFinder.new(search_user, params.reverse_merge(scope: scope, state: 'opened')).execute }
 
     context 'scope: all' do
       let(:scope) { 'all' }
@@ -143,6 +144,40 @@ describe IssuesFinder do
         end
       end
 
+      context 'filtering by state' do
+        context 'with opened' do
+          let(:params) { { state: 'opened' } }
+
+          it 'returns only opened issues' do
+            expect(issues).to contain_exactly(issue1, issue2, issue3)
+          end
+        end
+
+        context 'with closed' do
+          let(:params) { { state: 'closed' } }
+
+          it 'returns only closed issues' do
+            expect(issues).to contain_exactly(closed_issue)
+          end
+        end
+
+        context 'with all' do
+          let(:params) { { state: 'all' } }
+
+          it 'returns all issues' do
+            expect(issues).to contain_exactly(issue1, issue2, issue3, closed_issue)
+          end
+        end
+
+        context 'with invalid state' do
+          let(:params) { { state: 'invalid_state' } }
+
+          it 'returns all issues' do
+            expect(issues).to contain_exactly(issue1, issue2, issue3, closed_issue)
+          end
+        end
+      end
+
       context 'when the user is unauthorized' do
         let(:search_user) { nil }
 
-- 
cgit v1.2.1