From 5e9e56924a56dcb84c3ae4ae6fc308f635f39f66 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Thu, 18 Jan 2018 16:07:06 +0000
Subject: Merge branch
 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into
 'security-10-4'

[Port for security-10-4]: Makes SnippetFinder ensure feature visibility
---
 spec/requests/api/snippets_spec.rb | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'spec/requests/api/snippets_spec.rb')

diff --git a/spec/requests/api/snippets_spec.rb b/spec/requests/api/snippets_spec.rb
index 74198c8eb4f..b3e253befc6 100644
--- a/spec/requests/api/snippets_spec.rb
+++ b/spec/requests/api/snippets_spec.rb
@@ -32,6 +32,27 @@ describe API::Snippets do
       expect(json_response).to be_an Array
       expect(json_response.size).to eq(0)
     end
+
+    it 'returns 404 for non-authenticated' do
+      create(:personal_snippet, :internal)
+
+      get api("/snippets/")
+
+      expect(response).to have_gitlab_http_status(401)
+    end
+
+    it 'does not return snippets related to a project with disable feature visibility' do
+      project = create(:project)
+      create(:project_member, project: project, user: user)
+      public_snippet = create(:personal_snippet, :public, author: user, project: project)
+      project.project_feature.update_attribute(:snippets_access_level, 0)
+
+      get api("/snippets/", user)
+
+      json_response.each do |snippet|
+        expect(snippet["id"]).not_to eq(public_snippet.id)
+      end
+    end
   end
 
   describe 'GET /snippets/public' do
-- 
cgit v1.2.1