From b2f48d8c46cebcf2a576c18b661c3481b3450f3b Mon Sep 17 00:00:00 2001
From: Robert Schilling
Date: Tue, 12 Apr 2016 21:34:24 +0200
Subject: API: Return 404 if user does not have access to group
---
 spec/requests/api/groups_spec.rb | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'spec/requests/api')
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index 7383c7d11aa..083d5c459c6 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -61,7 +61,8 @@ describe API::API, api: true do
 it "should not return a group not attached to user1" do
 get api("/groups/#{group2.id}", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
 end
 end
@@ -92,7 +93,8 @@ describe API::API, api: true do
 it 'should not return a group not attached to user1' do
 get api("/groups/#{group2.path}", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
 end
 end
 end
@@ -157,7 +159,8 @@ describe API::API, api: true do
 it "should not return a group not attached to user1" do
 get api("/groups/#{group2.id}/projects", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
 end
 end
@@ -189,7 +192,8 @@ describe API::API, api: true do
 it 'should not return a group not attached to user1' do
 get api("/groups/#{group2.path}/projects", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
 end
 end
 end
@@ -247,7 +251,8 @@ describe API::API, api: true do
 it "should not remove a group not attached to user1" do
 delete api("/groups/#{group2.id}", user1)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
 end
 end
-- cgit v1.2.1
From ca40479c512f327c12adf51b47be46d75e4e333c Mon Sep 17 00:00:00 2001
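Review bot: All five hunks in this file (GET by id, GET by path, both `/projects` variants and the DELETE) pin only `expect(response.status).to eq(404)`, so a response that answers 404 yet still serialises attributes of `group2` in its body would pass and the existence leak the commit title targets would go undetected. Consider also asserting that the body `user1` receives for `group2` is identical to the body returned for a non-existent group id, so the two cases stay indistinguishable to the caller. The `describe` blocks enclosing each example start outside the hunks.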
From: Robert Schilling
Date: Wed, 13 Apr 2016 11:20:45 +0200
Subject: API: Avoid group leak while updating the group
---
 spec/requests/api/groups_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'spec/requests/api')
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index 083d5c459c6..37ddab83c30 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -135,10 +135,10 @@ describe API::API, api: true do
 end
 context 'when authenticated as an user that cannot see the group' do
- it 'returns 403 when trying to update the group' do
+ it 'returns 404 when trying to update the group' do
 put api("/groups/#{group2.id}", user1), name: new_group_name
- expect(response.status).to eq(403)
+ expect(response.status).to eq(404)
 end
 end
 end
-- cgit v1.2.1
From 4cd04443f5f69665ce1139726751af678e0e55c3 Mon Sep 17 00:00:00 2001
From: Robert Schilling
Date: Wed, 13 Apr 2016 12:10:12 +0200
Subject: Fix group_member_spec to not leak information
---
 spec/requests/api/group_members_spec.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'spec/requests/api')
diff --git a/spec/requests/api/group_members_spec.rb b/spec/requests/api/group_members_spec.rb
index 3e8b4aa1f88..96d89e69209 100644
--- a/spec/requests/api/group_members_spec.rb
+++ b/spec/requests/api/group_members_spec.rb
@@ -42,9 +42,10 @@ describe API::API, api: true do
 end
 end
- it "users not part of the group should get access error" do
+ it 'users not part of the group should get access error' do
 get api("/groups/#{group_with_members.id}/members", stranger)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
 end
 end
 end
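Review bot: The update example asserts only the status after `put api("/groups/#{group2.id}", user1), name: new_group_name`; it does not check that the new name was not applied to `group2`, which is the property a 404 here is meant to guarantee. Assuming `group2` is a persisted factory record, one extra line such as `expect(group2.reload.name).not_to eq(new_group_name)` would pin that. The DELETE example in the group_members_spec hunk of the third patch has the same gap and could likewise verify that the owner's membership still exists after the 404. The enclosing `describe` block starts outside the hunk.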
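Review bot: The rewritten `it` line still describes the outcome as 'should get access error' while the expectation beneath it now checks 404, i.e. the resource is reported as missing rather than forbidden; since the commit already touches that line to change its quoting, the wording could be aligned at the same time, e.g. `it 'users not part of the group should get 404' do`. Keeping the description in step with the asserted status makes it easier to audit that the non-revealing response is the intended one. The enclosing `describe` block starts outside the hunk.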
@@ -165,12 +166,13 @@ describe API::API, api: true do
 end
 end
- describe "DELETE /groups/:id/members/:user_id" do
- context "when not a member of the group" do
+ describe 'DELETE /groups/:id/members/:user_id' do
+ context 'when not a member of the group' do
 it "should not delete guest's membership of group_with_members" do
 random_user = create(:user)
 delete api("/groups/#{group_with_members.id}/members/#{owner.id}", random_user)
- expect(response.status).to eq(403)
+
+ expect(response.status).to eq(404)
 end
 end
-- cgit v1.2.1
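Review bot: The `describe` and `context` lines at the top of this hunk are rewritten only to swap double quotes for single quotes, in the same hunk as the 403-to-404 expectation change; bundling quote churn with a behaviour change that exists to stop an information leak makes the relevant part harder to review and to bisect later. Limiting the hunk to the `+ expect(response.status).to eq(404)` line (and the blank line before it), with the quoting tidy-up in a separate commit, would make the intent of the change self-evident. The `describe` block opened in this hunk is closed beyond it.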