kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/spec/requests/api/notes_spec.rb

430 lines
15 KiB
Ruby
Raw Normal View History

API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
require 'spec_helper'
Changed API spec files to describe the correct class Restore changes for api spec files Fix error in rspec Users Delete extra space Repositories-spec
2016-11-23 20:14:08 +00:00
describe API::Notes, api: true do
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
include ApiHelpers
let(:user) { create(:user) }
Replace many :project with :empty_projects in API specs Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-01-17 06:15:35 +00:00
let!(:project) { create(:empty_project, :public, namespace: user.namespace) }
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
let!(:issue) { create(:issue, project: project, author: user) }
Merge Request on forked projects The good: - You can do a merge request for a forked commit and it will merge properly (i.e. it does work). - Push events take into account merge requests on forked projects - Tests around merge_actions now present, spinach, and other rspec tests - Satellites now clean themselves up rather then recreate The questionable: - Events only know about target projects - Project's merge requests only hold on to MR's where they are the target - All operations performed in the satellite The bad: - Duplication between project's repositories and satellites (e.g. commits_between) (for reference: http://feedback.gitlab.com/forums/176466-general/suggestions/3456722-merge-requests-between-projects-repos) Fixes: Make test repos/satellites only create when needed -Spinach/Rspec now only initialize test directory, and setup stubs (things that are relatively cheap) -project_with_code, source_project_with_code, and target_project_with_code now create/destroy their repos individually -fixed remote removal -How to merge renders properly -Update emails to show project/branches -Edit MR doesn't set target branch -Fix some failures on editing/creating merge requests, added a test -Added back a test around merge request observer -Clean up project_transfer_spec, Remove duplicate enable/disable observers -Ensure satellite lock files are cleaned up, Attempted to add some testing around these as well -Signifant speed ups for tests -Update formatting ordering in notes_on_merge_requests -Remove wiki schema update Fixes for search/search results -Search results was using by_project for a list of projects, updated this to use in_projects -updated search results to reference the correct (target) project -udpated search results to print both sides of the merge request Change-Id: I19407990a0950945cc95d62089cbcc6262dab1a8
2013-04-25 14:15:33 +00:00
let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) }
Tests fixed
2013-03-25 07:20:14 +00:00
let!(:snippet) { create(:project_snippet, project: project, author: user) }
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
let!(:issue_note) { create(:note, noteable: issue, project: project, author: user) }
add specs for api -> merge request notes
2013-01-31 06:42:11 +00:00
let!(:merge_request_note) { create(:note, noteable: merge_request, project: project, author: user) }
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
let!(:snippet_note) { create(:note, noteable: snippet, project: project, author: user) }
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
# For testing the cross-reference of a private issue in a public issue
let(:private_user) { create(:user) }
Fix specs and rubocop warnings
2016-01-14 09:04:48 +00:00
let(:private_project) do
Replace many :project with :empty_projects in API specs Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-01-17 06:15:35 +00:00
create(:empty_project, namespace: private_user.namespace).
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
tap { |p| p.team << [private_user, :master] }
Fix specs and rubocop warnings
2016-01-14 09:04:48 +00:00
end
let(:private_issue) { create(:issue, project: private_project) }
Replace many :project with :empty_projects in API specs Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-01-17 06:15:35 +00:00
let(:ext_proj) { create(:empty_project, :public) }
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
let(:ext_issue) { create(:issue, project: ext_proj) }
Fix specs and rubocop warnings
2016-01-14 09:04:48 +00:00
let!(:cross_reference_note) do
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
create :note,
noteable: ext_issue, project: ext_proj,
Rephrase some system notes to be compatible with new system note style
2016-11-23 06:55:23 +00:00
note: "mentioned in issue #{private_issue.to_reference(ext_proj)}",
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
system: true
Fix specs and rubocop warnings
2016-01-14 09:04:48 +00:00
end
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
Rspec fixes
2013-01-04 16:50:31 +00:00
before { project.team << [user, :reporter] }
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
describe "GET /projects/:id/noteable/:noteable_id/notes" do
Add pagination headers to already paginated API resources
2016-01-14 11:08:44 +00:00
it_behaves_like 'a paginated resources' do
let(:request) { get api("/projects/#{project.id}/issues/#{issue.id}/notes", user) }
end
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
context "when noteable is an Issue" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns an array of issue notes" do
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
get api("/projects/#{project.id}/issues/#{issue.id}/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response).to be_an Array
expect(json_response.first['body']).to eq(issue_note.note)
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
end
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 404 error when issue id not found" do
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
get api("/projects/#{project.id}/issues/12345/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
end
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
Fix single note api request
2016-05-16 19:43:19 +00:00
context "and current user cannot view the notes" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns an empty array" do
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
expect(json_response).to be_an Array
expect(json_response).to be_empty
end
Fix api leaking notes when user is not authorized to read noteable
2016-05-09 22:35:37 +00:00
context "and issue is confidential" do
before { ext_issue.update_attributes(confidential: true) }
it "returns 404" do
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Fix api leaking notes when user is not authorized to read noteable
2016-05-09 22:35:37 +00:00
end
end
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
context "and current user can view the note" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns an empty array" do
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", private_user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
expect(json_response).to be_an Array
expect(json_response.first['body']).to eq(cross_reference_note.note)
end
end
end
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
end
context "when noteable is a Snippet" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns an array of snippet notes" do
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
get api("/projects/#{project.id}/snippets/#{snippet.id}/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response).to be_an Array
expect(json_response.first['body']).to eq(snippet_note.note)
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
end
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 404 error when snippet id not found" do
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
get api("/projects/#{project.id}/snippets/42/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
end
Fix api leaking notes when user is not authorized to read noteable
2016-05-09 22:35:37 +00:00
it "returns 404 when not authorized" do
get api("/projects/#{project.id}/snippets/#{snippet.id}/notes", private_user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Fix api leaking notes when user is not authorized to read noteable
2016-05-09 22:35:37 +00:00
end
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
end
add specs for api -> merge request notes
2013-01-31 06:42:11 +00:00
context "when noteable is a Merge Request" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns an array of merge_requests notes" do
add specs for api -> merge request notes
2013-01-31 06:42:11 +00:00
get api("/projects/#{project.id}/merge_requests/#{merge_request.id}/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response).to be_an Array
expect(json_response.first['body']).to eq(merge_request_note.note)
add specs for api -> merge request notes
2013-01-31 06:42:11 +00:00
end
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 404 error if merge request id not found" do
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
get api("/projects/#{project.id}/merge_requests/4444/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
end
Fix api leaking notes when user is not authorized to read noteable
2016-05-09 22:35:37 +00:00
it "returns 404 when not authorized" do
get api("/projects/#{project.id}/merge_requests/4444/notes", private_user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Fix api leaking notes when user is not authorized to read noteable
2016-05-09 22:35:37 +00:00
end
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
end
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
end
API: get a single note
2012-11-29 19:33:41 +00:00
describe "GET /projects/:id/noteable/:noteable_id/notes/:note_id" do
context "when noteable is an Issue" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns an issue note by id" do
API: get a single note
2012-11-29 19:33:41 +00:00
get api("/projects/#{project.id}/issues/#{issue.id}/notes/#{issue_note.id}", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response['body']).to eq(issue_note.note)
API: get a single note
2012-11-29 19:33:41 +00:00
end
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 404 error if issue note not found" do
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
get api("/projects/#{project.id}/issues/#{issue.id}/notes/12345", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
end
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
Fix single note api request
2016-05-16 19:43:19 +00:00
context "and current user cannot view the note" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 404 error" do
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
end
Fix single note api request
2016-05-16 19:43:19 +00:00
context "when issue is confidential" do
before { issue.update_attributes(confidential: true) }
it "returns 404" do
get api("/projects/#{project.id}/issues/#{issue.id}/notes/#{issue_note.id}", private_user)
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Fix single note api request
2016-05-16 19:43:19 +00:00
end
end
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
context "and current user can view the note" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns an issue note by id" do
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes/#{cross_reference_note.id}", private_user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Ensure the API doesn't return notes that the current user shouldn't see
2016-01-13 18:42:36 +00:00
expect(json_response['body']).to eq(cross_reference_note.note)
end
end
end
API: get a single note
2012-11-29 19:33:41 +00:00
end
context "when noteable is a Snippet" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a snippet note by id" do
API: get a single note
2012-11-29 19:33:41 +00:00
get api("/projects/#{project.id}/snippets/#{snippet.id}/notes/#{snippet_note.id}", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response['body']).to eq(snippet_note.note)
API: get a single note
2012-11-29 19:33:41 +00:00
end
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 404 error if snippet note not found" do
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
get api("/projects/#{project.id}/snippets/#{snippet.id}/notes/12345", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes.
2013-02-06 15:34:06 +00:00
end
API: get a single note
2012-11-29 19:33:41 +00:00
end
end
API: create new notes
2012-11-29 20:06:24 +00:00
describe "POST /projects/:id/noteable/:noteable_id/notes" do
context "when noteable is an Issue" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "creates a new issue note" do
API: create new notes
2012-11-29 20:06:24 +00:00
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: 'hi!'
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(201)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response['body']).to eq('hi!')
expect(json_response['author']['username']).to eq(user.username)
API: create new notes
2012-11-29 20:06:24 +00:00
end
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 400 bad request error if body not given" do
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(400)
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
end
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 401 unauthorized error if user not authenticated" do
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
post api("/projects/#{project.id}/issues/#{issue.id}/notes"), body: 'hi!'
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(401)
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
end
Allow back dating notes on creation
2016-04-05 18:04:11 +00:00
context 'when an admin or owner makes the request' do
it 'accepts the creation date to be set' do
creation_time = 2.weeks.ago
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user),
body: 'hi!', created_at: creation_time
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(201)
Allow back dating notes on creation
2016-04-05 18:04:11 +00:00
expect(json_response['body']).to eq('hi!')
expect(json_response['author']['username']).to eq(user.username)
Add a be_like_time matcher and use it in specs The amount of precision times have in databases is variable, so we need tolerances when comparing in specs. It's better to have the tolerance defined in one place than several.
2016-10-17 12:40:02 +00:00
expect(Time.parse(json_response['created_at'])).to be_like_time(creation_time)
Allow back dating notes on creation
2016-04-05 18:04:11 +00:00
end
end
Fix API notes endpoint when posting only emoji
2016-09-16 12:30:28 +00:00
Fix authored vote from notes Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-09-27 14:24:50 +00:00
context 'when the user is posting an award emoji on an issue created by someone else' do
let(:issue2) { create(:issue, project: project) }
Fix API notes endpoint when posting only emoji
2016-09-16 12:30:28 +00:00
it 'returns an award emoji' do
Fix authored vote from notes Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-09-27 14:24:50 +00:00
post api("/projects/#{project.id}/issues/#{issue2.id}/notes", user), body: ':+1:'
expect(response).to have_http_status(201)
expect(json_response['awardable_id']).to eq issue2.id
end
end
context 'when the user is posting an award emoji on his/her own issue' do
it 'creates a new issue note' do
Fix API notes endpoint when posting only emoji
2016-09-16 12:30:28 +00:00
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: ':+1:'
expect(response).to have_http_status(201)
Fix authored vote from notes Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-09-27 14:24:50 +00:00
expect(json_response['body']).to eq(':+1:')
Fix API notes endpoint when posting only emoji
2016-09-16 12:30:28 +00:00
end
end
API: create new notes
2012-11-29 20:06:24 +00:00
end
context "when noteable is a Snippet" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "creates a new snippet note" do
API: create new notes
2012-11-29 20:06:24 +00:00
post api("/projects/#{project.id}/snippets/#{snippet.id}/notes", user), body: 'hi!'
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(201)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response['body']).to eq('hi!')
expect(json_response['author']['username']).to eq(user.username)
API: create new notes
2012-11-29 20:06:24 +00:00
end
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 400 bad request error if body not given" do
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
post api("/projects/#{project.id}/snippets/#{snippet.id}/notes", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(400)
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
end
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "returns a 401 unauthorized error if user not authenticated" do
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
post api("/projects/#{project.id}/snippets/#{snippet.id}/notes"), body: 'hi!'
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(401)
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API.
2013-02-20 21:17:05 +00:00
end
end
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
Merge branch 'fix-guest-access-posting-to-notes' into 'security' Prevent users from creating notes on resources they can't access See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
2017-01-19 21:00:47 +00:00
context 'when user does not have access to read the noteable' do
it 'responds with 404' do
project = create(:empty_project, :private) { |p| p.add_guest(user) }
issue = create(:issue, :confidential, project: project)
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user),
body: 'Foo'
expect(response).to have_http_status(404)
end
end
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
context 'when user does not have access to create noteable' do
Replace many :project with :empty_projects in API specs Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-01-17 06:15:35 +00:00
let(:private_issue) { create(:issue, project: create(:empty_project, :private)) }
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
##
# We are posting to project user has access to, but we use issue id
# from a different project, see #15577
#
before do
post api("/projects/#{project.id}/issues/#{private_issue.id}/notes", user),
body: 'Hi!'
end
Update specs for creating new note without access
2016-04-25 11:19:57 +00:00
it 'responds with resource not found error' do
expect(response.status).to eq 404
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
end
it 'does not create new note' do
expect(private_issue.notes.reload).to be_empty
end
end
API: create new notes
2012-11-29 20:06:24 +00:00
end
Fixing unsafe use of Thread.current variable :current_user
2013-10-04 19:11:50 +00:00
describe "POST /projects/:id/noteable/:noteable_id/notes to test observer on create" do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it "creates an activity event when an issue note is created" do
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(Event).to receive(:create)
Fixing unsafe use of Thread.current variable :current_user
2013-10-04 19:11:50 +00:00
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: 'hi!'
end
end
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
describe 'PUT /projects/:id/noteable/:noteable_id/notes/:note_id' do
context 'when noteable is an Issue' do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it 'returns modified note' do
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
put api("/projects/#{project.id}/issues/#{issue.id}/"\
"notes/#{issue_note.id}", user), body: 'Hello!'
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response['body']).to eq('Hello!')
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
end
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it 'returns a 404 error when note id not found' do
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
put api("/projects/#{project.id}/issues/#{issue.id}/notes/12345", user),
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
body: 'Hello!'
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
end
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it 'returns a 400 bad request error if body not given' do
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
put api("/projects/#{project.id}/issues/#{issue.id}/"\
"notes/#{issue_note.id}", user)
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(400)
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
end
end
context 'when noteable is a Snippet' do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it 'returns modified note' do
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
put api("/projects/#{project.id}/snippets/#{snippet.id}/"\
"notes/#{snippet_note.id}", user), body: 'Hello!'
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response['body']).to eq('Hello!')
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
end
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it 'returns a 404 error when note id not found' do
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
put api("/projects/#{project.id}/snippets/#{snippet.id}/"\
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
"notes/12345", user), body: "Hello!"
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
end
end
context 'when noteable is a Merge Request' do
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it 'returns modified note' do
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
put api("/projects/#{project.id}/merge_requests/#{merge_request.id}/"\
"notes/#{merge_request_note.id}", user), body: 'Hello!'
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
2015-02-12 18:17:35 +00:00
expect(json_response['body']).to eq('Hello!')
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
end
adds second batch of tests changed to active tense
2016-08-01 15:00:44 +00:00
it 'returns a 404 error when note id not found' do
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
put api("/projects/#{project.id}/merge_requests/#{merge_request.id}/"\
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
"notes/12345", user), body: "Hello!"
Fix notes API calls symbol convertions
2016-05-10 19:06:02 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Implemented notes (body) patching in API.
2014-09-02 15:12:13 +00:00
end
end
end
Fix code review issues
2016-04-06 17:04:17 +00:00
describe 'DELETE /projects/:id/noteable/:noteable_id/notes/:note_id' do
Delete notes via API
2016-04-05 23:21:02 +00:00
context 'when noteable is an Issue' do
Adapt tests to new testing guidelines
2016-04-12 13:43:29 +00:00
it 'deletes a note' do
Delete notes via API
2016-04-05 23:21:02 +00:00
delete api("/projects/#{project.id}/issues/#{issue.id}/"\
"notes/#{issue_note.id}", user)
Fix code review issues
2016-04-06 17:04:17 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Fix code review issues
2016-04-06 17:04:17 +00:00
# Check if note is really deleted
delete api("/projects/#{project.id}/issues/#{issue.id}/"\
"notes/#{issue_note.id}", user)
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Delete notes via API
2016-04-05 23:21:02 +00:00
end
Adapt tests to new testing guidelines
2016-04-12 13:43:29 +00:00
it 'returns a 404 error when note id not found' do
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
delete api("/projects/#{project.id}/issues/#{issue.id}/notes/12345", user)
Fix code review issues
2016-04-06 17:04:17 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Delete notes via API
2016-04-05 23:21:02 +00:00
end
end
context 'when noteable is a Snippet' do
Adapt tests to new testing guidelines
2016-04-12 13:43:29 +00:00
it 'deletes a note' do
Delete notes via API
2016-04-05 23:21:02 +00:00
delete api("/projects/#{project.id}/snippets/#{snippet.id}/"\
"notes/#{snippet_note.id}", user)
Fix code review issues
2016-04-06 17:04:17 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Fix code review issues
2016-04-06 17:04:17 +00:00
# Check if note is really deleted
delete api("/projects/#{project.id}/snippets/#{snippet.id}/"\
"notes/#{snippet_note.id}", user)
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Delete notes via API
2016-04-05 23:21:02 +00:00
end
Adapt tests to new testing guidelines
2016-04-12 13:43:29 +00:00
it 'returns a 404 error when note id not found' do
Delete notes via API
2016-04-05 23:21:02 +00:00
delete api("/projects/#{project.id}/snippets/#{snippet.id}/"\
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
"notes/12345", user)
Fix code review issues
2016-04-06 17:04:17 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Delete notes via API
2016-04-05 23:21:02 +00:00
end
end
context 'when noteable is a Merge Request' do
Adapt tests to new testing guidelines
2016-04-12 13:43:29 +00:00
it 'deletes a note' do
Delete notes via API
2016-04-05 23:21:02 +00:00
delete api("/projects/#{project.id}/merge_requests/"\
"#{merge_request.id}/notes/#{merge_request_note.id}", user)
Fix code review issues
2016-04-06 17:04:17 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(200)
Fix code review issues
2016-04-06 17:04:17 +00:00
# Check if note is really deleted
delete api("/projects/#{project.id}/merge_requests/"\
"#{merge_request.id}/notes/#{merge_request_note.id}", user)
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Delete notes via API
2016-04-05 23:21:02 +00:00
end
Adapt tests to new testing guidelines
2016-04-12 13:43:29 +00:00
it 'returns a 404 error when note id not found' do
Delete notes via API
2016-04-05 23:21:02 +00:00
delete api("/projects/#{project.id}/merge_requests/"\
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
2016-04-26 16:55:38 +00:00
"#{merge_request.id}/notes/12345", user)
Fix code review issues
2016-04-06 17:04:17 +00:00
Use HTTP matchers if possible
2016-06-27 18:10:42 +00:00
expect(response).to have_http_status(404)
Delete notes via API
2016-04-05 23:21:02 +00:00
end
end
end
API: list wall, snippet and issue notes
2012-11-27 19:43:39 +00:00
end