gitlab-org--gitlab-foss/spec/requests/api/notes_spec.rb

require 'spec_helper'

describe API::Notes do
  let(:user) { create(:user) }
  let!(:project) { create(:project, :public, namespace: user.namespace) }
  let(:private_user) { create(:user) }

  before do
    project.add_reporter(user)
  end

  context "when noteable is an Issue" do
    let!(:issue) { create(:issue, project: project, author: user) }
    let!(:issue_note) { create(:note, noteable: issue, project: project, author: user) }

    it_behaves_like "noteable API", 'projects', 'issues', 'iid' do
      let(:parent) { project }
      let(:noteable) { issue }
      let(:note) { issue_note }
    end

    context 'when user does not have access to create noteable' do
      let(:private_issue) { create(:issue, project: create(:project, :private)) }

      ##
      # We are posting to project user has access to, but we use issue id
      # from a different project, see #15577
      #
      before do
        post api("/projects/#{private_issue.project.id}/issues/#{private_issue.iid}/notes", user),
             params: { body: 'Hi!' }
      end

      it 'responds with resource not found error' do
        expect(response.status).to eq 404
      end

      it 'does not create new note' do
        expect(private_issue.notes.reload).to be_empty
      end
    end

    context "when referencing other project" do
      # For testing the cross-reference of a private issue in a public project
      let(:private_project) do
        create(:project, namespace: private_user.namespace)
        .tap { |p| p.add_maintainer(private_user) }
      end
      let(:private_issue) { create(:issue, project: private_project) }

      let(:ext_proj)  { create(:project, :public) }
      let(:ext_issue) { create(:issue, project: ext_proj) }

      let!(:cross_reference_note) do
        create :note,
        noteable: ext_issue, project: ext_proj,
        note: "mentioned in issue #{private_issue.to_reference(ext_proj)}",
        system: true
      end

      describe "GET /projects/:id/noteable/:noteable_id/notes" do
        context "current user cannot view the notes" do
          it "returns an empty array" do
            get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes", user)

            expect(response).to have_gitlab_http_status(200)
            expect(response).to include_pagination_headers
            expect(json_response).to be_an Array
            expect(json_response).to be_empty
          end

          context "issue is confidential" do
            before do
              ext_issue.update(confidential: true)
            end

            it "returns 404" do
              get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes", user)

              expect(response).to have_gitlab_http_status(404)
            end
          end
        end

        context "current user can view the note" do
          it "returns an empty array" do
            get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes", private_user)

            expect(response).to have_gitlab_http_status(200)
            expect(response).to include_pagination_headers
            expect(json_response).to be_an Array
            expect(json_response.first['body']).to eq(cross_reference_note.note)
          end
        end
      end

      describe "GET /projects/:id/noteable/:noteable_id/notes/:note_id" do
        context "current user cannot view the notes" do
          it "returns a 404 error" do
            get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes/#{cross_reference_note.id}", user)

            expect(response).to have_gitlab_http_status(404)
          end

          context "when issue is confidential" do
            before do
              issue.update(confidential: true)
            end

            it "returns 404" do
              get api("/projects/#{project.id}/issues/#{issue.iid}/notes/#{issue_note.id}", private_user)

              expect(response).to have_gitlab_http_status(404)
            end
          end
        end

        context "current user can view the note" do
          it "returns an issue note by id" do
            get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes/#{cross_reference_note.id}", private_user)

            expect(response).to have_gitlab_http_status(200)
            expect(json_response['body']).to eq(cross_reference_note.note)
          end
        end
      end
    end
  end

  context "when noteable is a Snippet" do
    let!(:snippet) { create(:project_snippet, project: project, author: user) }
    let!(:snippet_note) { create(:note, noteable: snippet, project: project, author: user) }

    it_behaves_like "noteable API", 'projects', 'snippets', 'id' do
      let(:parent) { project }
      let(:noteable) { snippet }
      let(:note) { snippet_note }
    end
  end

  context "when noteable is a Merge Request" do
    let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) }
    let!(:merge_request_note) { create(:note, noteable: merge_request, project: project, author: user) }

    it_behaves_like "noteable API", 'projects', 'merge_requests', 'iid' do
      let(:parent) { project }
      let(:noteable) { merge_request }
      let(:note) { merge_request_note }
    end

    context 'when the merge request discussion is locked' do
      before do
        merge_request.update_attribute(:discussion_locked, true)
      end

      context 'when a user is a team member' do
        subject { post api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/notes", user), params: { body: 'Hi!' } }

        it 'returns 200 status' do
          subject

          expect(response).to have_gitlab_http_status(201)
        end

        it 'creates a new note' do
          expect { subject }.to change { Note.count }.by(1)
        end
      end

      context 'when a user is not a team member' do
        subject { post api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/notes", private_user), params: { body: 'Hi!' } }

        it 'returns 403 status' do
          subject

          expect(response).to have_gitlab_http_status(403)
        end

        it 'does not create a new note' do
          expect { subject }.not_to change { Note.count }
        end
      end
    end
  end
end
API: list wall, snippet and issue notes 2012-11-27 14:43:39 -05:00			`require 'spec_helper'`

Unnecessary "include WaitForAjax" and "include ApiHelpers" Removed all the unnecessary include of `WaitForAjax` and `ApiHelpers` in the specs. Removed unnecessary usage of `api:true` 2017-04-21 16:32:02 -04:00			`describe API::Notes do`
API: list wall, snippet and issue notes 2012-11-27 14:43:39 -05:00			`let(:user) { create(:user) }`
Change all `:empty_project` to `:project` 2017-08-02 15:55:11 -04:00			`let!(:project) { create(:project, :public, namespace: user.namespace) }`
Enable the Layout/ExtraSpacing cop Signed-off-by: Rémy Coutable <remy@rymai.me> 2019-01-16 07:09:29 -05:00			`let(:private_user) { create(:user) }`
Ensure the API doesn't return notes that the current user shouldn't see 2016-01-13 13:42:36 -05:00
Correct RSpec/SingleLineHook cop offenses 2017-06-14 14:18:56 -04:00			`before do`
Replace '.team << [user, role]' with 'add_role(user)' in specs 2017-12-22 03:18:28 -05:00			`project.add_reporter(user)`
Correct RSpec/SingleLineHook cop offenses 2017-06-14 14:18:56 -04:00			`end`
API: list wall, snippet and issue notes 2012-11-27 14:43:39 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context "when noteable is an Issue" do`
			`let!(:issue) { create(:issue, project: project, author: user) }`
			`let!(:issue_note) { create(:note, noteable: issue, project: project, author: user) }`
support ordering of project notes in notes api 2017-11-29 11:22:22 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`it_behaves_like "noteable API", 'projects', 'issues', 'iid' do`
			`let(:parent) { project }`
			`let(:noteable) { issue }`
			`let(:note) { issue_note }`
			`end`
support ordering of project notes in notes api 2017-11-29 11:22:22 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context 'when user does not have access to create noteable' do`
			`let(:private_issue) { create(:issue, project: create(:project, :private)) }`
support ordering of project notes in notes api 2017-11-29 11:22:22 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`##`
			`# We are posting to project user has access to, but we use issue id`
			`# from a different project, see #15577`
			`#`
			`before do`
			`post api("/projects/#{private_issue.project.id}/issues/#{private_issue.iid}/notes", user),`
Update specs to rails5 format Updates specs to use new rails5 format. The old format: `get :show, { some: params }, { some: headers }` The new format: `get :show, params: { some: params }, headers: { some: headers }` 2018-12-17 17:52:17 -05:00			`params: { body: 'Hi!' }`
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`end`
support ordering of project notes in notes api 2017-11-29 11:22:22 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`it 'responds with resource not found error' do`
			`expect(response.status).to eq 404`
support ordering of project notes in notes api 2017-11-29 11:22:22 -05:00			`end`

Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`it 'does not create new note' do`
			`expect(private_issue.notes.reload).to be_empty`
			`end`
			`end`
Fix notes API calls symbol convertions 2016-05-10 15:06:02 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context "when referencing other project" do`
			`# For testing the cross-reference of a private issue in a public project`
			`let(:private_project) do`
			`create(:project, namespace: private_user.namespace)`
Resolve "Rename the `Master` role to `Maintainer`" Backend 2018-07-11 10:36:08 -04:00			`.tap { \|p\| p.add_maintainer(private_user) }`
API: list wall, snippet and issue notes 2012-11-27 14:43:39 -05:00			`end`
Enable the Layout/ExtraSpacing cop Signed-off-by: Rémy Coutable <remy@rymai.me> 2019-01-16 07:09:29 -05:00			`let(:private_issue) { create(:issue, project: private_project) }`
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes. 2013-02-06 10:34:06 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`let(:ext_proj) { create(:project, :public) }`
			`let(:ext_issue) { create(:issue, project: ext_proj) }`
Fix notes API calls symbol convertions 2016-05-10 15:06:02 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`let!(:cross_reference_note) do`
			`create :note,`
			`noteable: ext_issue, project: ext_proj,`
			`note: "mentioned in issue #{private_issue.to_reference(ext_proj)}",`
			`system: true`
Status code 400 is returned if body is missing on note creation. If a note is created with a POST request via API (`/projects/:id/notes`) status code 400 is returned instead of 404. The resource itself exists but the request is incomplete. Specs added to check different status codes when accessing, creating and updating notes. 2013-02-06 10:34:06 -05:00			`end`
Ensure the API doesn't return notes that the current user shouldn't see 2016-01-13 13:42:36 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`describe "GET /projects/:id/noteable/:noteable_id/notes" do`
			`context "current user cannot view the notes" do`
			`it "returns an empty array" do`
			`get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes", user)`
Ensure the API doesn't return notes that the current user shouldn't see 2016-01-13 13:42:36 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`expect(response).to have_gitlab_http_status(200)`
			`expect(response).to include_pagination_headers`
			`expect(json_response).to be_an Array`
			`expect(json_response).to be_empty`
Correct RSpec/SingleLineHook cop offenses 2017-06-14 14:18:56 -04:00			`end`
Fix api leaking notes when user is not authorized to read noteable 2016-05-09 18:35:37 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context "issue is confidential" do`
			`before do`
Updates from `rubocop -a` 2018-07-02 06:43:06 -04:00			`ext_issue.update(confidential: true)`
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`end`
Fix notes API calls symbol convertions 2016-05-10 15:06:02 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`it "returns 404" do`
			`get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes", user)`

			`expect(response).to have_gitlab_http_status(404)`
			`end`
Fix api leaking notes when user is not authorized to read noteable 2016-05-09 18:35:37 -04:00			`end`
			`end`

Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context "current user can view the note" do`
adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it "returns an empty array" do`
API: Make the /notes endpoint work with noteable iid instead of id In API V4 all endpoints were changed so Merge Requests and Issues should be referred by iid, instead of id. Except the /notes endpoint was forgotten. So change the endpoints from: - /projects/:id/issues/:issue_id/notes - /projects/:id/merge_requests/:merge_request_id/notes To: - /projects/:id/issues/:issue_iid/notes - /projects/:id/merge_requests/:merge_request_iid/notes For Project Snippets nothing changes. 2017-03-27 09:01:45 -04:00			`get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes", private_user)`
Fix notes API calls symbol convertions 2016-05-10 15:06:02 -04:00
Refactor `have_http_status` into `have_gitlab_http_status` in the specs 2017-10-19 14:28:19 -04:00			`expect(response).to have_gitlab_http_status(200)`
Add a custom pagination matcher 2017-01-24 15:49:10 -05:00			`expect(response).to include_pagination_headers`
Ensure the API doesn't return notes that the current user shouldn't see 2016-01-13 13:42:36 -05:00			`expect(json_response).to be_an Array`
			`expect(json_response.first['body']).to eq(cross_reference_note.note)`
			`end`
			`end`
			`end`
support ordering of project notes in notes api 2017-11-29 11:22:22 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`describe "GET /projects/:id/noteable/:noteable_id/notes/:note_id" do`
			`context "current user cannot view the notes" do`
			`it "returns a 404 error" do`
			`get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes/#{cross_reference_note.id}", user)`
support ordering of project notes in notes api 2017-11-29 11:22:22 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`expect(response).to have_gitlab_http_status(404)`
Correct RSpec/SingleLineHook cop offenses 2017-06-14 14:18:56 -04:00			`end`
Fix single note api request 2016-05-16 15:43:19 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context "when issue is confidential" do`
			`before do`
Updates from `rubocop -a` 2018-07-02 06:43:06 -04:00			`issue.update(confidential: true)`
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`end`
Fix single note api request 2016-05-16 15:43:19 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`it "returns 404" do`
			`get api("/projects/#{project.id}/issues/#{issue.iid}/notes/#{issue_note.id}", private_user)`

			`expect(response).to have_gitlab_http_status(404)`
			`end`
Fix single note api request 2016-05-16 15:43:19 -04:00			`end`
			`end`

Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context "current user can view the note" do`
adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it "returns an issue note by id" do`
API: Make the /notes endpoint work with noteable iid instead of id In API V4 all endpoints were changed so Merge Requests and Issues should be referred by iid, instead of id. Except the /notes endpoint was forgotten. So change the endpoints from: - /projects/:id/issues/:issue_id/notes - /projects/:id/merge_requests/:merge_request_id/notes To: - /projects/:id/issues/:issue_iid/notes - /projects/:id/merge_requests/:merge_request_iid/notes For Project Snippets nothing changes. 2017-03-27 09:01:45 -04:00			`get api("/projects/#{ext_proj.id}/issues/#{ext_issue.iid}/notes/#{cross_reference_note.id}", private_user)`
Fix notes API calls symbol convertions 2016-05-10 15:06:02 -04:00
Refactor `have_http_status` into `have_gitlab_http_status` in the specs 2017-10-19 14:28:19 -04:00			`expect(response).to have_gitlab_http_status(200)`
Ensure the API doesn't return notes that the current user shouldn't see 2016-01-13 13:42:36 -05:00			`expect(json_response['body']).to eq(cross_reference_note.note)`
			`end`
			`end`
			`end`
API: get a single note 2012-11-29 14:33:41 -05:00			`end`
			`end`
API: create new notes 2012-11-29 15:06:24 -05:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context "when noteable is a Snippet" do`
			`let!(:snippet) { create(:project_snippet, project: project, author: user) }`
			`let!(:snippet_note) { create(:note, noteable: snippet, project: project, author: user) }`
Fix notes API calls symbol convertions 2016-05-10 15:06:02 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`it_behaves_like "noteable API", 'projects', 'snippets', 'id' do`
			`let(:parent) { project }`
			`let(:noteable) { snippet }`
			`let(:note) { snippet_note }`
API: fixes return codes for notes, documentation updated The notes API documentation updated with return codes. API now returns `400 Bad Request` if required attributes are not present. Return codes are documented now, also tested in added tests. The documentation now reflects the current state of the API. 2013-02-20 16:17:05 -05:00			`end`
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`end`
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577 2016-04-26 12:55:38 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`context "when noteable is a Merge Request" do`
			`let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) }`
			`let!(:merge_request_note) { create(:note, noteable: merge_request, project: project, author: user) }`
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577 2016-04-26 12:55:38 -04:00
Add discussion API * adds basic discussions API for issues and snippets * reorganizes notes specs (so same tests can be used for all noteable types - issues, MRs, snippets) 2018-02-28 02:48:23 -05:00			`it_behaves_like "noteable API", 'projects', 'merge_requests', 'iid' do`
			`let(:parent) { project }`
			`let(:noteable) { merge_request }`
			`let(:note) { merge_request_note }`
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577 2016-04-26 12:55:38 -04:00			`end`
Create system notes for MR too, improve doc + clean up code 2017-09-01 08:03:57 -04:00
			`context 'when the merge request discussion is locked' do`
			`before do`
			`merge_request.update_attribute(:discussion_locked, true)`
			`end`

			`context 'when a user is a team member' do`
Update specs to rails5 format Updates specs to use new rails5 format. The old format: `get :show, { some: params }, { some: headers }` The new format: `get :show, params: { some: params }, headers: { some: headers }` 2018-12-17 17:52:17 -05:00			`subject { post api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/notes", user), params: { body: 'Hi!' } }`
Create system notes for MR too, improve doc + clean up code 2017-09-01 08:03:57 -04:00
			`it 'returns 200 status' do`
			`subject`

Refactor `have_http_status` into `have_gitlab_http_status` in the specs 2017-10-19 14:28:19 -04:00			`expect(response).to have_gitlab_http_status(201)`
Create system notes for MR too, improve doc + clean up code 2017-09-01 08:03:57 -04:00			`end`

			`it 'creates a new note' do`
			`expect { subject }.to change { Note.count }.by(1)`
			`end`
			`end`

			`context 'when a user is not a team member' do`
Update specs to rails5 format Updates specs to use new rails5 format. The old format: `get :show, { some: params }, { some: headers }` The new format: `get :show, params: { some: params }, headers: { some: headers }` 2018-12-17 17:52:17 -05:00			`subject { post api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/notes", private_user), params: { body: 'Hi!' } }`
Create system notes for MR too, improve doc + clean up code 2017-09-01 08:03:57 -04:00
			`it 'returns 403 status' do`
			`subject`

Refactor `have_http_status` into `have_gitlab_http_status` in the specs 2017-10-19 14:28:19 -04:00			`expect(response).to have_gitlab_http_status(403)`
Create system notes for MR too, improve doc + clean up code 2017-09-01 08:03:57 -04:00			`end`

			`it 'does not create a new note' do`
			`expect { subject }.not_to change { Note.count }`
			`end`
			`end`
			`end`
API: create new notes 2012-11-29 15:06:24 -05:00			`end`
API: list wall, snippet and issue notes 2012-11-27 14:43:39 -05:00			`end`