2019-10-28 20:06:10 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-06-23 11:14:31 -04:00
|
|
|
require 'spec_helper'
|
|
|
|
|
2020-06-24 02:09:01 -04:00
|
|
|
RSpec.describe API::AccessRequests do
|
2020-02-17 10:09:01 -05:00
|
|
|
let_it_be(:maintainer) { create(:user) }
|
|
|
|
let_it_be(:developer) { create(:user) }
|
|
|
|
let_it_be(:access_requester) { create(:user) }
|
|
|
|
let_it_be(:stranger) { create(:user) }
|
2016-06-23 11:14:31 -04:00
|
|
|
|
2020-02-17 10:09:01 -05:00
|
|
|
let_it_be(:project) do
|
2019-10-16 08:06:32 -04:00
|
|
|
create(:project, :public, creator_id: maintainer.id, namespace: maintainer.namespace) do |project|
|
2017-12-22 03:18:28 -05:00
|
|
|
project.add_developer(developer)
|
2018-07-11 10:36:08 -04:00
|
|
|
project.add_maintainer(maintainer)
|
2016-11-11 07:51:50 -05:00
|
|
|
project.request_access(access_requester)
|
|
|
|
end
|
2016-06-23 11:14:31 -04:00
|
|
|
end
|
|
|
|
|
2020-02-17 10:09:01 -05:00
|
|
|
let_it_be(:group) do
|
2019-10-16 08:06:32 -04:00
|
|
|
create(:group, :public) do |group|
|
2016-11-11 07:51:50 -05:00
|
|
|
group.add_developer(developer)
|
2018-07-11 10:36:08 -04:00
|
|
|
group.add_owner(maintainer)
|
2016-11-11 07:51:50 -05:00
|
|
|
group.request_access(access_requester)
|
|
|
|
end
|
2016-06-23 11:14:31 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'GET /:sources/:id/access_requests' do |source_type|
|
|
|
|
context "with :sources == #{source_type.pluralize}" do
|
|
|
|
it_behaves_like 'a 404 response when source is private' do
|
|
|
|
let(:route) { get api("/#{source_type.pluralize}/#{source.id}/access_requests", stranger) }
|
|
|
|
end
|
|
|
|
|
2018-07-11 10:36:08 -04:00
|
|
|
context 'when authenticated as a non-maintainer/owner' do
|
2016-06-23 11:14:31 -04:00
|
|
|
%i[developer access_requester stranger].each do |type|
|
|
|
|
context "as a #{type}" do
|
|
|
|
it 'returns 403' do
|
|
|
|
user = public_send(type)
|
|
|
|
get api("/#{source_type.pluralize}/#{source.id}/access_requests", user)
|
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
2016-06-23 11:14:31 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-07-11 10:36:08 -04:00
|
|
|
context 'when authenticated as a maintainer/owner' do
|
2016-06-23 11:14:31 -04:00
|
|
|
it 'returns access requesters' do
|
2018-07-11 10:36:08 -04:00
|
|
|
get api("/#{source_type.pluralize}/#{source.id}/access_requests", maintainer)
|
2016-06-23 11:14:31 -04:00
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
2017-01-24 15:49:10 -05:00
|
|
|
expect(response).to include_pagination_headers
|
2016-06-23 11:14:31 -04:00
|
|
|
expect(json_response).to be_an Array
|
|
|
|
expect(json_response.size).to eq(1)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'POST /:sources/:id/access_requests' do |source_type|
|
|
|
|
context "with :sources == #{source_type.pluralize}" do
|
|
|
|
it_behaves_like 'a 404 response when source is private' do
|
|
|
|
let(:route) { post api("/#{source_type.pluralize}/#{source.id}/access_requests", stranger) }
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when authenticated as a member' do
|
2018-07-11 10:36:08 -04:00
|
|
|
%i[developer maintainer].each do |type|
|
2016-06-23 11:14:31 -04:00
|
|
|
context "as a #{type}" do
|
2016-07-28 13:28:56 -04:00
|
|
|
it 'returns 403' do
|
2016-06-23 11:14:31 -04:00
|
|
|
expect do
|
|
|
|
user = public_send(type)
|
|
|
|
post api("/#{source_type.pluralize}/#{source.id}/access_requests", user)
|
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
2016-06-23 11:14:31 -04:00
|
|
|
end.not_to change { source.requesters.count }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when authenticated as an access requester' do
|
|
|
|
it 'returns 400' do
|
|
|
|
expect do
|
|
|
|
post api("/#{source_type.pluralize}/#{source.id}/access_requests", access_requester)
|
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:bad_request)
|
2016-06-23 11:14:31 -04:00
|
|
|
end.not_to change { source.requesters.count }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when authenticated as a stranger' do
|
2016-07-28 13:28:56 -04:00
|
|
|
context "when access request is disabled for the #{source_type}" do
|
|
|
|
before do
|
2020-09-03 14:08:29 -04:00
|
|
|
source.update!(request_access_enabled: false)
|
2016-07-28 13:28:56 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns 403' do
|
|
|
|
expect do
|
|
|
|
post api("/#{source_type.pluralize}/#{source.id}/access_requests", stranger)
|
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
2016-07-28 13:28:56 -04:00
|
|
|
end.not_to change { source.requesters.count }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-06-23 11:14:31 -04:00
|
|
|
it 'returns 201' do
|
|
|
|
expect do
|
|
|
|
post api("/#{source_type.pluralize}/#{source.id}/access_requests", stranger)
|
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:created)
|
2016-06-23 11:14:31 -04:00
|
|
|
end.to change { source.requesters.count }.by(1)
|
|
|
|
|
|
|
|
# User attributes
|
|
|
|
expect(json_response['id']).to eq(stranger.id)
|
|
|
|
expect(json_response['name']).to eq(stranger.name)
|
|
|
|
expect(json_response['username']).to eq(stranger.username)
|
|
|
|
expect(json_response['state']).to eq(stranger.state)
|
|
|
|
expect(json_response['avatar_url']).to eq(stranger.avatar_url)
|
|
|
|
expect(json_response['web_url']).to eq(Gitlab::Routing.url_helpers.user_url(stranger))
|
|
|
|
|
|
|
|
# Member attributes
|
|
|
|
expect(json_response['requested_at']).to be_present
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'PUT /:sources/:id/access_requests/:user_id/approve' do |source_type|
|
|
|
|
context "with :sources == #{source_type.pluralize}" do
|
|
|
|
it_behaves_like 'a 404 response when source is private' do
|
|
|
|
let(:route) { put api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}/approve", stranger) }
|
|
|
|
end
|
|
|
|
|
2018-07-11 10:36:08 -04:00
|
|
|
context 'when authenticated as a non-maintainer/owner' do
|
2016-06-23 11:14:31 -04:00
|
|
|
%i[developer access_requester stranger].each do |type|
|
|
|
|
context "as a #{type}" do
|
|
|
|
it 'returns 403' do
|
|
|
|
user = public_send(type)
|
|
|
|
put api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}/approve", user)
|
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
2016-06-23 11:14:31 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-07-11 10:36:08 -04:00
|
|
|
context 'when authenticated as a maintainer/owner' do
|
2016-06-23 11:14:31 -04:00
|
|
|
it 'returns 201' do
|
|
|
|
expect do
|
2018-07-11 10:36:08 -04:00
|
|
|
put api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}/approve", maintainer),
|
2018-12-17 17:52:17 -05:00
|
|
|
params: { access_level: Member::MAINTAINER }
|
2016-06-23 11:14:31 -04:00
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:created)
|
2016-06-23 11:14:31 -04:00
|
|
|
end.to change { source.members.count }.by(1)
|
|
|
|
# User attributes
|
|
|
|
expect(json_response['id']).to eq(access_requester.id)
|
|
|
|
expect(json_response['name']).to eq(access_requester.name)
|
|
|
|
expect(json_response['username']).to eq(access_requester.username)
|
|
|
|
expect(json_response['state']).to eq(access_requester.state)
|
|
|
|
expect(json_response['avatar_url']).to eq(access_requester.avatar_url)
|
|
|
|
expect(json_response['web_url']).to eq(Gitlab::Routing.url_helpers.user_url(access_requester))
|
|
|
|
|
|
|
|
# Member attributes
|
2018-07-11 10:36:08 -04:00
|
|
|
expect(json_response['access_level']).to eq(Member::MAINTAINER)
|
2016-06-23 11:14:31 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'user_id does not match an existing access requester' do
|
|
|
|
it 'returns 404' do
|
|
|
|
expect do
|
2018-07-11 10:36:08 -04:00
|
|
|
put api("/#{source_type.pluralize}/#{source.id}/access_requests/#{stranger.id}/approve", maintainer)
|
2016-06-23 11:14:31 -04:00
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
2016-06-23 11:14:31 -04:00
|
|
|
end.not_to change { source.members.count }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'DELETE /:sources/:id/access_requests/:user_id' do |source_type|
|
|
|
|
context "with :sources == #{source_type.pluralize}" do
|
|
|
|
it_behaves_like 'a 404 response when source is private' do
|
|
|
|
let(:route) { delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}", stranger) }
|
|
|
|
end
|
|
|
|
|
2018-07-11 10:36:08 -04:00
|
|
|
context 'when authenticated as a non-maintainer/owner' do
|
2016-06-23 11:14:31 -04:00
|
|
|
%i[developer stranger].each do |type|
|
|
|
|
context "as a #{type}" do
|
|
|
|
it 'returns 403' do
|
|
|
|
user = public_send(type)
|
|
|
|
delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}", user)
|
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
2016-06-23 11:14:31 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when authenticated as the access requester' do
|
2016-07-28 13:31:17 -04:00
|
|
|
it 'deletes the access requester' do
|
2016-06-23 11:14:31 -04:00
|
|
|
expect do
|
|
|
|
delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}", access_requester)
|
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:no_content)
|
2016-06-23 11:14:31 -04:00
|
|
|
end.to change { source.requesters.count }.by(-1)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-07-11 10:36:08 -04:00
|
|
|
context 'when authenticated as a maintainer/owner' do
|
2016-07-28 13:31:17 -04:00
|
|
|
it 'deletes the access requester' do
|
2016-06-23 11:14:31 -04:00
|
|
|
expect do
|
2018-07-11 10:36:08 -04:00
|
|
|
delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}", maintainer)
|
2016-06-23 11:14:31 -04:00
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:no_content)
|
2016-06-23 11:14:31 -04:00
|
|
|
end.to change { source.requesters.count }.by(-1)
|
|
|
|
end
|
|
|
|
|
2016-09-16 07:37:21 -04:00
|
|
|
context 'user_id matches a member, not an access requester' do
|
2016-07-28 13:31:17 -04:00
|
|
|
it 'returns 404' do
|
|
|
|
expect do
|
2018-07-11 10:36:08 -04:00
|
|
|
delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{developer.id}", maintainer)
|
2016-07-28 13:31:17 -04:00
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
2016-07-28 13:31:17 -04:00
|
|
|
end.not_to change { source.requesters.count }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-06-23 11:14:31 -04:00
|
|
|
context 'user_id does not match an existing access requester' do
|
|
|
|
it 'returns 404' do
|
|
|
|
expect do
|
2018-07-11 10:36:08 -04:00
|
|
|
delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{stranger.id}", maintainer)
|
2016-06-23 11:14:31 -04:00
|
|
|
|
2020-02-21 07:09:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
2016-06-23 11:14:31 -04:00
|
|
|
end.not_to change { source.requesters.count }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'GET /:sources/:id/access_requests', 'project' do
|
|
|
|
let(:source) { project }
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'GET /:sources/:id/access_requests', 'group' do
|
|
|
|
let(:source) { group }
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'POST /:sources/:id/access_requests', 'project' do
|
|
|
|
let(:source) { project }
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'POST /:sources/:id/access_requests', 'group' do
|
|
|
|
let(:source) { group }
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'PUT /:sources/:id/access_requests/:user_id/approve', 'project' do
|
|
|
|
let(:source) { project }
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'PUT /:sources/:id/access_requests/:user_id/approve', 'group' do
|
|
|
|
let(:source) { group }
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'DELETE /:sources/:id/access_requests/:user_id', 'project' do
|
|
|
|
let(:source) { project }
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'DELETE /:sources/:id/access_requests/:user_id', 'group' do
|
|
|
|
let(:source) { group }
|
|
|
|
end
|
|
|
|
end
|