gitlab-org--gitlab-foss/spec/controllers/projects/todos_controller_spec.rb

require('spec_helper')

describe Projects::TodosController do
  let(:user)          { create(:user) }
  let(:project)       { create(:empty_project) }
  let(:issue)         { create(:issue, project: project) }
  let(:merge_request) { create(:merge_request, source_project: project) }

  context 'Issues' do
    describe 'POST create' do
      def go
        post :create,
          namespace_id: project.namespace,
          project_id: project,
          issuable_id: issue.id,
          issuable_type: 'issue',
          format: 'html'
      end

      context 'when authorized' do
        before do
          sign_in(user)
          project.team << [user, :developer]
        end

        it 'creates todo for issue' do
          expect do
            go
          end.to change { user.todos.count }.by(1)

          expect(response).to have_http_status(200)
        end

        it 'returns todo path and pending count' do
          go

          expect(response).to have_http_status(200)
          expect(json_response['count']).to eq 1
          expect(json_response['delete_path']).to match(/\/dashboard\/todos\/\d{1}/)
        end
      end

      context 'when not authorized for project' do
        it 'does not create todo for issue that user has no access to' do
          sign_in(user)
          expect do
            go
          end.to change { user.todos.count }.by(0)

          expect(response).to have_http_status(404)
        end

        it 'does not create todo for issue when user not logged in' do
          expect do
            go
          end.to change { user.todos.count }.by(0)

          expect(response).to have_http_status(302)
        end
      end

      context 'when not authorized for issue' do
        before do
          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
          project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
          sign_in(user)
        end

        it "doesn't create todo" do
          expect{ go }.not_to change { user.todos.count }
          expect(response).to have_http_status(404)
        end
      end
    end
  end

  context 'Merge Requests' do
    describe 'POST create' do
      def go
        post :create,
          namespace_id: project.namespace,
          project_id: project,
          issuable_id: merge_request.id,
          issuable_type: 'merge_request',
          format: 'html'
      end

      context 'when authorized' do
        before do
          sign_in(user)
          project.team << [user, :developer]
        end

        it 'creates todo for merge request' do
          expect do
            go
          end.to change { user.todos.count }.by(1)

          expect(response).to have_http_status(200)
        end

        it 'returns todo path and pending count' do
          go

          expect(response).to have_http_status(200)
          expect(json_response['count']).to eq 1
          expect(json_response['delete_path']).to match(/\/dashboard\/todos\/\d{1}/)
        end
      end

      context 'when not authorized for project' do
        it 'does not create todo for merge request user has no access to' do
          sign_in(user)
          expect do
            go
          end.to change { user.todos.count }.by(0)

          expect(response).to have_http_status(404)
        end

        it 'does not create todo for merge request user has no access to' do
          expect do
            go
          end.to change { user.todos.count }.by(0)

          expect(response).to have_http_status(302)
        end
      end

      context 'when not authorized for merge_request' do
        before do
          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
          project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
          sign_in(user)
        end

        it "doesn't create todo" do
          expect{ go }.not_to change { user.todos.count }
          expect(response).to have_http_status(404)
        end
      end
    end
  end
end
Improved manual todos Based on feedback from !4502 2016-06-17 08:01:03 +00:00			`require('spec_helper')`

			`describe Projects::TodosController do`
Added todo controller tests for merge requests 2016-06-17 08:13:21 +00:00			`let(:user) { create(:user) }`
Merge branch 'jej-fix-missing-access-check-on-issues' into 'security' Fix missing access checks on issue lookup using IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested - [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39 - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc. - [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`] - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19 - [x] Potential double render in app/controllers/projects/todos_controller.rb - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24 See merge request !2030 2016-11-18 13:51:52 +00:00			`let(:project) { create(:empty_project) }`
Added todo controller tests for merge requests 2016-06-17 08:13:21 +00:00			`let(:issue) { create(:issue, project: project) }`
			`let(:merge_request) { create(:merge_request, source_project: project) }`

			`context 'Issues' do`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`describe 'POST create' do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`def go`
			`post :create,`
Use Namespace#full_path instead of #path where appropriate 2017-02-23 23:55:01 +00:00			`namespace_id: project.namespace,`
			`project_id: project,`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`issuable_id: issue.id,`
			`issuable_type: 'issue',`
			`format: 'html'`
			`end`

Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`context 'when authorized' do`
			`before do`
			`sign_in(user)`
			`project.team << [user, :developer]`
			`end`

Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`it 'creates todo for issue' do`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`expect do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`go`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end.to change { user.todos.count }.by(1)`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00
			`it 'returns todo path and pending count' do`
			`go`

			`expect(response).to have_http_status(200)`
			`expect(json_response['count']).to eq 1`
			`expect(json_response['delete_path']).to match(/\/dashboard\/todos\/\d{1}/)`
			`end`
Added todo controller tests for merge requests 2016-06-17 08:13:21 +00:00			`end`

Merge branch 'jej-fix-missing-access-check-on-issues' into 'security' Fix missing access checks on issue lookup using IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested - [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39 - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc. - [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`] - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19 - [x] Potential double render in app/controllers/projects/todos_controller.rb - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24 See merge request !2030 2016-11-18 13:51:52 +00:00			`context 'when not authorized for project' do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`it 'does not create todo for issue that user has no access to' do`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`sign_in(user)`
			`expect do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`go`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end.to change { user.todos.count }.by(0)`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(404)`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end`

Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`it 'does not create todo for issue when user not logged in' do`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`expect do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`go`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end.to change { user.todos.count }.by(0)`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(302)`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end`
Added todo controller tests for merge requests 2016-06-17 08:13:21 +00:00			`end`
Merge branch 'jej-fix-missing-access-check-on-issues' into 'security' Fix missing access checks on issue lookup using IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested - [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39 - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc. - [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`] - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19 - [x] Potential double render in app/controllers/projects/todos_controller.rb - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24 See merge request !2030 2016-11-18 13:51:52 +00:00
			`context 'when not authorized for issue' do`
			`before do`
			`project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)`
			`project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)`
			`sign_in(user)`
			`end`

			`it "doesn't create todo" do`
			`expect{ go }.not_to change { user.todos.count }`
			`expect(response).to have_http_status(404)`
			`end`
			`end`
Improved manual todos Based on feedback from !4502 2016-06-17 08:01:03 +00:00			`end`
			`end`

Added todo controller tests for merge requests 2016-06-17 08:13:21 +00:00			`context 'Merge Requests' do`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`describe 'POST create' do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`def go`
			`post :create,`
Use Namespace#full_path instead of #path where appropriate 2017-02-23 23:55:01 +00:00			`namespace_id: project.namespace,`
			`project_id: project,`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`issuable_id: merge_request.id,`
			`issuable_type: 'merge_request',`
			`format: 'html'`
			`end`

Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`context 'when authorized' do`
			`before do`
			`sign_in(user)`
			`project.team << [user, :developer]`
			`end`

Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`it 'creates todo for merge request' do`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`expect do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`go`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end.to change { user.todos.count }.by(1)`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00
			`it 'returns todo path and pending count' do`
			`go`

			`expect(response).to have_http_status(200)`
			`expect(json_response['count']).to eq 1`
			`expect(json_response['delete_path']).to match(/\/dashboard\/todos\/\d{1}/)`
			`end`
Added todo controller tests for merge requests 2016-06-17 08:13:21 +00:00			`end`

Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' into 'security' Replace MR access checks with use of MergeRequestsFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested - [x] :bomb: app/finders/notes_finder.rb:17 - [x] :warning: app/views/layouts/nav/_project.html.haml:80 [`.count`] - [x] :bomb: app/controllers/concerns/creates_commit.rb:84 - [x] :traffic_light: app/controllers/projects/commits_controller.rb:24 - [x] :traffic_light: app/controllers/projects/compare_controller.rb:56 - [x] :vertical_traffic_light: app/controllers/projects/discussions_controller.rb:29 - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:27 - [x] :vertical_traffic_light: app/models/commit.rb:268 - [x] :white_check_mark: lib/gitlab/search_results.rb:71 - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)` - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`. - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?` See merge request !2033 2016-11-29 13:47:43 +00:00			`context 'when not authorized for project' do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`it 'does not create todo for merge request user has no access to' do`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`sign_in(user)`
			`expect do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`go`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end.to change { user.todos.count }.by(0)`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(404)`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end`

Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`it 'does not create todo for merge request user has no access to' do`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`expect do`
Cache todos pending/done dashboard query counts 2016-07-11 06:10:04 +00:00			`go`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end.to change { user.todos.count }.by(0)`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(302)`
Removed update method Re-structured controller spec Renamed issuable param to issuable_id 2016-06-17 17:31:37 +00:00			`end`
Added todo controller tests for merge requests 2016-06-17 08:13:21 +00:00			`end`
Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' into 'security' Replace MR access checks with use of MergeRequestsFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested - [x] :bomb: app/finders/notes_finder.rb:17 - [x] :warning: app/views/layouts/nav/_project.html.haml:80 [`.count`] - [x] :bomb: app/controllers/concerns/creates_commit.rb:84 - [x] :traffic_light: app/controllers/projects/commits_controller.rb:24 - [x] :traffic_light: app/controllers/projects/compare_controller.rb:56 - [x] :vertical_traffic_light: app/controllers/projects/discussions_controller.rb:29 - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:27 - [x] :vertical_traffic_light: app/models/commit.rb:268 - [x] :white_check_mark: lib/gitlab/search_results.rb:71 - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)` - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`. - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?` See merge request !2033 2016-11-29 13:47:43 +00:00
			`context 'when not authorized for merge_request' do`
			`before do`
			`project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)`
			`project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)`
			`sign_in(user)`
			`end`

			`it "doesn't create todo" do`
			`expect{ go }.not_to change { user.todos.count }`
			`expect(response).to have_http_status(404)`
			`end`
			`end`
Correctly checks if user is logged in when adding todo 2016-06-17 08:06:00 +00:00			`end`
			`end`
Improved manual todos Based on feedback from !4502 2016-06-17 08:01:03 +00:00			`end`