gitlab-org--gitlab-foss/spec/requests/api/groups_spec.rb

require 'spec_helper'

describe API::API, api: true  do
  include ApiHelpers

  let(:user1) { create(:user, can_create_group: false) }
  let(:user2) { create(:user) }
  let(:user3) { create(:user) }
  let(:admin) { create(:admin) }
  let!(:group1) { create(:group) }
  let!(:group2) { create(:group) }

  before do
    group1.add_owner(user1)
    group2.add_owner(user2)
  end

  describe "GET /groups" do
    context "when unauthenticated" do
      it "should return authentication error" do
        get api("/groups")
        expect(response.status).to eq(401)
      end
    end

    context "when authenticated as user" do
      it "normal user: should return an array of groups of user1" do
        get api("/groups", user1)
        expect(response.status).to eq(200)
        expect(json_response).to be_an Array
        expect(json_response.length).to eq(1)
        expect(json_response.first['name']).to eq(group1.name)
      end
    end

    context "when authenticated as  admin" do
      it "admin: should return an array of all groups" do
        get api("/groups", admin)
        expect(response.status).to eq(200)
        expect(json_response).to be_an Array
        expect(json_response.length).to eq(2)
      end
    end
  end

  describe "GET /groups/:id" do
    context "when authenticated as user" do
      it "should return one of user1's groups" do
        get api("/groups/#{group1.id}", user1)
        expect(response.status).to eq(200)
        json_response['name'] == group1.name
      end

      it "should not return a non existing group" do
        get api("/groups/1328", user1)
        expect(response.status).to eq(404)
      end

      it "should not return a group not attached to user1" do
        get api("/groups/#{group2.id}", user1)
        expect(response.status).to eq(403)
      end
    end

    context "when authenticated as admin" do
      it "should return any existing group" do
        get api("/groups/#{group2.id}", admin)
        expect(response.status).to eq(200)
        json_response['name'] == group2.name
      end

      it "should not return a non existing group" do
        get api("/groups/1328", admin)
        expect(response.status).to eq(404)
      end
    end

    context 'when using group path in URL' do
      it 'should return any existing group' do
        get api("/groups/#{group1.path}", admin)
        expect(response.status).to eq(200)
        json_response['name'] == group2.name
      end

      it 'should not return a non existing group' do
        get api('/groups/unknown', admin)
        expect(response.status).to eq(404)
      end

      it 'should not return a group not attached to user1' do
        get api("/groups/#{group2.path}", user1)
        expect(response.status).to eq(403)
      end
    end
  end

  describe "POST /groups" do
    context "when authenticated as user without group permissions" do
      it "should not create group" do
        post api("/groups", user1), attributes_for(:group)
        expect(response.status).to eq(403)
      end
    end

    context "when authenticated as user with group permissions" do
      it "should create group" do
        post api("/groups", user3), attributes_for(:group)
        expect(response.status).to eq(201)
      end

      it "should not create group, duplicate" do
        post api("/groups", user3), {name: 'Duplicate Test', path: group2.path}
        expect(response.status).to eq(400)
        expect(response.message).to eq("Bad Request")
      end

      it "should return 400 bad request error if name not given" do
        post api("/groups", user3), {path: group2.path}
        expect(response.status).to eq(400)
      end

      it "should return 400 bad request error if path not given" do
        post api("/groups", user3), {name: 'test'}
        expect(response.status).to eq(400)
      end
    end
  end

  describe "DELETE /groups/:id" do
    context "when authenticated as user" do
      it "should remove group" do
        delete api("/groups/#{group1.id}", user1)
        expect(response.status).to eq(200)
      end

      it "should not remove a group if not an owner" do
        user4 = create(:user)
        group1.add_user(user4, Gitlab::Access::MASTER)
        delete api("/groups/#{group1.id}", user3)
        expect(response.status).to eq(403)
      end

      it "should not remove a non existing group" do
        delete api("/groups/1328", user1)
        expect(response.status).to eq(404)
      end

      it "should not remove a group not attached to user1" do
        delete api("/groups/#{group2.id}", user1)
        expect(response.status).to eq(403)
      end
    end

    context "when authenticated as admin" do
      it "should remove any existing group" do
        delete api("/groups/#{group2.id}", admin)
        expect(response.status).to eq(200)
      end

      it "should not remove a non existing group" do
        delete api("/groups/1328", admin)
        expect(response.status).to eq(404)
      end
    end
  end

  describe "POST /groups/:id/projects/:project_id" do
    let(:project) { create(:project) }
    before(:each) do
      Projects::TransferService.any_instance.stub(execute: true)
      allow(Project).to receive(:find).and_return(project)
    end

    context "when authenticated as user" do
      it "should not transfer project to group" do
        post api("/groups/#{group1.id}/projects/#{project.id}", user2)
        expect(response.status).to eq(403)
      end
    end

    context "when authenticated as admin" do
      it "should transfer project to group" do
        post api("/groups/#{group1.id}/projects/#{project.id}", admin)
        expect(response.status).to eq(201)
      end
    end
  end
end
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`require 'spec_helper'`

Added API testing group 2014-04-11 19:45:56 +00:00			`describe API::API, api: true do`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`include ApiHelpers`

Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`let(:user1) { create(:user, can_create_group: false) }`
Add group membership api Change-Id: I5b174bba02856ede788dcb51ec9b0d598ea7d0df 2013-09-04 15:19:03 +00:00			`let(:user2) { create(:user) }`
Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`let(:user3) { create(:user) }`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`let(:admin) { create(:admin) }`
Ignore owner_id for Group in tests 2013-09-26 11:52:17 +00:00			`let!(:group1) { create(:group) }`
			`let!(:group2) { create(:group) }`

			`before do`
			`group1.add_owner(user1)`
			`group2.add_owner(user2)`
			`end`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00
			`describe "GET /groups" do`
			`context "when unauthenticated" do`
			`it "should return authentication error" do`
			`get api("/groups")`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(401)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
			`end`

			`context "when authenticated as user" do`
			`it "normal user: should return an array of groups of user1" do`
			`get api("/groups", user1)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(200)`
			`expect(json_response).to be_an Array`
			`expect(json_response.length).to eq(1)`
			`expect(json_response.first['name']).to eq(group1.name)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
			`end`
remove trailing spaces 2013-03-20 21:46:30 +00:00
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`context "when authenticated as admin" do`
			`it "admin: should return an array of all groups" do`
			`get api("/groups", admin)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(200)`
			`expect(json_response).to be_an Array`
			`expect(json_response.length).to eq(2)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
			`end`
			`end`
remove trailing spaces 2013-03-20 21:46:30 +00:00
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`describe "GET /groups/:id" do`
			`context "when authenticated as user" do`
			`it "should return one of user1's groups" do`
			`get api("/groups/#{group1.id}", user1)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(200)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`json_response['name'] == group1.name`
			`end`
remove trailing spaces 2013-03-20 21:46:30 +00:00
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`it "should not return a non existing group" do`
			`get api("/groups/1328", user1)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(404)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
remove trailing spaces 2013-03-20 21:46:30 +00:00
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`it "should not return a group not attached to user1" do`
			`get api("/groups/#{group2.id}", user1)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(403)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
			`end`
remove trailing spaces 2013-03-20 21:46:30 +00:00
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`context "when authenticated as admin" do`
			`it "should return any existing group" do`
			`get api("/groups/#{group2.id}", admin)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(200)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`json_response['name'] == group2.name`
			`end`
remove trailing spaces 2013-03-20 21:46:30 +00:00
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`it "should not return a non existing group" do`
			`get api("/groups/1328", admin)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(404)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
			`end`
Acces groups with their path in API 2015-01-30 09:46:08 +00:00
			`context 'when using group path in URL' do`
			`it 'should return any existing group' do`
			`get api("/groups/#{group1.path}", admin)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(200)`
Acces groups with their path in API 2015-01-30 09:46:08 +00:00			`json_response['name'] == group2.name`
			`end`

			`it 'should not return a non existing group' do`
			`get api('/groups/unknown', admin)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(404)`
Acces groups with their path in API 2015-01-30 09:46:08 +00:00			`end`

			`it 'should not return a group not attached to user1' do`
			`get api("/groups/#{group2.path}", user1)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(403)`
Acces groups with their path in API 2015-01-30 09:46:08 +00:00			`end`
			`end`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
remove trailing spaces 2013-03-20 21:46:30 +00:00
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`describe "POST /groups" do`
Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`context "when authenticated as user without group permissions" do`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`it "should not create group" do`
			`post api("/groups", user1), attributes_for(:group)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(403)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
			`end`
remove trailing spaces 2013-03-20 21:46:30 +00:00
Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`context "when authenticated as user with group permissions" do`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`it "should create group" do`
Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`post api("/groups", user3), attributes_for(:group)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(201)`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
Add test for duplicate group paths 2013-02-01 17:58:53 +00:00
			`it "should not create group, duplicate" do`
Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`post api("/groups", user3), {name: 'Duplicate Test', path: group2.path}`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(400)`
			`expect(response.message).to eq("Bad Request")`
Add test for duplicate group paths 2013-02-01 17:58:53 +00:00			`end`
API: groups documentation updated, functions return different status codes Updates the API documentation of groups with infos to return codes. The function calls in the groups API have updated documentation and return `400 Bad Request` status code if a required attribute is missing. 2013-02-27 11:34:45 +00:00
			`it "should return 400 bad request error if name not given" do`
Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`post api("/groups", user3), {path: group2.path}`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(400)`
API: groups documentation updated, functions return different status codes Updates the API documentation of groups with infos to return codes. The function calls in the groups API have updated documentation and return `400 Bad Request` status code if a required attribute is missing. 2013-02-27 11:34:45 +00:00			`end`

			`it "should return 400 bad request error if path not given" do`
Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`post api("/groups", user3), {name: 'test'}`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(400)`
API: groups documentation updated, functions return different status codes Updates the API documentation of groups with infos to return codes. The function calls in the groups API have updated documentation and return `400 Bad Request` status code if a required attribute is missing. 2013-02-27 11:34:45 +00:00			`end`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`
			`end`
Additional Admin APIs 2012-11-14 20:37:52 +00:00
Remove group api specs 2013-10-07 10:18:37 +00:00			`describe "DELETE /groups/:id" do`
			`context "when authenticated as user" do`
			`it "should remove group" do`
			`delete api("/groups/#{group1.id}", user1)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(200)`
Remove group api specs 2013-10-07 10:18:37 +00:00			`end`

			`it "should not remove a group if not an owner" do`
Fix #6417: users with group permission should be able to create groups via API 2014-08-18 22:23:02 +00:00			`user4 = create(:user)`
			`group1.add_user(user4, Gitlab::Access::MASTER)`
Remove group api specs 2013-10-07 10:18:37 +00:00			`delete api("/groups/#{group1.id}", user3)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(403)`
Remove group api specs 2013-10-07 10:18:37 +00:00			`end`

			`it "should not remove a non existing group" do`
			`delete api("/groups/1328", user1)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(404)`
Remove group api specs 2013-10-07 10:18:37 +00:00			`end`

			`it "should not remove a group not attached to user1" do`
			`delete api("/groups/#{group2.id}", user1)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(403)`
Remove group api specs 2013-10-07 10:18:37 +00:00			`end`
			`end`

			`context "when authenticated as admin" do`
			`it "should remove any existing group" do`
			`delete api("/groups/#{group2.id}", admin)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(200)`
Remove group api specs 2013-10-07 10:18:37 +00:00			`end`

			`it "should not remove a non existing group" do`
			`delete api("/groups/1328", admin)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(404)`
Remove group api specs 2013-10-07 10:18:37 +00:00			`end`
			`end`
			`end`

Additional Admin APIs 2012-11-14 20:37:52 +00:00			`describe "POST /groups/:id/projects/:project_id" do`
			`let(:project) { create(:project) }`
			`before(:each) do`
Modify specs for new project transfer code Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-05-28 16:04:18 +00:00			`Projects::TransferService.any_instance.stub(execute: true)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`allow(Project).to receive(:find).and_return(project)`
Additional Admin APIs 2012-11-14 20:37:52 +00:00			`end`

			`context "when authenticated as user" do`
			`it "should not transfer project to group" do`
			`post api("/groups/#{group1.id}/projects/#{project.id}", user2)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(403)`
Additional Admin APIs 2012-11-14 20:37:52 +00:00			`end`
			`end`

			`context "when authenticated as admin" do`
			`it "should transfer project to group" do`
			`post api("/groups/#{group1.id}/projects/#{project.id}", admin)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`expect(response.status).to eq(201)`
Additional Admin APIs 2012-11-14 20:37:52 +00:00			`end`
			`end`
			`end`
Add docs/tests for groups api 2013-02-01 13:59:22 +00:00			`end`