From 9ef50db6279d722caed1ab1e4576275428e6a94f Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Fri, 29 Apr 2016 18:56:53 +0200
Subject: [PATCH] Specify that oauth cannot push code

---
 spec/requests/git_http_spec.rb | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 20c7357cba5..14d126480a3 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -179,6 +179,25 @@ describe 'Git HTTP requests', lib: true do
     end
   end
 
+  context "when an oauth token is provided" do
+    before do
+      application = Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user)
+      @token = Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id)
+    end
+
+    it "downloads get status 200" do
+      clone_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token
+
+      expect(response.status).to eq(200)
+    end
+
+    it "uploads get status 401 (no project existence information leak)" do
+      push_get "#{project.path_with_namespace}.git", user: 'oauth2', password: @token.token
+
+      expect(response.status).to eq(401)
+    end
+  end
+
   context "when blank password attempts follow a valid login" do
     def attempt_login(include_password)
       password = include_password ? user.password : ""
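Review bot: The "downloads get status 200" example proves only that clone_get returns 200, not that the OAuth token did the authenticating; if the `project` fixture is publicly readable (its definition is not in the hunk), the same request would succeed with no credentials at all and the example would also pass with a garbage or revoked token. Add a negative control beside it, e.g. `clone_get "#{project.path_with_namespace}.git", user: 'oauth2', password: 'invalid'` followed by `expect(response.status).to eq(401)`, and consider a revoked- or expired-token variant, since the `Doorkeeper::AccessToken.create!` call in `before` sets no expiry or scope. The push example's security rationale lives only in its title; a one-line comment next to the assertion such as `# 401, not 403: a token without push rights must not learn whether the project exists` would keep the intent with the code. The enclosing `describe 'Git HTTP requests'` block and the following `context` continue outside the hunk.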