kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Dont allow guests..developers to manage group members

Browse source 
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
This commit is contained in:
Dmitriy Zaporozhets 2014-10-29 13:38:00 +02:00
parent f6491508fe
commit eea6a8a17d
No known key found for this signature in database
GPG key ID: 161B5D6A44D3D88A
2 changed files with 17 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
lib/api/group_members.rb
View file

@ -39,14 +39,18 @@ module API
# Example Request:
# POST /groups/:id/members
post ":id/members" do
group = find_group(params[:id])
authorize! :manage_group, group
required_attributes! [:user_id, :access_level]
unless validate_access_level?(params[:access_level])
render_api_error!("Wrong access level", 422)
end
group = find_group(params[:id])
if group.group_members.find_by(user_id: params[:user_id])
render_api_error!("Already exists", 409)
end
group.add_users([params[:user_id]], params[:access_level])
member = group.group_members.find_by(user_id: params[:user_id])
present member.user, with: Entities::GroupMember, group: group
@ -62,7 +66,9 @@ module API
# DELETE /groups/:id/members/:user_id
delete ":id/members/:user_id" do
group = find_group(params[:id])
member = group.group_members.find_by(user_id: params[:user_id])
authorize! :manage_group, group
member = group.group_members.find_by(user_id: params[:user_id])
if member.nil?
render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404)
else

12
spec/requests/api/group_members_spec.rb
View file

@ -115,16 +115,22 @@ describe API::API, api: true do
context "when a member of the group" do
it "should delete guest's membership of group" do
count_before=group_with_members.group_members.count
delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
expect {
delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
}.to change { group_with_members.members.count }.by(-1)
response.status.should == 200
group_with_members.group_members.count.should == count_before - 1
end
it "should return a 404 error when user id is not known" do
delete api("/groups/#{group_with_members.id}/members/1328", owner)
response.status.should == 404
end
it "should not allow guest to modify group members" do
delete api("/groups/#{group_with_members.id}/members/#{master.id}", guest)
response.status.should == 403
end
end
end
end