gitlab-org--gitlab-foss/spec/finders/user_recent_events_finder_spec.rb
Rubén Dávila c1cc4777ca Hide events from internal projects in public feed for anonymous users
This change fixes a bug where an anonymous user was able to see the
activity related to internal projects when visiting the public profile
of a user of the GitLab instance.
2018-06-12 10:02:06 -05:00


require 'spec_helper'
# Visibility spec for UserRecentEventsFinder#execute.
#
# One event is created in each of a private, an internal and a public project,
# all authored by project_owner. Each context then checks which of those events
# the finder returns for a given current_user.
describe UserRecentEventsFinder do
  # The viewer; overridden with nil in the anonymous context below.
  let(:current_user) { create(:user) }
  # Creator of all three projects and author of all three events.
  let(:project_owner) { create(:user) }

  let(:private_project) { create(:project, :private, creator: project_owner) }
  let(:internal_project) { create(:project, :internal, creator: project_owner) }
  let(:public_project) { create(:project, :public, creator: project_owner) }

  # let! so the events exist before the finder runs in every example.
  let!(:private_event) { create(:event, project: private_project, author: project_owner) }
  let!(:internal_event) { create(:event, project: internal_project, author: project_owner) }
  let!(:public_event) { create(:event, project: public_project, author: project_owner) }

  # NOTE(review): presumably the first argument is the viewing user and the
  # second is the user whose activity is listed; confirm against the finder.
  subject(:finder) { described_class.new(current_user, project_owner) }

  describe '#execute' do
    # A signed-in user who is not a member of any of the projects.
    context 'current user does not have access to projects' do
      it 'returns public and internal events' do
        events = finder.execute

        expect(events).to include(public_event, internal_event)
        # The private project's activity must not leak to a non-member.
        expect(events).not_to include(private_event)
      end
    end

    context 'when current user has access to the projects' do
      before do
        private_project.add_developer(current_user)
        internal_project.add_developer(current_user)
        public_project.add_developer(current_user)
      end

      it 'returns all the events' do
        events = finder.execute

        expect(events).to include(private_event, internal_event, public_event)
      end

      it 'does not include the events if the user cannot read cross project' do
        # Deny :read_cross_project for this user; the finder is then expected
        # to return nothing, even though the user is a member of all projects.
        expect(Ability).to receive(:allowed?)
          .with(current_user, :read_cross_project)
          .and_return(false)

        expect(finder.execute).to be_empty
      end
    end

    # Regression case for the commit this spec belongs to: an anonymous visitor
    # must not see activity from internal projects.
    context 'when current user is anonymous' do
      let(:current_user) { nil }

      it 'returns public events only' do
        # Exact equality (not include) so any extra event fails the example.
        expect(finder.execute).to eq([public_event])
      end
    end
  end
end