require 'spec_helper'

# Request specs for event redaction in the events API.
#
# A confidential issue is opened on a public project. The events endpoints are
# then queried by callers who should not be able to see that issue: an
# unauthenticated caller (user is nil) and a freshly created user.
# In both cases the endpoint must answer 200 with a single placeholder
# event whose identifying fields are all nil.
#
# NOTE(review): only the denied paths are exercised here. Whether a caller
# with access gets the unredacted event is not covered in this file; confirm
# it is pinned elsewhere so over-redaction and under-redaction are both caught.
describe 'Redacted events in API::Events' do
  # Fixture shared by both endpoints: public project, confidential issue.
  let(:project) { create(:project, :public) }
  let(:issue) { create(:issue, :confidential, project: project) }

  # Record the "issue opened" event that the endpoints are expected to redact.
  before do
    EventCreateService.new.open_issue(issue, issue.author)
  end

  # Including contexts must define `path` (endpoint under test) and `user`
  # (the caller, or nil for an unauthenticated request).
  shared_examples 'private events are redacted' do
    it 'redacts events the user does not have access to' do
      # The full redacted payload is pinned field by field, so any extra or
      # populated field fails the example instead of leaking silently.
      redacted_event = {
        'project_id' => nil,
        'action_name' => nil,
        'target_id' => nil,
        'target_iid' => nil,
        'target_type' => nil,
        'author_id' => nil,
        'target_title' => 'Confidential event',
        'created_at' => nil,
        'author_username' => nil
      }

      # The visibility check has to be consulted on an Event during the
      # request; and_call_original keeps the real implementation in play.
      expect_any_instance_of(Event).to receive(:visible_to_user?).and_call_original

      get api(path), user

      expect(response).to have_gitlab_http_status(200)
      expect(json_response).to contain_exactly(redacted_event)
    end
  end

  describe '/users/:id/events' do
    let(:path) { "/users/#{project.owner.id}/events" }

    context 'unauthenticated user views another user with private events' do
      let(:user) { nil }

      include_examples 'private events are redacted'
    end

    context 'authenticated user without access views another user with private events' do
      let(:user) { create(:user) }

      include_examples 'private events are redacted'
    end
  end

  describe '/projects/:id/events' do
    let(:path) { "/projects/#{project.id}/events" }

    context 'unauthenticated user views public project' do
      let(:user) { nil }

      include_examples 'private events are redacted'
    end

    context 'authenticated user without access views public project' do
      let(:user) { create(:user) }

      include_examples 'private events are redacted'
    end
  end
end