GitLab steht Mittwoch, den 08. Juli, zwischen 09:00 und 13:00 Uhr aufgrund von Wartungsarbeiten nicht zur Verfügung.

Commit 157c05f4 authored by Timothy Andrew's avatar Timothy Andrew

Test `/users` endpoints for the `read_user` scope.

- Test `GET` endpoints to check that the scope is allowed.
- Test `POST` endpoints to check that the scope is disallowed.
- Test both `v3` and `v4` endpoints.
parent 80c1ebaa
......@@ -50,28 +50,6 @@ describe API::Users do
end['username']).to eq(username)
end
context "scopes" do
context 'when the requesting token has the "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user']) }
it 'returns a "200" response' do
get api("/users", user, personal_access_token: token)
expect(response).to have_http_status(200)
end
end
context 'when the requesting token does not have any required scope' do
let(:token) { create(:personal_access_token, scopes: ['read_registry']) }
it 'returns a "401" response' do
get api("/users", user, personal_access_token: token)
expect(response).to have_http_status(401)
end
end
end
it "returns an array of blocked users" do
ldap_blocked_user
create(:user, state: 'blocked')
......@@ -104,6 +82,13 @@ describe API::Users do
expect(json_response.first.keys).not_to include 'is_admin'
end
context "scopes" do
let(:path) { "/users" }
let(:api_call) { method(:api) }
include_examples 'allows the "read_user" scope'
end
end
context "when admin" do
......@@ -186,6 +171,13 @@ describe API::Users do
expect(response).to have_http_status(404)
end
context "scopes" do
let(:path) { "/users/#{user.id}" }
let(:api_call) { method(:api) }
include_examples 'allows the "read_user" scope'
end
end
describe "POST /users" do
......@@ -321,16 +313,6 @@ describe API::Users do
.to eq([Gitlab::PathRegex.namespace_format_message])
end
context 'when the requesting token has the "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: admin) }
it 'returns a "401" response' do
post api("/users", admin, personal_access_token: token), attributes_for(:user, projects_limit: 3)
expect(response).to have_http_status(401)
end
end
it "is not available for non admin users" do
post api("/users", user), attributes_for(:user)
expect(response).to have_http_status(403)
......@@ -377,6 +359,14 @@ describe API::Users do
expect(json_response['identities'].first['provider']).to eq('github')
end
end
context "scopes" do
let(:user) { admin }
let(:path) { '/users' }
let(:api_call) { method(:api) }
include_examples 'does not allow the "read_user" scope'
end
end
describe "GET /users/sign_up" do
......
......@@ -67,6 +67,19 @@ describe API::V3::Users do
expect(json_response.first['title']).to eq(key.title)
end
end
context "scopes" do
let(:user) { admin }
let(:path) { "/users/#{user.id}/keys" }
let(:api_call) { method(:v3_api) }
before do
user.keys << key
user.save
end
include_examples 'allows the "read_user" scope'
end
end
describe 'GET /user/:id/emails' do
......@@ -312,5 +325,13 @@ describe API::V3::Users do
expect(json_response['is_admin']).to be_nil
end
context "scopes" do
let(:user) { admin }
let(:path) { '/users' }
let(:api_call) { method(:v3_api) }
include_examples 'does not allow the "read_user" scope'
end
end
end
shared_examples_for 'allows the "read_user" scope' do
describe 'when the requesting token has the "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
it 'returns a "200" response' do
get api_call.call(path, user, personal_access_token: token)
expect(response).to have_http_status(200)
end
end
describe 'when the requesting token does not have any required scope' do
let(:token) { create(:personal_access_token, scopes: ['read_registry'], user: user) }
it 'returns a "401" response' do
get api_call.call(path, user, personal_access_token: token)
expect(response).to have_http_status(401)
end
end
end
shared_examples_for 'does not allow the "read_user" scope' do
context 'when the requesting token has the "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
it 'returns a "401" response' do
post api_call.call(path, user, personal_access_token: token), attributes_for(:user, projects_limit: 3)
expect(response).to have_http_status(401)
end
end
end
......@@ -34,8 +34,8 @@ module ApiHelpers
end
# Temporary helper method for simplifying V3 exclusive API specs
def v3_api(path, user = nil)
api(path, user, version: 'v3')
def v3_api(path, user = nil, personal_access_token: nil)
api(path, user, version: 'v3', personal_access_token: personal_access_token)
end
def ci_api(path, user = nil)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment