Merge pull request #9066 from jirutka/fix-6417

Fix #6417: users with group permission should be able to create groups via API

Merge pull request #9066 from jirutka/fix-6417
Fix #6417: users with group permission should be able to create groups via API
a7ddff87 · Dmitriy Zaporozhets · e097812f · 9769c2d7 · a7ddff87 · a7ddff87
Commit a7ddff87 authored May 03, 2015 by Dmitriy Zaporozhets
Showing with 14 additions and 12 deletions

doc/api/groups.md doc/api/groups.md +1 -1

lib/api/groups.rb lib/api/groups.rb +2 -2

spec/factories.rb spec/factories.rb +1 -0

spec/requests/api/groups_spec.rb spec/requests/api/groups_spec.rb +10 -9

No files found.
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -35,7 +35,7 @@ Parameters:

 ## New group

-Creates a new project group. Available only for admin.
+Creates a new project group. Available only for users who can create groups.

 ```
 POST /groups

--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -20,7 +20,7 @@ module API
        present @groups, with: Entities::Group
      end

-      # Create group. Available only for admin
+      # Create group. Available only for users who can create groups.
      #
      # Parameters:
      #   name (required) - The name of the group
@@ -28,7 +28,7 @@ module API
      # Example Request:
      #   POST /groups
      post do
-        authenticated_as_admin!
+        authorize! :create_group, current_user
        required_attributes! [:name, :path]

        attrs = attributes_for_keys [:name, :path, :description]

--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -22,6 +22,7 @@ FactoryGirl.define do
    password "12345678"
    confirmed_at { Time.now }
    confirmation_token { nil }
+    can_create_group true

    trait :admin do
      admin true

--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -3,8 +3,9 @@ require 'spec_helper'
 describe API::API, api: true  do
  include ApiHelpers

-  let(:user1) { create(:user) }
+  let(:user1) { create(:user, can_create_group: false) }
  let(:user2) { create(:user) }
+  let(:user3) { create(:user) }
  let(:admin) { create(:admin) }
  let!(:group1) { create(:group) }
  let!(:group2) { create(:group) }
@@ -94,32 +95,32 @@ describe API::API, api: true  do
  end

  describe "POST /groups" do
-    context "when authenticated as user" do
+    context "when authenticated as user without group permissions" do
      it "should not create group" do
        post api("/groups", user1), attributes_for(:group)
        expect(response.status).to eq(403)
      end
    end

-    context "when authenticated as admin" do
+    context "when authenticated as user with group permissions" do
      it "should create group" do
-        post api("/groups", admin), attributes_for(:group)
+        post api("/groups", user3), attributes_for(:group)
        expect(response.status).to eq(201)
      end

      it "should not create group, duplicate" do
-        post api("/groups", admin), {name: "Duplicate Test", path: group2.path}
+        post api("/groups", user3), {name: 'Duplicate Test', path: group2.path}
        expect(response.status).to eq(400)
        expect(response.message).to eq("Bad Request")
      end

      it "should return 400 bad request error if name not given" do
-        post api("/groups", admin), {path: group2.path}
+        post api("/groups", user3), {path: group2.path}
        expect(response.status).to eq(400)
      end

      it "should return 400 bad request error if path not given" do
-        post api("/groups", admin), { name: 'test' }
+        post api("/groups", user3), {name: 'test'}
        expect(response.status).to eq(400)
      end
    end
@@ -133,8 +134,8 @@ describe API::API, api: true  do
      end

      it "should not remove a group if not an owner" do
-        user3 = create(:user)
-        group1.add_user(user3, Gitlab::Access::MASTER)
+        user4 = create(:user)
+        group1.add_user(user4, Gitlab::Access::MASTER)
        delete api("/groups/#{group1.id}", user3)
        expect(response.status).to eq(403)
      end