Commit 0b2b4ca9 authored by Sean McGivern's avatar Sean McGivern

Merge branch 'revert-65d99621' into 'master'

Revert "Merge branch '35289-remove-existence-check-in-url-constrainer' into 'master'"

See merge request gitlab-org/gitlab!19803
parents 7ca18a9b 2366c5bc
...@@ -17,7 +17,7 @@ class ApplicationController < ActionController::Base ...@@ -17,7 +17,7 @@ class ApplicationController < ActionController::Base
include Gitlab::Tracking::ControllerConcern include Gitlab::Tracking::ControllerConcern
include Gitlab::Experimentation::ControllerConcern include Gitlab::Experimentation::ControllerConcern
before_action :authenticate_user! before_action :authenticate_user!, except: [:route_not_found]
before_action :enforce_terms!, if: :should_enforce_terms? before_action :enforce_terms!, if: :should_enforce_terms?
before_action :validate_user_service_ticket! before_action :validate_user_service_ticket!
before_action :check_password_expiration before_action :check_password_expiration
...@@ -95,11 +95,13 @@ class ApplicationController < ActionController::Base ...@@ -95,11 +95,13 @@ class ApplicationController < ActionController::Base
end end
def route_not_found def route_not_found
# We need to call #authenticate_user! here because sometimes this is called from another action if current_user
# and not from our wildcard fallback route
authenticate_user!
not_found not_found
else
store_location_for(:user, request.fullpath) unless request.xhr?
redirect_to new_user_session_path, alert: I18n.t('devise.failure.unauthenticated')
end
end end
def render(*args) def render(*args)
......
---
title: Fix JSON responses returning 302 instead of 401
merge_request: 19412
author:
type: fixed
...@@ -52,7 +52,7 @@ scope(path: '*namespace_id/:project_id', ...@@ -52,7 +52,7 @@ scope(path: '*namespace_id/:project_id',
# /info/refs?service=git-receive-pack, but nothing else. # /info/refs?service=git-receive-pack, but nothing else.
# #
git_http_handshake = lambda do |request| git_http_handshake = lambda do |request|
::Constraints::ProjectUrlConstrainer.new.matches?(request) && ::Constraints::ProjectUrlConstrainer.new.matches?(request, existence_check: false) &&
(request.query_string.blank? || (request.query_string.blank? ||
request.query_string.match(/\Aservice=git-(upload|receive)-pack\z/)) request.query_string.match(/\Aservice=git-(upload|receive)-pack\z/))
end end
......
...@@ -245,6 +245,12 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -245,6 +245,12 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
post :validate_query, on: :collection post :validate_query, on: :collection
end end
end end
Gitlab.ee do
resources :alerts, constraints: { id: /\d+/ }, only: [:index, :create, :show, :update, :destroy] do
post :notify, on: :collection
end
end
end end
resources :merge_requests, concerns: :awardable, except: [:new, :create, :show], constraints: { id: /\d+/ } do resources :merge_requests, concerns: :awardable, except: [:new, :create, :show], constraints: { id: /\d+/ } do
...@@ -347,6 +353,17 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -347,6 +353,17 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
end end
end end
Gitlab.ee do
resources :path_locks, only: [:index, :destroy] do
collection do
post :toggle
end
end
get '/service_desk' => 'service_desk#show', as: :service_desk
put '/service_desk' => 'service_desk#update', as: :service_desk_refresh
end
resource :variables, only: [:show, :update] resource :variables, only: [:show, :update]
resources :triggers, only: [:index, :create, :edit, :update, :destroy] resources :triggers, only: [:index, :create, :edit, :update, :destroy]
...@@ -380,6 +397,11 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -380,6 +397,11 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
get :failures get :failures
get :status get :status
get :test_report get :test_report
Gitlab.ee do
get :security
get :licenses
end
end end
member do member do
...@@ -514,11 +536,24 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -514,11 +536,24 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
get :realtime_changes get :realtime_changes
post :create_merge_request post :create_merge_request
get :discussions, format: :json get :discussions, format: :json
Gitlab.ee do
get 'designs(/*vueroute)', to: 'issues#designs', as: :designs, format: false
end
end end
collection do collection do
post :bulk_update post :bulk_update
post :import_csv post :import_csv
Gitlab.ee do
post :export_csv
get :service_desk
end
end
Gitlab.ee do
resources :issue_links, only: [:index, :create, :destroy], as: 'links', path: 'links'
end end
end end
...@@ -594,15 +629,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -594,15 +629,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
Gitlab.ee do Gitlab.ee do
resources :managed_licenses, only: [:index, :show, :new, :create, :edit, :update, :destroy] resources :managed_licenses, only: [:index, :show, :new, :create, :edit, :update, :destroy]
end end
# Legacy routes.
# Introduced in 12.0.
# Should be removed after 12.1
Gitlab::Routing.redirect_legacy_paths(self, :settings, :branches, :tags,
:network, :graphs, :autocomplete_sources,
:project_members, :deploy_keys, :deploy_tokens,
:labels, :milestones, :services, :boards, :releases,
:forks, :group_links, :import, :avatar)
end end
resources(:projects, resources(:projects,
...@@ -627,4 +653,22 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -627,4 +653,22 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
end end
end end
end end
# Legacy routes.
# Introduced in 12.0.
# Should be removed after 12.1
scope(path: '*namespace_id',
as: :namespace,
namespace_id: Gitlab::PathRegex.full_namespace_route_regex) do
scope(path: ':project_id',
constraints: { project_id: Gitlab::PathRegex.project_route_regex },
module: :projects,
as: :project) do
Gitlab::Routing.redirect_legacy_paths(self, :settings, :branches, :tags,
:network, :graphs, :autocomplete_sources,
:project_members, :deploy_keys, :deploy_tokens,
:labels, :milestones, :services, :boards, :releases,
:forks, :group_links, :import, :avatar)
end
end
end end
# frozen_string_literal: true # frozen_string_literal: true
namespace :admin do namespace :admin do
resources :users, only: [], constraints: { id: %r{[a-zA-Z./0-9_\-]+} } do resources :users, constraints: { id: %r{[a-zA-Z./0-9_\-]+} } do
member do member do
post :reset_runners_minutes post :reset_runners_minutes
end end
......
...@@ -144,6 +144,14 @@ constraints(::Constraints::GroupUrlConstrainer.new) do ...@@ -144,6 +144,14 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
resource :roadmap, only: [:show], controller: 'roadmap' resource :roadmap, only: [:show], controller: 'roadmap'
legacy_ee_group_boards_redirect = redirect do |params, request|
path = "/groups/#{params[:group_id]}/-/boards"
path << "/#{params[:extra_params]}" if params[:extra_params].present?
path << "?#{request.query_string}" if request.query_string.present?
path
end
get 'boards(/*extra_params)', as: :legacy_ee_group_boards_redirect, to: legacy_ee_group_boards_redirect
resource :dependency_proxy, only: [:show, :update] resource :dependency_proxy, only: [:show, :update]
resources :packages, only: [:index] resources :packages, only: [:index]
end end
......
...@@ -52,18 +52,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -52,18 +52,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
end end
# End of the /-/ scope. # End of the /-/ scope.
resources :path_locks, only: [:index, :destroy] do
collection do
post :toggle
end
end
namespace :prometheus do
resources :alerts, constraints: { id: /\d+/ }, only: [:index, :create, :show, :update, :destroy] do
post :notify, on: :collection
end
end
post 'alerts/notify', to: 'alerting/notifications#create' post 'alerts/notify', to: 'alerting/notifications#create'
resource :tracing, only: [:show] resource :tracing, only: [:show]
...@@ -79,22 +67,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -79,22 +67,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
end end
end end
resources :issues, only: [], constraints: { id: /\d+/ } do
member do
get 'designs(/*vueroute)', to: 'issues#designs', as: :designs, format: false
end
collection do
post :export_csv
get :service_desk
end
resources :issue_links, only: [:index, :create, :destroy], as: 'links', path: 'links'
end
get '/service_desk' => 'service_desk#show', as: :service_desk
put '/service_desk' => 'service_desk#update', as: :service_desk_refresh
resources :merge_requests, only: [], constraints: { id: /\d+/ } do resources :merge_requests, only: [], constraints: { id: /\d+/ } do
member do member do
get :metrics_reports get :metrics_reports
...@@ -106,13 +78,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -106,13 +78,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
end end
end end
resources :pipelines, only: [] do
member do
get :security
get :licenses
end
end
resource :insights, only: [:show], trailing_slash: true do resource :insights, only: [:show], trailing_slash: true do
collection do collection do
post :query post :query
......
...@@ -56,6 +56,16 @@ describe Groups::BoardsController do ...@@ -56,6 +56,16 @@ describe Groups::BoardsController do
let(:parent) { group } let(:parent) { group }
it_behaves_like 'returns recently visited boards' it_behaves_like 'returns recently visited boards'
context 'unauthenticated' do
it 'returns a 401' do
sign_out(user)
list_boards(recent: true)
expect(response).to have_gitlab_http_status(401)
end
end
end end
describe 'GET show' do describe 'GET show' do
......
...@@ -31,6 +31,16 @@ describe Projects::BoardsController do ...@@ -31,6 +31,16 @@ describe Projects::BoardsController do
let(:parent) { project } let(:parent) { project }
it_behaves_like 'returns recently visited boards' it_behaves_like 'returns recently visited boards'
context 'unauthenticated' do
it 'returns a 302' do
sign_out(user)
list_boards(recent: true)
expect(response).to have_gitlab_http_status(302)
end
end
end end
describe 'GET show' do describe 'GET show' do
......
...@@ -41,7 +41,7 @@ describe Projects::ManagedLicensesController do ...@@ -41,7 +41,7 @@ describe Projects::ManagedLicensesController do
describe 'GET #index' do describe 'GET #index' do
subject do subject do
sign_in(user) if user allow(controller).to receive(:current_user).and_return(user)
get :index, params: { namespace_id: project.namespace.to_param, project_id: project }, format: :json get :index, params: { namespace_id: project.namespace.to_param, project_id: project }, format: :json
end end
...@@ -72,10 +72,10 @@ describe Projects::ManagedLicensesController do ...@@ -72,10 +72,10 @@ describe Projects::ManagedLicensesController do
context 'with no logged in user' do context 'with no logged in user' do
let(:user) { unlogged_user } let(:user) { unlogged_user }
it 'returns an unauthorized status' do it 'returns a redirect' do
subject subject
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:redirect)
end end
end end
...@@ -98,7 +98,7 @@ describe Projects::ManagedLicensesController do ...@@ -98,7 +98,7 @@ describe Projects::ManagedLicensesController do
describe 'GET #show' do describe 'GET #show' do
subject do subject do
sign_in(user) if user allow(controller).to receive(:current_user).and_return(user)
get :show, get :show,
params: { params: {
...@@ -122,10 +122,10 @@ describe Projects::ManagedLicensesController do ...@@ -122,10 +122,10 @@ describe Projects::ManagedLicensesController do
context 'with no logged in user' do context 'with no logged in user' do
let(:user) { unlogged_user } let(:user) { unlogged_user }
it 'returns an unauthorized status' do it 'returns a redirect' do
subject subject
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:redirect)
end end
end end
...@@ -151,7 +151,7 @@ describe Projects::ManagedLicensesController do ...@@ -151,7 +151,7 @@ describe Projects::ManagedLicensesController do
let(:user) { dev_user } let(:user) { dev_user }
subject do subject do
sign_in(user) if user allow(controller).to receive(:current_user).and_return(user)
get :show, get :show,
params: { params: {
...@@ -189,7 +189,7 @@ describe Projects::ManagedLicensesController do ...@@ -189,7 +189,7 @@ describe Projects::ManagedLicensesController do
end end
subject do subject do
sign_in(user) if user allow(controller).to receive(:current_user).and_return(user)
post :create, post :create,
params: { params: {
...@@ -235,10 +235,10 @@ describe Projects::ManagedLicensesController do ...@@ -235,10 +235,10 @@ describe Projects::ManagedLicensesController do
new_software_license_policy_attributes new_software_license_policy_attributes
end end
it 'returns an unauthorized status' do it 'returns a redirect' do
expect { subject }.not_to change { project.software_license_policies.count } expect { subject }.not_to change { project.software_license_policies.count }
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:redirect)
end end
end end
...@@ -300,7 +300,7 @@ describe Projects::ManagedLicensesController do ...@@ -300,7 +300,7 @@ describe Projects::ManagedLicensesController do
end end
subject do subject do
sign_in(user) if user allow(controller).to receive(:current_user).and_return(user)
patch :update, patch :update,
params: { params: {
...@@ -347,10 +347,10 @@ describe Projects::ManagedLicensesController do ...@@ -347,10 +347,10 @@ describe Projects::ManagedLicensesController do
new_software_license_policy_attributes new_software_license_policy_attributes
end end
it 'returns an unauthorized status' do it 'returns a redirect' do
expect { subject }.not_to change { project.software_license_policies.count } expect { subject }.not_to change { project.software_license_policies.count }
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:redirect)
end end
end end
...@@ -406,7 +406,7 @@ describe Projects::ManagedLicensesController do ...@@ -406,7 +406,7 @@ describe Projects::ManagedLicensesController do
let(:id_to_destroy) { software_license_policy.id } let(:id_to_destroy) { software_license_policy.id }
subject do subject do
sign_in(user) if user allow(controller).to receive(:current_user).and_return(user)
delete :destroy, delete :destroy,
params: { params: {
...@@ -452,10 +452,10 @@ describe Projects::ManagedLicensesController do ...@@ -452,10 +452,10 @@ describe Projects::ManagedLicensesController do
new_software_license_policy_attributes new_software_license_policy_attributes
end end
it 'returns an unauthorized status' do it 'returns a redirect' do
expect { subject }.not_to change { project.software_license_policies.count } expect { subject }.not_to change { project.software_license_policies.count }
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:redirect)
end end
end end
......
...@@ -506,10 +506,10 @@ describe Projects::Settings::OperationsController do ...@@ -506,10 +506,10 @@ describe Projects::Settings::OperationsController do
sign_out(user) sign_out(user)
end end
it 'returns unauthorized status' do it 'returns a redirect' do
reset_alerting_token reset_alerting_token
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:redirect)
end end
end end
......
...@@ -5,16 +5,6 @@ require 'spec_helper' ...@@ -5,16 +5,6 @@ require 'spec_helper'
shared_examples 'returns recently visited boards' do shared_examples 'returns recently visited boards' do
let(:boards) { create_list(:board, 8, resource_parent: parent) } let(:boards) { create_list(:board, 8, resource_parent: parent) }
context 'unauthenticated' do
it 'returns a 401' do
sign_out(user)
list_boards(recent: true)
expect(response).to have_gitlab_http_status(401)
end
end
it 'returns last 4 visited boards' do it 'returns last 4 visited boards' do
[0, 2, 5, 3, 7, 1].each_with_index do |board_index, i| [0, 2, 5, 3, 7, 1].each_with_index do |board_index, i|
visit_board(boards[board_index], Time.now + i.minutes) visit_board(boards[board_index], Time.now + i.minutes)
......
...@@ -2,12 +2,17 @@ ...@@ -2,12 +2,17 @@
module Constraints module Constraints
class ProjectUrlConstrainer class ProjectUrlConstrainer
def matches?(request) def matches?(request, existence_check: true)
namespace_path = request.params[:namespace_id] namespace_path = request.params[:namespace_id]
project_path = request.params[:project_id] || request.params[:id] project_path = request.params[:project_id] || request.params[:id]
full_path = [namespace_path, project_path].join('/') full_path = [namespace_path, project_path].join('/')
ProjectPathValidator.valid_path?(full_path) return false unless ProjectPathValidator.valid_path?(full_path)
return true unless existence_check
# We intentionally allow SELECT(*) here so result of this query can be used
# as cache for further Project.find_by_full_path calls within request
Project.find_by_full_path(full_path, follow_redirects: request.get?).present?
end end
end end
end end
...@@ -10,7 +10,7 @@ module Gitlab ...@@ -10,7 +10,7 @@ module Gitlab
RoutesNotFound = Class.new(StandardError) RoutesNotFound = Class.new(StandardError)
def draw(routes_name) def draw(routes_name)
drawn_any = draw_ee(routes_name) | draw_ce(routes_name) drawn_any = draw_ce(routes_name) | draw_ee(routes_name)
drawn_any || raise(RoutesNotFound.new("Cannot find #{routes_name}")) drawn_any || raise(RoutesNotFound.new("Cannot find #{routes_name}"))
end end
......
...@@ -186,7 +186,7 @@ describe ApplicationController do ...@@ -186,7 +186,7 @@ describe ApplicationController do
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(404)
end end
it 'redirects to login page via authenticate_user! if not authenticated' do it 'redirects to login page if not authenticated' do
get :index get :index
expect(response).to redirect_to new_user_session_path expect(response).to redirect_to new_user_session_path
......
...@@ -142,7 +142,7 @@ describe Projects::CommitsController do ...@@ -142,7 +142,7 @@ describe Projects::CommitsController do
context 'token authentication' do context 'token authentication' do
context 'public project' do context 'public project' do
it_behaves_like 'authenticates sessionless user', :show, :atom, public: true do it_behaves_like 'authenticates sessionless user', :show, :atom, { public: true, ignore_incrementing: true } do
before do before do
public_project = create(:project, :repository, :public) public_project = create(:project, :repository, :public)
...@@ -152,7 +152,7 @@ describe Projects::CommitsController do ...@@ -152,7 +152,7 @@ describe Projects::CommitsController do
end end
context 'private project' do context 'private project' do
it_behaves_like 'authenticates sessionless user', :show, :atom, public: false do it_behaves_like 'authenticates sessionless user', :show, :atom, { public: false, ignore_incrementing: true } do
before do before do
private_project = create(:project, :repository, :private) private_project = create(:project, :repository, :private)
private_project.add_maintainer(user) private_project.add_maintainer(user)
......
...@@ -146,7 +146,7 @@ describe Projects::ErrorTrackingController do ...@@ -146,7 +146,7 @@ describe Projects::ErrorTrackingController do
it 'redirects to sign-in page' do it 'redirects to sign-in page' do
post :list_projects, params: list_projects_params post :list_projects, params: list_projects_params
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:redirect)
end end
end end
......
...@@ -1441,7 +1441,7 @@ describe Projects::IssuesController do ...@@ -1441,7 +1441,7 @@ describe Projects::IssuesController do
context 'private project with token authentication' do context 'private project with token authentication' do
let(:private_project) { create(:project, :private) } let(:private_project) { create(:project, :private) }
it_behaves_like 'authenticates sessionless user', :index, :atom do it_behaves_like 'authenticates sessionless user', :index, :atom, ignore_incrementing: true do
before do before do
default_params.merge!(project_id: private_project, namespace_id: private_project.namespace) default_params.merge!(project_id: private_project, namespace_id: private_project.namespace)
...@@ -1449,7 +1449,7 @@ describe Projects::IssuesController do ...@@ -1449,7 +1449,7 @@ describe Projects::IssuesController do
end end
end end
it_behaves_like 'authenticates sessionless user', :calendar, :ics do it_behaves_like 'authenticates sessionless user', :calendar, :ics, ignore_incrementing: true do
before do before do
default_params.merge!(project_id: private_project, namespace_id: private_project.namespace) default_params.merge!(project_id: private_project, namespace_id: private_project.namespace)
......
...@@ -111,8 +111,8 @@ describe Projects::ReleasesController do ...@@ -111,8 +111,8 @@ describe Projects::ReleasesController do
context 'when the project is private and the user is not logged in' do context 'when the project is private and the user is not logged in' do
let(:project) { private_project } let(:project) { private_project }
it 'returns a 401' do it 'returns a redirect' do
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:redirect)
end end
end end
end end
......
...@@ -41,7 +41,7 @@ describe Projects::TagsController do ...@@ -41,7 +41,7 @@ describe Projects::TagsController do
context 'private project with token authentication' do context 'private project with token authentication' do
let(:private_project) { create(:project, :repository, :private) } let(:private_project) { create(:project, :repository, :private) }
it_behaves_like 'authenticates sessionless user', :index, :atom do it_behaves_like 'authenticates sessionless user', :index, :atom, ignore_incrementing: true do
before do before do
default_params.merge!(project_id: private_project, namespace_id: private_project.namespace) default_params.merge!(project_id: private_project, namespace_id: private_project.namespace)
......
...@@ -1149,7 +1149,7 @@ describe ProjectsController do ...@@ -1149,7 +1149,7 @@ describe ProjectsController do
context 'private project with token authentication' do context 'private project with token authentication' do
let(:private_project) { create(:project, :private) } let(:private_project) { create(:project, :private) }
it_behaves_like 'authenticates sessionless user', :show, :atom do it_behaves_like 'authenticates sessionless user', :show, :atom, ignore_incrementing: true do
before do before do
default_params.merge!(id: private_project, namespace_id: private_project.namespace) default_params.merge!(id: private_project, namespace_id: private_project.namespace)
......
...@@ -819,7 +819,10 @@ describe 'Pipelines', :js do ...@@ -819,7 +819,10 @@ describe 'Pipelines', :js do
context 'when project is private' do context 'when project is private' do
let(:project) { create(:project, :private, :repository) } let(:project) { create(:project, :private, :repository) }
it { expect(page).to have_content 'You need to sign in' } it 'redirects the user to sign_in and displays the flash alert' do
expect(page).to have_content 'You need to sign in'
expect(page.current_path).to eq("/users/sign_in")
end
end end
end end
......
...@@ -15,7 +15,7 @@ describe 'User views tags', :feature do ...@@ -15,7 +15,7 @@ describe 'User views tags', :feature do
it do it do
visit project_tags_path(project, format: :atom) visit project_tags_path(project, format: :atom)
expect(page).to have_gitlab_http_status(401) expect(page.current_path).to eq("/users/sign_in")
end end
end end
......
...@@ -14,15 +14,42 @@ describe Constraints::ProjectUrlConstrainer do ...@@ -14,15 +14,42 @@ describe Constraints::ProjectUrlConstrainer do
end end
context 'invalid request' do context 'invalid request' do
context "non-existing project" do
let(:request) { build_request('foo', 'bar') }
it { expect(subject.matches?(request)).to be_falsey }
context 'existence_check is false' do
it { expect(subject.matches?(request, existence_check: false)).to be_truthy }
end
end
context "project id ending with .git" do context "project id ending with .git" do
let(:request) { build_request(namespace.full_path, project.path + '.git') } let(:request) { build_request(namespace.full_path, project.path + '.git') }
it { expect(subject.matches?(request)).to be_falsey } it { expect(subject.matches?(request)).to be_falsey }
end end
end end
context 'when the request matches a redirect route' do
let(:old_project_path) { 'old_project_path' }
let!(:redirect_route) { project.redirect_routes.create!(path: "#{namespace.full_path}/#{old_project_path}") }
context 'and is a GET request' do
let(:request) { build_request(namespace.full_path, old_project_path) }
it { expect(subject.matches?(request)).to be_truthy }
end
context 'and is NOT a GET request' do
let(:request) { build_request(namespace.full_path, old_project_path, 'POST') }
it { expect(subject.matches?(request)).to be_falsey }
end
end
end end
def build_request(namespace, project) def build_request(namespace, project, method = 'GET')
double(:request, params: { namespace_id: namespace, id: project }) double(:request,
'get?': (method == 'GET'),
params: { namespace_id: namespace, id: project })
end end
end end
# frozen_string_literal: true
require 'spec_helper'
describe Projects::BlobController do
let(:project) { create(:project, :private, :repository) }
let(:namespace) { project.namespace }
context 'anonymous user views blob in inaccessible project' do
context 'with default HTML format' do
before do
get namespace_project_blob_path(namespace_id: namespace, project_id: project, id: 'master/README.md')
end
context 'when project is private' do
it { expect(response).to have_gitlab_http_status(:redirect) }
end
context 'when project does not exist' do
let(:namespace) { 'non_existent_namespace' }
let(:project) { 'non_existent_project' }
it { expect(response).to have_gitlab_http_status(:redirect) }
end
end
context 'with JSON format' do
before do
get namespace_project_blob_path(namespace_id: namespace, project_id: project, id: 'master/README.md', format: :json)
end
context 'when project is private' do
it { expect(response).to have_gitlab_http_status(:unauthorized) }
end
context 'when project does not exist' do
let(:namespace) { 'non_existent_namespace' }
let(:project) { 'non_existent_project' }
it { expect(response).to have_gitlab_http_status(:unauthorized) }
end
end
end
end
...@@ -776,6 +776,10 @@ describe 'project routing' do ...@@ -776,6 +776,10 @@ describe 'project routing' do
it 'routes when :template_type is `issue`' do it 'routes when :template_type is `issue`' do
expect(get(show_with_template_type('issue'))).to route_to('projects/templates#show', namespace_id: 'gitlab', project_id: 'gitlabhq', template_type: 'issue', key: 'template_name', format: 'json') expect(get(show_with_template_type('issue'))).to route_to('projects/templates#show', namespace_id: 'gitlab', project_id: 'gitlabhq', template_type: 'issue', key: 'template_name', format: 'json')
end end
it 'routes to application#route_not_found when :template_type is unknown' do
expect(get(show_with_template_type('invalid'))).to route_to('application#route_not_found', unmatched_route: 'gitlab/gitlabhq/templates/invalid/template_name')
end
end end
end end
......
...@@ -34,8 +34,15 @@ shared_examples 'authenticates sessionless user' do |path, format, params| ...@@ -34,8 +34,15 @@ shared_examples 'authenticates sessionless user' do |path, format, params|
context 'when the personal access token has no api scope', unless: params[:public] do context 'when the personal access token has no api scope', unless: params[:public] do
it 'does not log the user in' do it 'does not log the user in' do
# Several instances of where these specs are shared route the request
# through ApplicationController#route_not_found which does not involve
# the usual auth code from Devise, so does not increment the
# :user_unauthenticated_counter
#
unless params[:ignore_incrementing]
expect(authentication_metrics) expect(authentication_metrics)
.to increment(:user_unauthenticated_counter) .to increment(:user_unauthenticated_counter)
end
personal_access_token.update(scopes: [:read_user]) personal_access_token.update(scopes: [:read_user])
...@@ -84,8 +91,15 @@ shared_examples 'authenticates sessionless user' do |path, format, params| ...@@ -84,8 +91,15 @@ shared_examples 'authenticates sessionless user' do |path, format, params|
end end
it "doesn't log the user in otherwise", unless: params[:public] do it "doesn't log the user in otherwise", unless: params[:public] do
# Several instances of where these specs are shared route the request
# through ApplicationController#route_not_found which does not involve
# the usual auth code from Devise, so does not increment the
# :user_unauthenticated_counter
#
unless params[:ignore_incrementing]
expect(authentication_metrics) expect(authentication_metrics)
.to increment(:user_unauthenticated_counter) .to increment(:user_unauthenticated_counter)
end
get path, params: default_params.merge(private_token: 'token') get path, params: default_params.merge(private_token: 'token')
......
...@@ -39,7 +39,7 @@ shared_examples 'todos actions' do ...@@ -39,7 +39,7 @@ shared_examples 'todos actions' do
post_create post_create
end.to change { user.todos.count }.by(0) end.to change { user.todos.count }.by(0)
expect(response).to have_gitlab_http_status(parent.is_a?(Group) ? 401 : 302) expect(response).to have_gitlab_http_status(302)
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment