Commit 7ce03197 authored by Sean McGivern

Merge branch 'missing-raw-snippet-access-spec' into 'master'

Add missing security specs for raw snippet access

## What does this MR do?
It extends the project snippets access security specs to cover raw snippet paths as well.

When I was researching snippets for !7256, I noticed that specs existed for the HTML show view of project snippets but not the raw view. Seeing as this is a spec that is checking for access regressions on places where sensitive information might be kept, I thought it would be a good idea to cover the raw snippets access too.

To balance out the karma of adding in extra tests I also changed the tests to all use an `empty_project` spec.

## Are there points in the code the reviewer needs to double check?

With the aim of making the specs easier to read, I restructured some of them to use context blocks for each type of snippet.

I've used the same access rights defined for the show snippet paths for the raw snippet access. 

## Why was this MR needed?

To catch security regressions on raw snippet access for projects.

## Screenshots (if relevant)

## Does this MR meet the acceptance criteria?

- [-] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- [-] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [-] API support added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

See merge request !7300
parents ce03eba5 80a2e3a9
...@@ -3,7 +3,7 @@ require 'spec_helper' ...@@ -3,7 +3,7 @@ require 'spec_helper'
describe "Internal Project Snippets Access", feature: true do describe "Internal Project Snippets Access", feature: true do
include AccessMatchers include AccessMatchers
let(:project) { create(:project, :internal) } let(:project) { create(:empty_project, :internal) }
let(:owner) { project.owner } let(:owner) { project.owner }
let(:master) { create(:user) } let(:master) { create(:user) }
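Review bot: the switch from `create(:project, :internal)` to `create(:empty_project, :internal)` in this hunk is only safe if nothing in the file needs a repository, since `empty_project` creates none; please confirm that the `let` blocks below (`owner`, `master`, and the `internal_snippet`/`private_snippet` factories used further down) do not read from the repository. Project snippets are database records, so this should hold, and dropping the repository clone per example is the reason to keep the change.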
...@@ -48,7 +48,8 @@ describe "Internal Project Snippets Access", feature: true do ...@@ -48,7 +48,8 @@ describe "Internal Project Snippets Access", feature: true do
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/snippets/:id for an internal snippet" do describe "GET /:project_path/snippets/:id" do
context "for an internal snippet" do
subject { namespace_project_snippet_path(project.namespace, project, internal_snippet) } subject { namespace_project_snippet_path(project.namespace, project, internal_snippet) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
...@@ -62,7 +63,7 @@ describe "Internal Project Snippets Access", feature: true do ...@@ -62,7 +63,7 @@ describe "Internal Project Snippets Access", feature: true do
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/snippets/:id for a private snippet" do context "for a private snippet" do
subject { namespace_project_snippet_path(project.namespace, project, private_snippet) } subject { namespace_project_snippet_path(project.namespace, project, private_snippet) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
...@@ -75,4 +76,35 @@ describe "Internal Project Snippets Access", feature: true do ...@@ -75,4 +76,35 @@ describe "Internal Project Snippets Access", feature: true do
it { is_expected.to be_denied_for :external } it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
end
describe "GET /:project_path/snippets/:id/raw" do
context "for an internal snippet" do
subject { raw_namespace_project_snippet_path(project.namespace, project, internal_snippet) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for owner }
it { is_expected.to be_allowed_for master }
it { is_expected.to be_allowed_for developer }
it { is_expected.to be_allowed_for reporter }
it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor }
end
context "for a private snippet" do
subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for owner }
it { is_expected.to be_allowed_for master }
it { is_expected.to be_allowed_for developer }
it { is_expected.to be_allowed_for reporter }
it { is_expected.to be_allowed_for guest }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor }
end
end
end end
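Review bot: the two `/raw` contexts in this hunk repeat the nine `be_allowed_for`/`be_denied_for` lines of the `/:id` contexts above verbatim, so the HTML and raw expectation tables can drift apart silently the next time a role's access changes. A shared example group parameterised on the path helper, e.g. `it_behaves_like 'internal project snippet access', :raw_namespace_project_snippet_path`, would make the MR's stated intent ("same access rights as the show path") a single source of truth rather than a copy. Also worth double-checking that the `raw` action goes through the same authorization filter as `show`, since that is the property these examples are meant to pin down.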
...@@ -3,7 +3,7 @@ require 'spec_helper' ...@@ -3,7 +3,7 @@ require 'spec_helper'
describe "Private Project Snippets Access", feature: true do describe "Private Project Snippets Access", feature: true do
include AccessMatchers include AccessMatchers
let(:project) { create(:project, :private) } let(:project) { create(:empty_project, :private) }
let(:owner) { project.owner } let(:owner) { project.owner }
let(:master) { create(:user) } let(:master) { create(:user) }
...@@ -60,4 +60,18 @@ describe "Private Project Snippets Access", feature: true do ...@@ -60,4 +60,18 @@ describe "Private Project Snippets Access", feature: true do
it { is_expected.to be_denied_for :external } it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/snippets/:id/raw for a private snippet" do
subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for owner }
it { is_expected.to be_allowed_for master }
it { is_expected.to be_allowed_for developer }
it { is_expected.to be_allowed_for reporter }
it { is_expected.to be_allowed_for guest }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor }
end
end end
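Review bot: this file keeps the old flat naming, `describe "GET /:project_path/snippets/:id/raw for a private snippet"`, while the internal and public specs in this MR were restructured into `describe "GET /:project_path/snippets/:id/raw"` with a nested `context "for a private snippet"`; use the same nesting here so the three access spec files read alike and failure output is grouped the same way. The expectations themselves (members down to `guest` allowed; `:user`, `:external`, `:visitor` denied) mirror the private-snippet contexts added to the other two files.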
...@@ -3,7 +3,7 @@ require 'spec_helper' ...@@ -3,7 +3,7 @@ require 'spec_helper'
describe "Public Project Snippets Access", feature: true do describe "Public Project Snippets Access", feature: true do
include AccessMatchers include AccessMatchers
let(:project) { create(:project, :public) } let(:project) { create(:empty_project, :public) }
let(:owner) { project.owner } let(:owner) { project.owner }
let(:master) { create(:user) } let(:master) { create(:user) }
...@@ -49,7 +49,8 @@ describe "Public Project Snippets Access", feature: true do ...@@ -49,7 +49,8 @@ describe "Public Project Snippets Access", feature: true do
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/snippets/:id for a public snippet" do describe "GET /:project_path/snippets/:id" do
context "for a public snippet" do
subject { namespace_project_snippet_path(project.namespace, project, public_snippet) } subject { namespace_project_snippet_path(project.namespace, project, public_snippet) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
...@@ -63,7 +64,7 @@ describe "Public Project Snippets Access", feature: true do ...@@ -63,7 +64,7 @@ describe "Public Project Snippets Access", feature: true do
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
describe "GET /:project_path/snippets/:id for an internal snippet" do context "for an internal snippet" do
subject { namespace_project_snippet_path(project.namespace, project, internal_snippet) } subject { namespace_project_snippet_path(project.namespace, project, internal_snippet) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
...@@ -77,7 +78,7 @@ describe "Public Project Snippets Access", feature: true do ...@@ -77,7 +78,7 @@ describe "Public Project Snippets Access", feature: true do
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/snippets/:id for a private snippet" do context "for a private snippet" do
subject { namespace_project_snippet_path(project.namespace, project, private_snippet) } subject { namespace_project_snippet_path(project.namespace, project, private_snippet) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
...@@ -90,4 +91,49 @@ describe "Public Project Snippets Access", feature: true do ...@@ -90,4 +91,49 @@ describe "Public Project Snippets Access", feature: true do
it { is_expected.to be_denied_for :external } it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
end
describe "GET /:project_path/snippets/:id/raw" do
context "for a public snippet" do
subject { raw_namespace_project_snippet_path(project.namespace, project, public_snippet) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for owner }
it { is_expected.to be_allowed_for master }
it { is_expected.to be_allowed_for developer }
it { is_expected.to be_allowed_for reporter }
it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor }
end
context "for an internal snippet" do
subject { raw_namespace_project_snippet_path(project.namespace, project, internal_snippet) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for owner }
it { is_expected.to be_allowed_for master }
it { is_expected.to be_allowed_for developer }
it { is_expected.to be_allowed_for reporter }
it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor }
end
context "for a private snippet" do
subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for owner }
it { is_expected.to be_allowed_for master }
it { is_expected.to be_allowed_for developer }
it { is_expected.to be_allowed_for reporter }
it { is_expected.to be_allowed_for guest }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor }
end
end
end end
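Review bot: in the public-snippet `/raw` context, `be_allowed_for :visitor` and `be_allowed_for :external` are the only expectations that differ from the internal and private contexts, and they prove that anonymous and external requests are not refused, not that they received the snippet body rather than, say, a redirect to the HTML view. If `AccessMatchers` only checks the response code, a follow-up assertion on the raw response body for the public case (something along the lines of `expect(page.body).to eq(public_snippet.content)`, or a controller spec on the raw action) would close that gap. The internal and private contexts, which deny `:external` and `:visitor`, are the ones that catch a leak, and they match the internal spec's tables line for line.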