BigW Consortium Gitlab

Commit 157c05f4 by Timothy Andrew

Test `/users` endpoints for the `read_user` scope.

- Test `GET` endpoints to check that the scope is allowed. - Test `POST` endpoints to check that the scope is disallowed. - Test both `v3` and `v4` endpoints.
parent 80c1ebaa
...@@ -50,28 +50,6 @@ describe API::Users do ...@@ -50,28 +50,6 @@ describe API::Users do
end['username']).to eq(username) end['username']).to eq(username)
end end
context "scopes" do
context 'when the requesting token has the "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user']) }
it 'returns a "200" response' do
get api("/users", user, personal_access_token: token)
expect(response).to have_http_status(200)
end
end
context 'when the requesting token does not have any required scope' do
let(:token) { create(:personal_access_token, scopes: ['read_registry']) }
it 'returns a "401" response' do
get api("/users", user, personal_access_token: token)
expect(response).to have_http_status(401)
end
end
end
it "returns an array of blocked users" do it "returns an array of blocked users" do
ldap_blocked_user ldap_blocked_user
create(:user, state: 'blocked') create(:user, state: 'blocked')
...@@ -104,6 +82,13 @@ describe API::Users do ...@@ -104,6 +82,13 @@ describe API::Users do
expect(json_response.first.keys).not_to include 'is_admin' expect(json_response.first.keys).not_to include 'is_admin'
end end
context "scopes" do
let(:path) { "/users" }
let(:api_call) { method(:api) }
include_examples 'allows the "read_user" scope'
end
end end
context "when admin" do context "when admin" do
...@@ -186,6 +171,13 @@ describe API::Users do ...@@ -186,6 +171,13 @@ describe API::Users do
expect(response).to have_http_status(404) expect(response).to have_http_status(404)
end end
context "scopes" do
let(:path) { "/users/#{user.id}" }
let(:api_call) { method(:api) }
include_examples 'allows the "read_user" scope'
end
end end
describe "POST /users" do describe "POST /users" do
...@@ -321,16 +313,6 @@ describe API::Users do ...@@ -321,16 +313,6 @@ describe API::Users do
.to eq([Gitlab::PathRegex.namespace_format_message]) .to eq([Gitlab::PathRegex.namespace_format_message])
end end
context 'when the requesting token has the "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: admin) }
it 'returns a "401" response' do
post api("/users", admin, personal_access_token: token), attributes_for(:user, projects_limit: 3)
expect(response).to have_http_status(401)
end
end
it "is not available for non admin users" do it "is not available for non admin users" do
post api("/users", user), attributes_for(:user) post api("/users", user), attributes_for(:user)
expect(response).to have_http_status(403) expect(response).to have_http_status(403)
...@@ -377,6 +359,14 @@ describe API::Users do ...@@ -377,6 +359,14 @@ describe API::Users do
expect(json_response['identities'].first['provider']).to eq('github') expect(json_response['identities'].first['provider']).to eq('github')
end end
end end
context "scopes" do
let(:user) { admin }
let(:path) { '/users' }
let(:api_call) { method(:api) }
include_examples 'does not allow the "read_user" scope'
end
end end
describe "GET /users/sign_up" do describe "GET /users/sign_up" do
......
...@@ -67,6 +67,19 @@ describe API::V3::Users do ...@@ -67,6 +67,19 @@ describe API::V3::Users do
expect(json_response.first['title']).to eq(key.title) expect(json_response.first['title']).to eq(key.title)
end end
end end
context "scopes" do
let(:user) { admin }
let(:path) { "/users/#{user.id}/keys" }
let(:api_call) { method(:v3_api) }
before do
user.keys << key
user.save
end
include_examples 'allows the "read_user" scope'
end
end end
describe 'GET /user/:id/emails' do describe 'GET /user/:id/emails' do
...@@ -312,5 +325,13 @@ describe API::V3::Users do ...@@ -312,5 +325,13 @@ describe API::V3::Users do
expect(json_response['is_admin']).to be_nil expect(json_response['is_admin']).to be_nil
end end
context "scopes" do
let(:user) { admin }
let(:path) { '/users' }
let(:api_call) { method(:v3_api) }
include_examples 'does not allow the "read_user" scope'
end
end end
end end
shared_examples_for 'allows the "read_user" scope' do
describe 'when the requesting token has the "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
it 'returns a "200" response' do
get api_call.call(path, user, personal_access_token: token)
expect(response).to have_http_status(200)
end
end
describe 'when the requesting token does not have any required scope' do
let(:token) { create(:personal_access_token, scopes: ['read_registry'], user: user) }
it 'returns a "401" response' do
get api_call.call(path, user, personal_access_token: token)
expect(response).to have_http_status(401)
end
end
end
shared_examples_for 'does not allow the "read_user" scope' do
context 'when the requesting token has the "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
it 'returns a "401" response' do
post api_call.call(path, user, personal_access_token: token), attributes_for(:user, projects_limit: 3)
expect(response).to have_http_status(401)
end
end
end
...@@ -34,8 +34,8 @@ module ApiHelpers ...@@ -34,8 +34,8 @@ module ApiHelpers
end end
# Temporary helper method for simplifying V3 exclusive API specs # Temporary helper method for simplifying V3 exclusive API specs
def v3_api(path, user = nil) def v3_api(path, user = nil, personal_access_token: nil)
api(path, user, version: 'v3') api(path, user, version: 'v3', personal_access_token: personal_access_token)
end end
def ci_api(path, user = nil) def ci_api(path, user = nil)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment