Make sure only the admin could update shared_runners_minutes_limit

32e3955b · Lin Jen-Shin · 0106d2f9 · 32e3955b · 32e3955b · 32e3955b
Commit 32e3955b authored May 25, 2017 by Lin Jen-Shin
4 changed files
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -182,6 +182,8 @@ class User < ActiveRecord::Base
  alias_attribute :private_token, :authentication_token

  delegate :path, to: :namespace, allow_nil: true, prefix: true
+
+  # EE-only
  delegate :shared_runners_minutes_limit, :shared_runners_minutes_limit=,
           to: :namespace


--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -124,6 +124,9 @@ module API
        group = find_group!(params[:id])
        authorize! :admin_group, group

+        # EE
+        authenticated_as_admin! if params[:shared_runners_minutes_limit]
+
        if ::Groups::UpdateService.new(group, current_user, declared_params(include_missing: false)).execute
          present group, with: Entities::GroupDetail, current_user: current_user
        else

--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -274,11 +274,10 @@ describe API::Groups do
      end

      # EE
-      it 'updates the group for shared_runners_minutes_limit' do
+      it 'returns 403 for updating shared_runners_minutes_limit' do
        put api("/groups/#{group1.id}", user1), shared_runners_minutes_limit: 133

-        expect(response).to have_http_status(200)
-        expect(json_response['shared_runners_minutes_limit']).to eq(133)
+        expect(response).to have_http_status(403)
      end
    end

@@ -289,6 +288,14 @@ describe API::Groups do
        expect(response).to have_http_status(200)
        expect(json_response['name']).to eq(new_group_name)
      end
+
+      # EE
+      it 'updates the group for shared_runners_minutes_limit' do
+        put api("/groups/#{group1.id}", admin), shared_runners_minutes_limit: 133
+
+        expect(response).to have_http_status(200)
+        expect(json_response['shared_runners_minutes_limit']).to eq(133)
+      end
    end

    context 'when authenticated as an user that can see the group' do

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -447,9 +447,16 @@ describe API::Users do
      expect(user.reload.email).not_to eq('invalid email')
    end

-    it "is not available for non admin users" do
-      put api("/users/#{user.id}", user), attributes_for(:user)
-      expect(response).to have_http_status(403)
+    context 'when the current user is not an admin' do
+      it "is not available" do
+        put api("/users/#{user.id}", user), attributes_for(:user)
+        expect(response).to have_http_status(403)
+      end
+
+      it "cannot update their own shared_runners_minutes_limit" do
+        put api("/users/#{user.id}", user), { shared_runners_minutes_limit: 133 }
+        expect(response).to have_http_status(403)
+      end
    end

    it "returns 404 for non-existing user" do