Commit 6ea7db76 authored by Darby Frey's avatar Darby Frey

Adding resource block for admin APIs, updated API specs

parent 494c6dde
......@@ -52,8 +52,7 @@ module API
body secure_file.file.read
end
# Additional authorization check for admin endpoints
# All APIs defined below this block will require admin level permissions
resource do
before do
authorize! :admin_secure_files, user_project
end
......@@ -92,6 +91,7 @@ module API
no_content!
end
end
end
helpers do
def feature_flag_enabled?
......
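Review bot: The comment above the new `resource do` says the admin check applies to "All APIs defined below this block", but a Grape `before` filter is scoped to the enclosing `resource`, so only endpoints inside it (up to the extra `end` in the second hunk) are covered, while the download endpoint ending at `body secure_file.file.read` sits outside it and must keep its own authorization call, which this hunk does not show. Suggest `# All APIs defined inside this resource block require admin level permissions` so an endpoint appended after the closing `end` is not mistaken for protected. The hunk header's -8/+7 count means one line was dropped on the new side; confirm the dropped line was not an `authorize!` on a route that now lies outside the block. The `resource` block opens in the first hunk and closes in the second, and the enclosing `module API` spans both.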
......@@ -235,7 +235,9 @@ RSpec.describe API::Ci::SecureFiles do
it 'returns an error when the file checksum fails to validate' do
secure_file.update!(checksum: 'foo')
expect do
get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", maintainer)
end.not_to change { project.secure_files.count }
expect(response.code).to eq("500")
end
......@@ -245,7 +247,9 @@ RSpec.describe API::Ci::SecureFiles do
name: 'upload-keystore.jks'
}
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: post_params
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['error']).to eq('file is missing')
......@@ -256,7 +260,9 @@ RSpec.describe API::Ci::SecureFiles do
file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks')
}
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: post_params
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['error']).to eq('name is missing')
......@@ -269,7 +275,9 @@ RSpec.describe API::Ci::SecureFiles do
permissions: 'foo'
}
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: post_params
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['error']).to eq('permissions does not have a valid value')
......@@ -287,7 +295,9 @@ RSpec.describe API::Ci::SecureFiles do
name: 'upload-keystore.jks'
}
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: post_params
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:bad_request)
end
......@@ -302,7 +312,9 @@ RSpec.describe API::Ci::SecureFiles do
name: 'upload-keystore.jks'
}
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: post_params
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:payload_too_large)
end
......@@ -310,7 +322,9 @@ RSpec.describe API::Ci::SecureFiles do
context 'authenticated user with read permissions' do
it 'does not create a secure file' do
expect do
post api("/projects/#{project.id}/secure_files", developer)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:forbidden)
end
......@@ -318,7 +332,9 @@ RSpec.describe API::Ci::SecureFiles do
context 'authenticated user with no permissions' do
it 'does not create a secure file' do
expect do
post api("/projects/#{project.id}/secure_files", anonymous)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:not_found)
end
......@@ -326,7 +342,9 @@ RSpec.describe API::Ci::SecureFiles do
context 'unauthenticated user' do
it 'does not create a secure file' do
expect do
post api("/projects/#{project.id}/secure_files")
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:unauthorized)
end
......@@ -340,11 +358,13 @@ RSpec.describe API::Ci::SecureFiles do
delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", maintainer)
expect(response).to have_gitlab_http_status(:no_content)
end.to change {project.secure_files.count}.by(-1)
end.to change { project.secure_files.count }
end
it 'responds with 404 Not Found if requesting non-existing secure_file' do
expect do
delete api("/projects/#{project.id}/secure_files/#{non_existing_record_id}", maintainer)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:not_found)
end
......@@ -352,7 +372,9 @@ RSpec.describe API::Ci::SecureFiles do
context 'authenticated user with read permissions' do
it 'does not delete the secure_file' do
expect do
delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", developer)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:forbidden)
end
......@@ -360,7 +382,9 @@ RSpec.describe API::Ci::SecureFiles do
context 'authenticated user with no permissions' do
it 'does not delete the secure_file' do
expect do
delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", anonymous)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:not_found)
end
......@@ -368,7 +392,9 @@ RSpec.describe API::Ci::SecureFiles do
context 'unauthenticated user' do
it 'does not delete the secure_file' do
expect do
delete api("/projects/#{project.id}/secure_files/#{secure_file.id}")
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:unauthorized)
end
......
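Review bot: In the delete hunk (`@@ -340,11 +358,13 @@`), the replacement `end.to change { project.secure_files.count }` drops the `.by(-1)` that the previous line `end.to change {project.secure_files.count}.by(-1)` asserted, assuming the second printed line is the new side. Without `.by(-1)` the example passes on any change in count, so a regression that adds a record during delete would still go green; keep `end.to change { project.secure_files.count }.by(-1)`. The `not_to change` wrappers added in the other hunks are fine as written, and every `context`/`it` block in this section starts or ends outside its hunk.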