Commit 9994aa1c authored by Nick Thomas's avatar Nick Thomas

Block empty params to MR target branch autocompletion

parent 631f2a49
......@@ -53,7 +53,7 @@ class AutocompleteController < ApplicationController
private
def target_branch_params
params.permit(:group_id, :project_id)
params.permit(:group_id, :project_id).select { |_, v| v.present? }
end
end
......
......@@ -391,13 +391,24 @@ describe AutocompleteController do
end
context 'user with an accessible merge request but no scope' do
it 'returns an error' do
sign_in(user)
where(
params: [
{},
{ group_id: ' ' },
{ project_id: ' ' },
{ group_id: ' ', project_id: ' ' }
]
)
with_them do
it 'returns an error' do
sign_in(user)
get :merge_request_target_branches
get :merge_request_target_branches, params: params
expect(response).to have_gitlab_http_status(400)
expect(json_response).to eq({ 'error' => 'At least one of group_id or project_id must be specified' })
expect(response).to have_gitlab_http_status(400)
expect(json_response).to eq({ 'error' => 'At least one of group_id or project_id must be specified' })
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment