Block empty params to MR target branch autocompletion

9994aa1c · Nick Thomas · 631f2a49 · 9994aa1c · 9994aa1c
Commit 9994aa1c authored Dec 13, 2019 by Nick Thomas
Showing with 17 additions and 6 deletions

app/controllers/autocomplete_controller.rb app/controllers/autocomplete_controller.rb +1 -1

spec/controllers/autocomplete_controller_spec.rb spec/controllers/autocomplete_controller_spec.rb +16 -5

No files found.
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -53,7 +53,7 @@ class AutocompleteController < ApplicationController
  private

  def target_branch_params
-    params.permit(:group_id, :project_id)
+    params.permit(:group_id, :project_id).select { |_, v| v.present? }
  end
 end


--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
@@ -391,13 +391,24 @@ describe AutocompleteController do
    end

    context 'user with an accessible merge request but no scope' do
-      it 'returns an error' do
-        sign_in(user)
+      where(
+        params: [
+          {},
+          { group_id: ' ' },
+          { project_id: ' ' },
+          { group_id: ' ', project_id: ' ' }
+        ]
+      )
+
+      with_them do
+        it 'returns an error' do
+          sign_in(user)

-        get :merge_request_target_branches
+          get :merge_request_target_branches, params: params

-        expect(response).to have_gitlab_http_status(400)
-        expect(json_response).to eq({ 'error' => 'At least one of group_id or project_id must be specified' })
+          expect(response).to have_gitlab_http_status(400)
+          expect(json_response).to eq({ 'error' => 'At least one of group_id or project_id must be specified' })
+        end
      end
    end