PageRenderTime 54ms CodeModel.GetById 25ms RepoModel.GetById 0ms app.codeStats 0ms

/spec/requests/api/access_requests_spec.rb

https://gitlab.com/certik/gitlab-ce
Ruby | 269 lines | 218 code | 47 blank | 4 comment | 5 complexity | ac5d44a48b52abb4dcb5a2b173b6d80d MD5 | raw file
  1. require 'spec_helper'
  2. describe API::AccessRequests do
  3. set(:master) { create(:user) }
  4. set(:developer) { create(:user) }
  5. set(:access_requester) { create(:user) }
  6. set(:stranger) { create(:user) }
  7. set(:project) do
  8. create(:project, :public, :access_requestable, creator_id: master.id, namespace: master.namespace) do |project|
  9. project.team << [developer, :developer]
  10. project.team << [master, :master]
  11. project.request_access(access_requester)
  12. end
  13. end
  14. set(:group) do
  15. create(:group, :public, :access_requestable) do |group|
  16. group.add_developer(developer)
  17. group.add_owner(master)
  18. group.request_access(access_requester)
  19. end
  20. end
  21. shared_examples 'GET /:sources/:id/access_requests' do |source_type|
  22. context "with :sources == #{source_type.pluralize}" do
  23. it_behaves_like 'a 404 response when source is private' do
  24. let(:route) { get api("/#{source_type.pluralize}/#{source.id}/access_requests", stranger) }
  25. end
  26. context 'when authenticated as a non-master/owner' do
  27. %i[developer access_requester stranger].each do |type|
  28. context "as a #{type}" do
  29. it 'returns 403' do
  30. user = public_send(type)
  31. get api("/#{source_type.pluralize}/#{source.id}/access_requests", user)
  32. expect(response).to have_http_status(403)
  33. end
  34. end
  35. end
  36. end
  37. context 'when authenticated as a master/owner' do
  38. it 'returns access requesters' do
  39. get api("/#{source_type.pluralize}/#{source.id}/access_requests", master)
  40. expect(response).to have_http_status(200)
  41. expect(response).to include_pagination_headers
  42. expect(json_response).to be_an Array
  43. expect(json_response.size).to eq(1)
  44. end
  45. end
  46. end
  47. end
  48. shared_examples 'POST /:sources/:id/access_requests' do |source_type|
  49. context "with :sources == #{source_type.pluralize}" do
  50. it_behaves_like 'a 404 response when source is private' do
  51. let(:route) { post api("/#{source_type.pluralize}/#{source.id}/access_requests", stranger) }
  52. end
  53. context 'when authenticated as a member' do
  54. %i[developer master].each do |type|
  55. context "as a #{type}" do
  56. it 'returns 403' do
  57. expect do
  58. user = public_send(type)
  59. post api("/#{source_type.pluralize}/#{source.id}/access_requests", user)
  60. expect(response).to have_http_status(403)
  61. end.not_to change { source.requesters.count }
  62. end
  63. end
  64. end
  65. end
  66. context 'when authenticated as an access requester' do
  67. it 'returns 400' do
  68. expect do
  69. post api("/#{source_type.pluralize}/#{source.id}/access_requests", access_requester)
  70. expect(response).to have_http_status(400)
  71. end.not_to change { source.requesters.count }
  72. end
  73. end
  74. context 'when authenticated as a stranger' do
  75. context "when access request is disabled for the #{source_type}" do
  76. before do
  77. source.update_attributes(request_access_enabled: false)
  78. end
  79. it 'returns 403' do
  80. expect do
  81. post api("/#{source_type.pluralize}/#{source.id}/access_requests", stranger)
  82. expect(response).to have_http_status(403)
  83. end.not_to change { source.requesters.count }
  84. end
  85. end
  86. it 'returns 201' do
  87. expect do
  88. post api("/#{source_type.pluralize}/#{source.id}/access_requests", stranger)
  89. expect(response).to have_http_status(201)
  90. end.to change { source.requesters.count }.by(1)
  91. # User attributes
  92. expect(json_response['id']).to eq(stranger.id)
  93. expect(json_response['name']).to eq(stranger.name)
  94. expect(json_response['username']).to eq(stranger.username)
  95. expect(json_response['state']).to eq(stranger.state)
  96. expect(json_response['avatar_url']).to eq(stranger.avatar_url)
  97. expect(json_response['web_url']).to eq(Gitlab::Routing.url_helpers.user_url(stranger))
  98. # Member attributes
  99. expect(json_response['requested_at']).to be_present
  100. end
  101. end
  102. end
  103. end
  104. shared_examples 'PUT /:sources/:id/access_requests/:user_id/approve' do |source_type|
  105. context "with :sources == #{source_type.pluralize}" do
  106. it_behaves_like 'a 404 response when source is private' do
  107. let(:route) { put api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}/approve", stranger) }
  108. end
  109. context 'when authenticated as a non-master/owner' do
  110. %i[developer access_requester stranger].each do |type|
  111. context "as a #{type}" do
  112. it 'returns 403' do
  113. user = public_send(type)
  114. put api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}/approve", user)
  115. expect(response).to have_http_status(403)
  116. end
  117. end
  118. end
  119. end
  120. context 'when authenticated as a master/owner' do
  121. it 'returns 201' do
  122. expect do
  123. put api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}/approve", master),
  124. access_level: Member::MASTER
  125. expect(response).to have_http_status(201)
  126. end.to change { source.members.count }.by(1)
  127. # User attributes
  128. expect(json_response['id']).to eq(access_requester.id)
  129. expect(json_response['name']).to eq(access_requester.name)
  130. expect(json_response['username']).to eq(access_requester.username)
  131. expect(json_response['state']).to eq(access_requester.state)
  132. expect(json_response['avatar_url']).to eq(access_requester.avatar_url)
  133. expect(json_response['web_url']).to eq(Gitlab::Routing.url_helpers.user_url(access_requester))
  134. # Member attributes
  135. expect(json_response['access_level']).to eq(Member::MASTER)
  136. end
  137. context 'user_id does not match an existing access requester' do
  138. it 'returns 404' do
  139. expect do
  140. put api("/#{source_type.pluralize}/#{source.id}/access_requests/#{stranger.id}/approve", master)
  141. expect(response).to have_http_status(404)
  142. end.not_to change { source.members.count }
  143. end
  144. end
  145. end
  146. end
  147. end
  148. shared_examples 'DELETE /:sources/:id/access_requests/:user_id' do |source_type|
  149. context "with :sources == #{source_type.pluralize}" do
  150. it_behaves_like 'a 404 response when source is private' do
  151. let(:route) { delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}", stranger) }
  152. end
  153. context 'when authenticated as a non-master/owner' do
  154. %i[developer stranger].each do |type|
  155. context "as a #{type}" do
  156. it 'returns 403' do
  157. user = public_send(type)
  158. delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}", user)
  159. expect(response).to have_http_status(403)
  160. end
  161. end
  162. end
  163. end
  164. context 'when authenticated as the access requester' do
  165. it 'deletes the access requester' do
  166. expect do
  167. delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}", access_requester)
  168. expect(response).to have_http_status(204)
  169. end.to change { source.requesters.count }.by(-1)
  170. end
  171. end
  172. context 'when authenticated as a master/owner' do
  173. it 'deletes the access requester' do
  174. expect do
  175. delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{access_requester.id}", master)
  176. expect(response).to have_http_status(204)
  177. end.to change { source.requesters.count }.by(-1)
  178. end
  179. context 'user_id matches a member, not an access requester' do
  180. it 'returns 404' do
  181. expect do
  182. delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{developer.id}", master)
  183. expect(response).to have_http_status(404)
  184. end.not_to change { source.requesters.count }
  185. end
  186. end
  187. context 'user_id does not match an existing access requester' do
  188. it 'returns 404' do
  189. expect do
  190. delete api("/#{source_type.pluralize}/#{source.id}/access_requests/#{stranger.id}", master)
  191. expect(response).to have_http_status(404)
  192. end.not_to change { source.requesters.count }
  193. end
  194. end
  195. end
  196. end
  197. end
  198. it_behaves_like 'GET /:sources/:id/access_requests', 'project' do
  199. let(:source) { project }
  200. end
  201. it_behaves_like 'GET /:sources/:id/access_requests', 'group' do
  202. let(:source) { group }
  203. end
  204. it_behaves_like 'POST /:sources/:id/access_requests', 'project' do
  205. let(:source) { project }
  206. end
  207. it_behaves_like 'POST /:sources/:id/access_requests', 'group' do
  208. let(:source) { group }
  209. end
  210. it_behaves_like 'PUT /:sources/:id/access_requests/:user_id/approve', 'project' do
  211. let(:source) { project }
  212. end
  213. it_behaves_like 'PUT /:sources/:id/access_requests/:user_id/approve', 'group' do
  214. let(:source) { group }
  215. end
  216. it_behaves_like 'DELETE /:sources/:id/access_requests/:user_id', 'project' do
  217. let(:source) { project }
  218. end
  219. it_behaves_like 'DELETE /:sources/:id/access_requests/:user_id', 'group' do
  220. let(:source) { group }
  221. end
  222. end