debian-mirror-gitlab/spec/controllers/projects/releases_controller_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

401 lines
10 KiB
Ruby
Raw Normal View History

2019-02-15 15:39:39 +05:30
# frozen_string_literal: true
2017-08-17 22:00:37 +05:30
require 'spec_helper'
2020-06-23 00:09:42 +05:30
RSpec.describe Projects::ReleasesController do
2020-07-28 23:09:34 +05:30
include AccessMatchersForController
2020-04-22 19:07:51 +05:30
let!(:project) { create(:project, :repository, :public) }
let_it_be(:private_project) { create(:project, :repository, :private) }
let_it_be(:developer) { create(:user) }
let_it_be(:reporter) { create(:user) }
2021-02-04 15:43:07 +05:30
let_it_be(:guest) { create(:user) }
2020-04-22 19:07:51 +05:30
let_it_be(:user) { developer }
2021-04-29 21:17:54 +05:30
2019-12-26 22:10:19 +05:30
let!(:release_1) { create(:release, project: project, released_at: Time.zone.parse('2018-10-18')) }
let!(:release_2) { create(:release, project: project, released_at: Time.zone.parse('2019-10-19')) }
2017-08-17 22:00:37 +05:30
2019-12-26 22:10:19 +05:30
before do
project.add_developer(developer)
project.add_reporter(reporter)
2021-02-04 15:43:07 +05:30
project.add_guest(guest)
2019-12-26 22:10:19 +05:30
end
shared_examples_for 'successful request' do
it 'renders a 200' do
subject
expect(response).to have_gitlab_http_status(:success)
end
end
shared_examples_for 'not found' do
it 'renders 404' do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
shared_examples 'common access controls' do
2019-02-15 15:39:39 +05:30
it 'renders a 200' do
get_index
2017-08-17 22:00:37 +05:30
2020-04-22 19:07:51 +05:30
expect(response).to have_gitlab_http_status(:ok)
2019-02-15 15:39:39 +05:30
end
2017-08-17 22:00:37 +05:30
2019-02-15 15:39:39 +05:30
context 'when the project is private' do
2019-12-26 22:10:19 +05:30
let(:project) { private_project }
before do
sign_in(user)
end
context 'when user is a developer' do
let(:user) { developer }
2017-08-17 22:00:37 +05:30
2019-12-26 22:10:19 +05:30
it 'renders a 200 for a logged in developer' do
sign_in(user)
2017-08-17 22:00:37 +05:30
2019-12-26 22:10:19 +05:30
get_index
2020-04-22 19:07:51 +05:30
expect(response).to have_gitlab_http_status(:ok)
2019-12-26 22:10:19 +05:30
end
2019-02-15 15:39:39 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-26 22:10:19 +05:30
context 'when user is an external user' do
let(:user) { create(:user) }
2017-08-17 22:00:37 +05:30
2019-12-26 22:10:19 +05:30
it 'renders a 404 when logged in but not in the project' do
sign_in(user)
2017-08-17 22:00:37 +05:30
2019-12-26 22:10:19 +05:30
get_index
2020-04-22 19:07:51 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2019-12-26 22:10:19 +05:30
end
2019-02-15 15:39:39 +05:30
end
2019-12-26 22:10:19 +05:30
end
end
2019-02-15 15:39:39 +05:30
2019-12-26 22:10:19 +05:30
describe 'GET #index' do
context 'as html' do
let(:format) { :html }
2019-02-15 15:39:39 +05:30
2019-12-26 22:10:19 +05:30
it 'returns a text/html content_type' do
2022-07-16 23:28:13 +05:30
get_index
2021-02-22 17:27:13 +05:30
expect(response.media_type).to eq 'text/html'
2019-02-15 15:39:39 +05:30
end
2019-12-26 22:10:19 +05:30
it_behaves_like 'common access controls'
context 'when the project is private and the user is not logged in' do
let(:project) { private_project }
it 'returns a redirect' do
2022-07-16 23:28:13 +05:30
get_index
2019-12-26 22:10:19 +05:30
expect(response).to have_gitlab_http_status(:redirect)
end
end
end
context 'as json' do
let(:format) { :json }
it 'returns an application/json content_type' do
2022-07-16 23:28:13 +05:30
get_index
2021-02-22 17:27:13 +05:30
expect(response.media_type).to eq 'application/json'
2019-12-26 22:10:19 +05:30
end
it "returns the project's releases as JSON, ordered by released_at" do
2022-07-16 23:28:13 +05:30
get_index
expect(json_response.map { |release| release["id"] } ).to eq([release_2.id, release_1.id])
end
2019-12-26 22:10:19 +05:30
it_behaves_like 'common access controls'
context 'when the project is private and the user is not logged in' do
let(:project) { private_project }
it 'returns a redirect' do
2022-07-16 23:28:13 +05:30
get_index
2019-12-26 22:10:19 +05:30
expect(response).to have_gitlab_http_status(:redirect)
end
end
end
end
2020-07-28 23:09:34 +05:30
describe 'GET #new' do
let(:request) do
get :new, params: { namespace_id: project.namespace, project_id: project }
end
it { expect { request }.to be_denied_for(:reporter).of(project) }
it { expect { request }.to be_allowed_for(:developer).of(project) }
end
2019-12-26 22:10:19 +05:30
describe 'GET #edit' do
subject do
get :edit, params: { namespace_id: project.namespace, project_id: project, tag: tag }
end
before do
sign_in(user)
end
2020-03-13 15:44:24 +05:30
let(:release) { create(:release, project: project) }
2022-07-23 23:45:48 +05:30
let(:tag) { release.tag }
2019-12-26 22:10:19 +05:30
it_behaves_like 'successful request'
context 'when tag name contains slash' do
2020-03-13 15:44:24 +05:30
let(:release) { create(:release, project: project, tag: 'awesome/v1.0') }
2022-07-23 23:45:48 +05:30
let(:tag) { release.tag }
2019-12-26 22:10:19 +05:30
it_behaves_like 'successful request'
it 'is accesible at a URL encoded path' do
expect(edit_project_release_path(project, release))
2022-07-23 23:45:48 +05:30
.to eq("/#{project.namespace.path}/#{project.name}/-/releases/awesome%2Fv1.0/edit")
2019-12-26 22:10:19 +05:30
end
end
context 'when release does not exist' do
let(:tag) { 'non-existent-tag' }
it_behaves_like 'not found'
end
context 'when user is a reporter' do
let(:user) { reporter }
it_behaves_like 'not found'
2017-08-17 22:00:37 +05:30
end
end
2020-03-13 15:44:24 +05:30
describe 'GET #show' do
subject do
get :show, params: { namespace_id: project.namespace, project_id: project, tag: tag }
end
before do
sign_in(user)
end
let(:release) { create(:release, project: project) }
2022-07-23 23:45:48 +05:30
let(:tag) { release.tag }
2020-03-13 15:44:24 +05:30
it_behaves_like 'successful request'
context 'when tag name contains slash' do
let(:release) { create(:release, project: project, tag: 'awesome/v1.0') }
2022-07-23 23:45:48 +05:30
let(:tag) { release.tag }
2020-03-13 15:44:24 +05:30
it_behaves_like 'successful request'
it 'is accesible at a URL encoded path' do
expect(project_release_path(project, release))
2022-07-23 23:45:48 +05:30
.to eq("/#{project.namespace.path}/#{project.name}/-/releases/awesome%2Fv1.0")
2020-03-13 15:44:24 +05:30
end
end
context 'when release does not exist' do
let(:tag) { 'non-existent-tag' }
it_behaves_like 'not found'
end
2021-02-04 15:43:07 +05:30
context 'when user is a guest' do
let(:project) { private_project }
let(:user) { guest }
2021-12-11 22:18:48 +05:30
it_behaves_like 'successful request'
end
context 'when user is an external user for the project' do
let(:project) { private_project }
let(:user) { create(:user) }
it 'behaves like not found' do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
2021-02-04 15:43:07 +05:30
end
2020-03-13 15:44:24 +05:30
end
2022-05-07 20:08:51 +05:30
describe 'GET #latest_permalink' do
# Uses default order_by=released_at parameter.
subject do
get :latest_permalink, params: { namespace_id: project.namespace, project_id: project }
end
before do
sign_in(user)
end
let(:release) { create(:release, project: project) }
2022-07-23 23:45:48 +05:30
let(:tag) { release.tag }
2022-05-07 20:08:51 +05:30
context 'when user is a guest' do
let(:project) { private_project }
let(:user) { guest }
it 'proceeds with the redirect' do
subject
expect(response).to have_gitlab_http_status(:redirect)
end
end
context 'when user is an external user for the project' do
let(:project) { private_project }
let(:user) { create(:user) }
it 'behaves like not found' do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when there are no releases for the project' do
let(:project) { create(:project, :repository, :public) }
let(:user) { developer }
before do
project.releases.destroy_all # rubocop: disable Cop/DestroyAll
end
it 'behaves like not found' do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'multiple releases' do
let(:user) { developer }
it 'redirects to the latest release' do
create(:release, project: project, released_at: 1.day.ago)
latest_release = create(:release, project: project, released_at: Time.current)
subject
expect(response).to redirect_to("#{project_releases_path(project)}/#{latest_release.tag}")
end
end
context 'suffix path redirection' do
let(:user) { developer }
let(:suffix_path) { 'downloads/zips/helm-hello-world.zip' }
let!(:latest_release) { create(:release, project: project, released_at: Time.current) }
subject do
get :latest_permalink, params: {
namespace_id: project.namespace,
project_id: project,
suffix_path: suffix_path
}
end
it 'redirects to the latest release with suffix path and format' do
subject
expect(response).to redirect_to(
"#{project_releases_path(project)}/#{latest_release.tag}/#{suffix_path}")
end
context 'suffix path abuse' do
2022-10-11 01:57:18 +05:30
let(:suffix_path) { 'downloads/zips/../../../../../../../robots.txt' }
2022-05-07 20:08:51 +05:30
it 'raises attack error' do
expect do
subject
end.to raise_error(Gitlab::Utils::PathTraversalAttackError)
end
end
context 'url parameters' do
let(:suffix_path) { 'downloads/zips/helm-hello-world.zip' }
subject do
get :latest_permalink, params: {
namespace_id: project.namespace,
project_id: project,
suffix_path: suffix_path,
order_by: 'released_at',
param_1: 1,
param_2: 2
}
end
it 'carries over query parameters without order_by parameter in the redirect' do
subject
expect(response).to redirect_to(
"#{project_releases_path(project)}/#{latest_release.tag}/#{suffix_path}?param_1=1&param_2=2")
end
end
end
context 'order_by parameter' do
let!(:latest_release) { create(:release, project: project, released_at: Time.current, tag: 'latest') }
shared_examples_for 'redirects to latest release ordered by using released_at' do
it do
expect(Release).to receive(:order_released_desc).and_call_original
subject
expect(response).to redirect_to("#{project_releases_path(project)}/#{latest_release.tag}")
end
end
before do
create(:release, project: project, released_at: 1.day.ago, tag: 'alpha')
create(:release, project: project, released_at: 2.days.ago, tag: 'beta')
end
context 'invalid parameter' do
let(:user) { developer }
subject do
get :latest_permalink, params: {
namespace_id: project.namespace,
project_id: project,
order_by: 'unsupported'
}
end
it_behaves_like 'redirects to latest release ordered by using released_at'
end
context 'valid parameter' do
subject do
get :latest_permalink, params: {
namespace_id: project.namespace,
project_id: project,
order_by: 'released_at'
}
end
it_behaves_like 'redirects to latest release ordered by using released_at'
end
end
end
2021-01-29 00:20:46 +05:30
# `GET #downloads` is addressed in spec/requests/projects/releases_controller_spec.rb
2020-04-08 14:13:33 +05:30
2019-02-15 15:39:39 +05:30
private
def get_index
2019-12-26 22:10:19 +05:30
get :index, params: { namespace_id: project.namespace, project_id: project, format: format }
2017-08-17 22:00:37 +05:30
end
end