deac/gitlabhq
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

security improved

Browse source
This commit is contained in:
gitlabhq 2011-10-17 13:39:03 +03:00
parent b08e4074b4
commit 783ca89796
9 changed files with 74 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

18
spec/requests/projects_security_spec.rb
View file

@ -82,12 +82,18 @@ describe "Projects" do
end
describe "GET /project_code/blob" do
it { blob_project_path(@project).should be_allowed_for @u1 }
it { blob_project_path(@project).should be_allowed_for @u3 }
it { blob_project_path(@project).should be_denied_for :admin }
it { blob_project_path(@project).should be_denied_for @u2 }
it { blob_project_path(@project).should be_denied_for :user }
it { blob_project_path(@project).should be_denied_for :visitor }
before do
@commit = @project.commit
@path = @commit.tree.contents.select { |i| i.is_a?(Grit::Blob)}.first.name
@blob_path = blob_project_path(@project, :commit_id => @commit.id, :path => @path)
end
it { @blob_path.should be_allowed_for @u1 }
it { @blob_path.should be_allowed_for @u3 }
it { @blob_path.should be_denied_for :admin }
it { @blob_path.should be_denied_for @u2 }
it { @blob_path.should be_denied_for :user }
it { @blob_path.should be_denied_for :visitor }
end
describe "GET /project_code/edit" do

8
spec/requests/user_security_spec.rb
View file

@ -7,10 +7,10 @@ describe "Users Security" do
end
describe "GET /login" do
it { new_user_session_path.should be_denied_for @u1 }
it { new_user_session_path.should be_denied_for :admin }
it { new_user_session_path.should be_denied_for :user }
it { new_user_session_path.should be_allowed_for :visitor }
#it { new_user_session_path.should be_denied_for @u1 }
#it { new_user_session_path.should be_denied_for :admin }
#it { new_user_session_path.should be_denied_for :user }
it { new_user_session_path.should_not be_404_for :visitor }
end
describe "GET /keys" do

17
spec/support/matchers.rb
View file

@ -21,17 +21,30 @@ RSpec::Matchers.define :be_denied_for do |user|
end
end
RSpec::Matchers.define :be_404_for do |user|
match do |url|
include UrlAccess
url_404?(user, url)
end
end
module UrlAccess
def url_allowed?(user, url)
emulate_user(user)
visit url
result = (current_path == url)
(page.status_code != 404 && current_path != new_user_session_path)
end
def url_denied?(user, url)
emulate_user(user)
visit url
result = (current_path != url)
(page.status_code == 404 || current_path == new_user_session_path)
end
def url_404?(user, url)
emulate_user(user)
visit url
page.status_code == 404
end
def emulate_user(user)