Commit a7ddff87 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge pull request #9066 from jirutka/fix-6417

Fix #6417: users with group permission should be able to create groups via API
parents e097812f 9769c2d7
......@@ -35,7 +35,7 @@ Parameters:
## New group
Creates a new project group. Available only for admin.
Creates a new project group. Available only for users who can create groups.
```
POST /groups
......
......@@ -20,7 +20,7 @@ module API
present @groups, with: Entities::Group
end
# Create group. Available only for admin
# Create group. Available only for users who can create groups.
#
# Parameters:
# name (required) - The name of the group
......@@ -28,7 +28,7 @@ module API
# Example Request:
# POST /groups
post do
authenticated_as_admin!
authorize! :create_group, current_user
required_attributes! [:name, :path]
attrs = attributes_for_keys [:name, :path, :description]
......
......@@ -22,6 +22,7 @@ FactoryGirl.define do
password "12345678"
confirmed_at { Time.now }
confirmation_token { nil }
can_create_group true
trait :admin do
admin true
......
......@@ -3,8 +3,9 @@ require 'spec_helper'
describe API::API, api: true do
include ApiHelpers
let(:user1) { create(:user) }
let(:user1) { create(:user, can_create_group: false) }
let(:user2) { create(:user) }
let(:user3) { create(:user) }
let(:admin) { create(:admin) }
let!(:group1) { create(:group) }
let!(:group2) { create(:group) }
......@@ -94,32 +95,32 @@ describe API::API, api: true do
end
describe "POST /groups" do
context "when authenticated as user" do
context "when authenticated as user without group permissions" do
it "should not create group" do
post api("/groups", user1), attributes_for(:group)
expect(response.status).to eq(403)
end
end
context "when authenticated as admin" do
context "when authenticated as user with group permissions" do
it "should create group" do
post api("/groups", admin), attributes_for(:group)
post api("/groups", user3), attributes_for(:group)
expect(response.status).to eq(201)
end
it "should not create group, duplicate" do
post api("/groups", admin), {name: "Duplicate Test", path: group2.path}
post api("/groups", user3), {name: 'Duplicate Test', path: group2.path}
expect(response.status).to eq(400)
expect(response.message).to eq("Bad Request")
end
it "should return 400 bad request error if name not given" do
post api("/groups", admin), {path: group2.path}
post api("/groups", user3), {path: group2.path}
expect(response.status).to eq(400)
end
it "should return 400 bad request error if path not given" do
post api("/groups", admin), { name: 'test' }
post api("/groups", user3), {name: 'test'}
expect(response.status).to eq(400)
end
end
......@@ -133,8 +134,8 @@ describe API::API, api: true do
end
it "should not remove a group if not an owner" do
user3 = create(:user)
group1.add_user(user3, Gitlab::Access::MASTER)
user4 = create(:user)
group1.add_user(user4, Gitlab::Access::MASTER)
delete api("/groups/#{group1.id}", user3)
expect(response.status).to eq(403)
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment