Commit a7ddff87 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge pull request #9066 from jirutka/fix-6417

Fix #6417: users with group permission should be able to create groups via API
parents e097812f 9769c2d7
...@@ -35,7 +35,7 @@ Parameters: ...@@ -35,7 +35,7 @@ Parameters:
## New group ## New group
Creates a new project group. Available only for admin. Creates a new project group. Available only for users who can create groups.
``` ```
POST /groups POST /groups
......
...@@ -20,7 +20,7 @@ module API ...@@ -20,7 +20,7 @@ module API
present @groups, with: Entities::Group present @groups, with: Entities::Group
end end
# Create group. Available only for admin # Create group. Available only for users who can create groups.
# #
# Parameters: # Parameters:
# name (required) - The name of the group # name (required) - The name of the group
...@@ -28,7 +28,7 @@ module API ...@@ -28,7 +28,7 @@ module API
# Example Request: # Example Request:
# POST /groups # POST /groups
post do post do
authenticated_as_admin! authorize! :create_group, current_user
required_attributes! [:name, :path] required_attributes! [:name, :path]
attrs = attributes_for_keys [:name, :path, :description] attrs = attributes_for_keys [:name, :path, :description]
......
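Review bot: The swap from `authenticated_as_admin!` to `authorize! :create_group, current_user` makes the endpoint's behaviour depend entirely on how the `:create_group` ability is defined, which is not visible in this hunk, so two things are worth confirming before merge: that `authorize!` in this API's helpers takes an (action, subject) pair and returns 403 (not 401 or a raised error) when denied, and that the ability still grants admins the right to create groups rather than keying only off the user's `can_create_group` flag. If the latter is not guaranteed, an admin account with `can_create_group: false` silently loses an endpoint it previously had, and the replaced spec context no longer exercises the admin path. A one-line comment above the check would spare the next reader the lookup, e.g. `# :create_group is a global ability (not tied to a namespace), so the subject is the user themselves`. The `post do` block continues past the end of the hunk.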
...@@ -22,6 +22,7 @@ FactoryGirl.define do ...@@ -22,6 +22,7 @@ FactoryGirl.define do
password "12345678" password "12345678"
confirmed_at { Time.now } confirmed_at { Time.now }
confirmation_token { nil } confirmation_token { nil }
can_create_group true
trait :admin do trait :admin do
admin true admin true
......
...@@ -3,8 +3,9 @@ require 'spec_helper' ...@@ -3,8 +3,9 @@ require 'spec_helper'
describe API::API, api: true do describe API::API, api: true do
include ApiHelpers include ApiHelpers
let(:user1) { create(:user) } let(:user1) { create(:user, can_create_group: false) }
let(:user2) { create(:user) } let(:user2) { create(:user) }
let(:user3) { create(:user) }
let(:admin) { create(:admin) } let(:admin) { create(:admin) }
let!(:group1) { create(:group) } let!(:group1) { create(:group) }
let!(:group2) { create(:group) } let!(:group2) { create(:group) }
...@@ -94,32 +95,32 @@ describe API::API, api: true do ...@@ -94,32 +95,32 @@ describe API::API, api: true do
end end
describe "POST /groups" do describe "POST /groups" do
context "when authenticated as user" do context "when authenticated as user without group permissions" do
it "should not create group" do it "should not create group" do
post api("/groups", user1), attributes_for(:group) post api("/groups", user1), attributes_for(:group)
expect(response.status).to eq(403) expect(response.status).to eq(403)
end end
end end
context "when authenticated as admin" do context "when authenticated as user with group permissions" do
it "should create group" do it "should create group" do
post api("/groups", admin), attributes_for(:group) post api("/groups", user3), attributes_for(:group)
expect(response.status).to eq(201) expect(response.status).to eq(201)
end end
it "should not create group, duplicate" do it "should not create group, duplicate" do
post api("/groups", admin), {name: "Duplicate Test", path: group2.path} post api("/groups", user3), {name: 'Duplicate Test', path: group2.path}
expect(response.status).to eq(400) expect(response.status).to eq(400)
expect(response.message).to eq("Bad Request") expect(response.message).to eq("Bad Request")
end end
it "should return 400 bad request error if name not given" do it "should return 400 bad request error if name not given" do
post api("/groups", admin), {path: group2.path} post api("/groups", user3), {path: group2.path}
expect(response.status).to eq(400) expect(response.status).to eq(400)
end end
it "should return 400 bad request error if path not given" do it "should return 400 bad request error if path not given" do
post api("/groups", admin), { name: 'test' } post api("/groups", user3), {name: 'test'}
expect(response.status).to eq(400) expect(response.status).to eq(400)
end end
end end
...@@ -133,8 +134,8 @@ describe API::API, api: true do ...@@ -133,8 +134,8 @@ describe API::API, api: true do
end end
it "should not remove a group if not an owner" do it "should not remove a group if not an owner" do
user3 = create(:user) user4 = create(:user)
group1.add_user(user3, Gitlab::Access::MASTER) group1.add_user(user4, Gitlab::Access::MASTER)
delete api("/groups/#{group1.id}", user3) delete api("/groups/#{group1.id}", user3)
expect(response.status).to eq(403) expect(response.status).to eq(403)
end end
......
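Review bot: The rename in "should not remove a group if not an owner" is incomplete: `user4` is created and added to `group1` as MASTER, but the request on the next line is still sent as `user3`, who is not a member of the group at all, so the example now proves that a non-member gets 403 rather than that a master (non-owner) does. The line should read `delete api("/groups/#{group1.id}", user4)`. Separately, the "when authenticated as admin" context was replaced rather than kept, so nothing in this file now asserts that an admin can still create a group through the API; keeping one `post api("/groups", admin)` example with a 201 expectation would preserve that coverage, and a `create(:user, can_create_group: false)` variant for an admin would pin down the intended policy either way.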