| ... | @@ -106,6 +106,14 @@ describe IssuableCollections do |
... | @@ -106,6 +106,14 @@ describe IssuableCollections do |
|
|
end
|
|
end
|
|
|
|
|
|
|
|
describe '#finder_options' do
|
|
describe '#finder_options' do
|
|
|
|
before do
|
|
|
|
allow(controller).to receive(:cookies).and_return({})
|
|
|
|
allow(controller).to receive(:current_user).and_return(nil)
|
|
|
|
end
|
|
|
|
|
|
|
|
subject { controller.send(:finder_options).to_h }
|
|
|
|
|
|
|
|
context 'scalar params' do
|
|
|
let(:params) do
|
|
let(:params) do
|
|
|
{
|
|
{
|
|
|
assignee_id: '1',
|
|
assignee_id: '1',
|
| ... | @@ -117,7 +125,7 @@ describe IssuableCollections do |
... | @@ -117,7 +125,7 @@ describe IssuableCollections do |
|
|
due_date: '2017-01-01',
|
|
due_date: '2017-01-01',
|
|
|
group_id: '3',
|
|
group_id: '3',
|
|
|
iids: '4',
|
|
iids: '4',
|
|
|
label_name: ['foo'],
|
|
label_name: 'foo',
|
|
|
milestone_title: 'bar',
|
|
milestone_title: 'bar',
|
|
|
my_reaction_emoji: 'thumbsup',
|
|
my_reaction_emoji: 'thumbsup',
|
|
|
non_archived: 'true',
|
|
non_archived: 'true',
|
| ... | @@ -131,18 +139,13 @@ describe IssuableCollections do |
... | @@ -131,18 +139,13 @@ describe IssuableCollections do |
|
|
end
|
|
end
|
|
|
|
|
|
|
|
it 'only allows whitelisted params' do
|
|
it 'only allows whitelisted params' do
|
|
|
allow(controller).to receive(:cookies).and_return({})
|
|
is_expected.to include({
|
|
|
allow(controller).to receive(:current_user).and_return(nil)
|
|
|
|
|
|
|
|
|
|
finder_options = controller.send(:finder_options)
|
|
|
|
|
|
|
|
|
|
expect(finder_options).to eq(ActionController::Parameters.new({
|
|
|
|
|
'assignee_id' => '1',
|
|
'assignee_id' => '1',
|
|
|
'assignee_username' => 'user1',
|
|
'assignee_username' => 'user1',
|
|
|
'author_id' => '2',
|
|
'author_id' => '2',
|
|
|
'author_username' => 'user2',
|
|
'author_username' => 'user2',
|
|
|
'confidential' => true,
|
|
'confidential' => true,
|
|
|
'label_name' => ['foo'],
|
|
'label_name' => 'foo',
|
|
|
'milestone_title' => 'bar',
|
|
'milestone_title' => 'bar',
|
|
|
'my_reaction_emoji' => 'thumbsup',
|
|
'my_reaction_emoji' => 'thumbsup',
|
|
|
'due_date' => '2017-01-01',
|
|
'due_date' => '2017-01-01',
|
| ... | @@ -150,7 +153,30 @@ describe IssuableCollections do |
... | @@ -150,7 +153,30 @@ describe IssuableCollections do |
|
|
'search' => 'baz',
|
|
'search' => 'baz',
|
|
|
'sort' => 'priority',
|
|
'sort' => 'priority',
|
|
|
'state' => 'opened'
|
|
'state' => 'opened'
|
|
|
}).permit!)
|
|
})
|
|
|
|
|
|
|
|
is_expected.not_to include('invalid_param')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'array params' do
|
|
|
|
let(:params) do
|
|
|
|
{
|
|
|
|
assignee_username: %w[user1 user2],
|
|
|
|
label_name: %w[label1 label2],
|
|
|
|
invalid_param: 'invalid_param',
|
|
|
|
invalid_array: ['param']
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'only allows whitelisted params' do
|
|
|
|
is_expected.to include({
|
|
|
|
'label_name' => %w[label1 label2],
|
|
|
|
'assignee_username' => %w[user1 user2]
|
|
|
|
})
|
|
|
|
|
|
|
|
is_expected.not_to include('invalid_param', 'invalid_array')
|
|
|
|
end
|
|
|
end
|
|
end
|
|
|
end
|
|
end
|
|
|
end |
|
end |
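Review bot: The rewritten 'only allows whitelisted params' examples appear weaker than the exact-match `expect(finder_options).to eq(...)` they replace. `is_expected.to include({...})` followed by `is_expected.not_to include('invalid_param')` rejects only the keys the test names, so any other key that slipped past the allowlist would still pass. Because this spec guards parameter filtering, consider pinning the whole key set in both contexts, for example `expect(subject.keys).to contain_exactly('label_name', 'assignee_username')` in the 'array params' example. An array passed for a key that is meant to stay scalar-only would be a useful extra case, though which keys those are in `finder_options` is not visible here. The scalar `params` hash is only partly shown in these hunks, so confirm it still contains an `invalid_param` entry; otherwise the negative assertion in that context checks nothing.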