Add test scenario for downloading archives and making sure that the user can only download his/her data
Per issue in https://gitlab.com/gitlab-org/gitlab-ce/issues/45689.
This should be automated via Web UI first, then via the public API, as a second iteration.
Steps
- User of a public repository named "user1/download-test" selects "Download as .zip".
  /user1/download-test/-/archive/master/download-test-master.zip
- Before any new changes are made to "user1/download-test", user2 requests "Download zip" from "/user2/download-test". They receive the contents of the .zip produced from "/user1/download-test".
  /user2/download-test/-/archive/master/download-test-master.zip
- User2 requests "Download as .tar.gz" of "/user2/download-test".
  /user1/download-test/-/archive/master/download-test-master.tar.gz
Pseudo code
- Instantiate ApiClient1 and log in as USER1
- Instantiate ApiClient2 and log in as USER2
- From ApiClient1 call endpoint to download repo as .zip for USER1 data
- From ApiClient2 call endpoint to download repo as .zip for USER2 data
- Verify that data requested from USER1 contains only USER1 data and data requested from USER2 contains only USER2 data
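One way to implement the final verification step, as an added example that is not GitLab QA's own code. It assumes the .tar.gz variant (readable with Ruby's standard library), an in-memory archive standing in for the downloaded bytes, and constructed file names and a `download-test-master` top-level directory:

```ruby
require 'rubygems/package' # stdlib tar reader/writer
require 'zlib'
require 'stringio'
require 'digest'

PREFIX = 'download-test-master' # assumed top-level directory inside the archive
# Constructed sample data: what each user committed to their own project.
USER1_FILES = { 'README.md' => "user1 readme\n", 'user1.txt' => "owned by user1\n" }.freeze
USER2_FILES = { 'README.md' => "user2 readme\n", 'user2.txt' => "owned by user2\n" }.freeze

# Build a .tar.gz in memory; stands in for the bytes an API client would download.
def build_tar_gz(files)
  io = StringIO.new(String.new) # binary buffer
  Gem::Package::TarWriter.new(io) do |tar|
    files.each do |path, body|
      tar.add_file_simple("#{PREFIX}/#{path}", 0o644, body.bytesize) { |f| f.write(body) }
    end
  end
  Zlib.gzip(io.string)
end

# Map every regular file in the archive to the SHA-256 of its content.
def archive_manifest(tar_gz)
  manifest = {}
  Gem::Package::TarReader.new(StringIO.new(Zlib.gunzip(tar_gz))) do |tar|
    tar.each { |e| manifest[e.full_name] = Digest::SHA256.hexdigest(e.read.to_s) if e.file? }
  end
  manifest
end

# Compare a downloaded archive with the requesting user's own files.
def archive_violations(tar_gz, own_files)
  expected = own_files.to_h { |path, body| ["#{PREFIX}/#{path}", Digest::SHA256.hexdigest(body)] }
  actual = archive_manifest(tar_gz)
  {
    unexpected: (actual.keys - expected.keys).sort,
    missing: (expected.keys - actual.keys).sort,
    altered: (expected.keys & actual.keys).reject { |p| actual[p] == expected[p] }.sort
  }
end

# The failure in the steps above: user2 is served the archive built for user1.
p archive_violations(build_tar_gz(USER1_FILES), USER2_FILES)
# The expected behaviour: user2 gets only user2's files.
p archive_violations(build_tar_gz(USER2_FILES), USER2_FILES)
```

Comparing content hashes as well as paths matters here because both projects share the same name and may share file names such as README.md.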
Edited by Rémy Coutable