Move user permission tests from spec/features/security to spec/controllers/xxx_controller_spec.rb

Description

Recently, AccessMatchersForController was implemented at https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11846. This helper is specifically designed for checking the declaration of user permissions, such as before_action :authorize_xxx!.

The following advantages are expected.

  1. Each pipeline will be about 10min faster
    With the new approach, each describe block will be about 4 sec faster (because it is a controller spec instead of a feature spec). Currently, there are 162 describe blocks in spec/features/security/. 162 * 4 = 648 ≒ 10min.
  2. Support POST/PUT/DELETE/etc
    AccessMatchers, which is used in spec/features/security, only supports GET. However, AccessMatchersForController supports a custom block (let(:action)), so developers can easily customize the subject.
  3. Gain security tests awareness
    Previously, spec/features/security was not widely known. Putting those specs in xxx_controller_spec.rb instead will make developers more aware of the security tests.

Proposal

Move the specs in spec/features/security to each spec/controllers/xxx_controller_spec.rb.

Here is an example. (Please see describe 'security')

Links / references

  • https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11846

/cc @rymai @grzesiek
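The idea behind a per-controller permission matrix that also covers PUT and DELETE, as an added framework-free sketch (not part of the original issue and not the AccessMatchersForController code). Every class, method and role table below is hypothetical and constructed for illustration.

```ruby
# Added illustration, framework-free; every class and method name is hypothetical.
class ToyController
  ROUTES = { show: :get, update: :put, destroy: :delete }.freeze
  ABILITIES = {                       # constructed role table
    admin:     %i[read_project admin_project],
    developer: %i[read_project],
    guest:     %i[read_project],
    anonymous: []
  }.freeze

  def self.guards
    @guards ||= {}                    # per-class map: action => required ability
  end

  def self.before_action(ability, only:)
    only.each { |action| guards[action] = ability }
  end

  # Returns an HTTP-like status for a request made as `role`.
  def process(verb, action, role)
    return 405 unless ROUTES[action] == verb
    required = self.class.guards[action]
    return 200 if required.nil?       # no declaration: nothing is checked
    ABILITIES.fetch(role).include?(required) ? 200 : 404
  end
end

class GuardedController < ToyController
  before_action :read_project,  only: %i[show]
  before_action :admin_project, only: %i[update destroy]
end

class ForgetfulController < ToyController # destroy has no declaration
  before_action :read_project,  only: %i[show]
  before_action :admin_project, only: %i[update]
end

# Expected access per [verb, action] and role, as a security block would list it.
EXPECTED = {
  [:get, :show]       => { admin: true, developer: true,  guest: true,  anonymous: false },
  [:put, :update]     => { admin: true, developer: false, guest: false, anonymous: false },
  [:delete, :destroy] => { admin: true, developer: false, guest: false, anonymous: false }
}.freeze

# Returns every [verb, action, role] whose actual access differs from EXPECTED.
def permission_mismatches(controller_class)
  EXPECTED.flat_map do |(verb, action), roles|
    roles.reject { |role, ok| (controller_class.new.process(verb, action, role) == 200) == ok }
         .keys.map { |role| [verb, action, role] }
  end
end
```

A GET-only matrix would report no mismatch for ForgetfulController, because the missing declaration sits on the DELETE action.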

Edited Jun 17, 2025 by 🤖 GitLab Bot 🤖