Ensure user is project member in create package service tests
What does this MR do and why?
This MR wants to correct the user used in the test cases for the Npm::CreatePackageService. Currently, the user defined in the test cases is not a member of the project and can create new packages. This is unexpected because we do not want non-member users to create packages for this project.
As far as I have seen, I do not see any security issues because the user and its project membership are authorized in API::NpmProjectPackages, see https://gitlab.com/gitlab-community/gitlab/-/blob/810d3a92ab59bff03411d3f4512628671d6d866e/lib/api/npm_project_packages.rb#L75 . However, IMO it might make sense to fix the test user in order to use more realistic test data.
Note: The service tests for other package formats are also using a non-member as a test user. If desired, I am happy to extend these changes to the other service tests as well.
Screenshots or screen recordings
Only changes in the test cases.
How to set up and validate locally
- Execute test case
bundle exec rspec spec/services/packages/npm/create_package_service_spec.rb
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
Related to #323970