From 7ecf63f9d7c6160ed9a5c111bb78e571f6a4ef39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miquel=20Sabat=C3=A9?=
Date: Fri, 10 Jul 2015 14:40:44 +0200
Subject: [PATCH] Don't allow the creation of namespaces for hidden teams on the controller
---
 app/controllers/namespaces_controller.rb | 17 +++++++++++++---
 app/views/namespaces/create.js.erb | 5 ++++-
 .../controllers/namespaces_controller_spec.rb | 17 ++++++++++++++++
 spec/features/namespaces_spec.rb | 20 ++++++++++++++++++-
 4 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/app/controllers/namespaces_controller.rb b/app/controllers/namespaces_controller.rb
index f4a6d5a5a..4230dba85 100644
--- a/app/controllers/namespaces_controller.rb
+++ b/app/controllers/namespaces_controller.rb
@@ -1,6 +1,7 @@
 class NamespacesController < ApplicationController
 respond_to :html, :js
 before_action :set_namespace, only: [:toggle_public, :show]
+ before_action :check_team, only: [:create]
 after_action :verify_authorized, except: :index
 after_action :verify_policy_scoped, only: :index
@@ -25,10 +26,8 @@ def show
 # POST /namespace
 # POST /namespace.json
 def create
- team = Team.find_by!(name: params['namespace']['team'])
-
 @namespace = Namespace.new(
- team: team,
+ team: @team,
 name: params['namespace']['namespace'],
 registry: Registry.first
 )
@@ -60,6 +59,18 @@ def toggle_public
 private
+ # Check that the given team exists and that is not hidden. This hook is used
+ # only as a helper of the `create` method.
+ def check_team
+ @team = Team.find_by(name: params['namespace']['team'], hidden: false)
+ return unless @team.nil?
+
+ @error = 'Selected team does not exist.'
+ respond_to do |format|
+ format.js { respond_with nil, status: :not_found }
+ end
+ end
+
 def set_namespace
 @namespace = Namespace.find(params[:id])
 end
diff --git a/app/views/namespaces/create.js.erb b/app/views/namespaces/create.js.erb
index 4d26a46cc..4e3d5498e 100644
--- a/app/views/namespaces/create.js.erb
+++ b/app/views/namespaces/create.js.erb
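Review bot: In `check_team` (hunk `@@ -60,6 +59,18 @@` of namespaces_controller.rb) the lookup indexes `params['namespace']['team']` directly, so a POST with no `namespace` key raises NoMethodError on nil and surfaces as a 500 instead of reaching the 404 branch; `@team = Team.find_by(name: params.require(:namespace)[:team], hidden: false)` would turn that into a clean parameter error. The failure branch also declares only `format.js`, while the controller advertises `respond_to :html, :js`, so a non-JS create for a hidden team presumably ends in an unknown-format error rather than the intended 404; adding `format.html { head :not_found }` would make the rejection explicit. Returning the same message and status for hidden and nonexistent teams avoids confirming that a hidden team exists, and that intent deserves a line in the method comment, e.g. `# Hidden teams get the same 404 as unknown ones so their names are not disclosed.` The hook filters only on `hidden`; whether the caller may use the team is presumably left to the policy check in `create`, which is outside the hunk.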
@@ -1,4 +1,7 @@
-<% if @namespace.errors.any? %>
+<% if @error %>
+ $('#alert p').html("<%= escape_javascript(@error) %>");
+ $('#alert').fadeIn();
+<% elsif @namespace.errors.any? %>
 $('#alert p').html("<%= escape_javascript(@namespace.errors.full_messages.join('
')) %>");
 $('#alert').fadeIn();
 <% else %>
diff --git a/spec/controllers/namespaces_controller_spec.rb b/spec/controllers/namespaces_controller_spec.rb
index ee91c7308..2cea338a1 100644
--- a/spec/controllers/namespaces_controller_spec.rb
+++ b/spec/controllers/namespaces_controller_spec.rb
@@ -83,8 +83,25 @@
 }
 end
+ let(:hidden_attributes) do
+ {
+ team: Team.where(hidden: true).first,
+ namespace: 'qa_team_namespace'
+ }
+ end
+
 context 'as a contributor of the team that is going to control the namespace' do
+ it 'is not possible to create a namespace inside of a hidden team' do
+ sign_in contributor
+ post_params = { namespace: hidden_attributes, format: :js }
+
+ expect do
+ post :create, post_params
+ end.not_to change(Namespace, :count)
+ expect(response.status).to eq(404)
+ end
+
 it 'creates a new namespace' do
 sign_in contributor
 post_params = { namespace: valid_attributes, format: :js }
diff --git a/spec/features/namespaces_spec.rb b/spec/features/namespaces_spec.rb
index 2f5b5122f..a36cc7d20 100644
--- a/spec/features/namespaces_spec.rb
+++ b/spec/features/namespaces_spec.rb
@@ -31,7 +31,7 @@
 visit namespaces_path
 find('#add_namespace_btn').click
 fill_in 'Namespace', with: Namespace.first.name
- fill_in 'Team', with: Team.first.name
+ fill_in 'Team', with: Team.where(hidden: false).first.name
 wait_for_effect_on('#add_namespace_form')
 click_button 'Create'
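Review bot: The new `@error` branch in create.js.erb has to stay ahead of the `@namespace.errors.any?` test, because `@namespace` is never assigned when `check_team` halts the request, and nothing in the template records that. A leading ERB comment such as `<%# @error comes from check_team (team missing or hidden); @namespace is nil then, so test it first %>` would keep a later reorder from turning the rejection into a nil error. The message is a constant today; if it ever includes the submitted team name, it lands in `.html()` and should stay a non-`html_safe` string so the template's output escaping still applies.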
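Review bot: `hidden_attributes` in namespaces_controller_spec.rb passes the Team record itself (`team: Team.where(hidden: true).first`) where the controller looks the team up by name, so the request most likely carries the record's `to_param` value (or nothing, if the setup has no hidden team) and the 404 would come back even without the new `hidden: false` filter. Using `team: Team.where(hidden: true).first.name`, as the feature spec in this same patch does, makes the example fail if the filter is ever removed. The `let` and the example sit inside a describe block that starts outside the hunk, so the fixture setup is not visible here.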
@@ -43,6 +43,24 @@
 expect(page).to have_css('#alert .alert.alert-dismissible.alert-info')
 end
+ scenario 'An user cannot create a namespace for a hidden team', js: true do
+ namespaces_count = Namespace.count
+
+ visit namespaces_path
+ find('#add_namespace_btn').click
+ fill_in 'Namespace', with: Namespace.first.name
+ fill_in 'Team', with: Team.where(hidden: true).first.name
+ wait_for_effect_on('#add_namespace_form')
+
+ click_button 'Create'
+ wait_for_ajax
+ wait_for_effect_on('#alert')
+ expect(Namespace.count).to eql namespaces_count
+ expect(current_path).to eql namespaces_path
+ expect(page).to have_content('Selected team does not exist')
+ expect(page).to have_css('#alert .alert.alert-dismissible.alert-info')
+ end
+
 scenario 'A namespace can be created from the index page', js: true do
 namespaces_count = Namespace.count
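Review bot: The hidden-team scenario fills 'Namespace' with `Namespace.first.name`, a name that already exists, so the `Namespace.count` assertion might also hold because of a duplicate-name rejection (if the model enforces one; not visible here) rather than because of the team check. A fresh value such as `fill_in 'Namespace', with: 'hidden_team_namespace'` leaves the hidden team as the only reason for the failure. The `have_content('Selected team does not exist')` expectation already pins the message, so only the count assertion is affected.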