Don't allow the creation of namespaces for hidden teams on the contro…

…ller

app/controllers/namespaces_controller.rb

@@ -1,6 +1,7 @@
 class NamespacesController < ApplicationController
   respond_to :html, :js
   before_action :set_namespace, only: [:toggle_public, :show]
+  before_action :check_team, only: [:create]
 
   after_action :verify_authorized, except: :index
   after_action :verify_policy_scoped, only: :index
@@ -25,10 +26,8 @@ def show
   # POST /namespace
   # POST /namespace.json
   def create
-    team = Team.find_by!(name: params['namespace']['team'])
-
     @namespace = Namespace.new(
-      team:     team,
+      team:     @team,
       name:     params['namespace']['namespace'],
       registry: Registry.first
     )
@@ -60,6 +59,18 @@ def toggle_public
 
   private
 
+  # Check that the given team exists and that is not hidden. This hook is used
+  # only as a helper of the `create` method.
+  def check_team
+    @team = Team.find_by(name: params['namespace']['team'], hidden: false)
+    return unless @team.nil?
+
+    @error = 'Selected team does not exist.'
+    respond_to do |format|
+      format.js { respond_with nil, status: :not_found }
+    end
+  end
+
   def set_namespace
     @namespace = Namespace.find(params[:id])
   end

app/views/namespaces/create.js.erb

@@ -1,4 +1,7 @@
-<% if @namespace.errors.any? %>
+<% if @error %>
+  $('#alert p').html("<%= escape_javascript(@error) %>");
+  $('#alert').fadeIn();
+<% elsif @namespace.errors.any? %>
   $('#alert p').html("<%= escape_javascript(@namespace.errors.full_messages.join('<br/>')) %>");
   $('#alert').fadeIn();
 <% else %>

spec/controllers/namespaces_controller_spec.rb

@@ -83,8 +83,25 @@
       }
     end
 
+    let(:hidden_attributes) do
+      {
+        team:      Team.where(hidden: true).first,
+        namespace: 'qa_team_namespace'
+      }
+    end
+
     context 'as a contributor of the team that is going to control the namespace' do
 
+      it 'is not possible to create a namespace inside of a hidden team' do
+        sign_in contributor
+        post_params = { namespace: hidden_attributes, format: :js }
+
+        expect do
+          post :create, post_params
+        end.not_to change(Namespace, :count)
+        expect(response.status).to eq(404)
+      end
+
       it 'creates a new namespace' do
         sign_in contributor
         post_params = { namespace: valid_attributes, format: :js }

spec/features/namespaces_spec.rb

@@ -31,7 +31,7 @@
       visit namespaces_path
       find('#add_namespace_btn').click
       fill_in 'Namespace', with: Namespace.first.name
-      fill_in 'Team', with: Team.first.name
+      fill_in 'Team', with: Team.where(hidden: false).first.name
       wait_for_effect_on('#add_namespace_form')
 
       click_button 'Create'
@@ -43,6 +43,24 @@
       expect(page).to have_css('#alert .alert.alert-dismissible.alert-info')
     end
 
+    scenario 'An user cannot create a namespace for a hidden team', js: true do
+      namespaces_count = Namespace.count
+
+      visit namespaces_path
+      find('#add_namespace_btn').click
+      fill_in 'Namespace', with: Namespace.first.name
+      fill_in 'Team', with: Team.where(hidden: true).first.name
+      wait_for_effect_on('#add_namespace_form')
+
+      click_button 'Create'
+      wait_for_ajax
+      wait_for_effect_on('#alert')
+      expect(Namespace.count).to eql namespaces_count
+      expect(current_path).to eql namespaces_path
+      expect(page).to have_content('Selected team does not exist')
+      expect(page).to have_css('#alert .alert.alert-dismissible.alert-info')
+    end
+
     scenario 'A namespace can be created from the index page', js: true do
       namespaces_count = Namespace.count