From 53f775ae6d6d0cd33a6a1421e736670b45e59309 Mon Sep 17 00:00:00 2001
From: Tomasz Maczukin <tomasz@maczukin.pl>
Date: Fri, 29 Jan 2016 16:44:29 +0100
Subject: [PATCH] Fix runners filtering in API

---
 lib/api/runners.rb                |  6 ++---
 spec/requests/api/runners_spec.rb | 41 ++++++++++++++++++-------------
 2 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index b7294258c7d..799c10a1897 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -121,11 +121,11 @@ module API
         return runners unless scope.present?
 
         available_scopes = ::Ci::Runner::AVAILABLE_SCOPES
-        unless (available_scopes && scope).empty?
-          runners.send(scope)
-        else
+        if (available_scopes & [scope]).empty?
           render_api_error!('Scope contains invalid value', 400)
         end
+
+        runners.send(scope)
       end
 
       def get_runner(id)
diff --git a/spec/requests/api/runners_spec.rb b/spec/requests/api/runners_spec.rb
index 9ffa59dac07..d600b2312c5 100644
--- a/spec/requests/api/runners_spec.rb
+++ b/spec/requests/api/runners_spec.rb
@@ -22,35 +22,42 @@ describe API::API, api: true  do
   let!(:two_projects_runner_project2) { create(:ci_runner_project, runner: two_projects_runner, project: project2) }
 
   describe 'GET /runners' do
-    context 'authorized user with admin privileges' do
-      it 'should return all runners' do
-        get api('/runners', admin)
-        shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
+    context 'authorized user' do
+      context 'authorized user with admin privileges' do
+        it 'should return all runners' do
+          get api('/runners', admin)
+          shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
 
-        expect(response.status).to eq(200)
-        expect(json_response).to be_an Array
-        expect(shared).to be_truthy
+          expect(response.status).to eq(200)
+          expect(json_response).to be_an Array
+          expect(shared).to be_truthy
+        end
       end
 
-      it 'should filter runners by scope' do
-        get api('/runners?scope=specific', admin)
-        shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
+      context 'authorized user without admin privileges' do
+        it 'should return user available runners' do
+          get api('/runners', user)
+          shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
 
-        expect(response.status).to eq(200)
-        expect(json_response).to be_an Array
-        expect(shared).to be_falsey
+          expect(response.status).to eq(200)
+          expect(json_response).to be_an Array
+          expect(shared).to be_falsey
+        end
       end
-    end
 
-    context 'authorized user without admin privileges' do
-      it 'should return user available runners' do
-        get api('/runners', user)
+      it 'should filter runners by scope' do
+        get api('/runners?scope=specific', user)
         shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
 
         expect(response.status).to eq(200)
         expect(json_response).to be_an Array
         expect(shared).to be_falsey
       end
+
+      it 'should avoid filtering if scope is invalid' do
+        get api('/runners?scope=unknown', user)
+        expect(response.status).to eq(400)
+      end
     end
 
     context 'unauthorized user' do
-- 
GitLab