diff options
author | Thong Kuah <tkuah@gitlab.com> | 2018-10-15 13:42:02 +1300 |
---|---|---|
committer | Thong Kuah <tkuah@gitlab.com> | 2018-11-03 23:37:03 +1300 |
commit | fda6fdd392a3c7169217b1e53bfb75a13e6930f9 (patch) | |
tree | bfb9d291da438b2fc73bf681659211d8921598c2 | |
parent | 3cdf7c7ec137d7753bab7687b24c7c1cd880357b (diff) | |
download | gitlab-ce-fda6fdd392a3c7169217b1e53bfb75a13e6930f9.tar.gz |
Add policy for clusters on group level
- maintainer for group can read, create, update, and admin cluster
- project user, at any level, cannot do anything with group cluster
-rw-r--r-- | app/policies/clusters/cluster_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 2 | ||||
-rw-r--r-- | spec/policies/clusters/cluster_policy_spec.rb | 42 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 6 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 4 |
6 files changed, 56 insertions, 8 deletions
diff --git a/app/policies/clusters/cluster_policy.rb b/app/policies/clusters/cluster_policy.rb index 147943a3d6c..d6d590687e2 100644 --- a/app/policies/clusters/cluster_policy.rb +++ b/app/policies/clusters/cluster_policy.rb @@ -4,11 +4,7 @@ module Clusters class ClusterPolicy < BasePolicy alias_method :cluster, :subject + delegate { cluster.group } delegate { cluster.project } - - rule { can?(:maintainer_access) }.policy do - enable :update_cluster - enable :admin_cluster - end end end diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 73c93b22c95..6b4e56ef5e4 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -65,6 +65,10 @@ class GroupPolicy < BasePolicy enable :create_projects enable :admin_pipeline enable :admin_build + enable :read_cluster + enable :create_cluster + enable :update_cluster + enable :admin_cluster end rule { owner }.policy do diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index a76a083bceb..1c082945299 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -258,6 +258,8 @@ class ProjectPolicy < BasePolicy enable :update_pages enable :read_cluster enable :create_cluster + enable :update_cluster + enable :admin_cluster enable :create_environment_terminal end diff --git a/spec/policies/clusters/cluster_policy_spec.rb b/spec/policies/clusters/cluster_policy_spec.rb index ced969830d8..b2f0ca1bc30 100644 --- a/spec/policies/clusters/cluster_policy_spec.rb +++ b/spec/policies/clusters/cluster_policy_spec.rb @@ -24,5 +24,47 @@ describe Clusters::ClusterPolicy, :models do it { expect(policy).to be_allowed :update_cluster } it { expect(policy).to be_allowed :admin_cluster } end + + context 'group cluster' do + let(:cluster) { create(:cluster, :group) } + let(:group) { cluster.group } + let(:project) { create(:project, namespace: group) } + + context 'when group developer' do + before do + group.add_developer(user) + end + + it { expect(policy).to be_disallowed :update_cluster } + it { expect(policy).to be_disallowed :admin_cluster } + end + + context 'when group maintainer' do + before do + group.add_maintainer(user) + end + + it { expect(policy).to be_allowed :update_cluster } + it { expect(policy).to be_allowed :admin_cluster } + end + + context 'when project maintainer' do + before do + project.add_maintainer(user) + end + + it { expect(policy).to be_disallowed :update_cluster } + it { expect(policy).to be_disallowed :admin_cluster } + end + + context 'when project developer' do + before do + project.add_developer(user) + end + + it { expect(policy).to be_disallowed :update_cluster } + it { expect(policy).to be_disallowed :admin_cluster } + end + end end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 5e583be457e..9d0093e8159 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -21,7 +21,11 @@ describe GroupPolicy do let(:maintainer_permissions) do [ - :create_projects + :create_projects, + :read_cluster, + :create_cluster, + :update_cluster, + :admin_cluster ] end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index b7ec35d6ec5..d6bc67a9d70 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -163,7 +163,7 @@ describe ProjectPolicy do :create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment ] @@ -182,7 +182,7 @@ describe ProjectPolicy do :create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment ] |