Use rspec-parameterized declarative syntaxallow-all-users-to-see-history

This aids clarity.

Also includes changelog fixes.

2 files changed, 96 insertions, 33 deletions

diff --git a/changelogs/unreleased/allow-all-users-to-see-history.yml b/changelogs/unreleased/allow-all-users-to-see-history.yml
index 6e6bf9a2a36..7423fa079cc 100644
--- a/changelogs/unreleased/allow-all-users-to-see-history.yml
+++ b/changelogs/unreleased/allow-all-users-to-see-history.yml
@@ -1,4 +1,4 @@
 ---
-title: 'Fixes #29528, by allowing all users to view history'
-merge_request: '30470'
+title: Align access permissions for wiki history to those of wiki pages
+merge_request: 30470
 type: fixed
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 2aa244c52e1..8fd54e0bf1d 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -130,56 +130,119 @@ describe ProjectPolicy do
     describe 'read_wiki' do
       subject { described_class.new(user, project) }
 
-      user_roles = %i[anonymous non_member guest developer]
+      member_roles = %i[guest developer]
+      stranger_roles = %i[anonymous non_member]
 
-      def member?(role)
-        %i[guest developer].include?(role)
+      user_roles = stranger_roles + member_roles
+
+      # When a user is anonymous, their `current_user == nil`
+      let(:user) { create(:user) unless user_role == :anonymous }
+
+      before do
+        project.visibility = project_visibility
+        project.project_feature.update_attribute(:wiki_access_level, wiki_access_level)
+        project.add_user(user, user_role) if member_roles.include?(user_role)
+      end
+
+      title = ->(project_visibility, wiki_access_level, user_role) do
+        [
+          "project is #{Gitlab::VisibilityLevel.level_name project_visibility}",
+          "wiki is #{ProjectFeature.str_from_access_level wiki_access_level}",
+          "user is #{user_role}"
+        ].join(', ')
       end
 
-      Viz = Gitlab::VisibilityLevel
-      WikiAccess = ProjectFeature
+      describe 'Situations where :read_wiki is always false' do
+        where(case_names: title,
+              project_visibility: Gitlab::VisibilityLevel.options.values,
+              wiki_access_level: [ProjectFeature::DISABLED],
+              user_role: user_roles)
 
-      must_be_member = [[Viz::PUBLIC, WikiAccess::PRIVATE],
-                        [Viz::INTERNAL, WikiAccess::PRIVATE],
-                        [Viz::PRIVATE, WikiAccess::ENABLED]]
+        with_them do
+          it { is_expected.to be_disallowed(:read_wiki) }
+        end
+      end
+
+      describe 'Situations where :read_wiki is always true' do
+        where(case_names: title,
+              project_visibility: [Gitlab::VisibilityLevel::PUBLIC],
+              wiki_access_level: [ProjectFeature::ENABLED],
+              user_role: user_roles)
 
-      where(:project_visibility, :wiki_access_level, :user_role, :allowed_access) do
-        # Situations where :read_wiki is always false:
-        disabled = Viz.options.values.flat_map do |pv|
-          user_roles.map { |role| [pv, WikiAccess::DISABLED, role, false] }
+        with_them do
+          it { is_expected.to be_allowed(:read_wiki) }
         end
+      end
+
+      describe 'Situations where :read_wiki requires project membership' do
+        context 'the wiki is private, and the user is a member' do
+          where(case_names: title,
+                project_visibility: [Gitlab::VisibilityLevel::PUBLIC,
+                                     Gitlab::VisibilityLevel::INTERNAL],
+                wiki_access_level: [ProjectFeature::PRIVATE],
+                user_role: member_roles)
 
-        # Situations where :read_wiki is always true
-        public_and_enabled = user_roles.map do |role|
-          [Viz::PUBLIC, WikiAccess::ENABLED, role, true]
+          with_them do
+            it { is_expected.to be_allowed(:read_wiki) }
+          end
         end
 
-        # Situations where :read_wiki requires project membership
-        membership_required = must_be_member.flat_map do |(pv, wa)|
-          user_roles.map { |role| [pv, wa, role, member?(role)] }
+        context 'the wiki is private, and the user is not member' do
+          where(case_names: title,
+                project_visibility: [Gitlab::VisibilityLevel::PUBLIC,
+                                     Gitlab::VisibilityLevel::INTERNAL],
+                wiki_access_level: [ProjectFeature::PRIVATE],
+                user_role: stranger_roles)
+
+          with_them do
+            it { is_expected.to be_disallowed(:read_wiki) }
+          end
         end
 
-        # Situations where :read_wiki prohibits anonymous access
-        internal_project = user_roles.flat_map do |role|
-          [WikiAccess::ENABLED, WikiAccess::PUBLIC].map do |wa|
-            [Viz::INTERNAL, wa, role, role != :anonymous]
+        context 'the wiki is enabled, and the user is a member' do
+          where(case_names: title,
+                project_visibility: [Gitlab::VisibilityLevel::PRIVATE],
+                wiki_access_level: [ProjectFeature::ENABLED],
+                user_role: member_roles)
+
+          with_them do
+            it { is_expected.to be_allowed(:read_wiki) }
           end
         end
 
-        disabled + public_and_enabled + membership_required + internal_project
+        context 'the wiki is enabled, and the user is not a member' do
+          where(case_names: title,
+                project_visibility: [Gitlab::VisibilityLevel::PRIVATE],
+                wiki_access_level: [ProjectFeature::ENABLED],
+                user_role: stranger_roles)
+
+          with_them do
+            it { is_expected.to be_disallowed(:read_wiki) }
+          end
+        end
       end
 
-      with_them do
-        let(:user) { create(:user) unless user_role == :anonymous }
+      describe 'Situations where :read_wiki prohibits anonymous access' do
+        context 'the user is not anonymous' do
+          where(case_names: title,
+                project_visibility: [Gitlab::VisibilityLevel::INTERNAL],
+                wiki_access_level: [ProjectFeature::ENABLED, ProjectFeature::PUBLIC],
+                user_role: user_roles.reject { |u| u == :anonymous })
 
-        before do
-          project.visibility = project_visibility
-          project.project_feature.update_attribute(:wiki_access_level, wiki_access_level)
-          project.add_user(user, user_role) if user.present? && user_role != :non_member
+          with_them do
+            it { is_expected.to be_allowed(:read_wiki) }
+          end
         end
 
-        it do
-          is_expected.send(allowed_access ? :to : :not_to, be_allowed(:read_wiki))
+        context 'the user is not anonymous' do
+          where(case_names: title,
+                project_visibility: [Gitlab::VisibilityLevel::INTERNAL],
+                wiki_access_level: [ProjectFeature::ENABLED, ProjectFeature::PUBLIC],
+                user_role: %i[anonymous])
+
+          with_them do
+            it { is_expected.to be_disallowed(:read_wiki) }
+          end
         end
       end
     end