authorFrancisco Javier López <fjlopez@gitlab.com>2019-09-10 13:30:03 +0200
committerFrancisco Javier López <fjlopez@gitlab.com>2019-09-10 13:30:03 +0200
commitae5aa1100c7e11fa5109b6fb79247d2884aaaffe (patch)
tree059223df43e8fabf3da2ac48a65667836ffa693e
parent4e9a93a38d0bbc6940a54b484b5d902f2d481a4d (diff)
downloadgitlab-ce-fj-14330-external-user-snippet-creation.tar.gz
Added rule to prevent external users from creating project snippetfj-14330-external-user-snippet-creation
-rw-r--r--app/policies/project_snippet_policy.rb1
-rw-r--r--spec/policies/personal_snippet_policy_spec.rb14
-rw-r--r--spec/policies/project_snippet_policy_spec.rb3
3 files changed, 18 insertions, 0 deletions
diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb
index e5e005cee6d..03af719e750 100644
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -45,4 +45,5 @@ class ProjectSnippetPolicy < BasePolicy
end
rule { ~can?(:read_project_snippet) }.prevent :create_note
+ rule { external_user }.prevent :create_project_snippet
end
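Review bot: The new `prevent` on `external_user` is unconditional, so as written it also denies snippet creation to an external user who has been added to the project as a member. If that is the intent, state it next to the rule, e.g. `# External users can never create project snippets, even as project members`. It is also worth confirming that creation is authorized through this policy at all: its subject is an existing snippet, and a create check evaluated against the project would never reach this rule (the call sites are not visible here). The `external_user` condition and the rest of the class body are defined outside the hunk.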
diff --git a/spec/policies/personal_snippet_policy_spec.rb b/spec/policies/personal_snippet_policy_spec.rb
index 097000ceb6a..8fcedef64c3 100644
--- a/spec/policies/personal_snippet_policy_spec.rb
+++ b/spec/policies/personal_snippet_policy_spec.rb
@@ -43,6 +43,18 @@ describe PersonalSnippetPolicy do
end
end
+ context 'external user' do
+ subject { permissions(external_user) }
+
+ it do
+ is_expected.to be_allowed(:read_personal_snippet)
+ is_expected.to be_disallowed(:create_personal_snippet)
+ is_expected.to be_allowed(:create_note)
+ is_expected.to be_allowed(:award_emoji)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
+
context 'author' do
subject { permissions(snippet.author) }
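Review bot: The `be_disallowed(:create_personal_snippet)` expectations added here and in the hunks at -85 and -144 are not backed by any personal snippet policy change in this commit. They exercise a rule defined elsewhere and would not catch a regression in the new project snippet rule. The new 'external user' context is also added only once; if the surrounding section covers a single visibility level (the enclosing contexts start outside the hunk), the other levels get no external-user case. I would add a comment above the context such as `# external users keep read/note access but must not create snippets`, and mirror the context under each visibility level the file covers.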
@@ -85,6 +97,7 @@ describe PersonalSnippetPolicy do
it do
is_expected.to be_disallowed(:read_personal_snippet)
+ is_expected.to be_disallowed(:create_personal_snippet)
is_expected.to be_disallowed(:create_note)
is_expected.to be_disallowed(:award_emoji)
is_expected.to be_disallowed(*author_permissions)
@@ -144,6 +157,7 @@ describe PersonalSnippetPolicy do
it do
is_expected.to be_disallowed(:read_personal_snippet)
+ is_expected.to be_disallowed(:create_personal_snippet)
is_expected.to be_disallowed(:create_note)
is_expected.to be_disallowed(:award_emoji)
is_expected.to be_disallowed(*author_permissions)
diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb
index 2e9ef1e89fd..fab654223f8 100644
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
@@ -41,6 +41,7 @@ describe ProjectSnippetPolicy do
it do
expect_allowed(:read_project_snippet, :create_note)
+ expect_disallowed(:create_project_snippet)
expect_disallowed(*author_permissions)
end
end
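Review bot: Every assertion added in this file is negative: `expect_disallowed(:create_project_snippet)` here and in the hunks at -72 and -139, with no visible case where the ability is allowed. A negative-only authorization spec passes even if this policy never enables the ability for anyone, so it does not show that the new `external_user` rule is what denies it. Pair it with a positive case for a non-external project member, e.g. `expect_allowed(:create_project_snippet)`, in the matching context. The enclosing contexts and their subjects are outside the hunks, so which users these three blocks cover cannot be confirmed from here.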
@@ -72,6 +73,7 @@ describe ProjectSnippetPolicy do
it do
expect_disallowed(:read_project_snippet, :create_note)
+ expect_disallowed(:create_project_snippet)
expect_disallowed(*author_permissions)
end
@@ -139,6 +141,7 @@ describe ProjectSnippetPolicy do
it do
expect_allowed(:read_project_snippet, :create_note)
+ expect_disallowed(:create_project_snippet)
expect_disallowed(*author_permissions)
end
end