diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-18 19:00:14 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-18 19:00:14 +0000 |
commit | 05f0ebba3a2c8ddf39e436f412dc2ab5bf1353b2 (patch) | |
tree | 11d0f2a6ec31c7793c184106cedc2ded3d9a2cc5 /spec/policies/merge_request_policy_spec.rb | |
parent | ec73467c23693d0db63a797d10194da9e72a74af (diff) | |
download | gitlab-ce-05f0ebba3a2c8ddf39e436f412dc2ab5bf1353b2.tar.gz |
Add latest changes from gitlab-org/gitlab@15-8-stable-eev15.8.0-rc42
Diffstat (limited to 'spec/policies/merge_request_policy_spec.rb')
-rw-r--r-- | spec/policies/merge_request_policy_spec.rb | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 741a0db3009..c21e1244402 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -461,4 +461,34 @@ RSpec.describe MergeRequestPolicy do end end end + + context 'when the author of the merge request is banned', feature_category: :insider_threat do + let_it_be(:user) { create(:user) } + let_it_be(:admin) { create(:user, :admin) } + let_it_be(:author) { create(:user, :banned) } + let_it_be(:project) { create(:project, :public) } + let_it_be(:hidden_merge_request) { create(:merge_request, source_project: project, author: author) } + + it 'does not allow non-admin user to read the merge_request' do + expect(permissions(user, hidden_merge_request)).not_to be_allowed(:read_merge_request) + end + + it 'allows admin to read the merge_request', :enable_admin_mode do + expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request) + end + + context 'when the `hide_merge_requests_from_banned_users` feature flag is disabled' do + before do + stub_feature_flags(hide_merge_requests_from_banned_users: false) + end + + it 'allows non-admin users to read the merge_request' do + expect(permissions(user, hidden_merge_request)).to be_allowed(:read_merge_request) + end + + it 'allows admin users to read the merge_request', :enable_admin_mode do + expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request) + end + end + end end |