| author | Timothy Andrew <mail@timothyandrew.net> | 2017-02-17 20:28:12 +0530 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-02-24 16:50:20 +0530 |
| commit | 6fdb17cbbe5dc70d18f50e9d131ab70407976a71 (patch) | |
| tree | 79541d2bab89273fdf0b1d99cee7a3dfe94b0d8b /spec/policies/user_policy_spec.rb | |
| parent | f2ed82fa8486875660b80dd061827ac8b86d00b6 (diff) | |
| download | gitlab-ce-6fdb17cbbe5dc70d18f50e9d131ab70407976a71.tar.gz | |
Don't allow deleting a ghost user.
- Add a `destroy_user` ability. This didn't exist before, and was implicit in
other abilities (only admins could access the admin area, so only they could
destroy all users; a user can only access their own account page, and so can
destroy only themselves).
- Grant this ability to admins, and when the current user is trying to destroy
themselves. Disallow destroying ghost users in all cases.
- Modify the `Users::DestroyService` to check this ability. Also check it in
views to decide whether or not to show the "Delete User" button.
- Add a short summary of the Ghost User to the bio.
Diffstat (limited to 'spec/policies/user_policy_spec.rb')

| -rw-r--r-- | spec/policies/user_policy_spec.rb | 37 |
|---|---|---|

1 files changed, 37 insertions, 0 deletions
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb new file mode 100644 index 00000000000..d5761390d39 --- /dev/null +++ b/spec/policies/user_policy_spec.rb @@ -0,0 +1,37 @@ +require 'spec_helper' + +describe UserPolicy, models: true do + let(:current_user) { create(:user) } + let(:user) { create(:user) } + + subject { described_class.abilities(current_user, user).to_set } + + describe "reading a user's information" do + it { is_expected.to include(:read_user) } + end + + describe "destroying a user" do + context "when a regular user tries to destroy another regular user" do + it { is_expected.not_to include(:destroy_user) } + end + + context "when a regular user tries to destroy themselves" do + let(:current_user) { user } + + it { is_expected.to include(:destroy_user) } + end + + context "when an admin user tries to destroy a regular user" do + let(:current_user) { create(:user, :admin) } + + it { is_expected.to include(:destroy_user) } + end + + context "when an admin user tries to destroy a ghost user" do + let(:current_user) { create(:user, :admin) } + let(:user) { create(:user, :ghost) } + + it { is_expected.not_to include(:destroy_user) } + end + end +end |
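Review bot: the ghost exclusion is only tested through the admin path, while the commit message says ghost users cannot be destroyed in any case; the self-destroy branch (`let(:current_user) { user }` is granted `:destroy_user` a few lines up) is never exercised against a ghost user, so a policy that evaluates the "destroying themselves" condition before the ghost check would still pass this file. Add a context next to the existing ghost one, e.g. `context "when a ghost user tries to destroy themselves"` with `let(:user) { create(:user, :ghost) }` and `let(:current_user) { user }`, asserting `is_expected.not_to include(:destroy_user)`. A "regular user tries to destroy a ghost user" context would round out the matrix as well, since the four contexts present leave that combination unstated.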