diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-20 13:18:24 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-20 13:18:24 +0000 |
| commit | 0653e08efd039a5905f3fa4f6e9cef9f5d2f799c (patch) | |
| tree | 4dcc884cf6d81db44adae4aa99f8ec1233a41f55 /spec/policies | |
| parent | 744144d28e3e7fddc117924fef88de5d9674fe4c (diff) | |
| download | gitlab-ce-0653e08efd039a5905f3fa4f6e9cef9f5d2f799c.tar.gz | |
Add latest changes from gitlab-org/gitlab@14-3-stable-eev14.3.0-rc42
Diffstat (limited to 'spec/policies')
| -rw-r--r-- | spec/policies/custom_emoji_policy_spec.rb | 73 | ||||
| -rw-r--r-- | spec/policies/group_policy_spec.rb | 59 | ||||
| -rw-r--r-- | spec/policies/issue_policy_spec.rb | 149 | ||||
| -rw-r--r-- | spec/policies/user_policy_spec.rb | 46 |
4 files changed, 246 insertions, 81 deletions
diff --git a/spec/policies/custom_emoji_policy_spec.rb b/spec/policies/custom_emoji_policy_spec.rb new file mode 100644 index 00000000000..9538ef9bb4a --- /dev/null +++ b/spec/policies/custom_emoji_policy_spec.rb @@ -0,0 +1,73 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe CustomEmojiPolicy do + let(:user) { create(:user) } + let(:group) { create(:group) } + let(:custom_emoji) { create(:custom_emoji, group: group) } + + let(:custom_emoji_permissions) do + [ + :create_custom_emoji, + :delete_custom_emoji + ] + end + + context 'custom emoji permissions' do + subject { described_class.new(user, custom_emoji) } + + context 'when user is' do + context 'a developer' do + before do + group.add_developer(user) + end + + it do + expect_allowed(:create_custom_emoji) + end + end + + context 'is maintainer' do + before do + group.add_maintainer(user) + end + + it do + expect_allowed(*custom_emoji_permissions) + end + end + + context 'is owner' do + before do + group.add_owner(user) + end + + it do + expect_allowed(*custom_emoji_permissions) + end + end + + context 'is developer and emoji creator' do + before do + group.add_developer(user) + custom_emoji.update_attribute(:creator, user) + end + + it do + expect_allowed(*custom_emoji_permissions) + end + end + + context 'is emoji creator but not a member of the group' do + before do + custom_emoji.update_attribute(:creator, user) + end + + it do + expect_disallowed(*custom_emoji_permissions) + end + end + end + end +end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 9fac5521aa6..482e12c029d 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -11,6 +11,9 @@ RSpec.describe GroupPolicy do it do expect_allowed(:read_group) + expect_allowed(:read_organization) + expect_allowed(:read_contact) + expect_allowed(:read_counts) expect_allowed(*read_group_permissions) expect_disallowed(:upload_file) expect_disallowed(*reporter_permissions) @@ -30,6 +33,9 @@ RSpec.describe GroupPolicy do end it { expect_disallowed(:read_group) } + it { expect_disallowed(:read_organization) } + it { expect_disallowed(:read_contact) } + it { expect_disallowed(:read_counts) } it { expect_disallowed(*read_group_permissions) } end @@ -42,6 +48,9 @@ RSpec.describe GroupPolicy do end it { expect_disallowed(:read_group) } + it { expect_disallowed(:read_organization) } + it { expect_disallowed(:read_contact) } + it { expect_disallowed(:read_counts) } it { expect_disallowed(*read_group_permissions) } end @@ -245,6 +254,7 @@ RSpec.describe GroupPolicy do let(:current_user) { nil } it do + expect_disallowed(:read_counts) expect_disallowed(*read_group_permissions) expect_disallowed(*guest_permissions) expect_disallowed(*reporter_permissions) @@ -258,6 +268,7 @@ RSpec.describe GroupPolicy do let(:current_user) { guest } it do + expect_allowed(:read_counts) expect_allowed(*read_group_permissions) expect_allowed(*guest_permissions) expect_disallowed(*reporter_permissions) @@ -271,6 +282,7 @@ RSpec.describe GroupPolicy do let(:current_user) { reporter } it do + expect_allowed(:read_counts) expect_allowed(*read_group_permissions) expect_allowed(*guest_permissions) expect_allowed(*reporter_permissions) @@ -284,6 +296,7 @@ RSpec.describe GroupPolicy do let(:current_user) { developer } it do + expect_allowed(:read_counts) expect_allowed(*read_group_permissions) expect_allowed(*guest_permissions) expect_allowed(*reporter_permissions) @@ -297,6 +310,7 @@ RSpec.describe GroupPolicy do let(:current_user) { maintainer } it do + expect_allowed(:read_counts) expect_allowed(*read_group_permissions) expect_allowed(*guest_permissions) expect_allowed(*reporter_permissions) @@ -310,6 +324,7 @@ RSpec.describe GroupPolicy do let(:current_user) { owner } it do + expect_allowed(:read_counts) expect_allowed(*read_group_permissions) expect_allowed(*guest_permissions) expect_allowed(*reporter_permissions) @@ -878,6 +893,34 @@ RSpec.describe GroupPolicy do end end + describe 'dependency proxy' do + context 'feature disabled' do + let(:current_user) { owner } + + it { is_expected.to be_disallowed(:read_dependency_proxy) } + it { is_expected.to be_disallowed(:admin_dependency_proxy) } + end + + context 'feature enabled' do + before do + stub_config(dependency_proxy: { enabled: true }) + group.create_dependency_proxy_setting!(enabled: true) + end + + context 'reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:admin_dependency_proxy) } + end + + context 'developer' do + let(:current_user) { developer } + + it { is_expected.to be_allowed(:admin_dependency_proxy) } + end + end + end + context 'deploy token access' do let!(:group_deploy_token) do create(:group_deploy_token, group: group, deploy_token: deploy_token) @@ -890,6 +933,8 @@ RSpec.describe GroupPolicy do it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_group) } + it { is_expected.to be_allowed(:read_organization) } + it { is_expected.to be_allowed(:read_contact) } it { is_expected.to be_disallowed(:create_package) } end @@ -899,8 +944,22 @@ RSpec.describe GroupPolicy do it { is_expected.to be_allowed(:create_package) } it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_group) } + it { is_expected.to be_allowed(:read_organization) } + it { is_expected.to be_allowed(:read_contact) } it { is_expected.to be_disallowed(:destroy_package) } end + + context 'a deploy token with dependency proxy scopes' do + let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) } + + before do + stub_config(dependency_proxy: { enabled: true }) + group.create_dependency_proxy_setting!(enabled: true) + end + + it { is_expected.to be_allowed(:read_dependency_proxy) } + it { is_expected.to be_disallowed(:admin_dependency_proxy) } + end end it_behaves_like 'Self-managed Core resource access tokens' diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index d62271eedf6..3805976b3e7 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -27,17 +27,17 @@ RSpec.describe IssuePolicy do end it 'allows support_bot to read issues, create and set metadata on new issues' do - expect(permissions(support_bot, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(support_bot, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(support_bot, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(support_bot, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(support_bot, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(support_bot, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end end shared_examples 'support bot with service desk disabled' do - it 'allows support_bot to read issues, create and set metadata on new issues' do - expect(permissions(support_bot, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(support_bot, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(support_bot, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata) + it 'does not allow support_bot to read issues, create and set metadata on new issues' do + expect(permissions(support_bot, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(support_bot, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(support_bot, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality) end end @@ -60,50 +60,50 @@ RSpec.describe IssuePolicy do it 'allows guests to read issues' do expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'allows reporters to read, update, and admin issues' do - expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'allows reporters from group links to read, update, and admin issues' do - expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(reporter_from_group_link, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter_from_group_link, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'allows issue authors to read and update their issues' do expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(author, issue)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(author, issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(author, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(author, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'allows issue assignees to read and update their issues' do expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(assignee, issue)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(assignee, issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(assignee, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(assignee, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'does not allow non-members to read, update or create issues' do - expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata) + expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it_behaves_like 'support bot with service desk disabled' @@ -115,49 +115,49 @@ RSpec.describe IssuePolicy do it 'does not allow non-members to read confidential issues' do expect(permissions(non_member, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'does not allow guests to read confidential issues' do expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'allows reporters to read, update, and admin confidential issues' do - expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'allows reporters from group links to read, update, and admin confidential issues' do - expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'allows issue authors to read and update their confidential issues' do expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) end it 'does not allow issue author to read or update confidential issue moved to an private project' do confidential_issue.project = create(:project, :private) - expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata) + expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata, :set_confidentiality) end it 'allows issue assignees to read and update their confidential issues' do expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'does not allow issue assignees to read or update confidential issue moved to an private project' do confidential_issue.project = create(:project, :private) - expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata) + expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata, :set_confidentiality) end end end @@ -180,48 +180,48 @@ RSpec.describe IssuePolicy do it 'does not allow anonymous user to create todos' do expect(permissions(nil, issue)).to be_allowed(:read_issue) - expect(permissions(nil, issue)).to be_disallowed(:create_todo, :update_subscription, :set_issue_metadata) - expect(permissions(nil, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata) + expect(permissions(nil, issue)).to be_disallowed(:create_todo, :update_subscription, :set_issue_metadata, :set_confidentiality) + expect(permissions(nil, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'allows guests to read issues' do expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid, :create_todo, :update_subscription) - expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(guest, issue_locked)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue_locked)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(guest, issue_locked)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'allows reporters to read, update, reopen, and admin issues' do - expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) - expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) - expect(permissions(reporter, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(reporter, issue_locked)).to be_disallowed(:reopen_issue) - expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'allows reporters from group links to read, update, reopen and admin issues' do - expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) - expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) - expect(permissions(reporter_from_group_link, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter_from_group_link, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(reporter_from_group_link, issue_locked)).to be_disallowed(:reopen_issue) - expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) + expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it 'allows issue authors to read, reopen and update their issues' do expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :reopen_issue) - expect(permissions(author, issue)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(author, issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(author, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(author, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(author, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(author, new_issue)).to be_allowed(:create_issue) expect(permissions(author, new_issue)).to be_disallowed(:set_issue_metadata) @@ -229,13 +229,13 @@ RSpec.describe IssuePolicy do it 'allows issue assignees to read, reopen and update their issues' do expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :reopen_issue) - expect(permissions(assignee, issue)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(assignee, issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(assignee, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(assignee, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(assignee, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality) end it 'allows non-members to read and create issues' do @@ -249,22 +249,25 @@ RSpec.describe IssuePolicy do expect(permissions(non_member, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) end - it 'does not allow non-members to update, admin or set metadata' do - expect(permissions(non_member, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + it 'does not allow non-members to update, admin or set metadata except for set confidential flag' do + expect(permissions(non_member, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(non_member, new_issue)).to be_disallowed(:set_issue_metadata) + # this is allowed for non-members in a public project, as we want to let users report security issues + # see https://gitlab.com/gitlab-org/gitlab/-/issues/337665 + expect(permissions(non_member, new_issue)).to be_allowed(:set_confidentiality) end it 'allows support_bot to read issues' do # support_bot is still allowed read access in public projects through :public_access permission, # see project_policy public_access rules policy (rule { can?(:public_access) }.policy {...}) expect(permissions(support_bot, issue)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(support_bot, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(support_bot, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(support_bot, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(support_bot, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(support_bot, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(support_bot, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata) + expect(permissions(support_bot, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it_behaves_like 'support bot with service desk enabled' @@ -318,9 +321,9 @@ RSpec.describe IssuePolicy do end it 'does not allow non-members to update or create issues' do - expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) - expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata) + expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality) end it_behaves_like 'support bot with service desk disabled' @@ -333,31 +336,31 @@ RSpec.describe IssuePolicy do it 'does not allow guests to read confidential issues' do expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'allows reporters to read, update, and admin confidential issues' do expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'allows reporter from group links to read, update, and admin confidential issues' do expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'allows issue authors to read and update their confidential issues' do expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end it 'allows issue assignees to read and update their confidential issues' do expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata) + expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end end diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb index 78212f06526..b800e7dbc43 100644 --- a/spec/policies/user_policy_spec.rb +++ b/spec/policies/user_policy_spec.rb @@ -3,8 +3,12 @@ require 'spec_helper' RSpec.describe UserPolicy do - let(:current_user) { create(:user) } - let(:user) { create(:user) } + let_it_be(:admin) { create(:user, :admin) } + let_it_be(:regular_user) { create(:user) } + let_it_be(:subject_user) { create(:user) } + + let(:current_user) { regular_user } + let(:user) { subject_user } subject { described_class.new(current_user, user) } @@ -16,7 +20,7 @@ RSpec.describe UserPolicy do let(:token) { create(:personal_access_token, user: user) } context 'when user is admin' do - let(:current_user) { create(:user, :admin) } + let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do it { is_expected.to be_allowed(:read_user_personal_access_tokens) } @@ -42,7 +46,7 @@ RSpec.describe UserPolicy do describe "creating a different user's Personal Access Tokens" do context 'when current_user is admin' do - let(:current_user) { create(:user, :admin) } + let(:current_user) { admin } context 'when admin mode is enabled and current_user is not blocked', :enable_admin_mode do it { is_expected.to be_allowed(:create_user_personal_access_token) } @@ -92,7 +96,7 @@ RSpec.describe UserPolicy do end context "when an admin user tries to destroy a regular user" do - let(:current_user) { create(:user, :admin) } + let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do it { is_expected.to be_allowed(ability) } @@ -104,7 +108,7 @@ RSpec.describe UserPolicy do end context "when an admin user tries to destroy a ghost user" do - let(:current_user) { create(:user, :admin) } + let(:current_user) { admin } let(:user) { create(:user, :ghost) } it { is_expected.not_to be_allowed(ability) } @@ -132,7 +136,7 @@ RSpec.describe UserPolicy do context 'disabling the two-factor authentication of another user' do context 'when the executor is an admin', :enable_admin_mode do - let(:current_user) { create(:user, :admin) } + let(:current_user) { admin } it { is_expected.to be_allowed(:disable_two_factor) } end @@ -145,7 +149,7 @@ RSpec.describe UserPolicy do describe "reading a user's group count" do context "when current_user is an admin", :enable_admin_mode do - let(:current_user) { create(:user, :admin) } + let(:current_user) { admin } it { is_expected.to be_allowed(:read_group_count) } end @@ -172,4 +176,30 @@ RSpec.describe UserPolicy do it { is_expected.to be_allowed(:read_user_profile) } end end + + describe ':read_user_groups' do + context 'when user is admin' do + let(:current_user) { admin } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_user_groups) } + end + + context 'when admin mode is disabled' do + it { is_expected.not_to be_allowed(:read_user_groups) } + end + end + + context 'when user is not an admin' do + context 'requesting their own manageable groups' do + subject { described_class.new(current_user, current_user) } + + it { is_expected.to be_allowed(:read_user_groups) } + end + + context "requesting a different user's manageable groups" do + it { is_expected.not_to be_allowed(:read_user_groups) } + end + end + end end |