author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-20 11:10:13 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-20 11:10:13 +0000 |
commit | 0ea3fcec397b69815975647f5e2aa5fe944a8486 (patch) | |
tree | 7979381b89d26011bcf9bdc989a40fcc2f1ed4ff /spec/policies | |
parent | 72123183a20411a36d607d70b12d57c484394c8e (diff) | |
Add latest changes from gitlab-org/gitlab@15-1-stable-eev15.1.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/blob_policy_spec.rb | 7 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 13 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 159 | ||||
-rw-r--r-- | spec/policies/work_item_policy_spec.rb | 6 |
4 files changed, 165 insertions, 20 deletions
diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb
index 2b0465f3615..1be2318a0fe 100644
--- a/spec/policies/blob_policy_spec.rb
+++ b/spec/policies/blob_policy_spec.rb
@@ -20,8 +20,11 @@ RSpec.describe BlobPolicy do
 with_them do
 it 'grants permission' do
 enable_admin_mode!(user) if admin_mode
- project.update!(visibility_level: Gitlab::VisibilityLevel.level_value(project_level.to_s))
- update_feature_access_level(project, feature_access_level)
+ update_feature_access_level(
+ project,
+ feature_access_level,
+ visibility_level: Gitlab::VisibilityLevel.level_value(project_level.to_s)
+ )
 if expected_count == 1
 expect(policy).to be_allowed(:read_blob)
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 05bba167bd3..c513baea517 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1216,19 +1216,6 @@ RSpec.describe GroupPolicy do
 end
 end
- context 'with customer relations feature flag disabled' do
- let(:current_user) { owner }
-
- before do
- stub_feature_flags(customer_relations: false)
- end
-
- it { is_expected.to be_disallowed(:read_crm_contact) }
- it { is_expected.to be_disallowed(:read_crm_organization) }
- it { is_expected.to be_disallowed(:admin_crm_contact) }
- it { is_expected.to be_disallowed(:admin_crm_organization) }
- end
-
 context 'when crm_enabled is false' do
 let(:current_user) { owner }
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index b77ccb83509..7b3d1abadc1 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -32,7 +32,7 @@ RSpec.describe ProjectPolicy do
 end
 end
- it 'does not include the read_issue permission when the issue author is not a member of the private project' do
+ it 'does not include the read permissions when the issue author is not a member of the private project' do
 project = create(:project, :private)
 issue = create(:issue, project: project, author: create(:user))
 user = issue.author
@@ -40,6 +40,7 @@ RSpec.describe ProjectPolicy do
 expect(project.team.member?(issue.author)).to be false
 expect(Ability).not_to be_allowed(user, :read_issue, project)
+ expect(Ability).not_to be_allowed(user, :read_work_item, project)
 end
 it_behaves_like 'model with wiki policies' do
@@ -61,7 +62,7 @@ RSpec.describe ProjectPolicy do
 end
 it 'does not include the issues permissions' do
- expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task
+ expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task, :read_work_item
 end
 it 'disables boards and lists permissions' do
@@ -73,7 +74,7 @@ RSpec.describe ProjectPolicy do
 it 'does not include the issues permissions' do
 create(:jira_integration, project: project)
- expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task
+ expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task, :read_work_item
 end
 end
 end
@@ -463,6 +464,62 @@ RSpec.describe ProjectPolicy do
 end
 end
+ context 'owner access' do
+ let!(:owner_user) { create(:user) }
+ let!(:owner_of_different_thing) { create(:user) }
+ let(:stranger) { create(:user) }
+
+ context 'personal project' do
+ let!(:project) { create(:project) }
+ let!(:project2) { create(:project) }
+
+ before do
+ project.add_guest(guest)
+ project.add_reporter(reporter)
+ project.add_developer(developer)
+ project.add_maintainer(maintainer)
+ project2.add_owner(owner_of_different_thing)
+ end
+
+ it 'allows owner access', :aggregate_failures do
+ expect(described_class.new(owner_of_different_thing, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(stranger, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(guest, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(reporter, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(developer, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(maintainer, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(project.owner, project)).to be_allowed(:owner_access)
+ end
+ end
+
+ context 'group project' do
+ let(:group) { create(:group) }
+ let!(:group2) { create(:group) }
+ let!(:project) { create(:project, group: group) }
+
+ context 'group members' do
+ before do
+ group.add_guest(guest)
+ group.add_reporter(reporter)
+ group.add_developer(developer)
+ group.add_maintainer(maintainer)
+ group.add_owner(owner_user)
+ group2.add_owner(owner_of_different_thing)
+ end
+
+ it 'allows owner access', :aggregate_failures do
+ expect(described_class.new(owner_of_different_thing, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(stranger, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(guest, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(reporter, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(developer, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(maintainer, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(owner_user, project)).to be_allowed(:owner_access)
+ end
+ end
+ end
+ end
+
 context 'reading a project' do
 it 'allows access when a user has read access to the repo' do
 expect(described_class.new(owner, project)).to be_allowed(:read_project)
@@ -678,14 +735,14 @@ RSpec.describe ProjectPolicy do
 allow(project).to receive(:service_desk_enabled?).and_return(true)
 end
- it { expect_allowed(:reporter_access, :create_note, :read_issue) }
+ it { expect_allowed(:reporter_access, :create_note, :read_issue, :read_work_item) }
 context 'when issues are protected members only' do
 before do
 project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
 end
- it { expect_allowed(:reporter_access, :create_note, :read_issue) }
+ it { expect_allowed(:reporter_access, :create_note, :read_issue, :read_work_item) }
 end
 end
 end
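Review bot: The `owner_access` examples in the 'group project' context only cover users added directly to `group`; ownership that arrives through an ancestor group (a project in a subgroup whose owner sits on the parent) is the path most likely to regress silently and is not pinned here, and neither is an admin with admin mode on versus off. Both fit as sibling contexts under 'group project', e.g. a group created with a parent group on which `owner_user` is added as owner, asserting `be_allowed(:owner_access)` for that user and `be_disallowed` for `owner_of_different_thing`. The example name 'allows owner access' also reads as a positive test while six of its seven expectations are `be_disallowed`; `it 'grants owner_access only to the owner', :aggregate_failures do` describes what is asserted. The `let` for `project` in the outer describe is shadowed by `let!(:project)` in both contexts, which is fine here but worth a one-line comment so nobody assumes the shared fixture is in play.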
@@ -1282,6 +1339,98 @@ RSpec.describe ProjectPolicy do
 end
 end
+ describe 'admin_package' do
+ context 'with admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:admin_package) }
+ end
+
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:admin_package) }
+ end
+ end
+
+ %i[owner maintainer].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_allowed(:admin_package) }
+ end
+ end
+
+ %i[developer reporter guest non_member anonymous].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_disallowed(:admin_package) }
+ end
+ end
+ end
+
+ describe 'view_package_registry_project_settings' do
+ context 'with registry enabled' do
+ before do
+ stub_config(registry: { enabled: true })
+ end
+
+ context 'with an admin user' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:view_package_registry_project_settings) }
+ end
+
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+ end
+
+ %i[owner maintainer].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_allowed(:view_package_registry_project_settings) }
+ end
+ end
+
+ %i[developer reporter guest non_member anonymous].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+ end
+ end
+
+ context 'with registry disabled' do
+ before do
+ stub_config(registry: { enabled: false })
+ end
+
+ context 'with admin user' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+ end
+
+ %i[owner maintainer developer reporter guest non_member anonymous].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+ end
+ end
+ end
+
 describe 'read_feature_flag' do
 subject { described_class.new(current_user, project) }
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index b19f7d2557d..9cfc4455979 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
@@ -37,6 +37,12 @@ RSpec.describe WorkItemPolicy do
 let(:current_user) { guest_author }
 it { is_expected.to be_allowed(:read_work_item) }
+
+ context 'when work_item is confidential' do
+ let(:work_item_subject) { create(:work_item, confidential: true, project: project) }
+
+ it { is_expected.not_to be_allowed(:read_work_item) }
+ end
 end
 end
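Review bot: The `admin_package` and `view_package_registry_project_settings` examples spell out the allowed and disallowed role sets as separate literal arrays four times (`%i[owner maintainer]` against `%i[developer reporter guest non_member anonymous]`, and once the full list); when a role is later added to one literal but not its partner, the negative side of the permission silently stops being checked, which is exactly the gap a policy spec exists to catch. Naming each set once at the top of the describe, e.g. `package_admin_roles = %i[owner maintainer]` and deriving the disallowed set as the remaining roles, keeps the two sides in step. The registry-disabled context correctly pins admin mode off, but nothing here exercises `admin_package` when the project's own packages feature is turned off; if the policy is meant to follow that setting, one context covering it would pin the boundary (the policy itself is outside this diff). The `describe` blocks are complete within the hunk.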
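Review bot: The new 'when work_item is confidential' context in work_item_policy_spec.rb pins only the `guest_author` case; a confidentiality boundary is better pinned from both sides, with a guest who is not the author (must also be disallowed) and a reporter or higher (must be allowed), otherwise a regression that denies everyone or allows everyone still passes this single example. The enclosing context that defines `guest_author` begins before the hunk, so I cannot tell whether those cases already exist nearby. A sibling `context 'when work_item is confidential'` under the non-author guest block, with the same `let(:work_item_subject)` and `it { is_expected.not_to be_allowed(:read_work_item) }`, would close the first gap.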