authorGitLab Bot <gitlab-bot@gitlab.com>2022-03-18 20:02:30 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-03-18 20:02:30 +0000
commit41fe97390ceddf945f3d967b8fdb3de4c66b7dea (patch)
tree9c8d89a8624828992f06d892cd2f43818ff5dcc8 /spec/policies
parent0804d2dc31052fb45a1efecedc8e06ce9bc32862 (diff)
Add latest changes from gitlab-org/gitlab@14-9-stable-eev14.9.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/application_setting_policy_spec.rb40
-rw-r--r--spec/policies/global_policy_spec.rb30
-rw-r--r--spec/policies/group_policy_spec.rb64
-rw-r--r--spec/policies/issue_policy_spec.rb32
-rw-r--r--spec/policies/project_policy_spec.rb96
-rw-r--r--spec/policies/work_item_policy_spec.rb94
6 files changed, 303 insertions, 53 deletions
diff --git a/spec/policies/application_setting_policy_spec.rb b/spec/policies/application_setting_policy_spec.rb
new file mode 100644
index 00000000000..f5f02d25c64
--- /dev/null
+++ b/spec/policies/application_setting_policy_spec.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ApplicationSettingPolicy do
+ let(:current_user) { create(:user) }
+ let(:user) { create(:user) }
+
+ subject { described_class.new(current_user, [user]) }
+
+ describe 'update_runners_registration_token' do
+ context 'when anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+ end
+
+ context 'regular user' do
+ it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+ end
+
+ context 'when external' do
+ let(:current_user) { build(:user, :external) }
+
+ it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+ end
+
+ context 'admin' do
+ let(:current_user) { create(:admin) }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:update_runners_registration_token) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:update_runners_registration_token) }
+ end
+ end
+ end
+end
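Review bot: The policy under test is instantiated with `[user]` as its subject in `subject { described_class.new(current_user, [user]) }`, and `user` is not referenced anywhere else in this new file. That shape was possibly carried over from the GlobalPolicy spec these examples were moved out of; for an authorization spec guarding the runner registration token it would be clearer to pass the kind of object the policy is really evaluated against, e.g. `subject { described_class.new(current_user, application_setting) }` with `application_setting` standing in for a `let` you define for this spec. The examples also mix `is_expected.not_to be_allowed(...)` and `is_expected.to be_disallowed(...)` for the same ability; using `be_disallowed` throughout would read more consistently.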
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index ca9a5b1853c..04d7eca6f09 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -591,34 +591,4 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:log_in) }
end
end
-
- describe 'update_runners_registration_token' do
- context 'when anonymous' do
- let(:current_user) { nil }
-
- it { is_expected.not_to be_allowed(:update_runners_registration_token) }
- end
-
- context 'regular user' do
- it { is_expected.not_to be_allowed(:update_runners_registration_token) }
- end
-
- context 'when external' do
- let(:current_user) { build(:user, :external) }
-
- it { is_expected.not_to be_allowed(:update_runners_registration_token) }
- end
-
- context 'admin' do
- let(:current_user) { create(:admin) }
-
- context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:update_runners_registration_token) }
- end
-
- context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:update_runners_registration_token) }
- end
- end
- end
end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 2607e285a80..ff59a2e04a7 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1076,37 +1076,33 @@ RSpec.describe GroupPolicy do
end
describe 'register_group_runners' do
- shared_examples 'expected outcome based on runner registration control' do
- context 'with runner_registration_control FF disabled' do
- before do
- stub_feature_flags(runner_registration_control: false)
- end
+ context 'admin' do
+ let(:current_user) { admin }
- it { is_expected.to be_allowed(:register_group_runners) }
- end
+ context 'when admin mode is enabled', :enable_admin_mode do
+ context 'with runner_registration_control FF disabled' do
+ before do
+ stub_feature_flags(runner_registration_control: false)
+ end
- context 'with runner_registration_control FF enabled' do
- before do
- stub_feature_flags(runner_registration_control: true)
+ it { is_expected.to be_allowed(:register_group_runners) }
end
- context 'with group runner registration disabled' do
+ context 'with runner_registration_control FF enabled' do
before do
- stub_application_setting(valid_runner_registrars: ['project'])
+ stub_feature_flags(runner_registration_control: true)
end
- it { is_expected.to be_disallowed(:register_group_runners) }
- end
- end
- end
+ it { is_expected.to be_allowed(:register_group_runners) }
- context 'admin' do
- let(:current_user) { admin }
-
- context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:register_group_runners) }
+ context 'with group runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['project'])
+ end
- it_behaves_like 'expected outcome based on runner registration control'
+ it { is_expected.to be_allowed(:register_group_runners) }
+ end
+ end
end
context 'when admin mode is disabled' do
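Review bot: Inlining the shared examples leaves the same feature-flag/setting context tree copied into the admin context here and the owner context in the next hunk (and again in project_policy_spec.rb), with only the innermost expectation differing, so the copies can drift and the one security-relevant difference is easy to overlook. The admin copy asserts `be_allowed` even with `valid_runner_registrars: ['project']`; if that bypass is intended, say so where it is asserted, e.g. `# admins in admin mode are not restricted by valid_runner_registrars`, or rename the context to `'with group runner registration disabled (admin bypass)'`. Alternatively keep one shared example group and pass the expected outcome as a block parameter. The `'when admin mode is disabled'` context continues outside this hunk.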
@@ -1119,7 +1115,29 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_allowed(:register_group_runners) }
- it_behaves_like 'expected outcome based on runner registration control'
+ context 'with runner_registration_control FF disabled' do
+ before do
+ stub_feature_flags(runner_registration_control: false)
+ end
+
+ it { is_expected.to be_allowed(:register_group_runners) }
+ end
+
+ context 'with runner_registration_control FF enabled' do
+ before do
+ stub_feature_flags(runner_registration_control: true)
+ end
+
+ it { is_expected.to be_allowed(:register_group_runners) }
+
+ context 'with group runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['project'])
+ end
+
+ it { is_expected.to be_disallowed(:register_group_runners) }
+ end
+ end
end
context 'with maintainer' do
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 3805976b3e7..1fe9e430011 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -396,4 +396,36 @@ RSpec.describe IssuePolicy do
expect(policies).to be_allowed(:read_issue_iid)
end
end
+
+ describe 'set_issue_crm_contacts' do
+ let(:user) { create(:user) }
+ let(:subgroup) { create(:group, :crm_enabled, parent: create(:group, :crm_enabled)) }
+ let(:project) { create(:project, group: subgroup) }
+ let(:issue) { create(:issue, project: project) }
+ let(:policies) { described_class.new(user, issue) }
+
+ context 'when project reporter' do
+ it 'is disallowed' do
+ project.add_reporter(user)
+
+ expect(policies).to be_disallowed(:set_issue_crm_contacts)
+ end
+ end
+
+ context 'when subgroup reporter' do
+ it 'is allowed' do
+ subgroup.add_reporter(user)
+
+ expect(policies).to be_disallowed(:set_issue_crm_contacts)
+ end
+ end
+
+ context 'when root group reporter' do
+ it 'is allowed' do
+ subgroup.parent.add_reporter(user)
+
+ expect(policies).to be_allowed(:set_issue_crm_contacts)
+ end
+ end
+ end
end
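Review bot: In the `'when subgroup reporter'` context the example is titled `it 'is allowed' do` but asserts `be_disallowed(:set_issue_crm_contacts)`, so the description and the assertion contradict each other. Given that the root-group case is the one asserting `be_allowed`, the assertion is presumably the intended behaviour and the title should be `it 'is disallowed' do`; if instead the title is right, the spec is currently locking in the wrong permission. Either way a failure or success report for this example will mislead whoever reads it.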
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 793b1fffd5f..0da37fc5378 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1755,4 +1755,100 @@ RSpec.describe ProjectPolicy do
end
end
end
+
+ describe 'register_project_runners' do
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ context 'with runner_registration_control FF disabled' do
+ before do
+ stub_feature_flags(runner_registration_control: false)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
+
+ context 'with runner_registration_control FF enabled' do
+ before do
+ stub_feature_flags(runner_registration_control: true)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+
+ context 'with project runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['group'])
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
+ end
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+
+ context 'with runner_registration_control FF disabled' do
+ before do
+ stub_feature_flags(runner_registration_control: false)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
+
+ context 'with runner_registration_control FF enabled' do
+ before do
+ stub_feature_flags(runner_registration_control: true)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+
+ context 'with project runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['group'])
+ end
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+ end
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+
+ context 'with non member' do
+ let(:current_user) { create(:user) }
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+ end
end
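Review bot: The `valid_runner_registrars: ['group']` restriction is only exercised for admin and owner; the `'with maintainer'` context checks just the default state, although maintainer is the lowest role this spec shows as allowed to register project runners. A regression that applied the restriction to owners but not maintainers would pass this spec. Adding the restricted case under `'with maintainer'` closes that gap; the expected `be_disallowed` below is inferred from the owner case and should be confirmed against the policy. The admin `'when admin mode is disabled'` context could get the same treatment.

```ruby
context 'with maintainer' do
  let(:current_user) { maintainer }

  # … unchanged: default-state be_allowed example …

  context 'with project runner registration disabled' do
    before do
      stub_feature_flags(runner_registration_control: true)
      stub_application_setting(valid_runner_registrars: ['group'])
    end

    it { is_expected.to be_disallowed(:register_project_runners) }
  end
end
```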
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
new file mode 100644
index 00000000000..08a22a95540
--- /dev/null
+++ b/spec/policies/work_item_policy_spec.rb
@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe WorkItemPolicy do
+ let_it_be(:project) { create(:project) }
+ let_it_be(:public_project) { create(:project, :public) }
+ let_it_be(:guest) { create(:user).tap { |user| project.add_guest(user) } }
+ let_it_be(:guest_author) { create(:user).tap { |user| project.add_guest(user) } }
+ let_it_be(:reporter) { create(:user).tap { |user| project.add_reporter(user) } }
+ let_it_be(:non_member_user) { create(:user) }
+ let_it_be(:work_item) { create(:work_item, project: project) }
+ let_it_be(:authored_work_item) { create(:work_item, project: project, author: guest_author) }
+ let_it_be(:public_work_item) { create(:work_item, project: public_project) }
+
+ let(:work_item_subject) { work_item }
+
+ subject { described_class.new(current_user, work_item_subject) }
+
+ before_all do
+ public_project.add_developer(guest_author)
+ end
+
+ describe 'read_work_item' do
+ context 'when project is public' do
+ let(:work_item_subject) { public_work_item }
+
+ context 'when user is not a member of the project' do
+ let(:current_user) { non_member_user }
+
+ it { is_expected.to be_allowed(:read_work_item) }
+ end
+
+ context 'when user is a member of the project' do
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:read_work_item) }
+ end
+ end
+
+ context 'when project is private' do
+ let(:work_item_subject) { work_item }
+
+ context 'when user is not a member of the project' do
+ let(:current_user) { non_member_user }
+
+ it { is_expected.to be_disallowed(:read_work_item) }
+ end
+
+ context 'when user is a member of the project' do
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:read_work_item) }
+ end
+ end
+ end
+
+ describe 'update_work_item' do
+ context 'when user is reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_allowed(:update_work_item) }
+ end
+
+ context 'when user is guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:update_work_item) }
+
+ context 'when guest authored the work item' do
+ let(:work_item_subject) { authored_work_item }
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:update_work_item) }
+ end
+ end
+ end
+
+ describe 'delete_work_item' do
+ context 'when user is a member of the project' do
+ let(:work_item_subject) { work_item }
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:delete_work_item) }
+
+ context 'when guest authored the work item' do
+ let(:work_item_subject) { authored_work_item }
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:delete_work_item) }
+ end
+ end
+ end
+end
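Review bot: The negative cases are thin for a new policy: `update_work_item` and `delete_work_item` are never checked for `non_member_user`, and no ability is checked with an anonymous (`nil`) `current_user`, so an over-permissive rule for outsiders would not be caught here. Adding contexts with `let(:current_user) { non_member_user }` and `let(:current_user) { nil }` asserting `it { is_expected.to be_disallowed(:update_work_item) }` and `it { is_expected.to be_disallowed(:delete_work_item) }` would pin that down; the expected outcomes are presumed and should be confirmed against the policy. Separately, `guest_author` is added as a developer on `public_project` in `before_all`, so the public-project "member" example does not actually test a guest; a short comment such as `# guest_author is a guest on project but a developer on public_project` would avoid misreading.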