diff options
author | John Jarvis <jarv@gitlab.com> | 2019-01-01 20:38:54 +0000 |
---|---|---|
committer | John Jarvis <jarv@gitlab.com> | 2019-01-01 20:38:54 +0000 |
commit | ec4ade500e5eb7060b4b79f6bed2f474ce03a851 (patch) | |
tree | 21ccbfaf52dc63f7b58211eec27faa2a7f5d28b2 /spec/policies | |
parent | 3fca973e339e9bbf7a2e993bb36e0d800d4e1041 (diff) | |
parent | 52feca595a3311fc12a6f35191a24ff61c33e440 (diff) | |
download | gitlab-ce-ec4ade500e5eb7060b4b79f6bed2f474ce03a851.tar.gz |
Merge branch 'security-53543-user-keeps-access-to-mr-issue-when-removed-from-team' into 'master'
[master] Adds validation to check if user can read project
See merge request gitlab/gitlabhq!2645
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/issuable_policy_spec.rb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb index d1bf98995e7..db3df760472 100644 --- a/spec/policies/issuable_policy_spec.rb +++ b/spec/policies/issuable_policy_spec.rb @@ -7,6 +7,33 @@ describe IssuablePolicy, models: true do let(:policies) { described_class.new(user, issue) } describe '#rules' do + context 'when user is author of issuable' do + let(:merge_request) { create(:merge_request, source_project: project, author: user) } + let(:policies) { described_class.new(user, merge_request) } + + context 'when user is able to read project' do + it 'enables user to read and update issuables' do + expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request) + end + end + + context 'when project is private' do + let(:project) { create(:project, :private) } + + context 'when user belongs to the projects team' do + it 'enables user to read and update issuables' do + project.add_maintainer(user) + + expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request) + end + end + + it 'disallows user from reading and updating issuables from that project' do + expect(policies).to be_disallowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request) + end + end + end + context 'when discussion is locked for the issuable' do let(:issue) { create(:issue, project: project, discussion_locked: true) } |