author | Douwe Maan <douwe@gitlab.com> | 2017-04-28 22:06:27 +0000 |
---|---|---|
committer | Bob Van Landuyt <bob@gitlab.com> | 2017-05-10 11:09:17 +0200 |
commit | 050d92f8177513b74d6c18d75d35a62f5fa6addd (patch) | |
tree | db6caf2ce3c47d1127974384c2c78c11bd7c038f /spec/policies | |
parent | c26e9027d31b0735cea438eaa7bf787bc5b6e3a7 (diff) | |
download | gitlab-ce-050d92f8177513b74d6c18d75d35a62f5fa6addd.tar.gz |
Merge branch 'snippets-finder-visibility' into 'security'
Refactor snippets finder & dont return internal snippets for external users
See merge request !2094
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/project_snippet_policy_spec.rb | 80 |
1 files changed, 65 insertions, 15 deletions
diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb
index d0758af57dd..e1771b636b8 100644
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
@@ -1,7 +1,9 @@
 require 'spec_helper'
 
 describe ProjectSnippetPolicy, models: true do
-  let(:current_user) { create(:user) }
+  let(:regular_user) { create(:user) }
+  let(:external_user) { create(:user, :external) }
+
   let(:project) { create(:empty_project) }
   let(:author_permissions) do
     [
@@ -10,13 +12,15 @@ describe ProjectSnippetPolicy, models: true do
     ]
   end
 
-  subject { described_class.abilities(current_user, project_snippet).to_set }
+  def abilities(user, snippet_visibility)
+    snippet = create(:project_snippet, snippet_visibility, project: project)
 
-  context 'public snippet' do
-    let(:project_snippet) { create(:project_snippet, :public) }
+    described_class.abilities(user, snippet).to_set
+  end
 
+  context 'public snippet' do
     context 'no user' do
-      let(:current_user) { nil }
+      subject { abilities(nil, :public) }
 
       it do
         is_expected.to include(:read_project_snippet)
@@ -25,6 +29,17 @@ describe ProjectSnippetPolicy, models: true do
       end
 
     context 'regular user' do
+      subject { abilities(regular_user, :public) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'external user' do
+      subject { abilities(external_user, :public) }
+
       it do
         is_expected.to include(:read_project_snippet)
         is_expected.not_to include(*author_permissions)
@@ -33,10 +48,8 @@ describe ProjectSnippetPolicy, models: true do
   end
 
   context 'internal snippet' do
-    let(:project_snippet) { create(:project_snippet, :internal) }
-
     context 'no user' do
-      let(:current_user) { nil }
+      subject { abilities(nil, :internal) }
 
       it do
         is_expected.not_to include(:read_project_snippet)
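Review bot: The `abilities` helper introduced in the second hunk (@@ -10,13 +12,15) now sits behind every example in the file but carries no comment saying what it builds; a one-liner above the `def` would help the next reader: `# Creates a project snippet of the given visibility in `project` and returns the set of abilities `user` has on it.` Note also that `project` is `create(:empty_project)` with no visibility stated, so the public/internal/private expectations presumably hold only for the factory's default project visibility; pinning it explicitly in the `let(:project)` line would make that assumption visible to anyone changing the factory. The describe block continues outside the hunk.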
@@ -45,6 +58,28 @@ describe ProjectSnippetPolicy, models: true do
       end
 
     context 'regular user' do
+      subject { abilities(regular_user, :internal) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'external user' do
+      subject { abilities(external_user, :internal) }
+
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'project team member external user' do
+      subject { abilities(external_user, :internal) }
+
+      before { project.team << [external_user, :developer] }
+
       it do
         is_expected.to include(:read_project_snippet)
         is_expected.not_to include(*author_permissions)
@@ -53,10 +88,8 @@ describe ProjectSnippetPolicy, models: true do
   end
 
   context 'private snippet' do
-    let(:project_snippet) { create(:project_snippet, :private) }
-
     context 'no user' do
-      let(:current_user) { nil }
+      subject { abilities(nil, :private) }
 
       it do
         is_expected.not_to include(:read_project_snippet)
@@ -65,6 +98,8 @@ describe ProjectSnippetPolicy, models: true do
       end
 
     context 'regular user' do
+      subject { abilities(regular_user, :private) }
+
       it do
         is_expected.not_to include(:read_project_snippet)
         is_expected.not_to include(*author_permissions)
@@ -72,7 +107,9 @@ describe ProjectSnippetPolicy, models: true do
       end
 
     context 'snippet author' do
-      let(:project_snippet) { create(:project_snippet, :private, author: current_user) }
+      let(:snippet) { create(:project_snippet, :private, author: regular_user) }
+
+      subject { described_class.abilities(regular_user, snippet).to_set }
 
       it do
         is_expected.to include(:read_project_snippet)
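Review bot: The 'private snippet' group gets a `subject` for its non-member 'regular user' example (hunk @@ -65,6 +98,8) but, unlike the public and internal groups, has no non-member 'external user' context, so the denial of a private snippet to an external user who is not on the team is asserted nowhere in this file. Since the change is specifically about what external users may see, that is the case most worth pinning; the team-member external-user example later in the file covers only the allow side. The enclosing 'private snippet' context starts and ends outside the hunk.

```ruby
    # … unchanged: 'regular user' context …

    context 'external user' do
      subject { abilities(external_user, :private) }

      it do
        is_expected.not_to include(:read_project_snippet)
        is_expected.not_to include(*author_permissions)
      end
    end
```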
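Review bot: The 'snippet author' context (hunk @@ -72,7 +107,9) is the only example that bypasses the new `abilities` helper, and its snippet is also the only one not created in `project`, so it checks a differently-built object from every other example. Letting the helper forward extra factory attributes keeps the two in step: `def abilities(user, snippet_visibility, **attrs)`, `snippet = create(:project_snippet, snippet_visibility, project: project, **attrs)`, and then `subject { abilities(regular_user, :private, author: regular_user) }` in place of the `let`/`subject` pair. The helper is defined in an earlier hunk and the enclosing context continues past this one.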
@@ -80,8 +117,21 @@ describe ProjectSnippetPolicy, models: true do
       end
     end
 
-    context 'project team member' do
-      before { project_snippet.project.team << [current_user, :developer] }
+    context 'project team member normal user' do
+      subject { abilities(regular_user, :private) }
+
+      before { project.team << [regular_user, :developer] }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'project team member external user' do
+      subject { abilities(external_user, :private) }
+
+      before { project.team << [external_user, :developer] }
 
       it do
         is_expected.to include(:read_project_snippet)
@@ -90,7 +140,7 @@ describe ProjectSnippetPolicy, models: true do
     end
 
     context 'admin user' do
-      let(:current_user) { create(:admin) }
+      subject { abilities(create(:admin), :private) }
 
       it do
         is_expected.to include(:read_project_snippet)