author | Sean McGivern <sean@gitlab.com> | 2017-07-24 11:35:54 +0100 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2017-07-24 16:58:04 +0100 |
commit | ccac2abeba419f16029c40f29063f1812c9e159c (patch) | |
tree | 975ca2e9f3fc91fae1ce0c775c8c267256fa7480 /spec/policies | |
parent | f81ed493e1f02e5a197df3e2df9c5e42cb09e7ff (diff) | |
download | gitlab-ce-ccac2abeba419f16029c40f29063f1812c9e159c.tar.gz |
Don't treat anonymous users as owners when group has pending invites
The `members` table can have entries where `user_id: nil`, because people can
invite group members by email. We never want to include those as members,
because it might cause confusion with the anonymous (logged out) user.
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/project_policy_spec.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 4ed788af811..f244975e597 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -127,6 +127,24 @@ describe ProjectPolicy, models: true do
 end
 end
+ context 'when a project has pending invites, and the current user is anonymous' do
+ let(:group) { create(:group, :public) }
+ let(:project) { create(:empty_project, :public, namespace: group) }
+ let(:user_permissions) { [:create_project, :create_issue, :create_note, :upload_file] }
+ let(:anonymous_permissions) { guest_permissions - user_permissions }
+
+ subject { described_class.new(nil, project) }
+
+ before do
+ create(:group_member, :invited, group: group)
+ end
+
+ it 'does not grant owner access' do
+ expect_allowed(*anonymous_permissions)
+ expect_disallowed(*user_permissions)
+ end
+ end
+
 context 'abilities for non-public projects' do
 let(:project) { create(:empty_project, namespace: owner.namespace) } |
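Review bot: The example `it 'does not grant owner access'` only denies the four abilities in `user_permissions` (`:create_project`, `:create_issue`, `:create_note`, `:upload_file`), so it never asserts that an owner-only ability is refused to the anonymous (`nil`) user. If the policy regressed so that a pending invite granted elevated rights while those four stayed denied for another reason, this spec would still pass. Add a second `expect_disallowed(...)` covering the owner-level abilities, presumably already listed in a `let` elsewhere in this spec, outside the hunk. The invite in the `before` block also leaves its role to the factory default; passing the access level explicitly to `create(:group_member, :invited, group: group)` and adding a comment such as `# invited members have user_id: nil, which must not match the anonymous user` would make the guarded case readable without the commit message. The enclosing `describe ProjectPolicy` block starts and ends outside this hunk.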