diff options
author | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-12-07 15:48:38 +0000 |
---|---|---|
committer | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-12-19 10:56:11 +0000 |
commit | 52feca595a3311fc12a6f35191a24ff61c33e440 (patch) | |
tree | 5131015b5e30d3407211fb7431a0ad1ad95b7e48 /spec/policies | |
parent | ffef28ccd6d37ade2c3ee3ca46679749f9cf09aa (diff) | |
download | gitlab-ce-52feca595a3311fc12a6f35191a24ff61c33e440.tar.gz |
Adds validation to check if user can read project
An issuable should not be available to a user if the
project is not visible to that specific user
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/issuable_policy_spec.rb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb index d1bf98995e7..db3df760472 100644 --- a/spec/policies/issuable_policy_spec.rb +++ b/spec/policies/issuable_policy_spec.rb @@ -7,6 +7,33 @@ describe IssuablePolicy, models: true do let(:policies) { described_class.new(user, issue) } describe '#rules' do + context 'when user is author of issuable' do + let(:merge_request) { create(:merge_request, source_project: project, author: user) } + let(:policies) { described_class.new(user, merge_request) } + + context 'when user is able to read project' do + it 'enables user to read and update issuables' do + expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request) + end + end + + context 'when project is private' do + let(:project) { create(:project, :private) } + + context 'when user belongs to the projects team' do + it 'enables user to read and update issuables' do + project.add_maintainer(user) + + expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request) + end + end + + it 'disallows user from reading and updating issuables from that project' do + expect(policies).to be_disallowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request) + end + end + end + context 'when discussion is locked for the issuable' do let(:issue) { create(:issue, project: project, discussion_locked: true) } |