authorMayra Cabrera <mcabrera@gitlab.com>2019-06-14 20:40:21 +0000
committerStan Hu <stanhu@gmail.com>2019-06-14 20:40:21 +0000
commitd7f10c2949cef3fb6c15d4972cf8e8186d6d84a0 (patch)
treecc17c353be14a903723f55a715f70128e31439e8 /spec/policies
parentad722a4e1f588382f5c5c1848c0502864993c7e7 (diff)
Do not blindly expose public project statistics
Add the missing check on GraphQL API for project statistics
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/project_statistics_policy_spec.rb83
1 files changed, 83 insertions, 0 deletions
diff --git a/spec/policies/project_statistics_policy_spec.rb b/spec/policies/project_statistics_policy_spec.rb
new file mode 100644
index 00000000000..50dfbf7291b
--- /dev/null
+++ b/spec/policies/project_statistics_policy_spec.rb
@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ProjectStatisticsPolicy do
+ using RSpec::Parameterized::TableSyntax
+
+ describe '#rules' do
+ let(:external) { create(:user, :external) }
+ let(:guest) { create(:user) }
+ let(:reporter) { create(:user) }
+ let(:developer) { create(:user) }
+ let(:maintainer) { create(:user) }
+
+ let(:users) do
+ {
+ unauthenticated: nil,
+ non_member: create(:user),
+ guest: guest,
+ reporter: reporter,
+ developer: developer,
+ maintainer: maintainer
+ }
+ end
+
+ where(:project_type, :user_type, :outcome) do
+ [
+ # Public projects
+ [:public, :unauthenticated, false],
+ [:public, :non_member, false],
+ [:public, :guest, false],
+ [:public, :reporter, true],
+ [:public, :developer, true],
+ [:public, :maintainer, true],
+
+ # Private project
+ [:private, :unauthenticated, false],
+ [:private, :non_member, false],
+ [:private, :guest, false],
+ [:private, :reporter, true],
+ [:private, :developer, true],
+ [:private, :maintainer, true],
+
+ # Internal projects
+ [:internal, :unauthenticated, false],
+ [:internal, :non_member, false],
+ [:internal, :guest, false],
+ [:internal, :reporter, true],
+ [:internal, :developer, true],
+ [:internal, :maintainer, true]
+ ]
+ end
+
+ with_them do
+ let(:user) { users[user_type] }
+ let(:project) { create(:project, visibility_level: Gitlab::VisibilityLevel.level_value(project_type.to_s)) }
+ let(:project_statistics) { create(:project_statistics, project: project) }
+
+ subject { Ability.allowed?(user, :read_statistics, project_statistics) }
+
+ before do
+ project.add_guest(guest)
+ project.add_reporter(reporter)
+ project.add_developer(developer)
+ project.add_maintainer(maintainer)
+ end
+
+ it { is_expected.to eq(outcome) }
+
+ context 'when the user is external' do
+ let(:user) { external }
+
+ before do
+ unless [:unauthenticated, :non_member].include?(user_type)
+ project.add_user(external, user_type)
+ end
+ end
+
+ it { is_expected.to eq(outcome) }
+ end
+ end
+ end
+end
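Review bot: In the `when the user is external` context the `:unauthenticated` rows no longer test an anonymous caller, because `let(:user) { external }` replaces `nil` with a real user while the `before` block deliberately skips adding that user as a member; the example therefore exercises an external non-member and duplicates the `:non_member` row rather than an unauthenticated one. Making that explicit keeps the table honest about what each row covers, e.g. `skip 'an external user cannot be unauthenticated' if user_type == :unauthenticated` as the first line of the inner `before`, or dropping `:unauthenticated` from the membership exclusion list and documenting the intent in a comment. A short comment above the `where` table stating that `:read_statistics` is intended to be denied to guests and anonymous callers regardless of visibility would also help, since that is the security property this spec pins down.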