authorGitLab Bot <gitlab-bot@gitlab.com>2020-12-17 11:59:07 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-12-17 11:59:07 +0000
commit8b573c94895dc0ac0e1d9d59cf3e8745e8b539ca (patch)
tree544930fb309b30317ae9797a9683768705d664c4 /spec/policies
parent4b1de649d0168371549608993deac953eb692019 (diff)
Add latest changes from gitlab-org/gitlab@13-7-stable-eev13.7.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/global_policy_spec.rb38
-rw-r--r--spec/policies/namespace_policy_spec.rb2
-rw-r--r--spec/policies/project_policy_spec.rb174
-rw-r--r--spec/policies/user_policy_spec.rb12
4 files changed, 225 insertions, 1 deletions
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 2f9376f9b0a..e677f5558fd 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -7,6 +7,8 @@ RSpec.describe GlobalPolicy do
let_it_be(:project_bot) { create(:user, :project_bot) }
let_it_be(:migration_bot) { create(:user, :migration_bot) }
+ let_it_be(:security_bot) { create(:user, :security_bot) }
+
let(:current_user) { create(:user) }
let(:user) { create(:user) }
@@ -148,6 +150,24 @@ RSpec.describe GlobalPolicy do
end
end
+ describe 'rejecting users' do
+ context 'regular user' do
+ it { is_expected.not_to be_allowed(:reject_user) }
+ end
+
+ context 'admin' do
+ let(:current_user) { create(:admin) }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:reject_user) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:reject_user) }
+ end
+ end
+ end
+
describe 'using project statistics filters' do
context 'regular user' do
it { is_expected.not_to be_allowed(:use_project_statistics_filters) }
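Review bot: The two negative expectations in the new 'rejecting users' describe use different matchers — `is_expected.not_to be_allowed(:reject_user)` for the regular user and `is_expected.to be_disallowed(:reject_user)` for the admin without admin mode. Picking one form, e.g. `it { is_expected.to be_disallowed(:reject_user) }` in the regular-user context as well, keeps the describe uniform and makes failure output read the same way. The assertions themselves look right: only an admin with admin mode enabled is expected to be allowed `:reject_user`.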
@@ -205,6 +225,12 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:access_api) }
end
+ context 'security bot' do
+ let(:current_user) { security_bot }
+
+ it { is_expected.not_to be_allowed(:access_api) }
+ end
+
context 'user blocked pending approval' do
before do
current_user.block_pending_approval
@@ -335,6 +361,12 @@ RSpec.describe GlobalPolicy do
it { is_expected.to be_allowed(:access_git) }
end
+ context 'security bot' do
+ let(:current_user) { security_bot }
+
+ it { is_expected.to be_allowed(:access_git) }
+ end
+
describe 'deactivated user' do
before do
current_user.deactivate
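Review bot: The security bot is granted `:access_git` here while the sibling hunks in this same file deny it `:access_api` and `:log_in`, and nothing in the spec records why git is the one channel this bot keeps. A one-line comment above the context, with the reason taken from the policy definition rather than guessed here (e.g. `# security_bot needs git access for <purpose>; it must not use the API or sign in`), would make that asymmetry reviewable instead of implicit. The context immediately above this one also allows `:access_git` for another internal user, so if the grant comes from the same rule that is worth stating too.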
@@ -495,6 +527,12 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:log_in) }
end
+ context 'security bot' do
+ let(:current_user) { security_bot }
+
+ it { is_expected.not_to be_allowed(:log_in) }
+ end
+
context 'user blocked pending approval' do
before do
current_user.block_pending_approval
diff --git a/spec/policies/namespace_policy_spec.rb b/spec/policies/namespace_policy_spec.rb
index 8f71cf114c3..514d7303ad7 100644
--- a/spec/policies/namespace_policy_spec.rb
+++ b/spec/policies/namespace_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe NamespacePolicy do
let(:admin) { create(:admin) }
let(:namespace) { create(:namespace, owner: owner) }
- let(:owner_permissions) { [:create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects] }
+ let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects] }
subject { described_class.new(current_user, namespace) }
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 6c281030618..7f6c47d675b 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -401,6 +401,40 @@ RSpec.describe ProjectPolicy do
end
end
+ describe 'bot_log_in' do
+ let(:bot_user) { create(:user, :project_bot) }
+ let(:project) { private_project }
+
+ context 'when bot is in project and is not blocked' do
+ before do
+ project.add_maintainer(bot_user)
+ end
+
+ it 'is a valid project bot' do
+ expect(bot_user.can?(:bot_log_in, project)).to be_truthy
+ end
+ end
+
+ context 'when project bot is invalid' do
+ context 'when bot is not in project' do
+ it 'is not a valid project bot' do
+ expect(bot_user.can?(:bot_log_in, project)).to be_falsy
+ end
+ end
+
+ context 'when bot user is blocked' do
+ before do
+ project.add_maintainer(bot_user)
+ bot_user.block!
+ end
+
+ it 'is not a valid project bot' do
+ expect(bot_user.can?(:bot_log_in, project)).to be_falsy
+ end
+ end
+ end
+ end
+
context 'support bot' do
let(:current_user) { User.support_bot }
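Review bot: The new 'bot_log_in' describe only ever exercises a `:project_bot` user, so it would not catch a regression that let an ordinary maintainer obtain `:bot_log_in`; a negative case that adds a regular user via `project.add_maintainer(create(:user))` and asserts `expect(user.can?(:bot_log_in, project)).to be_falsy` would pin that boundary, assuming the policy intends the ability to be bot-only. Separately, these examples assert through `expect(bot_user.can?(...)).to be_truthy/be_falsy` while the rest of this file (including the 'read_analytics' examples added later in the same commit) uses `is_expected.to be_allowed/be_disallowed`; setting `let(:current_user) { bot_user }` and using the shared matchers would keep failure output consistent. The 'support bot' context that follows starts in this hunk and continues outside it.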
@@ -943,5 +977,145 @@ RSpec.describe ProjectPolicy do
end
end
+ describe 'read_analytics' do
+ context 'anonymous user' do
+ let(:current_user) { anonymous }
+
+ it { is_expected.to be_allowed(:read_analytics) }
+ end
+
+ context 'project member' do
+ let(:project) { private_project }
+
+ %w(guest reporter developer maintainer).each do |role|
+ context role do
+ let(:current_user) { send(role) }
+
+ it { is_expected.to be_allowed(:read_analytics) }
+
+ context "without access to Analytics" do
+ before do
+ project.project_feature.update!(analytics_access_level: ProjectFeature::DISABLED)
+ end
+
+ it { is_expected.to be_disallowed(:read_analytics) }
+ end
+ end
+ end
+ end
+ end
+
it_behaves_like 'Self-managed Core resource access tokens'
+
+ describe 'operations feature' do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:guest_operations_permissions) { [:read_environment, :read_deployment] }
+
+ let(:developer_operations_permissions) do
+ guest_operations_permissions + [
+ :read_feature_flag, :read_sentry_issue, :read_alert_management_alert, :read_terraform_state,
+ :metrics_dashboard, :read_pod_logs, :read_prometheus, :create_feature_flag,
+ :create_environment, :create_deployment, :update_feature_flag, :update_environment,
+ :update_sentry_issue, :update_alert_management_alert, :update_deployment,
+ :destroy_feature_flag, :destroy_environment, :admin_feature_flag
+ ]
+ end
+
+ let(:maintainer_operations_permissions) do
+ developer_operations_permissions + [
+ :read_cluster, :create_cluster, :update_cluster, :admin_environment,
+ :admin_cluster, :admin_terraform_state, :admin_deployment
+ ]
+ end
+
+ where(:project_visibility, :access_level, :role, :allowed) do
+ :public | ProjectFeature::ENABLED | :maintainer | true
+ :public | ProjectFeature::ENABLED | :developer | true
+ :public | ProjectFeature::ENABLED | :guest | true
+ :public | ProjectFeature::ENABLED | :anonymous | true
+ :public | ProjectFeature::PRIVATE | :maintainer | true
+ :public | ProjectFeature::PRIVATE | :developer | true
+ :public | ProjectFeature::PRIVATE | :guest | true
+ :public | ProjectFeature::PRIVATE | :anonymous | false
+ :public | ProjectFeature::DISABLED | :maintainer | false
+ :public | ProjectFeature::DISABLED | :developer | false
+ :public | ProjectFeature::DISABLED | :guest | false
+ :public | ProjectFeature::DISABLED | :anonymous | false
+ :internal | ProjectFeature::ENABLED | :maintainer | true
+ :internal | ProjectFeature::ENABLED | :developer | true
+ :internal | ProjectFeature::ENABLED | :guest | true
+ :internal | ProjectFeature::ENABLED | :anonymous | false
+ :internal | ProjectFeature::PRIVATE | :maintainer | true
+ :internal | ProjectFeature::PRIVATE | :developer | true
+ :internal | ProjectFeature::PRIVATE | :guest | true
+ :internal | ProjectFeature::PRIVATE | :anonymous | false
+ :internal | ProjectFeature::DISABLED | :maintainer | false
+ :internal | ProjectFeature::DISABLED | :developer | false
+ :internal | ProjectFeature::DISABLED | :guest | false
+ :internal | ProjectFeature::DISABLED | :anonymous | false
+ :private | ProjectFeature::ENABLED | :maintainer | true
+ :private | ProjectFeature::ENABLED | :developer | true
+ :private | ProjectFeature::ENABLED | :guest | false
+ :private | ProjectFeature::ENABLED | :anonymous | false
+ :private | ProjectFeature::PRIVATE | :maintainer | true
+ :private | ProjectFeature::PRIVATE | :developer | true
+ :private | ProjectFeature::PRIVATE | :guest | false
+ :private | ProjectFeature::PRIVATE | :anonymous | false
+ :private | ProjectFeature::DISABLED | :maintainer | false
+ :private | ProjectFeature::DISABLED | :developer | false
+ :private | ProjectFeature::DISABLED | :guest | false
+ :private | ProjectFeature::DISABLED | :anonymous | false
+ end
+
+ with_them do
+ let(:current_user) { user_subject(role) }
+ let(:project) { project_subject(project_visibility) }
+
+ it 'allows/disallows the abilities based on the operation feature access level' do
+ project.project_feature.update!(operations_access_level: access_level)
+
+ if allowed
+ expect_allowed(*permissions_abilities(role))
+ else
+ expect_disallowed(*permissions_abilities(role))
+ end
+ end
+
+ def project_subject(project_type)
+ case project_type
+ when :public
+ public_project
+ when :internal
+ internal_project
+ else
+ private_project
+ end
+ end
+
+ def user_subject(role)
+ case role
+ when :maintainer
+ maintainer
+ when :developer
+ developer
+ when :guest
+ guest
+ when :anonymous
+ anonymous
+ end
+ end
+
+ def permissions_abilities(role)
+ case role
+ when :maintainer
+ maintainer_operations_permissions
+ when :developer
+ developer_operations_permissions
+ else
+ guest_operations_permissions
+ end
+ end
+ end
+ end
end
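Review bot: `user_subject` has no `else` branch, so a misspelled role in the `where` table would return `nil`, make `current_user` nil, and silently run the example as an anonymous user instead of failing; `project_subject` and `permissions_abilities`, by contrast, fall through to a default. Adding `else raise ArgumentError, "unknown role: #{role}"` in `user_subject` (and an explicit `when` plus the same raise in the two siblings, since falling through to `private_project` or `guest_operations_permissions` also hides typos) makes the table self-checking. The three helpers are also defined with `def` inside the `with_them` block, where `let` definitions or methods at the describe level would avoid re-defining them for every generated example group — a style point only.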
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 17ac7d0e44d..78212f06526 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -160,4 +160,16 @@ RSpec.describe UserPolicy do
it { is_expected.not_to be_allowed(:read_group_count) }
end
end
+
+ describe ':read_user_profile' do
+ context 'when the user is unconfirmed' do
+ let(:user) { create(:user, :unconfirmed) }
+
+ it { is_expected.not_to be_allowed(:read_user_profile) }
+ end
+
+ context 'when the user is confirmed' do
+ it { is_expected.to be_allowed(:read_user_profile) }
+ end
+ end
end
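Review bot: The ':read_user_profile' examples cover only an unconfirmed versus a confirmed target user under whatever `current_user` the outer `subject` supplies, which is defined outside this hunk. If the policy intends a user to still read their own profile while unconfirmed (or an admin to read any profile), a case with `let(:current_user) { user }` inside the unconfirmed context would pin that; if it does not, saying so in the example description makes the denial explicit. The confirmed context also relies on the outer `let(:user)` factory producing a confirmed user by default, which deserves a comment such as `# relies on the default :user factory being confirmed`.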