author | Mayra Cabrera <mcabrera@gitlab.com> | 2019-06-14 20:40:21 +0000 |
committer | Stan Hu <stanhu@gmail.com> | 2019-06-14 20:40:21 +0000 |
commit | d7f10c2949cef3fb6c15d4972cf8e8186d6d84a0 (patch) | |
tree | cc17c353be14a903723f55a715f70128e31439e8 /spec/policies | |
parent | ad722a4e1f588382f5c5c1848c0502864993c7e7 (diff) | |
download | gitlab-ce-d7f10c2949cef3fb6c15d4972cf8e8186d6d84a0.tar.gz |
Do not blindly expose public project statistics
Add the missing check on GraphQL API for project statistics
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/project_statistics_policy_spec.rb | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/spec/policies/project_statistics_policy_spec.rb b/spec/policies/project_statistics_policy_spec.rb
new file mode 100644
index 00000000000..50dfbf7291b
--- /dev/null
+++ b/spec/policies/project_statistics_policy_spec.rb
@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ProjectStatisticsPolicy do
+ using RSpec::Parameterized::TableSyntax
+
+ describe '#rules' do
+ let(:external) { create(:user, :external) }
+ let(:guest) { create(:user) }
+ let(:reporter) { create(:user) }
+ let(:developer) { create(:user) }
+ let(:maintainer) { create(:user) }
+
+ let(:users) do
+ {
+ unauthenticated: nil,
+ non_member: create(:user),
+ guest: guest,
+ reporter: reporter,
+ developer: developer,
+ maintainer: maintainer
+ }
+ end
+
+ where(:project_type, :user_type, :outcome) do
+ [
+ # Public projects
+ [:public, :unauthenticated, false],
+ [:public, :non_member, false],
+ [:public, :guest, false],
+ [:public, :reporter, true],
+ [:public, :developer, true],
+ [:public, :maintainer, true],
+
+ # Private project
+ [:private, :unauthenticated, false],
+ [:private, :non_member, false],
+ [:private, :guest, false],
+ [:private, :reporter, true],
+ [:private, :developer, true],
+ [:private, :maintainer, true],
+
+ # Internal projects
+ [:internal, :unauthenticated, false],
+ [:internal, :non_member, false],
+ [:internal, :guest, false],
+ [:internal, :reporter, true],
+ [:internal, :developer, true],
+ [:internal, :maintainer, true]
+ ]
+ end
+
+ with_them do
+ let(:user) { users[user_type] }
+ let(:project) { create(:project, visibility_level: Gitlab::VisibilityLevel.level_value(project_type.to_s)) }
+ let(:project_statistics) { create(:project_statistics, project: project) }
+
+ subject { Ability.allowed?(user, :read_statistics, project_statistics) }
+
+ before do
+ project.add_guest(guest)
+ project.add_reporter(reporter)
+ project.add_developer(developer)
+ project.add_maintainer(maintainer)
+ end
+
+ it { is_expected.to eq(outcome) }
+
+ context 'when the user is external' do
+ let(:user) { external }
+
+ before do
+ unless [:unauthenticated, :non_member].include?(user_type)
+ project.add_user(external, user_type)
+ end
+ end
+
+ it { is_expected.to eq(outcome) }
+ end
+ end
+ end
+end
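Review bot: In the `when the user is external` context the `:unauthenticated` rows no longer exercise an anonymous caller, because `let(:user) { external }` overrides the nil user from `users[user_type]` while the `before` hook deliberately skips adding the external user for `:unauthenticated`; those three rows end up identical to the `:non_member` rows and assert `false` for an external non-member rather than for an anonymous request. Either leave the anonymous rows out of that context, e.g. `before { skip 'external users are never unauthenticated' if user_type == :unauthenticated }`, or keep the nil user for them with `let(:user) { user_type == :unauthenticated ? nil : external }` so the row label and the tested subject agree. A one-line comment on the context stating that external users are exercised only as non-members and as members holding the row's role would also make the intent explicit to the next reader.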