author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-03-18 20:02:30 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-03-18 20:02:30 +0000 |
commit | 41fe97390ceddf945f3d967b8fdb3de4c66b7dea (patch) | |
tree | 9c8d89a8624828992f06d892cd2f43818ff5dcc8 /spec/policies | |
parent | 0804d2dc31052fb45a1efecedc8e06ce9bc32862 (diff) | |
download | gitlab-ce-41fe97390ceddf945f3d967b8fdb3de4c66b7dea.tar.gz |
Add latest changes from gitlab-org/gitlab@14-9-stable-eev14.9.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/application_setting_policy_spec.rb | 40 | ||||
-rw-r--r-- | spec/policies/global_policy_spec.rb | 30 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 64 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 32 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 96 | ||||
-rw-r--r-- | spec/policies/work_item_policy_spec.rb | 94 |
6 files changed, 303 insertions, 53 deletions
diff --git a/spec/policies/application_setting_policy_spec.rb b/spec/policies/application_setting_policy_spec.rb
new file mode 100644
index 00000000000..f5f02d25c64
--- /dev/null
+++ b/spec/policies/application_setting_policy_spec.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ApplicationSettingPolicy do
+ let(:current_user) { create(:user) }
+ let(:user) { create(:user) }
+
+ subject { described_class.new(current_user, [user]) }
+
+ describe 'update_runners_registration_token' do
+ context 'when anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+ end
+
+ context 'regular user' do
+ it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+ end
+
+ context 'when external' do
+ let(:current_user) { build(:user, :external) }
+
+ it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+ end
+
+ context 'admin' do
+ let(:current_user) { create(:admin) }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:update_runners_registration_token) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:update_runners_registration_token) }
+ end
+ end
+ end
+end
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index ca9a5b1853c..04d7eca6f09 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
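Review bot: The policy is instantiated with `[user]` as its subject (`described_class.new(current_user, [user])`), which looks carried over from the GlobalPolicy spec these examples were moved out of, so ApplicationSettingPolicy is never exercised against a settings object. If the rule only inspects the current user the examples still pass, but the setup misstates what is being authorized; assuming the policy's subject is an ApplicationSetting, `subject { described_class.new(current_user, ApplicationSetting.new) }` would say so directly. The deny cases also alternate between `not_to be_allowed` and `be_disallowed`; using `be_disallowed` throughout would make them read uniformly.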
@@ -591,34 +591,4 @@ RSpec.describe GlobalPolicy do
 it { is_expected.not_to be_allowed(:log_in) }
 end
 end
-
- describe 'update_runners_registration_token' do
- context 'when anonymous' do
- let(:current_user) { nil }
-
- it { is_expected.not_to be_allowed(:update_runners_registration_token) }
- end
-
- context 'regular user' do
- it { is_expected.not_to be_allowed(:update_runners_registration_token) }
- end
-
- context 'when external' do
- let(:current_user) { build(:user, :external) }
-
- it { is_expected.not_to be_allowed(:update_runners_registration_token) }
- end
-
- context 'admin' do
- let(:current_user) { create(:admin) }
-
- context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:update_runners_registration_token) }
- end
-
- context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:update_runners_registration_token) }
- end
- end
- end
 end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 2607e285a80..ff59a2e04a7 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1076,37 +1076,33 @@ RSpec.describe GroupPolicy do end describe 'register_group_runners' do - shared_examples 'expected outcome based on runner registration control' do - context 'with runner_registration_control FF disabled' do - before do - stub_feature_flags(runner_registration_control: false) - end + context 'admin' do + let(:current_user) { admin } - it { is_expected.to be_allowed(:register_group_runners) } - end + context 'when admin mode is enabled', :enable_admin_mode do + context 'with runner_registration_control FF disabled' do + before do + stub_feature_flags(runner_registration_control: false) + end - context 'with runner_registration_control FF enabled' do - before do - stub_feature_flags(runner_registration_control: true) + it { is_expected.to be_allowed(:register_group_runners) } end - context 'with group runner registration disabled' do + context 'with runner_registration_control FF enabled' do before do - stub_application_setting(valid_runner_registrars: ['project']) + stub_feature_flags(runner_registration_control: true) end - it { is_expected.to be_disallowed(:register_group_runners) } - end - end - end + it { is_expected.to be_allowed(:register_group_runners) } - context 'admin' do - let(:current_user) { admin } - - context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:register_group_runners) } + context 'with group runner registration disabled' do + before do + stub_application_setting(valid_runner_registrars: ['project']) + end - it_behaves_like 'expected outcome based on runner registration control' + it { is_expected.to be_allowed(:register_group_runners) } + end + end end context 'when admin mode is disabled' do 
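Review bot: The admin examples now expect `be_allowed(:register_group_runners)` with `valid_runner_registrars: ['project']`, whereas the removed shared examples, which the admin context included, expected `be_disallowed` in that case; nothing in the spec says this reversal is intentional. A comment above the innermost admin context, e.g. `# admins in admin mode are exempt from valid_runner_registrars`, would record that the exemption is deliberate rather than an accidental loosening. The same applies to the admin block in the `register_project_runners` hunk of project_policy_spec.rb. Inlining the shared examples also leaves the admin and owner blocks (second hunk of this file) as near copies differing in one expectation; a shared example taking the expected outcome as a parameter would keep them in step. The `when admin mode is disabled` context continues outside this hunk.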
@@ -1119,7 +1115,29 @@ RSpec.describe GroupPolicy do it { is_expected.to be_allowed(:register_group_runners) } - it_behaves_like 'expected outcome based on runner registration control' + context 'with runner_registration_control FF disabled' do + before do + stub_feature_flags(runner_registration_control: false) + end + + it { is_expected.to be_allowed(:register_group_runners) } + end + + context 'with runner_registration_control FF enabled' do + before do + stub_feature_flags(runner_registration_control: true) + end + + it { is_expected.to be_allowed(:register_group_runners) } + + context 'with group runner registration disabled' do + before do + stub_application_setting(valid_runner_registrars: ['project']) + end + + it { is_expected.to be_disallowed(:register_group_runners) } + end + end end context 'with maintainer' do diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index 3805976b3e7..1fe9e430011 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -396,4 +396,36 @@ RSpec.describe IssuePolicy do expect(policies).to be_allowed(:read_issue_iid) end end + + describe 'set_issue_crm_contacts' do + let(:user) { create(:user) } + let(:subgroup) { create(:group, :crm_enabled, parent: create(:group, :crm_enabled)) } + let(:project) { create(:project, group: subgroup) } + let(:issue) { create(:issue, project: project) } + let(:policies) { described_class.new(user, issue) } + + context 'when project reporter' do + it 'is disallowed' do + project.add_reporter(user) + + expect(policies).to be_disallowed(:set_issue_crm_contacts) + end + end + + context 'when subgroup reporter' do + it 'is allowed' do + subgroup.add_reporter(user) + + expect(policies).to be_disallowed(:set_issue_crm_contacts) + end + end + + context 'when root group reporter' do + it 'is allowed' do + subgroup.parent.add_reporter(user) + + expect(policies).to be_allowed(:set_issue_crm_contacts) + end + end + end end 
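Review bot: In `context 'when subgroup reporter'` the example is titled `it 'is allowed'` but asserts `be_disallowed(:set_issue_crm_contacts)`, so either the title or the expectation is wrong. The neighbouring cases (project reporter disallowed, root group reporter allowed) suggest the expectation is intended and the title is stale; if so it should read `it 'is disallowed' do`. In an authorization spec the description is what a reader relies on to learn which membership level grants the ability, so the mismatch is worth fixing. A case for a user with no membership at all would additionally pin the default deny.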
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 793b1fffd5f..0da37fc5378 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1755,4 +1755,100 @@ RSpec.describe ProjectPolicy do
 end
 end
 end
+
+ describe 'register_project_runners' do
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ context 'with runner_registration_control FF disabled' do
+ before do
+ stub_feature_flags(runner_registration_control: false)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
+
+ context 'with runner_registration_control FF enabled' do
+ before do
+ stub_feature_flags(runner_registration_control: true)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+
+ context 'with project runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['group'])
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
+ end
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+
+ context 'with runner_registration_control FF disabled' do
+ before do
+ stub_feature_flags(runner_registration_control: false)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
+
+ context 'with runner_registration_control FF enabled' do
+ before do
+ stub_feature_flags(runner_registration_control: true)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+
+ context 'with project runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['group'])
+ end
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+ end
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+
+ context 'with non member' do
+ let(:current_user) { create(:user) }
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
+ end
 end
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
new file mode 100644
index 00000000000..08a22a95540
--- /dev/null
+++ b/spec/policies/work_item_policy_spec.rb
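Review bot: The `valid_runner_registrars: ['group']` restriction is asserted only for the owner; `context 'with maintainer'` checks just the default `be_allowed`, so a regression that exempted maintainers from the setting would not be caught by this spec. Assuming the restriction is meant to bind maintainers the same way it binds owners, a nested context under the maintainer case that enables the flag, stubs the setting and expects `be_disallowed` would close the gap. The expected outcome is inferred from the owner examples and should be confirmed against the policy.

```ruby
context 'with maintainer' do
  let(:current_user) { maintainer }

  # … unchanged: default be_allowed example …

  context 'with project runner registration disabled' do
    before do
      stub_feature_flags(runner_registration_control: true)
      stub_application_setting(valid_runner_registrars: ['group'])
    end

    it { is_expected.to be_disallowed(:register_project_runners) }
  end
end
```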
@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe WorkItemPolicy do
+ let_it_be(:project) { create(:project) }
+ let_it_be(:public_project) { create(:project, :public) }
+ let_it_be(:guest) { create(:user).tap { |user| project.add_guest(user) } }
+ let_it_be(:guest_author) { create(:user).tap { |user| project.add_guest(user) } }
+ let_it_be(:reporter) { create(:user).tap { |user| project.add_reporter(user) } }
+ let_it_be(:non_member_user) { create(:user) }
+ let_it_be(:work_item) { create(:work_item, project: project) }
+ let_it_be(:authored_work_item) { create(:work_item, project: project, author: guest_author) }
+ let_it_be(:public_work_item) { create(:work_item, project: public_project) }
+
+ let(:work_item_subject) { work_item }
+
+ subject { described_class.new(current_user, work_item_subject) }
+
+ before_all do
+ public_project.add_developer(guest_author)
+ end
+
+ describe 'read_work_item' do
+ context 'when project is public' do
+ let(:work_item_subject) { public_work_item }
+
+ context 'when user is not a member of the project' do
+ let(:current_user) { non_member_user }
+
+ it { is_expected.to be_allowed(:read_work_item) }
+ end
+
+ context 'when user is a member of the project' do
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:read_work_item) }
+ end
+ end
+
+ context 'when project is private' do
+ let(:work_item_subject) { work_item }
+
+ context 'when user is not a member of the project' do
+ let(:current_user) { non_member_user }
+
+ it { is_expected.to be_disallowed(:read_work_item) }
+ end
+
+ context 'when user is a member of the project' do
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:read_work_item) }
+ end
+ end
+ end
+
+ describe 'update_work_item' do
+ context 'when user is reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_allowed(:update_work_item) }
+ end
+
+ context 'when user is guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:update_work_item) }
+
+ context 'when guest authored the work item' do
+ let(:work_item_subject) { authored_work_item }
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:update_work_item) }
+ end
+ end
+ end
+
+ describe 'delete_work_item' do
+ context 'when user is a member of the project' do
+ let(:work_item_subject) { work_item }
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:delete_work_item) }
+
+ context 'when guest authored the work item' do
+ let(:work_item_subject) { authored_work_item }
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:delete_work_item) }
+ end
+ end
+ end
+end
|
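Review bot: `update_work_item` and `delete_work_item` are never checked for `non_member_user` or for an anonymous (`nil`) user, so the spec pins who is granted these abilities but not that outsiders are denied them; `non_member_user` is defined and used only in the `read_work_item` examples. Adding to both describes a `context 'when user is not a member of the project'` with `let(:current_user) { non_member_user }` and `it { is_expected.to be_disallowed(:delete_work_item) }` (and the `update_work_item` equivalent) would cover the deny path, assuming that is the intended outcome on the private project. Separately, the public-project case labelled 'when user is a member of the project' uses `guest_author`, who is added as a developer in `before_all`, so guest-level read access on a public project is not what that example exercises.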