Add latest changes from gitlab-org/gitlab@13-6-stable-eev13.6.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-11-19 08:27:35 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-11-19 08:27:35 +0000
commit: 7e9c479f7de77702622631cff2628a9c8dcbc627 (patch)
tree: c8f718a08e110ad7e1894510980d2155a6549197 /spec/policies
parent: e852b0ae16db4052c1c567d9efa4facc81146e88 (diff)
download: gitlab-ce-7e9c479f7de77702622631cff2628a9c8dcbc627.tar.gz
14 files changed, 315 insertions, 87 deletions
diff --git a/spec/policies/alert_management/http_integration_policy_spec.rb b/spec/policies/alert_management/http_integration_policy_spec.rb
new file mode 100644
index 00000000000..8e8348ad7f5
--- /dev/null
+++ b/spec/policies/alert_management/http_integration_policy_spec.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe AlertManagement::HttpIntegrationPolicy, :models do
+  let(:integration) { create(:alert_management_http_integration) }
+  let(:project) { integration.project }
+  let(:user) { create(:user) }
+
+  subject(:policy) { described_class.new(user, integration) }
+
+  describe 'rules' do
+    it { is_expected.to be_disallowed :admin_operations }
+
+    context 'when maintainer' do
+      before do
+        project.add_maintainer(user)
+      end
+
+      it { is_expected.to be_allowed :admin_operations }
+    end
+  end
+end
diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb
index 103f2e9bc39..226660dc955 100644
--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -22,6 +22,34 @@ RSpec.describe BasePolicy do
     end
   end
 
+  shared_examples 'admin only access' do |policy|
+    let(:current_user) { build_stubbed(:user) }
+
+    subject { described_class.new(current_user, nil) }
+
+    it { is_expected.not_to be_allowed(policy) }
+
+    context 'for admins' do
+      let(:current_user) { build_stubbed(:admin) }
+
+      it 'allowed when in admin mode' do
+        enable_admin_mode!(current_user)
+
+        is_expected.to be_allowed(policy)
+      end
+
+      it 'prevented when not in admin mode' do
+        is_expected.not_to be_allowed(policy)
+      end
+    end
+
+    context 'for anonymous' do
+      let(:current_user) { nil }
+
+      it { is_expected.not_to be_allowed(policy) }
+    end
+  end
+
   describe 'read cross project' do
     let(:current_user) { build_stubbed(:user) }
     let(:user) { build_stubbed(:user) }
@@ -41,51 +69,15 @@ RSpec.describe BasePolicy do
         enable_external_authorization_service_check
       end
 
-      it { is_expected.not_to be_allowed(:read_cross_project) }
-
-      context 'for admins' do
-        let(:current_user) { build_stubbed(:admin) }
-
-        subject { described_class.new(current_user, nil) }
-
-        it 'allowed when in admin mode' do
-          enable_admin_mode!(current_user)
-
-          is_expected.to be_allowed(:read_cross_project)
-        end
-
-        it 'prevented when not in admin mode' do
-          is_expected.not_to be_allowed(:read_cross_project)
-        end
-      end
-
-      context 'for anonymous' do
-        let(:current_user) { nil }
-
-        it { is_expected.not_to be_allowed(:read_cross_project) }
-      end
+      it_behaves_like 'admin only access', :read_cross_project
     end
   end
 
   describe 'full private access' do
-    let(:current_user) { build_stubbed(:user) }
-
-    subject { described_class.new(current_user, nil) }
-
-    it { is_expected.not_to be_allowed(:read_all_resources) }
-
-    context 'for admins' do
-      let(:current_user) { build_stubbed(:admin) }
-
-      it 'allowed when in admin mode' do
-        enable_admin_mode!(current_user)
-
-        is_expected.to be_allowed(:read_all_resources)
-      end
+    it_behaves_like 'admin only access', :read_all_resources
+  end
 
-      it 'prevented when not in admin mode' do
-        is_expected.not_to be_allowed(:read_all_resources)
-      end
-    end
+  describe 'change_repository_storage' do
+    it_behaves_like 'admin only access', :change_repository_storage
   end
 end
diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb
index fc46b25f25c..daabcd844af 100644
--- a/spec/policies/blob_policy_spec.rb
+++ b/spec/policies/blob_policy_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe BlobPolicy, :enable_admin_mode do
+RSpec.describe BlobPolicy do
   include_context 'ProjectPolicyTable context'
   include ProjectHelpers
   using RSpec::Parameterized::TableSyntax
@@ -13,12 +13,13 @@ RSpec.describe BlobPolicy, :enable_admin_mode do
 
   subject(:policy) { described_class.new(user, blob) }
 
-  where(:project_level, :feature_access_level, :membership, :expected_count) do
+  where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
     permission_table_for_guest_feature_access_and_non_private_project_only
   end
 
   with_them do
     it "grants permission" do
+      enable_admin_mode!(user) if admin_mode
       update_feature_access_level(project, feature_access_level)
 
       if expected_count == 1
diff --git a/spec/policies/group_member_policy_spec.rb b/spec/policies/group_member_policy_spec.rb
index 4215fa09301..9e58ea81ef3 100644
--- a/spec/policies/group_member_policy_spec.rb
+++ b/spec/policies/group_member_policy_spec.rb
@@ -42,6 +42,7 @@ RSpec.describe GroupMemberPolicy do
     it do
       expect_disallowed(:destroy_group_member)
       expect_disallowed(:update_group_member)
+      expect_allowed(:read_group)
     end
   end
 
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index fecf5f3e4f8..7cded27e449 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -876,10 +876,30 @@ RSpec.describe GroupPolicy do
       let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) }
 
       it { is_expected.to be_allowed(:create_package) }
+      it { is_expected.to be_allowed(:read_package) }
       it { is_expected.to be_allowed(:read_group) }
       it { is_expected.to be_disallowed(:destroy_package) }
     end
   end
 
   it_behaves_like 'Self-managed Core resource access tokens'
+
+  context 'support bot' do
+    let_it_be(:group) { create(:group, :private) }
+    let_it_be(:current_user) { User.support_bot }
+
+    before do
+      allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(true)
+    end
+
+    it { expect_disallowed(:read_label) }
+
+    context 'when group hierarchy has a project with service desk enabled' do
+      let_it_be(:subgroup) { create(:group, :private, parent: group)}
+      let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) }
+
+      it { expect_allowed(:read_label) }
+      it { expect(described_class.new(current_user, subgroup)).to be_allowed(:read_label) }
+    end
+  end
 end
diff --git a/spec/policies/instance_metadata_policy_spec.rb b/spec/policies/instance_metadata_policy_spec.rb
new file mode 100644
index 00000000000..2c8e18483e6
--- /dev/null
+++ b/spec/policies/instance_metadata_policy_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe InstanceMetadataPolicy do
+  subject { described_class.new(user, InstanceMetadata.new) }
+
+  context 'for any logged-in user' do
+    let(:user) { create(:user) }
+
+    specify { expect_allowed(:read_instance_metadata) }
+  end
+
+  context 'for anonymous users' do
+    let(:user) { nil }
+
+    specify { expect_disallowed(:read_instance_metadata) }
+  end
+end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index e352b990159..76788ae2cb7 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -139,8 +139,13 @@ RSpec.describe IssuePolicy do
       create(:project_group_link, group: group, project: project)
     end
 
+    it 'does not allow guest to create todos' do
+      expect(permissions(nil, issue)).to be_allowed(:read_issue)
+      expect(permissions(nil, issue)).to be_disallowed(:create_todo)
+    end
+
     it 'allows guests to read issues' do
-      expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid)
+      expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid, :create_todo)
       expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue)
 
       expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index 3a46d5b9226..744822f58d1 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -24,6 +24,7 @@ RSpec.describe MergeRequestPolicy do
   mr_perms = %i[create_merge_request_in
                 create_merge_request_from
                 read_merge_request
+                create_todo
                 approve_merge_request
                 create_note].freeze
 
@@ -47,6 +48,18 @@ RSpec.describe MergeRequestPolicy do
     end
   end
 
+  context 'when merge request is public' do
+    context 'and user is anonymous' do
+      let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
+
+      subject { permissions(nil, merge_request) }
+
+      it do
+        is_expected.to be_disallowed(:create_todo)
+      end
+    end
+  end
+
   context 'when merge requests have been disabled' do
     let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
 
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index a4cc3a1e9af..f6cd84f29ae 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 
 RSpec.describe NotePolicy do
-  describe '#rules' do
+  describe '#rules', :aggregate_failures do
     let(:user) { create(:user) }
     let(:project) { create(:project, :public) }
     let(:issue) { create(:issue, project: project) }
@@ -11,14 +11,15 @@ RSpec.describe NotePolicy do
     let(:policy) { described_class.new(user, note) }
     let(:note) { create(:note, noteable: noteable, author: user, project: project) }
 
+    shared_examples_for 'user cannot read or act on the note' do
+      specify do
+        expect(policy).to be_disallowed(:admin_note, :reposition_note, :resolve_note, :read_note, :award_emoji)
+      end
+    end
+
     shared_examples_for 'a discussion with a private noteable' do
       context 'when the note author can no longer see the noteable' do
-        it 'can not edit nor read the note' do
-          expect(policy).to be_disallowed(:admin_note)
-          expect(policy).to be_disallowed(:resolve_note)
-          expect(policy).to be_disallowed(:read_note)
-          expect(policy).to be_disallowed(:award_emoji)
-        end
+        it_behaves_like 'user cannot read or act on the note'
       end
 
       context 'when the note author can still see the noteable' do
@@ -28,6 +29,7 @@ RSpec.describe NotePolicy do
 
         it 'can edit the note' do
           expect(policy).to be_allowed(:admin_note)
+          expect(policy).to be_allowed(:reposition_note)
           expect(policy).to be_allowed(:resolve_note)
           expect(policy).to be_allowed(:read_note)
           expect(policy).to be_allowed(:award_emoji)
@@ -35,6 +37,13 @@ RSpec.describe NotePolicy do
       end
     end
 
+    shared_examples_for 'a note on a public noteable' do
+      it 'can only read and award emoji on the note' do
+        expect(policy).to be_allowed(:read_note, :award_emoji)
+        expect(policy).to be_disallowed(:reposition_note, :admin_note, :resolve_note)
+      end
+    end
+
     context 'when the noteable is a deleted commit' do
       let(:commit) { nil }
       let(:note) { create(:note_on_commit, commit_id: '12345678', author: user, project: project) }
@@ -42,6 +51,7 @@ RSpec.describe NotePolicy do
       it 'allows to read' do
         expect(policy).to be_allowed(:read_note)
         expect(policy).to be_disallowed(:admin_note)
+        expect(policy).to be_disallowed(:reposition_note)
         expect(policy).to be_disallowed(:resolve_note)
         expect(policy).to be_disallowed(:award_emoji)
       end
@@ -66,31 +76,60 @@ RSpec.describe NotePolicy do
       end
     end
 
+    context 'when the noteable is a Design' do
+      include DesignManagementTestHelpers
+
+      let(:note) { create(:note, noteable: noteable, project: project) }
+      let(:noteable) { create(:design, issue: issue) }
+
+      before do
+        enable_design_management
+      end
+
+      it 'can read, award emoji and reposition the note' do
+        expect(policy).to be_allowed(:reposition_note, :read_note, :award_emoji)
+        expect(policy).to be_disallowed(:admin_note, :resolve_note)
+      end
+
+      context 'when project is private' do
+        let(:project) { create(:project, :private) }
+
+        it_behaves_like 'user cannot read or act on the note'
+      end
+    end
+
     context 'when the noteable is a personal snippet' do
       let(:noteable) { create(:personal_snippet, :public) }
-      let(:note) { create(:note, noteable: noteable, author: user) }
+      let(:note) { create(:note, noteable: noteable) }
 
-      it 'can edit note' do
-        expect(policy).to be_allowed(:admin_note)
-        expect(policy).to be_allowed(:resolve_note)
-        expect(policy).to be_allowed(:read_note)
-      end
+      it_behaves_like 'a note on a public noteable'
+
+      context 'when user is the author of the personal snippet' do
+        let(:note) { create(:note, noteable: noteable, author: user) }
 
-      context 'when it is private' do
-        let(:noteable) { create(:personal_snippet, :private) }
+        it 'can edit note' do
+          expect(policy).to be_allowed(:read_note, :award_emoji, :admin_note, :reposition_note, :resolve_note)
+        end
+
+        context 'when it is private' do
+          let(:noteable) { create(:personal_snippet, :private) }
 
-        it 'can not edit nor read the note' do
-          expect(policy).to be_disallowed(:admin_note)
-          expect(policy).to be_disallowed(:resolve_note)
-          expect(policy).to be_disallowed(:read_note)
+          it_behaves_like 'user cannot read or act on the note'
         end
       end
     end
 
     context 'when the project is public' do
+      context 'when user is not the author of the note' do
+        let(:note) { create(:note, noteable: noteable, project: project) }
+
+        it_behaves_like 'a note on a public noteable'
+      end
+
       context 'when the note author is not a project member' do
         it 'can edit a note' do
           expect(policy).to be_allowed(:admin_note)
+          expect(policy).to be_allowed(:reposition_note)
           expect(policy).to be_allowed(:resolve_note)
           expect(policy).to be_allowed(:read_note)
         end
@@ -101,6 +140,7 @@ RSpec.describe NotePolicy do
 
         it 'can edit note' do
           expect(policy).to be_allowed(:admin_note)
+          expect(policy).to be_allowed(:reposition_note)
           expect(policy).to be_allowed(:resolve_note)
           expect(policy).to be_allowed(:read_note)
         end
@@ -132,6 +172,7 @@ RSpec.describe NotePolicy do
 
           it 'can edit a note' do
             expect(policy).to be_allowed(:admin_note)
+            expect(policy).to be_allowed(:reposition_note)
             expect(policy).to be_allowed(:resolve_note)
             expect(policy).to be_allowed(:read_note)
           end
@@ -140,6 +181,7 @@ RSpec.describe NotePolicy do
         context 'when the note author is not a project member' do
           it 'can not edit a note' do
             expect(policy).to be_disallowed(:admin_note)
+            expect(policy).to be_disallowed(:reposition_note)
             expect(policy).to be_disallowed(:resolve_note)
           end
 
@@ -154,6 +196,7 @@ RSpec.describe NotePolicy do
 
         it 'allows the author to manage the discussion' do
           expect(policy).to be_allowed(:admin_note)
+          expect(policy).to be_allowed(:reposition_note)
           expect(policy).to be_allowed(:resolve_note)
           expect(policy).to be_allowed(:read_note)
           expect(policy).to be_allowed(:award_emoji)
@@ -180,21 +223,13 @@ RSpec.describe NotePolicy do
 
         shared_examples_for 'user can act on the note' do
           it 'allows the user to read the note' do
-            expect(policy).not_to be_allowed(:admin_note)
+            expect(policy).to be_disallowed(:admin_note)
+            expect(policy).to be_disallowed(:reposition_note)
             expect(policy).to be_allowed(:resolve_note)
             expect(policy).to be_allowed(:award_emoji)
           end
         end
 
-        shared_examples_for 'user cannot read or act on the note' do
-          it 'allows user to read the note' do
-            expect(policy).not_to be_allowed(:admin_note)
-            expect(policy).not_to be_allowed(:resolve_note)
-            expect(policy).not_to be_allowed(:read_note)
-            expect(policy).not_to be_allowed(:award_emoji)
-          end
-        end
-
         context 'when noteable is a public issue' do
           let(:note) { create(:note, system: true, noteable: noteable, author: user, project: project) }
 
@@ -274,42 +309,42 @@ RSpec.describe NotePolicy do
 
         shared_examples_for 'confidential notes permissions' do
           it 'does not allow non members to read confidential notes and replies' do
-            expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+            expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
           end
 
           it 'does not allow guests to read confidential notes and replies' do
-            expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+            expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
           end
 
           it 'allows reporter to read all notes but not resolve and admin them' do
             expect(permissions(reporter, confidential_note)).to be_allowed(:read_note, :award_emoji)
-            expect(permissions(reporter, confidential_note)).to be_disallowed(:admin_note, :resolve_note)
+            expect(permissions(reporter, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
           end
 
           it 'allows developer to read and resolve all notes' do
             expect(permissions(developer, confidential_note)).to be_allowed(:read_note, :award_emoji, :resolve_note)
-            expect(permissions(developer, confidential_note)).to be_disallowed(:admin_note)
+            expect(permissions(developer, confidential_note)).to be_disallowed(:admin_note, :reposition_note)
           end
 
           it 'allows maintainers to read all notes and admin them' do
-            expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+            expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
           end
 
           context 'when admin mode is enabled', :enable_admin_mode do
             it 'allows admins to read all notes and admin them' do
-              expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+              expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
             end
           end
 
           context 'when admin mode is disabled' do
             it 'does not allow non members to read confidential notes and replies' do
-              expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+              expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
             end
           end
 
           it 'allows noteable author to read and resolve all notes' do
             expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
-            expect(permissions(author, confidential_note)).to be_disallowed(:admin_note)
+            expect(permissions(author, confidential_note)).to be_disallowed(:admin_note, :reposition_note)
           end
         end
 
@@ -321,7 +356,7 @@ RSpec.describe NotePolicy do
 
           it 'allows noteable assignees to read all notes' do
             expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji)
-            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :resolve_note)
+            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
           end
         end
 
@@ -333,7 +368,7 @@ RSpec.describe NotePolicy do
 
           it 'allows noteable assignees to read all notes' do
             expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji)
-            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :resolve_note)
+            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
           end
         end
 
@@ -350,11 +385,11 @@ RSpec.describe NotePolicy do
 
           it 'allows snippet author to read and resolve all notes' do
             expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
-            expect(permissions(author, confidential_note)).to be_disallowed(:admin_note)
+            expect(permissions(author, confidential_note)).to be_disallowed(:admin_note, :reposition_note)
           end
 
           it 'does not allow maintainers to read confidential notes and replies' do
-            expect(permissions(maintainer, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+            expect(permissions(maintainer, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
           end
         end
       end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index b28fb9a0255..6c281030618 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -697,6 +697,7 @@ RSpec.describe ProjectPolicy do
       let(:deploy_token) { create(:deploy_token, write_package_registry: true) }
 
       it { is_expected.to be_allowed(:create_package) }
+      it { is_expected.to be_allowed(:read_package) }
       it { is_expected.to be_allowed(:read_project) }
       it { is_expected.to be_disallowed(:destroy_package) }
     end
diff --git a/spec/policies/service_policy_spec.rb b/spec/policies/service_policy_spec.rb
new file mode 100644
index 00000000000..5d2c9c1f6c3
--- /dev/null
+++ b/spec/policies/service_policy_spec.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ServicePolicy, :models do
+  let_it_be(:user) { create(:user) }
+  let(:project) { integration.project }
+
+  subject(:policy) { Ability.policy_for(user, integration) }
+
+  context 'when the integration is a prometheus_service' do
+    let(:integration) { create(:prometheus_service) }
+
+    describe 'rules' do
+      it { is_expected.to be_disallowed :admin_project }
+
+      context 'when maintainer' do
+        before do
+          project.add_maintainer(user)
+        end
+
+        it { is_expected.to be_allowed :admin_project }
+      end
+    end
+  end
+end
diff --git a/spec/policies/terraform/state_version_policy_spec.rb b/spec/policies/terraform/state_version_policy_spec.rb
new file mode 100644
index 00000000000..6614e073332
--- /dev/null
+++ b/spec/policies/terraform/state_version_policy_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Terraform::StateVersionPolicy do
+  let_it_be(:project) { create(:project) }
+  let_it_be(:terraform_state) { create(:terraform_state, :with_version, project: project)}
+
+  subject { described_class.new(user, terraform_state.latest_version) }
+
+  describe 'rules' do
+    context 'no access' do
+      let(:user) { create(:user) }
+
+      it { is_expected.to be_disallowed(:read_terraform_state) }
+      it { is_expected.to be_disallowed(:admin_terraform_state) }
+    end
+
+    context 'developer' do
+      let(:user) { create(:user, developer_projects: [project]) }
+
+      it { is_expected.to be_allowed(:read_terraform_state) }
+      it { is_expected.to be_disallowed(:admin_terraform_state) }
+    end
+
+    context 'maintainer' do
+      let(:user) { create(:user, maintainer_projects: [project]) }
+
+      it { is_expected.to be_allowed(:read_terraform_state) }
+      it { is_expected.to be_allowed(:admin_terraform_state) }
+    end
+  end
+end
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 38641558b6b..17ac7d0e44d 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -40,6 +40,46 @@ RSpec.describe UserPolicy do
     end
   end
 
+  describe "creating a different user's Personal Access Tokens" do
+    context 'when current_user is admin' do
+      let(:current_user) { create(:user, :admin) }
+
+      context 'when admin mode is enabled and current_user is not blocked', :enable_admin_mode do
+        it { is_expected.to be_allowed(:create_user_personal_access_token) }
+      end
+
+      context 'when admin mode is enabled and current_user is blocked', :enable_admin_mode do
+        let(:current_user) { create(:admin, :blocked) }
+
+        it { is_expected.not_to be_allowed(:create_user_personal_access_token) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.not_to be_allowed(:create_user_personal_access_token) }
+      end
+    end
+
+    context 'when current_user is not an admin' do
+      context 'creating their own personal access tokens' do
+        subject { described_class.new(current_user, current_user) }
+
+        context 'when current_user is not blocked' do
+          it { is_expected.to be_allowed(:create_user_personal_access_token) }
+        end
+
+        context 'when current_user is blocked' do
+          let(:current_user) { create(:user, :blocked) }
+
+          it { is_expected.not_to be_allowed(:create_user_personal_access_token) }
+        end
+      end
+
+      context "creating a different user's personal access tokens" do
+        it { is_expected.not_to be_allowed(:create_user_personal_access_token) }
+      end
+    end
+  end
+
   shared_examples 'changing a user' do |ability|
     context "when a regular user tries to destroy another regular user" do
       it { is_expected.not_to be_allowed(ability) }
@@ -102,4 +142,22 @@ RSpec.describe UserPolicy do
       end
     end
   end
+
+  describe "reading a user's group count" do
+    context "when current_user is an admin", :enable_admin_mode do
+      let(:current_user) { create(:user, :admin) }
+
+      it { is_expected.to be_allowed(:read_group_count) }
+    end
+
+    context "for self users" do
+      let(:user) { current_user }
+
+      it { is_expected.to be_allowed(:read_group_count) }
+    end
+
+    context "when accessing a different user's group count" do
+      it { is_expected.not_to be_allowed(:read_group_count) }
+    end
+  end
 end
diff --git a/spec/policies/wiki_page_policy_spec.rb b/spec/policies/wiki_page_policy_spec.rb
index 093db9f8374..a2fa7f29135 100644
--- a/spec/policies/wiki_page_policy_spec.rb
+++ b/spec/policies/wiki_page_policy_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe WikiPagePolicy, :enable_admin_mode do
+RSpec.describe WikiPagePolicy do
   include_context 'ProjectPolicyTable context'
   include ProjectHelpers
   using RSpec::Parameterized::TableSyntax
@@ -13,12 +13,13 @@ RSpec.describe WikiPagePolicy, :enable_admin_mode do
 
   subject(:policy) { described_class.new(user, wiki_page) }
 
-  where(:project_level, :feature_access_level, :membership, :expected_count) do
+  where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
     permission_table_for_guest_feature_access
   end
 
   with_them do
     it "grants permission" do
+      enable_admin_mode!(user) if admin_mode
       update_feature_access_level(project, feature_access_level)
 
       if expected_count == 1
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-11-19 08:27:35 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-11-19 08:27:35 +0000
commit	7e9c479f7de77702622631cff2628a9c8dcbc627 (patch)
tree	c8f718a08e110ad7e1894510980d2155a6549197 /spec/policies
parent	e852b0ae16db4052c1c567d9efa4facc81146e88 (diff)
download	gitlab-ce-7e9c479f7de77702622631cff2628a9c8dcbc627.tar.gz