author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-19 01:45:44 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-19 01:45:44 +0000 |
commit | 85dc423f7090da0a52c73eb66faf22ddb20efff9 (patch) | |
tree | 9160f299afd8c80c038f08e1545be119f5e3f1e1 /spec/policies | |
parent | 15c2c8c66dbe422588e5411eee7e68f1fa440bb8 (diff) | |
download | gitlab-ce-85dc423f7090da0a52c73eb66faf22ddb20efff9.tar.gz |
Add latest changes from gitlab-org/gitlab@13-4-stable-ee
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/design_management/design_policy_spec.rb | 11 | ||||
-rw-r--r-- | spec/policies/global_policy_spec.rb | 40 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 44 | ||||
-rw-r--r-- | spec/policies/issuable_policy_spec.rb | 8 | ||||
-rw-r--r-- | spec/policies/metrics/dashboard/annotation_policy_spec.rb | 26 | ||||
-rw-r--r-- | spec/policies/namespace_policy_spec.rb | 26 | ||||
-rw-r--r-- | spec/policies/personal_access_token_policy_spec.rb | 18 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 233 | ||||
-rw-r--r-- | spec/policies/user_policy_spec.rb | 20 |
9 files changed, 200 insertions, 226 deletions
diff --git a/spec/policies/design_management/design_policy_spec.rb b/spec/policies/design_management/design_policy_spec.rb index 5cf2f376edf..5a74d979ef3 100644 --- a/spec/policies/design_management/design_policy_spec.rb +++ b/spec/policies/design_management/design_policy_spec.rb @@ -131,17 +131,6 @@ RSpec.describe DesignManagement::DesignPolicy do it_behaves_like "design abilities available for members" - context 'when reorder_designs is not enabled' do - before do - stub_feature_flags(reorder_designs: false) - end - - let(:current_user) { developer } - - it { is_expected.to be_allowed(*(developer_design_abilities - [:move_design])) } - it { is_expected.to be_disallowed(:move_design) } - end - context "for guests in private projects" do let_it_be(:project) { create(:project, :private) } let(:current_user) { guest } diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index 4954eafe338..6cd1c201c62 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb 
@@ -370,46 +370,6 @@ RSpec.describe GlobalPolicy do end end - describe 'read instance statistics' do - context 'regular user' do - it { is_expected.to be_allowed(:read_instance_statistics) } - - context 'when instance statistics are set to private' do - before do - stub_application_setting(instance_statistics_visibility_private: true) - end - - it { is_expected.not_to be_allowed(:read_instance_statistics) } - end - end - - context 'admin' do - let(:current_user) { create(:admin) } - - it { is_expected.to be_allowed(:read_instance_statistics) } - - context 'when instance statistics are set to private' do - before do - stub_application_setting(instance_statistics_visibility_private: true) - end - - context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:read_instance_statistics) } - end - - context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:read_instance_statistics) } - end - end - end - - context 'anonymous' do - let(:current_user) { nil } - - it { is_expected.not_to be_allowed(:read_instance_statistics) } - end - end - describe 'slash commands' do context 'regular user' do it { is_expected.to be_allowed(:use_slash_commands) } diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 3e0ea164e3d..dbe444acb58 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb 
@@ -768,4 +768,48 @@ RSpec.describe GroupPolicy do end end end + + describe 'create_jira_connect_subscription' do + context 'admin' do + let(:current_user) { admin } + + it { is_expected.to be_allowed(:create_jira_connect_subscription) } + end + + context 'with owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:create_jira_connect_subscription) } + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:create_jira_connect_subscription) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:create_jira_connect_subscription) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:create_jira_connect_subscription) } + end + + context 'with non member' do + let(:current_user) { create(:user) } + + it { is_expected.to be_disallowed(:create_jira_connect_subscription) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_jira_connect_subscription) } + end + end end diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb index 20eb09e11c9..86b04ccda57 100644 --- a/spec/policies/issuable_policy_spec.rb +++ b/spec/policies/issuable_policy_spec.rb @@ -40,8 +40,8 @@ RSpec.describe IssuablePolicy, models: true do let(:issue) { create(:issue, project: project, discussion_locked: true) } context 'when the user is not a project member' do - it 'can not create a note' do - expect(policies).to be_disallowed(:create_note) + it 'can not create a note nor award emojis' do + expect(policies).to be_disallowed(:create_note, :award_emoji) end end 
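Review bot: The `context 'admin'` in the new `create_jira_connect_subscription` describe asserts the ability is allowed without the `:enable_admin_mode` tag, so the spec does not say whether an administrator who has not entered admin mode is also granted it; the namespace_policy_spec hunk in this same commit splits the admin case into `context 'when admin mode enabled', :enable_admin_mode` and `context 'when admin mode disabled'` and expects disallowed in the latter. If GroupPolicy gates this on admin mode like NamespacePolicy, the group spec should mirror that pair by wrapping the existing expectation in `context 'when admin mode enabled', :enable_admin_mode do` and adding `context 'when admin mode disabled' do` with `it { is_expected.to be_disallowed(:create_jira_connect_subscription) }`; if admin mode is deliberately not required here, a one-line comment on the admin context saying so would stop the two specs from reading as contradictory. Whether `admin` is also a member of the group, and how `maintainer`/`owner` are set up, is defined outside the hunk, so I cannot tell which rule the current expectation actually exercises.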
@@ -50,8 +50,8 @@ RSpec.describe IssuablePolicy, models: true do project.add_guest(user) end - it 'can create a note' do - expect(policies).to be_allowed(:create_note) + it 'can create a note and award emojis' do + expect(policies).to be_allowed(:create_note, :award_emoji) end end end diff --git a/spec/policies/metrics/dashboard/annotation_policy_spec.rb b/spec/policies/metrics/dashboard/annotation_policy_spec.rb index 0c59b39ae3e..9ea9f843f2c 100644 --- a/spec/policies/metrics/dashboard/annotation_policy_spec.rb +++ b/spec/policies/metrics/dashboard/annotation_policy_spec.rb @@ -3,6 +3,10 @@ require 'spec_helper' RSpec.describe Metrics::Dashboard::AnnotationPolicy, :models do + let(:policy) { described_class.new(user, annotation) } + + let_it_be(:user) { create(:user) } + shared_examples 'metrics dashboard annotation policy' do context 'when guest' do before do 
@@ -51,23 +55,21 @@ RSpec.describe Metrics::Dashboard::AnnotationPolicy, :models do describe 'rules' do context 'environments annotation' do - let(:annotation) { create(:metrics_dashboard_annotation, environment: environment) } - let(:environment) { create(:environment) } - let!(:project) { environment.project } - let(:user) { create(:user) } - let(:policy) { described_class.new(user, annotation) } + let_it_be(:environment) { create(:environment) } + let_it_be(:annotation) { create(:metrics_dashboard_annotation, environment: environment) } - it_behaves_like 'metrics dashboard annotation policy' + it_behaves_like 'metrics dashboard annotation policy' do + let(:project) { environment.project } + end end context 'cluster annotation' do - let(:annotation) { create(:metrics_dashboard_annotation, environment: nil, cluster: cluster) } - let(:cluster) { create(:cluster, :project) } - let(:project) { cluster.project } - let(:user) { create(:user) } - let(:policy) { described_class.new(user, annotation) } + let_it_be(:cluster) { create(:cluster, :project) } + let_it_be(:annotation) { create(:metrics_dashboard_annotation, environment: nil, cluster: cluster) } - it_behaves_like 'metrics dashboard annotation policy' + it_behaves_like 'metrics dashboard annotation policy' do + let(:project) { cluster.project } + end end end end diff --git a/spec/policies/namespace_policy_spec.rb b/spec/policies/namespace_policy_spec.rb index f2f411e48d6..8f71cf114c3 100644 --- a/spec/policies/namespace_policy_spec.rb +++ b/spec/policies/namespace_policy_spec.rb 
@@ -48,4 +48,30 @@ RSpec.describe NamespacePolicy do it { is_expected.to be_disallowed(*owner_permissions) } end end + + describe 'create_jira_connect_subscription' do + context 'admin' do + let(:current_user) { build_stubbed(:admin) } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:create_jira_connect_subscription) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:create_jira_connect_subscription) } + end + end + + context 'owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:create_jira_connect_subscription) } + end + + context 'other user' do + let(:current_user) { build_stubbed(:user) } + + it { is_expected.to be_disallowed(:create_jira_connect_subscription) } + end + end end diff --git a/spec/policies/personal_access_token_policy_spec.rb b/spec/policies/personal_access_token_policy_spec.rb index 71795202e13..b5e8d40b133 100644 --- a/spec/policies/personal_access_token_policy_spec.rb +++ b/spec/policies/personal_access_token_policy_spec.rb @@ -8,17 +8,17 @@ RSpec.describe PersonalAccessTokenPolicy do subject { described_class.new(current_user, token) } context 'current_user is an administrator', :enable_admin_mode do - let_it_be(:current_user) { build(:admin) } + let_it_be(:current_user) { build_stubbed(:admin) } context 'not the owner of the token' do - let_it_be(:token) { build(:personal_access_token) } + let_it_be(:token) { build_stubbed(:personal_access_token) } it { is_expected.to be_allowed(:read_token) } it { is_expected.to be_allowed(:revoke_token) } end context 'owner of the token' do - let_it_be(:token) { build(:personal_access_token, user: current_user) } + let_it_be(:token) { build_stubbed(:personal_access_token, user: current_user) } it { is_expected.to be_allowed(:read_token) } it { is_expected.to be_allowed(:revoke_token) } 
@@ -26,17 +26,17 @@ RSpec.describe PersonalAccessTokenPolicy do end context 'current_user is not an administrator' do - let_it_be(:current_user) { build(:user) } + let_it_be(:current_user) { build_stubbed(:user) } context 'not the owner of the token' do - let_it_be(:token) { build(:personal_access_token) } + let_it_be(:token) { build_stubbed(:personal_access_token) } it { is_expected.to be_disallowed(:read_token) } it { is_expected.to be_disallowed(:revoke_token) } end context 'owner of the token' do - let_it_be(:token) { build(:personal_access_token, user: current_user) } + let_it_be(:token) { build_stubbed(:personal_access_token, user: current_user) } it { is_expected.to be_allowed(:read_token) } it { is_expected.to be_allowed(:revoke_token) } @@ -44,17 +44,17 @@ RSpec.describe PersonalAccessTokenPolicy do end context 'current_user is a blocked administrator', :enable_admin_mode do - let_it_be(:current_user) { build(:admin, :blocked) } + let_it_be(:current_user) { create(:admin, :blocked) } context 'owner of the token' do - let_it_be(:token) { build(:personal_access_token, user: current_user) } + let_it_be(:token) { build_stubbed(:personal_access_token, user: current_user) } it { is_expected.to be_disallowed(:read_token) } it { is_expected.to be_disallowed(:revoke_token) } end context 'not the owner of the token' do - let_it_be(:token) { build(:personal_access_token) } + let_it_be(:token) { build_stubbed(:personal_access_token) } it { is_expected.to be_disallowed(:read_token) } it { is_expected.to be_disallowed(:revoke_token) } diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 9879fc53461..0c457148b4d 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb 
@@ -5,93 +5,10 @@ require 'spec_helper' RSpec.describe ProjectPolicy do include ExternalAuthorizationServiceHelpers include_context 'ProjectPolicy context' - let_it_be(:other_user) { create(:user) } - let_it_be(:guest) { create(:user) } - let_it_be(:reporter) { create(:user) } - let_it_be(:developer) { create(:user) } - let_it_be(:maintainer) { create(:user) } - let_it_be(:owner) { create(:user) } - let_it_be(:admin) { create(:admin) } - let(:project) { create(:project, :public, namespace: owner.namespace) } - - let(:base_guest_permissions) do - %i[ - read_project read_board read_list read_wiki read_issue - read_project_for_iids read_issue_iid read_label - read_milestone read_snippet read_project_member read_note - create_project create_issue create_note upload_file create_merge_request_in - award_emoji read_release read_issue_link - ] - end - - let(:base_reporter_permissions) do - %i[ - download_code fork_project create_snippet update_issue - admin_issue admin_label admin_list read_commit_status read_build - read_container_image read_pipeline read_environment read_deployment - read_merge_request download_wiki_code read_sentry_issue read_metrics_dashboard_annotation - metrics_dashboard read_confidential_issues admin_issue_link - ] - end - - let(:team_member_reporter_permissions) do - %i[build_download_code build_read_container_image] - end - - let(:developer_permissions) do - %i[ - admin_tag admin_milestone admin_merge_request update_merge_request create_commit_status - update_commit_status create_build update_build create_pipeline - update_pipeline create_merge_request_from create_wiki push_code - resolve_note create_container_image update_container_image destroy_container_image daily_statistics - create_environment update_environment create_deployment update_deployment create_release update_release - create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation - read_terraform_state read_pod_logs - ] - end - - 
let(:base_maintainer_permissions) do - %i[ - push_to_delete_protected_branch update_snippet - admin_snippet admin_project_member admin_note admin_wiki admin_project - admin_commit_status admin_build admin_container_image - admin_pipeline admin_environment admin_deployment destroy_release add_cluster - read_deploy_token create_deploy_token destroy_deploy_token - admin_terraform_state - ] - end - let(:public_permissions) do - %i[ - download_code fork_project read_commit_status read_pipeline - read_container_image build_download_code build_read_container_image - download_wiki_code read_release - ] - end - - let(:owner_permissions) do - %i[ - change_namespace change_visibility_level rename_project remove_project - archive_project remove_fork_project destroy_merge_request destroy_issue - set_issue_iid set_issue_created_at set_issue_updated_at set_note_created_at - ] - end + let(:project) { public_project } - # Used in EE specs - let(:additional_guest_permissions) { [] } - let(:additional_reporter_permissions) { [] } - let(:additional_maintainer_permissions) { [] } - - let(:guest_permissions) { base_guest_permissions + additional_guest_permissions } - let(:reporter_permissions) { base_reporter_permissions + additional_reporter_permissions } - let(:maintainer_permissions) { base_maintainer_permissions + additional_maintainer_permissions } - - before do - project.add_guest(guest) - project.add_maintainer(maintainer) - project.add_developer(developer) - project.add_reporter(reporter) - end + subject { described_class.new(current_user, project) } def expect_allowed(*permissions) permissions.each { |p| is_expected.to be_allowed(p) } @@ -102,7 +19,7 @@ RSpec.describe ProjectPolicy do end context 'with no project feature' do - subject { described_class.new(owner, project) } + let(:current_user) { owner } before do project.project_feature.destroy! 
@@ -134,7 +51,7 @@ RSpec.describe ProjectPolicy do end context 'issues feature' do - subject { described_class.new(owner, project) } + let(:current_user) { owner } context 'when the feature is disabled' do before do @@ -162,7 +79,7 @@ RSpec.describe ProjectPolicy do end context 'merge requests feature' do - subject { described_class.new(owner, project) } + let(:current_user) { owner } it 'disallows all permissions when the feature is disabled' do project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED) @@ -176,9 +93,8 @@ RSpec.describe ProjectPolicy do end context 'for a guest in a private project' do - let(:project) { create(:project, :private) } - - subject { described_class.new(guest, project) } + let(:current_user) { guest } + let(:project) { private_project } it 'disallows the guest from reading the merge request and merge request iid' do expect_disallowed(:read_merge_request) @@ -187,12 +103,10 @@ RSpec.describe ProjectPolicy do end context 'pipeline feature' do - let(:project) { create(:project) } + let(:project) { private_project } describe 'for unconfirmed user' do - let(:unconfirmed_user) { create(:user, confirmed_at: nil) } - - subject { described_class.new(unconfirmed_user, project) } + let(:current_user) { create(:user, confirmed_at: nil) } it 'disallows to modify pipelines' do expect_disallowed(:create_pipeline) @@ -202,7 +116,7 @@ RSpec.describe ProjectPolicy do end describe 'for confirmed user' do - subject { described_class.new(developer, project) } + let(:current_user) { developer } it 'allows modify pipelines' do expect_allowed(:create_pipeline) @@ -214,7 +128,7 @@ RSpec.describe ProjectPolicy do context 'builds feature' do context 'when builds are disabled' do - subject { described_class.new(owner, project) } + let(:current_user) { owner } before do project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED) 
@@ -234,7 +148,7 @@ RSpec.describe ProjectPolicy do end context 'when builds are disabled only for some users' do - subject { described_class.new(guest, project) } + let(:current_user) { guest } before do project.project_feature.update!(builds_access_level: ProjectFeature::PRIVATE) @@ -265,7 +179,7 @@ RSpec.describe ProjectPolicy do end context 'when user is a project member' do - subject { described_class.new(owner, project) } + let(:current_user) { owner } context 'when it is disabled' do before do @@ -283,8 +197,8 @@ RSpec.describe ProjectPolicy do end end - context 'when user is some other user' do - subject { described_class.new(other_user, project) } + context 'when user is non-member' do + let(:current_user) { non_member } context 'when access level is private' do before do @@ -314,7 +228,7 @@ RSpec.describe ProjectPolicy do context 'when a public project has merge requests allowing access' do include ProjectForksHelper - let(:user) { create(:user) } + let(:current_user) { create(:user) } let(:target_project) { create(:project, :public) } let(:project) { fork_project(target_project) } let!(:merge_request) do @@ -330,20 +244,18 @@ RSpec.describe ProjectPolicy do %w(create_build create_pipeline) end - subject { described_class.new(user, project) } - it 'does not allow pushing code' do expect_disallowed(*maintainer_abilities) end it 'allows pushing if the user is a member with push access to the target project' do - target_project.add_developer(user) + target_project.add_developer(current_user) expect_allowed(*maintainer_abilities) end it 'disallows abilities to a maintainer if the merge request was closed' do - target_project.add_developer(user) + target_project.add_developer(current_user) merge_request.close! expect_disallowed(*maintainer_abilities) 
@@ -351,12 +263,9 @@ RSpec.describe ProjectPolicy do end it_behaves_like 'clusterable policies' do - let(:clusterable) { create(:project, :repository) } - let(:cluster) do - create(:cluster, - :provided_by_gcp, - :project, - projects: [clusterable]) + let_it_be(:clusterable) { create(:project, :repository) } + let_it_be(:cluster) do + create(:cluster, :provided_by_gcp, :project, projects: [clusterable]) end end @@ -427,16 +336,14 @@ RSpec.describe ProjectPolicy do end context 'forking a project' do - subject { described_class.new(current_user, project) } - context 'anonymous user' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:fork_project) } end context 'project member' do - let_it_be(:project) { create(:project, :private) } + let(:project) { private_project } context 'guest' do let(:current_user) { guest } @@ -455,10 +362,8 @@ RSpec.describe ProjectPolicy do end describe 'update_max_artifacts_size' do - subject { described_class.new(current_user, project) } - context 'when no user' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { expect_disallowed(:update_max_artifacts_size) } end @@ -487,12 +392,10 @@ RSpec.describe ProjectPolicy do context 'alert bot' do let(:current_user) { User.alert_bot } - subject { described_class.new(current_user, project) } - it { is_expected.to be_allowed(:reporter_access) } context 'within a private project' do - let(:project) { create(:project, :private) } + let(:project) { private_project } it { is_expected.to be_allowed(:admin_issue) } end @@ -501,8 +404,6 @@ RSpec.describe ProjectPolicy do context 'support bot' do let(:current_user) { User.support_bot } - subject { described_class.new(current_user, project) } - context 'with service desk disabled' do it { expect_allowed(:guest_access) } it { expect_disallowed(:create_note, :read_project) } 
@@ -526,8 +427,6 @@ RSpec.describe ProjectPolicy do end describe 'read_prometheus_alerts' do - subject { described_class.new(current_user, project) } - context 'with admin' do let(:current_user) { admin } @@ -571,17 +470,15 @@ RSpec.describe ProjectPolicy do end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:read_prometheus_alerts) } end end describe 'metrics_dashboard feature' do - subject { described_class.new(current_user, project) } - context 'public project' do - let(:project) { create(:project, :public) } + let(:project) { public_project } context 'feature private' do context 'with reporter' do @@ -601,7 +498,7 @@ RSpec.describe ProjectPolicy do end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } end @@ -633,7 +530,7 @@ RSpec.describe ProjectPolicy do end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_allowed(:metrics_dashboard) } it { is_expected.to be_allowed(:read_prometheus) } @@ -645,7 +542,7 @@ RSpec.describe ProjectPolicy do end context 'internal project' do - let(:project) { create(:project, :internal) } + let(:project) { internal_project } context 'feature private' do context 'with reporter' do @@ -665,7 +562,7 @@ RSpec.describe ProjectPolicy do end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard)} end @@ -697,7 +594,7 @@ RSpec.describe ProjectPolicy do end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } end 
@@ -705,7 +602,7 @@ RSpec.describe ProjectPolicy do end context 'private project' do - let(:project) { create(:project, :private) } + let(:project) { private_project } context 'feature private' do context 'with reporter' do @@ -725,7 +622,7 @@ RSpec.describe ProjectPolicy do end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } end @@ -749,7 +646,7 @@ RSpec.describe ProjectPolicy do end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } end @@ -774,7 +671,7 @@ RSpec.describe ProjectPolicy do end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } end @@ -806,8 +703,6 @@ RSpec.describe ProjectPolicy do end describe 'create_web_ide_terminal' do - subject { described_class.new(current_user, project) } - context 'with admin' do let(:current_user) { admin } @@ -851,20 +746,20 @@ RSpec.describe ProjectPolicy do end context 'with non member' do - let(:current_user) { create(:user) } + let(:current_user) { non_member } it { is_expected.to be_disallowed(:create_web_ide_terminal) } end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_disallowed(:create_web_ide_terminal) } end end describe 'read_repository_graphs' do - subject { described_class.new(guest, project) } + let(:current_user) { guest } before do allow(subject).to receive(:allowed?).with(:read_repository_graphs).and_call_original @@ -885,7 +780,7 @@ RSpec.describe ProjectPolicy do end describe 'design permissions' do - subject { described_class.new(guest, project) } + let(:current_user) { guest } let(:design_permissions) do %i[read_design_activity read_design] 
@@ -907,7 +802,7 @@ RSpec.describe ProjectPolicy do end describe 'read_build_report_results' do - subject { described_class.new(guest, project) } + let(:current_user) { guest } before do allow(subject).to receive(:allowed?).with(:read_build_report_results).and_call_original @@ -945,8 +840,6 @@ RSpec.describe ProjectPolicy do end describe 'read_package' do - subject { described_class.new(current_user, project) } - context 'with admin' do let(:current_user) { admin } @@ -997,15 +890,55 @@ RSpec.describe ProjectPolicy do end context 'with non member' do - let(:current_user) { create(:user) } + let(:current_user) { non_member } it { is_expected.to be_allowed(:read_package) } end context 'with anonymous' do - let(:current_user) { nil } + let(:current_user) { anonymous } it { is_expected.to be_allowed(:read_package) } end end + + describe 'read_feature_flag' do + subject { described_class.new(current_user, project) } + + context 'with maintainer' do + let(:current_user) { maintainer } + + context 'when repository is available' do + it { is_expected.to be_allowed(:read_feature_flag) } + end + + context 'when repository is disabled' do + before do + project.project_feature.update!( + merge_requests_access_level: ProjectFeature::DISABLED, + builds_access_level: ProjectFeature::DISABLED, + repository_access_level: ProjectFeature::DISABLED + ) + end + + it { is_expected.to be_disallowed(:read_feature_flag) } + end + end + + context 'with developer' do + let(:current_user) { developer } + + context 'when repository is available' do + it { is_expected.to be_allowed(:read_feature_flag) } + end + end + + context 'with reporter' do + let(:current_user) { reporter } + + context 'when repository is available' do + it { is_expected.to be_disallowed(:read_feature_flag) } + end + end + end end diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb index d7338622c86..38641558b6b 100644 --- a/spec/policies/user_policy_spec.rb 
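Review bot: The new `describe 'read_feature_flag'` re-declares `subject { described_class.new(current_user, project) }` even though this commit adds that exact subject at the top of the file and removes the same per-describe copies from `read_package`, `create_web_ide_terminal` and the other describes; the line should be dropped for consistency. The block also exercises only maintainer, developer and reporter, whereas the neighbouring `read_package` and `create_web_ide_terminal` describes run the same ability through guest, non-member and anonymous as well, so a regression that exposed `read_feature_flag` below reporter would not be caught here. The contexts below add those cases, on the assumption that the policy denies them as it does for reporter, which I cannot confirm from this hunk; `project` defaults to `public_project` via the let added at the top of the file, so the anonymous case is a meaningful one.
```ruby
  describe 'read_feature_flag' do
    # … unchanged: maintainer, developer and reporter contexts …

    context 'with guest' do
      let(:current_user) { guest }

      it { is_expected.to be_disallowed(:read_feature_flag) }
    end

    context 'with non member' do
      let(:current_user) { non_member }

      it { is_expected.to be_disallowed(:read_feature_flag) }
    end

    context 'with anonymous' do
      let(:current_user) { anonymous }

      it { is_expected.to be_disallowed(:read_feature_flag) }
    end
  end
```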
+++ b/spec/policies/user_policy_spec.rb @@ -82,4 +82,24 @@ RSpec.describe UserPolicy do describe "updating a user" do it_behaves_like 'changing a user', :update_user end + + describe 'disabling two-factor authentication' do + context 'disabling their own two-factor authentication' do + let(:user) { current_user } + + it { is_expected.to be_allowed(:disable_two_factor) } + end + + context 'disabling the two-factor authentication of another user' do + context 'when the executor is an admin', :enable_admin_mode do + let(:current_user) { create(:user, :admin) } + + it { is_expected.to be_allowed(:disable_two_factor) } + end + + context 'when the executor is not an admin' do + it { is_expected.not_to be_allowed(:disable_two_factor) } + end + end + end end |
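Review bot: The admin case under 'disabling the two-factor authentication of another user' only runs with `:enable_admin_mode`, so the spec never pins down whether an administrator outside admin mode may disable another user's two-factor authentication; the namespace_policy_spec hunk in this commit checks both states for its admin ability, and this describe should do the same with `context 'when the executor is an admin but admin mode is disabled' do`, `let(:current_user) { create(:user, :admin) }` and `it { is_expected.not_to be_allowed(:disable_two_factor) }`, assuming UserPolicy gates this on admin mode, which I cannot see from here. The 'when the executor is not an admin' context declares no `let` of its own, so it depends on the outer `current_user` and `user` being two distinct users; both are defined outside the hunk, and a short comment stating that dependency would make the expectation self-explanatory. The new examples use `not_to be_allowed` while the rest of this file's additions use `be_disallowed`; either is fine, but one form per file reads better.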