diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-16 18:18:33 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-16 18:18:33 +0000 |
commit | f64a639bcfa1fc2bc89ca7db268f594306edfd7c (patch) | |
tree | a2c3c2ebcc3b45e596949db485d6ed18ffaacfa1 /spec/policies | |
parent | bfbc3e0d6583ea1a91f627528bedc3d65ba4b10f (diff) | |
download | gitlab-ce-f64a639bcfa1fc2bc89ca7db268f594306edfd7c.tar.gz |
Add latest changes from gitlab-org/gitlab@13-10-stable-eev13.10.0-rc40
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/base_policy_spec.rb | 6 | ||||
-rw-r--r-- | spec/policies/group_member_policy_spec.rb | 8 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 38 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 94 |
4 files changed, 134 insertions, 12 deletions
diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb index 226660dc955..44ff909872d 100644 --- a/spec/policies/base_policy_spec.rb +++ b/spec/policies/base_policy_spec.rb @@ -73,10 +73,14 @@ RSpec.describe BasePolicy do end end - describe 'full private access' do + describe 'full private access: read_all_resources' do it_behaves_like 'admin only access', :read_all_resources end + describe 'full private access: admin_all_resources' do + it_behaves_like 'admin only access', :admin_all_resources + end + describe 'change_repository_storage' do it_behaves_like 'admin only access', :change_repository_storage end diff --git a/spec/policies/group_member_policy_spec.rb b/spec/policies/group_member_policy_spec.rb index 6099e4549b1..d283b0ffda5 100644 --- a/spec/policies/group_member_policy_spec.rb +++ b/spec/policies/group_member_policy_spec.rb @@ -90,6 +90,14 @@ RSpec.describe GroupMemberPolicy do specify { expect_allowed(:read_group) } end + context 'with one blocked owner' do + let(:owner) { create(:user, :blocked) } + let(:current_user) { owner } + + specify { expect_disallowed(*member_related_permissions) } + specify { expect_disallowed(:read_group) } + end + context 'with more than one owner' do let(:current_user) { owner } diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 7cded27e449..1794934dd20 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -193,16 +193,24 @@ RSpec.describe GroupPolicy do let(:current_user) { admin } specify do - expect_allowed(*read_group_permissions) - expect_allowed(*guest_permissions) - expect_allowed(*reporter_permissions) - expect_allowed(*developer_permissions) - expect_allowed(*maintainer_permissions) - expect_allowed(*owner_permissions) + expect_disallowed(*read_group_permissions) + expect_disallowed(*guest_permissions) + expect_disallowed(*reporter_permissions) + expect_disallowed(*developer_permissions) + expect_disallowed(*maintainer_permissions) + expect_disallowed(*owner_permissions) end context 'with admin mode', :enable_admin_mode do - specify { expect_allowed(*admin_permissions) } + specify do + expect_allowed(*read_group_permissions) + expect_allowed(*guest_permissions) + expect_allowed(*reporter_permissions) + expect_allowed(*developer_permissions) + expect_allowed(*maintainer_permissions) + expect_allowed(*owner_permissions) + expect_allowed(*admin_permissions) + end end it_behaves_like 'deploy token does not get confused with user' do @@ -773,7 +781,13 @@ RSpec.describe GroupPolicy do context 'admin' do let(:current_user) { admin } - it { is_expected.to be_allowed(:create_jira_connect_subscription) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:create_jira_connect_subscription) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:create_jira_connect_subscription) } + end end context 'with owner' do @@ -817,7 +831,13 @@ RSpec.describe GroupPolicy do context 'admin' do let(:current_user) { admin } - it { is_expected.to be_allowed(:read_package) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_package) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:read_package) } + end end context 'with owner' do diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 6ba3ab6aace..60c54f97312 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -64,8 +64,8 @@ RSpec.describe ProjectPolicy do end it 'disables boards and lists permissions' do - expect_disallowed :read_board, :create_board, :update_board - expect_disallowed :read_list, :create_list, :update_list, :admin_list + expect_disallowed :read_issue_board, :create_board, :update_board + expect_disallowed :read_issue_board_list, :create_list, :update_list, :admin_issue_board_list end context 'when external tracker configured' do @@ -105,6 +105,10 @@ RSpec.describe ProjectPolicy do context 'pipeline feature' do let(:project) { private_project } + before do + private_project.add_developer(current_user) + end + describe 'for unconfirmed user' do let(:current_user) { create(:user, confirmed_at: nil) } @@ -1263,4 +1267,90 @@ RSpec.describe ProjectPolicy do end end end + + describe 'access_security_and_compliance' do + context 'when the "Security & Compliance" is enabled' do + before do + project.project_feature.update!(security_and_compliance_access_level: Featurable::PRIVATE) + end + + %w[owner maintainer developer].each do |role| + context "when the role is #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_allowed(:access_security_and_compliance) } + end + end + + context 'with admin' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:access_security_and_compliance) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + end + + %w[reporter guest].each do |role| + context "when the role is #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + end + + context 'with non member' do + let(:current_user) { non_member } + + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + + context 'with anonymous' do + let(:current_user) { anonymous } + + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + end + + context 'when the "Security & Compliance" is not enabled' do + before do + project.project_feature.update!(security_and_compliance_access_level: Featurable::DISABLED) + end + + %w[owner maintainer developer reporter guest].each do |role| + context "when the role is #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + end + + context 'with admin' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + end + + context 'with non member' do + let(:current_user) { non_member } + + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + + context 'with anonymous' do + let(:current_user) { anonymous } + + it { is_expected.to be_disallowed(:access_security_and_compliance) } + end + end + end end |