diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-20 14:34:42 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-20 14:34:42 +0000 |
commit | 9f46488805e86b1bc341ea1620b866016c2ce5ed (patch) | |
tree | f9748c7e287041e37d6da49e0a29c9511dc34768 /spec/policies | |
parent | dfc92d081ea0332d69c8aca2f0e745cb48ae5e6d (diff) | |
download | gitlab-ce-9f46488805e86b1bc341ea1620b866016c2ce5ed.tar.gz |
Add latest changes from gitlab-org/gitlab@13-0-stable-ee
Diffstat (limited to 'spec/policies')
20 files changed, 772 insertions, 97 deletions
diff --git a/spec/policies/alert_management/alert_policy_spec.rb b/spec/policies/alert_management/alert_policy_spec.rb new file mode 100644 index 00000000000..0d7624a0142 --- /dev/null +++ b/spec/policies/alert_management/alert_policy_spec.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe AlertManagement::AlertPolicy, :models do + let(:alert) { create(:alert_management_alert) } + let(:project) { alert.project } + let(:user) { create(:user) } + + subject(:policy) { described_class.new(user, alert) } + + describe 'rules' do + it { is_expected.to be_disallowed :read_alert_management_alert } + it { is_expected.to be_disallowed :update_alert_management_alert } + + context 'when developer' do + before do + project.add_developer(user) + end + + it { is_expected.to be_allowed :read_alert_management_alert } + it { is_expected.to be_allowed :update_alert_management_alert } + end + end +end diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb index e15221492c3..67f7452528a 100644 --- a/spec/policies/base_policy_spec.rb +++ b/spec/policies/base_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -describe BasePolicy, :do_not_mock_admin_mode do +describe BasePolicy do include ExternalAuthorizationServiceHelpers include AdminModeHelper diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb index 20c8a55f437..e48dd751a8f 100644 --- a/spec/policies/blob_policy_spec.rb +++ b/spec/policies/blob_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -describe BlobPolicy do +describe BlobPolicy, :enable_admin_mode do include_context 'ProjectPolicyTable context' include ProjectHelpers using RSpec::Parameterized::TableSyntax diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb index 333f4e560cf..f29ed26f2aa 100644 --- a/spec/policies/ci/build_policy_spec.rb +++ b/spec/policies/ci/build_policy_spec.rb @@ -176,15 +176,21 @@ describe Ci::BuildPolicy do end context 'when developers can push to the branch' do - before do - create(:protected_branch, :developers_can_push, - name: build.ref, project: project) - end - context 'when the build was created by the developer' do let(:owner) { user } - it { expect(policy).to be_allowed :erase_build } + context 'when the build was created for a protected ref' do + before do + create(:protected_branch, :developers_can_push, + name: build.ref, project: project) + end + + it { expect(policy).to be_disallowed :erase_build } + end + + context 'when the build was created for an unprotected ref' do + it { expect(policy).to be_allowed :erase_build } + end end context 'when the build was created by the other' do diff --git a/spec/policies/clusters/cluster_policy_spec.rb b/spec/policies/clusters/cluster_policy_spec.rb index 55c3351a171..26cfc19862a 100644 --- a/spec/policies/clusters/cluster_policy_spec.rb +++ b/spec/policies/clusters/cluster_policy_spec.rb @@ -80,8 +80,15 @@ describe Clusters::ClusterPolicy, :models do context 'when admin' do let(:user) { create(:admin) } - it { expect(policy).to be_allowed :update_cluster } - it { expect(policy).to be_allowed :admin_cluster } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :update_cluster } + it { expect(policy).to be_allowed :admin_cluster } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :update_cluster } + it { expect(policy).to be_disallowed :admin_cluster } + end end end end diff --git a/spec/policies/clusters/instance_policy_spec.rb b/spec/policies/clusters/instance_policy_spec.rb index 2373fef8aa6..dfe480d7fa4 100644 --- a/spec/policies/clusters/instance_policy_spec.rb +++ b/spec/policies/clusters/instance_policy_spec.rb @@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do context 'when admin' do let(:user) { create(:admin) } - it { expect(policy).to be_allowed :read_cluster } - it { expect(policy).to be_allowed :add_cluster } - it { expect(policy).to be_allowed :create_cluster } - it { expect(policy).to be_allowed :update_cluster } - it { expect(policy).to be_allowed :admin_cluster } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :read_cluster } + it { expect(policy).to be_allowed :add_cluster } + it { expect(policy).to be_allowed :create_cluster } + it { expect(policy).to be_allowed :update_cluster } + it { expect(policy).to be_allowed :admin_cluster } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :read_cluster } + it { expect(policy).to be_disallowed :add_cluster } + it { expect(policy).to be_disallowed :create_cluster } + it { expect(policy).to be_disallowed :update_cluster } + it { expect(policy).to be_disallowed :admin_cluster } + end end end end diff --git a/spec/policies/deploy_key_policy_spec.rb b/spec/policies/deploy_key_policy_spec.rb index aca93d8fe85..545647e2c67 100644 --- a/spec/policies/deploy_key_policy_spec.rb +++ b/spec/policies/deploy_key_policy_spec.rb @@ -42,16 +42,28 @@ describe DeployKeyPolicy do context 'when an admin user' do let(:current_user) { create(:user, :admin) } - context ' tries to update private deploy key' do + context 'tries to update private deploy key' do let(:deploy_key) { create(:deploy_key, public: false) } - it { is_expected.to be_allowed(:update_deploy_key) } + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:update_deploy_key) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:update_deploy_key) } + end end context 'when an admin user tries to update public deploy key' do let(:deploy_key) { create(:another_deploy_key, public: true) } - it { is_expected.to be_allowed(:update_deploy_key) } + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:update_deploy_key) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:update_deploy_key) } + end end end end diff --git a/spec/policies/design_management/design_policy_spec.rb b/spec/policies/design_management/design_policy_spec.rb new file mode 100644 index 00000000000..a566aecc4b7 --- /dev/null +++ b/spec/policies/design_management/design_policy_spec.rb @@ -0,0 +1,181 @@ +# frozen_string_literal: true +require 'spec_helper' + +describe DesignManagement::DesignPolicy do + include DesignManagementTestHelpers + + include_context 'ProjectPolicy context' + + let(:guest_design_abilities) { %i[read_design] } + let(:developer_design_abilities) do + %i[create_design destroy_design] + end + let(:design_abilities) { guest_design_abilities + developer_design_abilities } + + let(:issue) { create(:issue, project: project) } + let(:design) { create(:design, issue: issue) } + + subject(:design_policy) { described_class.new(current_user, design) } + + shared_examples_for "design abilities not available" do + context "for owners" do + let(:current_user) { owner } + + it { is_expected.to be_disallowed(*design_abilities) } + end + + context "for admins" do + let(:current_user) { admin } + + it { is_expected.to be_disallowed(*design_abilities) } + end + + context "for maintainers" do + let(:current_user) { maintainer } + + it { is_expected.to be_disallowed(*design_abilities) } + end + + context "for developers" do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(*design_abilities) } + end + + context "for reporters" do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(*design_abilities) } + end + + context "for guests" do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(*design_abilities) } + end + + context "for anonymous users" do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(*design_abilities) } + end + end + + shared_examples_for "design abilities available for members" do + context "for owners" do + let(:current_user) { owner } + + it { is_expected.to be_allowed(*design_abilities) } + end + + context "for admins" do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(*design_abilities) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_allowed(*guest_design_abilities) } + it { is_expected.to be_disallowed(*developer_design_abilities) } + end + end + + context "for maintainers" do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(*design_abilities) } + end + + context "for developers" do + let(:current_user) { developer } + + it { is_expected.to be_allowed(*design_abilities) } + end + + context "for reporters" do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(*guest_design_abilities) } + it { is_expected.to be_disallowed(*developer_design_abilities) } + end + end + + shared_examples_for "read-only design abilities" do + it { is_expected.to be_allowed(:read_design) } + it { is_expected.to be_disallowed(:create_design, :destroy_design) } + end + + context "when DesignManagement is not enabled" do + before do + enable_design_management(false) + end + + it_behaves_like "design abilities not available" + end + + context "when the feature is available" do + before do + enable_design_management + end + + it_behaves_like "design abilities available for members" + + context "for guests in private projects" do + let(:project) { create(:project, :private) } + let(:current_user) { guest } + + it { is_expected.to be_allowed(*guest_design_abilities) } + it { is_expected.to be_disallowed(*developer_design_abilities) } + end + + context "for anonymous users in public projects" do + let(:current_user) { nil } + + it { is_expected.to be_allowed(*guest_design_abilities) } + it { is_expected.to be_disallowed(*developer_design_abilities) } + end + + context "when the issue is confidential" do + let(:issue) { create(:issue, :confidential, project: project) } + + it_behaves_like "design abilities available for members" + + context "for guests" do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(*design_abilities) } + end + + context "for anonymous users" do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(*design_abilities) } + end + end + + context "when the issue is locked" do + let(:current_user) { owner } + let(:issue) { create(:issue, :locked, project: project) } + + it_behaves_like "read-only design abilities" + end + + context "when the issue has moved" do + let(:current_user) { owner } + let(:issue) { create(:issue, project: project, moved_to: create(:issue)) } + + it_behaves_like "read-only design abilities" + end + + context "when the project is archived" do + let(:current_user) { owner } + + before do + project.update!(archived: true) + end + + it_behaves_like "read-only design abilities" + end + end +end diff --git a/spec/policies/environment_policy_spec.rb b/spec/policies/environment_policy_spec.rb index a098b52023d..75fca464ec8 100644 --- a/spec/policies/environment_policy_spec.rb +++ b/spec/policies/environment_policy_spec.rb @@ -37,7 +37,13 @@ describe EnvironmentPolicy do context 'when an admin user' do let(:user) { create(:user, :admin) } - it { expect(policy).to be_allowed :stop_environment } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :stop_environment } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :stop_environment } + end end context 'with protected branch' do @@ -54,7 +60,13 @@ describe EnvironmentPolicy do context 'when an admin user' do let(:user) { create(:user, :admin) } - it { expect(policy).to be_allowed :stop_environment } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :stop_environment } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :stop_environment } + end end end end @@ -83,7 +95,13 @@ describe EnvironmentPolicy do context 'when an admin user' do let(:user) { create(:user, :admin) } - it { expect(policy).to be_allowed :stop_environment } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :stop_environment } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :stop_environment } + end end end @@ -126,7 +144,13 @@ describe EnvironmentPolicy do environment.stop! end - it { expect(policy).to be_allowed :destroy_environment } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :destroy_environment } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :destroy_environment } + end end end end diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index 5e77b64a408..e8ba4eed4ec 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -6,6 +6,7 @@ describe GlobalPolicy do include TermsHelper let_it_be(:project_bot) { create(:user, :project_bot) } + let_it_be(:migration_bot) { create(:user, :migration_bot) } let(:current_user) { create(:user) } let(:user) { create(:user) } @@ -80,6 +81,34 @@ describe GlobalPolicy do end end + describe 'create group' do + context 'when user has the ability to create group' do + let(:current_user) { create(:user, can_create_group: true) } + + it { is_expected.to be_allowed(:create_group) } + end + + context 'when user does not have the ability to create group' do + let(:current_user) { create(:user, can_create_group: false) } + + it { is_expected.not_to be_allowed(:create_group) } + end + end + + describe 'create group with default branch protection' do + context 'when user has the ability to create group' do + let(:current_user) { create(:user, can_create_group: true) } + + it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } + end + + context 'when user does not have the ability to create group' do + let(:current_user) { create(:user, can_create_group: false) } + + it { is_expected.not_to be_allowed(:create_group_with_default_branch_protection) } + end + end + describe 'custom attributes' do context 'regular user' do it { is_expected.not_to be_allowed(:read_custom_attribute) } @@ -89,8 +118,15 @@ describe GlobalPolicy do context 'admin' do let(:current_user) { create(:user, :admin) } - it { is_expected.to be_allowed(:read_custom_attribute) } - it { is_expected.to be_allowed(:update_custom_attribute) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_custom_attribute) } + it { is_expected.to be_allowed(:update_custom_attribute) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:read_custom_attribute) } + it { is_expected.to be_disallowed(:update_custom_attribute) } + end end end @@ -127,6 +163,12 @@ describe GlobalPolicy do it { is_expected.to be_allowed(:access_api) } end + context 'migration bot' do + let(:current_user) { migration_bot } + + it { is_expected.not_to be_allowed(:access_api) } + end + context 'when terms are enforced' do before do enforce_terms @@ -216,6 +258,12 @@ describe GlobalPolicy do it { is_expected.not_to be_allowed(:receive_notifications) } end + + context 'migration bot' do + let(:current_user) { migration_bot } + + it { is_expected.not_to be_allowed(:receive_notifications) } + end end describe 'git access' do @@ -235,6 +283,12 @@ describe GlobalPolicy do it { is_expected.to be_allowed(:access_git) } end + context 'migration bot' do + let(:current_user) { migration_bot } + + it { is_expected.to be_allowed(:access_git) } + end + describe 'deactivated user' do before do current_user.deactivate @@ -321,7 +375,13 @@ describe GlobalPolicy do stub_application_setting(instance_statistics_visibility_private: true) end - it { is_expected.to be_allowed(:read_instance_statistics) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_instance_statistics) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:read_instance_statistics) } + end end end @@ -386,6 +446,12 @@ describe GlobalPolicy do it { is_expected.to be_allowed(:use_slash_commands) } end + + context 'migration bot' do + let(:current_user) { migration_bot } + + it { is_expected.not_to be_allowed(:use_slash_commands) } + end end describe 'create_snippet' do @@ -412,5 +478,11 @@ describe GlobalPolicy do it { is_expected.not_to be_allowed(:log_in) } end + + context 'migration bot' do + let(:current_user) { migration_bot } + + it { is_expected.not_to be_allowed(:log_in) } + end end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 13f1bcb389a..9faddfd00e5 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -644,7 +644,13 @@ describe GroupPolicy do context 'admin' do let(:current_user) { admin } - it { expect_allowed(:update_max_artifacts_size) } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect_allowed(:update_max_artifacts_size) } + end + + context 'when admin mode is enabled' do + it { expect_disallowed(:update_max_artifacts_size) } + end end %w(guest reporter developer maintainer owner).each do |role| @@ -655,26 +661,4 @@ describe GroupPolicy do end end end - - it_behaves_like 'model with wiki policies' do - let(:container) { create(:group) } - - def set_access_level(access_level) - allow(container).to receive(:wiki_access_level).and_return(access_level) - end - - before do - stub_feature_flags(group_wiki: true) - end - - context 'when the feature flag is disabled' do - before do - stub_feature_flags(group_wiki: false) - end - - it 'does not include the wiki permissions' do - expect_disallowed(*permissions) - end - end - end end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index 242a002bc23..9d52079e4be 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -206,11 +206,25 @@ describe IssuePolicy do it 'allows guests to comment' do expect(permissions(guest, issue)).to be_allowed(:create_note) end - it 'allows admins to view' do - expect(permissions(admin, issue)).to be_allowed(:read_issue) + + context 'when admin mode is enabled', :enable_admin_mode do + it 'allows admins to view' do + expect(permissions(admin, issue)).to be_allowed(:read_issue) + end + + it 'allows admins to comment' do + expect(permissions(admin, issue)).to be_allowed(:create_note) + end end - it 'allows admins to comment' do - expect(permissions(admin, issue)).to be_allowed(:create_note) + + context 'when admin mode is disabled' do + it 'forbids admins to view' do + expect(permissions(admin, issue)).to be_disallowed(:read_issue) + end + + it 'forbids admins to comment' do + expect(permissions(admin, issue)).to be_disallowed(:create_note) + end end end diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 287325e96df..31ced5db953 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -21,7 +21,7 @@ describe MergeRequestPolicy do project.add_developer(developer) end - MR_PERMS = %i[create_merge_request_in + mr_perms = %i[create_merge_request_in create_merge_request_from read_merge_request create_note].freeze @@ -29,7 +29,7 @@ describe MergeRequestPolicy do shared_examples_for 'a denied user' do let(:perms) { permissions(subject, merge_request) } - MR_PERMS.each do |thing| + mr_perms.each do |thing| it "cannot #{thing}" do expect(perms).to be_disallowed(thing) end @@ -39,7 +39,7 @@ describe MergeRequestPolicy do shared_examples_for 'a user with access' do let(:perms) { permissions(subject, merge_request) } - MR_PERMS.each do |thing| + mr_perms.each do |thing| it "can #{thing}" do expect(perms).to be_allowed(thing) end diff --git a/spec/policies/namespace_policy_spec.rb b/spec/policies/namespace_policy_spec.rb index c0a5119c550..01162dc0fc4 100644 --- a/spec/policies/namespace_policy_spec.rb +++ b/spec/policies/namespace_policy_spec.rb @@ -40,6 +40,12 @@ describe NamespacePolicy do context 'admin' do let(:current_user) { admin } - it { is_expected.to be_allowed(*owner_permissions) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(*owner_permissions) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(*owner_permissions) } + end end end diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb index e9dd5ee1c51..1e3bd0d9147 100644 --- a/spec/policies/note_policy_spec.rb +++ b/spec/policies/note_policy_spec.rb @@ -295,8 +295,16 @@ describe NotePolicy do expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) end - it 'allows admins to read all notes and admin them' do - expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) + context 'when admin mode is enabled', :enable_admin_mode do + it 'allows admins to read all notes and admin them' do + expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) + end + end + + context 'when admin mode is disabled' do + it 'does not allow non members to read confidential notes and replies' do + expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji) + end end it 'allows noteable author to read and resolve all notes' do diff --git a/spec/policies/personal_snippet_policy_spec.rb b/spec/policies/personal_snippet_policy_spec.rb index a6b76620c29..5fc48717d86 100644 --- a/spec/policies/personal_snippet_policy_spec.rb +++ b/spec/policies/personal_snippet_policy_spec.rb @@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do described_class.new(user, snippet) end - shared_examples 'admin access' do - context 'admin user' do + shared_examples 'admin access with admin mode' do + context 'admin user', :enable_admin_mode do subject { permissions(admin_user) } it do @@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do end end - it_behaves_like 'admin access' + it_behaves_like 'admin access with admin mode' end context 'internal snippet' do @@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do end end - it_behaves_like 'admin access' + it_behaves_like 'admin access with admin mode' end context 'private snippet' do @@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do end end - it_behaves_like 'admin access' + it_behaves_like 'admin access with admin mode' end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index db643e3a31f..09d54eb9df6 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -29,6 +29,7 @@ describe ProjectPolicy do admin_issue admin_label admin_list read_commit_status read_build read_container_image read_pipeline read_environment read_deployment read_merge_request download_wiki_code read_sentry_issue read_metrics_dashboard_annotation + metrics_dashboard ] end @@ -41,7 +42,7 @@ describe ProjectPolicy do admin_tag admin_milestone admin_merge_request update_merge_request create_commit_status update_commit_status create_build update_build create_pipeline update_pipeline create_merge_request_from create_wiki push_code - resolve_note create_container_image update_container_image destroy_container_image + resolve_note create_container_image update_container_image destroy_container_image daily_statistics create_environment update_environment create_deployment update_deployment create_release update_release create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation ] @@ -53,7 +54,7 @@ describe ProjectPolicy do admin_snippet admin_project_member admin_note admin_wiki admin_project admin_commit_status admin_build admin_container_image admin_pipeline admin_environment admin_deployment destroy_release add_cluster - daily_statistics read_deploy_token create_deploy_token destroy_deploy_token + read_deploy_token create_deploy_token destroy_deploy_token admin_terraform_state ] end @@ -123,6 +124,7 @@ describe ProjectPolicy do it_behaves_like 'model with wiki policies' do let(:container) { project } + let_it_be(:user) { owner } def set_access_level(access_level) project.project_feature.update_attribute(:wiki_access_level, access_level) @@ -216,16 +218,41 @@ describe ProjectPolicy do project.project_feature.update(builds_access_level: ProjectFeature::DISABLED) end - it 'disallows all permissions except pipeline when the feature is disabled' do - builds_permissions = [ - :create_build, :read_build, :update_build, :admin_build, :destroy_build, - :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, - :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, - :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment - ] + context 'without metrics_dashboard_allowed' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) + end - expect_disallowed(*builds_permissions) + it 'disallows all permissions except pipeline when the feature is disabled' do + builds_permissions = [ + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment + ] + + expect_disallowed(*builds_permissions) + end + end + + context 'with metrics_dashboard_allowed' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + it 'disallows all permissions except pipeline and read_environment when the feature is disabled' do + builds_permissions = [ + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment + ] + + expect_disallowed(*builds_permissions) + expect_allowed(:read_environment) + end end end @@ -250,20 +277,49 @@ describe ProjectPolicy do context 'repository feature' do subject { described_class.new(owner, project) } - it 'disallows all permissions when the feature is disabled' do + before do project.project_feature.update(repository_access_level: ProjectFeature::DISABLED) + end - repository_permissions = [ - :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, - :create_build, :read_build, :update_build, :admin_build, :destroy_build, - :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, - :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, - :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, - :destroy_release - ] + context 'without metrics_dashboard_allowed' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) + end - expect_disallowed(*repository_permissions) + it 'disallows all permissions when the feature is disabled' do + repository_permissions = [ + :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, + :destroy_release + ] + + expect_disallowed(*repository_permissions) + end + end + + context 'with metrics_dashboard_allowed' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + it 'disallows all permissions when the feature is disabled' do + repository_permissions = [ + :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, + :destroy_release + ] + + expect_disallowed(*repository_permissions) + expect_allowed(:read_environment) + end end end @@ -273,7 +329,8 @@ describe ProjectPolicy do it_behaves_like 'project policies as developer' it_behaves_like 'project policies as maintainer' it_behaves_like 'project policies as owner' - it_behaves_like 'project policies as admin' + it_behaves_like 'project policies as admin with admin mode' + it_behaves_like 'project policies as admin without admin mode' context 'when a public project has merge requests allowing access' do include ProjectForksHelper @@ -304,7 +361,7 @@ describe ProjectPolicy do expect_allowed(*maintainer_abilities) end - it 'dissallows abilities to a maintainer if the merge request was closed' do + it 'disallows abilities to a maintainer if the merge request was closed' do target_project.add_developer(user) merge_request.close! @@ -348,10 +405,24 @@ describe ProjectPolicy do expect(described_class.new(developer, project)).to be_allowed(:read_project) end - it 'does not check the external service for admins and allows access' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) + context 'with an admin' do + context 'when admin mode is enabled', :enable_admin_mode do + it 'does not check the external service and allows access' do + expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - expect(described_class.new(admin, project)).to be_allowed(:read_project) + expect(described_class.new(admin, project)).to be_allowed(:read_project) + end + end + + context 'when admin mode is disabled' do + it 'checks the external service and allows access' do + external_service_allow_access(admin, project) + + expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?) + + expect(described_class.new(admin, project)).to be_allowed(:read_project) + end + end end it 'prevents all but seeing a public project in a list when access is denied' do @@ -414,7 +485,13 @@ describe ProjectPolicy do context 'admin' do let(:current_user) { admin } - it { expect_allowed(:update_max_artifacts_size) } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect_allowed(:update_max_artifacts_size) } + end + + context 'when admin mode is disabled' do + it { expect_disallowed(:update_max_artifacts_size) } + end end %w(guest reporter developer maintainer owner).each do |role| @@ -446,7 +523,13 @@ describe ProjectPolicy do context 'with admin' do let(:current_user) { admin } - it { is_expected.to be_allowed(:read_prometheus_alerts) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_prometheus_alerts) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:read_prometheus_alerts) } + end end context 'with owner' do @@ -485,4 +568,232 @@ describe ProjectPolicy do it { is_expected.to be_disallowed(:read_prometheus_alerts) } end end + + describe 'metrics_dashboard feature' do + subject { described_class.new(current_user, project) } + + context 'public project' do + let(:project) { create(:project, :public) } + + context 'feature private' do + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + + context 'feature enabled' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) } + end + end + end + + context 'internal project' do + let(:project) { create(:project, :internal) } + + context 'feature private' do + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard)} + end + end + + context 'feature enabled' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + end + + context 'private project' do + let(:project) { create(:project, :private) } + + context 'feature private' do + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + + context 'feature enabled' do + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + end + + context 'feature disabled' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + end + + context 'deploy token access' do + let!(:project_deploy_token) do + create(:project_deploy_token, project: project, deploy_token: deploy_token) + end + + subject { described_class.new(deploy_token, project) } + + context 'a deploy token with read_package_registry scope' do + let(:deploy_token) { create(:deploy_token, read_package_registry: true) } + + it { is_expected.to be_allowed(:read_package) } + it { is_expected.to be_allowed(:read_project) } + it { is_expected.to be_disallowed(:create_package) } + end + + context 'a deploy token with write_package_registry scope' do + let(:deploy_token) { create(:deploy_token, write_package_registry: true) } + + it { is_expected.to be_allowed(:create_package) } + it { is_expected.to be_allowed(:read_project) } + it { is_expected.to be_disallowed(:destroy_package) } + end + end end diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb index c5077e119bc..3864666f587 100644 --- a/spec/policies/project_snippet_policy_spec.rb +++ b/spec/policies/project_snippet_policy_spec.rb @@ -235,9 +235,18 @@ describe ProjectSnippetPolicy do let(:snippet_visibility) { :private } let(:current_user) { create(:admin) } - it do - expect_allowed(:read_snippet, :create_note) - expect_allowed(*author_permissions) + context 'when admin mode is enabled', :enable_admin_mode do + it do + expect_allowed(:read_snippet, :create_note) + expect_allowed(*author_permissions) + end + end + + context 'when admin mode is disabled' do + it do + expect_disallowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end end end end diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb index 9da9d2ce49b..63c4bd05836 100644 --- a/spec/policies/user_policy_spec.rb +++ b/spec/policies/user_policy_spec.rb @@ -26,7 +26,13 @@ describe UserPolicy do context "when an admin user tries to destroy a regular user" do let(:current_user) { create(:user, :admin) } - it { is_expected.to be_allowed(ability) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(ability) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(ability) } + end end context "when an admin user tries to destroy a ghost user" do diff --git a/spec/policies/wiki_page_policy_spec.rb b/spec/policies/wiki_page_policy_spec.rb index e550ccf6d65..0dedccb6e88 100644 --- a/spec/policies/wiki_page_policy_spec.rb +++ b/spec/policies/wiki_page_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -describe WikiPagePolicy do +describe WikiPagePolicy, :enable_admin_mode do include_context 'ProjectPolicyTable context' include ProjectHelpers using RSpec::Parameterized::TableSyntax |