[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb

Signed-off-by: Rémy Coutable <remy@rymai.me>
author: Rémy Coutable <remy@rymai.me> 2019-03-26 12:31:47 +0100
committer: Rémy Coutable <remy@rymai.me> 2019-03-27 15:41:46 +0100
commit: 1983d05ccd6f7484ed1634d744ac0f414c4967ff (patch)
tree: ce4748266840cf21869d0a0ff2142cb3274bd6c6 /spec/support
parent: 9aca2ccfd2baef52b09834bf913c7a92d6d04034 (diff)
download: gitlab-ce-1983d05ccd6f7484ed1634d744ac0f414c4967ff.tar.gz
2 files changed, 327 insertions, 0 deletions
diff --git a/spec/support/shared_context/policies/project_policy_shared_context.rb b/spec/support/shared_context/policies/project_policy_shared_context.rb
new file mode 100644
index 00000000000..2c71aabd292
--- /dev/null
+++ b/spec/support/shared_context/policies/project_policy_shared_context.rb
@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+RSpec.shared_context 'ProjectPolicy context' do
+  set(:guest) { create(:user) }
+  set(:reporter) { create(:user) }
+  set(:developer) { create(:user) }
+  set(:maintainer) { create(:user) }
+  set(:owner) { create(:user) }
+  set(:admin) { create(:admin) }
+  let(:project) { create(:project, :public, namespace: owner.namespace) }
+
+  let(:base_guest_permissions) do
+    %i[
+      read_project read_board read_list read_wiki read_issue
+      read_project_for_iids read_issue_iid read_label
+      read_milestone read_project_snippet read_project_member read_note
+      create_project create_issue create_note upload_file create_merge_request_in
+      award_emoji read_release
+    ]
+  end
+
+  let(:base_reporter_permissions) do
+    %i[
+      download_code fork_project create_project_snippet update_issue
+      admin_issue admin_label admin_list read_commit_status read_build
+      read_container_image read_pipeline read_environment read_deployment
+      read_merge_request download_wiki_code read_sentry_issue
+    ]
+  end
+
+  let(:team_member_reporter_permissions) do
+    %i[build_download_code build_read_container_image]
+  end
+
+  let(:developer_permissions) do
+    %i[
+      admin_milestone admin_merge_request update_merge_request create_commit_status
+      update_commit_status create_build update_build create_pipeline
+      update_pipeline create_merge_request_from create_wiki push_code
+      resolve_note create_container_image update_container_image
+      create_environment create_deployment create_release update_release
+    ]
+  end
+
+  let(:base_maintainer_permissions) do
+    %i[
+      push_to_delete_protected_branch update_project_snippet update_environment
+      update_deployment admin_project_snippet admin_project_member admin_note admin_wiki admin_project
+      admin_commit_status admin_build admin_container_image
+      admin_pipeline admin_environment admin_deployment destroy_release add_cluster
+      daily_statistics
+    ]
+  end
+
+  let(:public_permissions) do
+    %i[
+      download_code fork_project read_commit_status read_pipeline
+      read_container_image build_download_code build_read_container_image
+      download_wiki_code read_release
+    ]
+  end
+
+  let(:base_owner_permissions) do
+    %i[
+      change_namespace change_visibility_level rename_project remove_project
+      archive_project remove_fork_project destroy_merge_request destroy_issue
+      set_issue_iid set_issue_created_at set_note_created_at
+    ]
+  end
+
+  # Used in EE specs
+  let(:additional_guest_permissions) { [] }
+  let(:additional_reporter_permissions) { [] }
+  let(:additional_maintainer_permissions) { [] }
+  let(:additional_owner_permissions) { [] }
+
+  let(:guest_permissions) { base_guest_permissions + additional_guest_permissions }
+  let(:reporter_permissions) { base_reporter_permissions + additional_reporter_permissions }
+  let(:maintainer_permissions) { base_maintainer_permissions + additional_maintainer_permissions }
+  let(:owner_permissions) { base_owner_permissions + additional_owner_permissions }
+
+  before do
+    project.add_guest(guest)
+    project.add_maintainer(maintainer)
+    project.add_developer(developer)
+    project.add_reporter(reporter)
+  end
+
+  def expect_allowed(*permissions)
+    permissions.each { |p| is_expected.to be_allowed(p) }
+  end
+
+  def expect_disallowed(*permissions)
+    permissions.each { |p| is_expected.not_to be_allowed(p) }
+  end
+end
diff --git a/spec/support/shared_examples/policies/project_policy_shared_examples.rb b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
new file mode 100644
index 00000000000..7a71e2ee370
--- /dev/null
+++ b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
@@ -0,0 +1,231 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'archived project policies' do
+  let(:feature_write_abilities) do
+    described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
+      described_class.create_update_admin_destroy(feature)
+    end + additional_reporter_permissions + additional_maintainer_permissions
+  end
+
+  let(:other_write_abilities) do
+    %i[
+      create_merge_request_in
+      create_merge_request_from
+      push_to_delete_protected_branch
+      push_code
+      request_access
+      upload_file
+      resolve_note
+      award_emoji
+    ]
+  end
+
+  context 'when the project is archived' do
+    before do
+      project.archived = true
+    end
+
+    it 'disables write actions on all relevant project features' do
+      expect_disallowed(*feature_write_abilities)
+    end
+
+    it 'disables some other important write actions' do
+      expect_disallowed(*other_write_abilities)
+    end
+
+    it 'does not disable other abilities' do
+      expect_allowed(*(regular_abilities - feature_write_abilities - other_write_abilities))
+    end
+  end
+end
+
+RSpec.shared_examples 'project policies as anonymous' do
+  context 'abilities for public projects' do
+    context 'when a project has pending invites' do
+      let(:group) { create(:group, :public) }
+      let(:project) { create(:project, :public, namespace: group) }
+      let(:user_permissions) { [:create_merge_request_in, :create_project, :create_issue, :create_note, :upload_file, :award_emoji] }
+      let(:anonymous_permissions) { guest_permissions - user_permissions }
+
+      subject { described_class.new(nil, project) }
+
+      before do
+        create(:group_member, :invited, group: group)
+      end
+
+      it 'does not grant owner access' do
+        expect_allowed(*anonymous_permissions)
+        expect_disallowed(*user_permissions)
+      end
+
+      it_behaves_like 'archived project policies' do
+        let(:regular_abilities) { anonymous_permissions }
+      end
+    end
+  end
+
+  context 'abilities for non-public projects' do
+    let(:project) { create(:project, namespace: owner.namespace) }
+
+    subject { described_class.new(nil, project) }
+
+    it { is_expected.to be_banned }
+  end
+end
+
+RSpec.shared_examples 'project policies as guest' do
+  subject { described_class.new(guest, project) }
+
+  context 'abilities for non-public projects' do
+    let(:project) { create(:project, namespace: owner.namespace) }
+    let(:reporter_public_build_permissions) do
+      reporter_permissions - [:read_build, :read_pipeline]
+    end
+
+    it do
+      expect_allowed(*guest_permissions)
+      expect_disallowed(*reporter_public_build_permissions)
+      expect_disallowed(*team_member_reporter_permissions)
+      expect_disallowed(*developer_permissions)
+      expect_disallowed(*maintainer_permissions)
+      expect_disallowed(*owner_permissions)
+    end
+
+    it_behaves_like 'archived project policies' do
+      let(:regular_abilities) { guest_permissions }
+    end
+
+    context 'public builds enabled' do
+      it do
+        expect_allowed(*guest_permissions)
+        expect_allowed(:read_build, :read_pipeline)
+      end
+    end
+
+    context 'when public builds disabled' do
+      before do
+        project.update(public_builds: false)
+      end
+
+      it do
+        expect_allowed(*guest_permissions)
+        expect_disallowed(:read_build, :read_pipeline)
+      end
+    end
+
+    context 'when builds are disabled' do
+      before do
+        project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
+      end
+
+      it do
+        expect_disallowed(:read_build)
+        expect_allowed(:read_pipeline)
+      end
+    end
+  end
+end
+
+RSpec.shared_examples 'project policies as reporter' do
+  context 'abilities for non-public projects' do
+    let(:project) { create(:project, namespace: owner.namespace) }
+
+    subject { described_class.new(reporter, project) }
+
+    it do
+      expect_allowed(*guest_permissions)
+      expect_allowed(*reporter_permissions)
+      expect_allowed(*team_member_reporter_permissions)
+      expect_disallowed(*developer_permissions)
+      expect_disallowed(*maintainer_permissions)
+      expect_disallowed(*owner_permissions)
+    end
+
+    it_behaves_like 'archived project policies' do
+      let(:regular_abilities) { reporter_permissions }
+    end
+  end
+end
+
+RSpec.shared_examples 'project policies as developer' do
+  context 'abilities for non-public projects' do
+    let(:project) { create(:project, namespace: owner.namespace) }
+    subject { described_class.new(developer, project) }
+
+    it do
+      expect_allowed(*guest_permissions)
+      expect_allowed(*reporter_permissions)
+      expect_allowed(*team_member_reporter_permissions)
+      expect_allowed(*developer_permissions)
+      expect_disallowed(*maintainer_permissions)
+      expect_disallowed(*owner_permissions)
+    end
+
+    it_behaves_like 'archived project policies' do
+      let(:regular_abilities) { developer_permissions }
+    end
+  end
+end
+
+RSpec.shared_examples 'project policies as maintainer' do
+  context 'abilities for non-public projects' do
+    let(:project) { create(:project, namespace: owner.namespace) }
+
+    subject { described_class.new(maintainer, project) }
+
+    it do
+      expect_allowed(*guest_permissions)
+      expect_allowed(*reporter_permissions)
+      expect_allowed(*team_member_reporter_permissions)
+      expect_allowed(*developer_permissions)
+      expect_allowed(*maintainer_permissions)
+      expect_disallowed(*owner_permissions)
+    end
+
+    it_behaves_like 'archived project policies' do
+      let(:regular_abilities) { maintainer_permissions }
+    end
+  end
+end
+
+RSpec.shared_examples 'project policies as owner' do
+  context 'abilities for non-public projects' do
+    let(:project) { create(:project, namespace: owner.namespace) }
+
+    subject { described_class.new(owner, project) }
+
+    it do
+      expect_allowed(*guest_permissions)
+      expect_allowed(*reporter_permissions)
+      expect_allowed(*team_member_reporter_permissions)
+      expect_allowed(*developer_permissions)
+      expect_allowed(*maintainer_permissions)
+      expect_allowed(*owner_permissions)
+    end
+
+    it_behaves_like 'archived project policies' do
+      let(:regular_abilities) { owner_permissions }
+    end
+  end
+end
+
+RSpec.shared_examples 'project policies as admin' do
+  context 'abilities for non-public projects' do
+    let(:project) { create(:project, namespace: owner.namespace) }
+
+    subject { described_class.new(admin, project) }
+
+    it do
+      expect_allowed(*guest_permissions)
+      expect_allowed(*reporter_permissions)
+      expect_disallowed(*team_member_reporter_permissions)
+      expect_allowed(*developer_permissions)
+      expect_allowed(*maintainer_permissions)
+      expect_allowed(*owner_permissions)
+    end
+
+    it_behaves_like 'archived project policies' do
+      let(:regular_abilities) { owner_permissions }
+    end
+  end
+end
author	Rémy Coutable <remy@rymai.me>	2019-03-26 12:31:47 +0100
committer	Rémy Coutable <remy@rymai.me>	2019-03-27 15:41:46 +0100
commit	1983d05ccd6f7484ed1634d744ac0f414c4967ff (patch)
tree	ce4748266840cf21869d0a0ff2142cb3274bd6c6 /spec/support
parent	9aca2ccfd2baef52b09834bf913c7a92d6d04034 (diff)
download	gitlab-ce-1983d05ccd6f7484ed1634d744ac0f414c4967ff.tar.gz