Addreses backend review suggestions

- Remove extra method for authorize_admin_project
- Ensure project presence
- Rename 'read_repo' to 'read_repository' to be more verbose

5 files changed, 55 insertions, 9 deletions

diff --git a/spec/factories/deploy_tokens.rb b/spec/factories/deploy_tokens.rb
index fa349e10ddc..7cce55a3e14 100644
--- a/spec/factories/deploy_tokens.rb
+++ b/spec/factories/deploy_tokens.rb
@@ -5,14 +5,14 @@ FactoryBot.define do
     sequence(:name) { |n| "PDT #{n}" }
     revoked false
     expires_at { 5.days.from_now }
-    scopes %w(read_repo read_registry)
+    scopes %w(read_repository read_registry)
 
     trait :revoked do
       revoked true
     end
 
-    trait :read_repo do
-      scopes ['read_repo']
+    trait :read_repository do
+      scopes ['read_repository']
     end
 
     trait :read_registry do
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 79984787e2a..f704c20f598 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -5,7 +5,7 @@ describe Gitlab::Auth do
 
   describe 'constants' do
     it 'API_SCOPES contains all scopes for API access' do
-      expect(subject::API_SCOPES).to eq %i[api read_user sudo read_repo]
+      expect(subject::API_SCOPES).to eq %i[api read_user sudo read_repository]
     end
 
     it 'OPENID_SCOPES contains all scopes for OpenID Connect' do
@@ -19,7 +19,7 @@ describe Gitlab::Auth do
     it 'optional_scopes contains all non-default scopes' do
       stub_container_registry_config(enabled: true)
 
-      expect(subject.optional_scopes).to eq %i[read_user sudo read_repo read_registry openid]
+      expect(subject.optional_scopes).to eq %i[read_user sudo read_repository read_registry openid]
     end
 
     context 'registry_scopes' do
@@ -260,10 +260,10 @@ describe Gitlab::Auth do
       let(:project) { create(:project) }
       let(:auth_failure) { Gitlab::Auth::Result.new(nil, nil) }
 
-      context 'when the deploy token has read_repo as scope' do
-        let(:deploy_token) { create(:deploy_token, :read_repo, project: project) }
+      context 'when the deploy token has read_repository as scope' do
+        let(:deploy_token) { create(:deploy_token, :read_repository, project: project) }
 
-        it 'succeeds when project is present, token is valid and has read_repo as scope' do
+        it 'succeeds when project is present, token is valid and has read_repository as scope' do
           abilities = %i(read_project download_code)
           auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, abilities)
 
diff --git a/spec/models/deploy_token_spec.rb b/spec/models/deploy_token_spec.rb
index 26d846ac6c8..50f6f441a58 100644
--- a/spec/models/deploy_token_spec.rb
+++ b/spec/models/deploy_token_spec.rb
@@ -4,6 +4,7 @@ describe DeployToken do
   let(:deploy_token) { create(:deploy_token) }
 
   it { is_expected.to belong_to :project }
+  it { is_expected.to validate_presence_of :project }
 
   describe 'validations' do
     context 'with no scopes defined' do
diff --git a/spec/policies/deploy_token_policy_spec.rb b/spec/policies/deploy_token_policy_spec.rb
new file mode 100644
index 00000000000..cbb5fb815a1
--- /dev/null
+++ b/spec/policies/deploy_token_policy_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe DeployTokenPolicy do
+  let(:current_user) { create(:user) }
+  let(:project) { create(:project) }
+  let(:deploy_token) { create(:deploy_token, project: project) }
+
+  subject { described_class.new(current_user, deploy_token) }
+
+  describe 'creating a deploy key' do
+    context 'when user is master' do
+      before do
+        project.add_master(current_user)
+      end
+
+      it { is_expected.to be_allowed(:create_deploy_token) }
+    end
+    
+    context 'when user is not master' do
+      before do
+        project.add_developer(current_user)
+      end
+
+      it { is_expected.to be_disallowed(:create_deploy_token) }
+    end
+  end
+
+  describe 'updating a deploy key' do
+    context 'when user is master' do
+      before do
+        project.add_master(current_user)
+      end
+
+      it { is_expected.to be_allowed(:update_deploy_token) }
+    end
+
+    context 'when user is not master' do
+      before do
+        project.add_developer(current_user)
+      end
+
+      it { is_expected.to be_disallowed(:update_deploy_token) }
+    end
+  end
+end
diff --git a/spec/presenters/projects/settings/deploy_tokens_presenter_spec.rb b/spec/presenters/projects/settings/deploy_tokens_presenter_spec.rb
index ca734019727..7bfe074ad30 100644
--- a/spec/presenters/projects/settings/deploy_tokens_presenter_spec.rb
+++ b/spec/presenters/projects/settings/deploy_tokens_presenter_spec.rb
@@ -9,7 +9,7 @@ describe Projects::Settings::DeployTokensPresenter do
 
   describe '#available_scopes' do
     it 'returns the all the deploy token scopes' do
-      expect(presenter.available_scopes).to match_array(%w(read_repo read_registry))
+      expect(presenter.available_scopes).to match_array(%w(read_repository read_registry))
     end
   end