Diffstat (limited to 'spec/controllers/projects')
-rw-r--r--spec/controllers/projects/artifacts_controller_spec.rb38
-rw-r--r--spec/controllers/projects/pipeline_schedules_controller_spec.rb104
2 files changed, 104 insertions, 38 deletions
diff --git a/spec/controllers/projects/artifacts_controller_spec.rb b/spec/controllers/projects/artifacts_controller_spec.rb
index f410c16b30b..433114f3e64 100644
--- a/spec/controllers/projects/artifacts_controller_spec.rb
+++ b/spec/controllers/projects/artifacts_controller_spec.rb
@@ -204,6 +204,44 @@ RSpec.describe Projects::ArtifactsController do
end
end
end
+
+ context 'when downloading a debug trace' do
+ let(:file_type) { 'trace' }
+ let(:job) { create(:ci_build, :success, :trace_artifact, pipeline: pipeline) }
+
+ before do
+ create(:ci_job_variable, key: 'CI_DEBUG_TRACE', value: 'true', job: job)
+ end
+
+ context 'when the user does not have update_build permissions' do
+ let(:user) { create(:user) }
+
+ before do
+ project.add_guest(user)
+ end
+
+ render_views
+
+ it 'denies the user access' do
+ download_artifact(file_type: file_type)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ expect(response.body).to include(
+ 'You must have developer or higher permissions in the associated project to view job logs when debug trace is enabled. ' \
+ 'To disable debug trace, set the 'CI_DEBUG_TRACE' variable to 'false' in your pipeline configuration or CI/CD settings. ' \
+ 'If you need to view this job log, a project maintainer must add you to the project with developer permissions or higher.'
+ )
+ end
+ end
+
+ context 'when the user has update_build permissions' do
+ it 'sends the trace' do
+ download_artifact(file_type: file_type)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
end
describe 'GET browse' do
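Review bot: The denial case at L28–L47 only exercises a guest, while the asserted message puts the threshold at developer-or-higher, so the reporter role — the highest one that must still be denied — is not covered; add a sibling context with `project.add_reporter(user)` and the same forbidden expectation. The allowed case at L49–L55 relies on the outer `user`, defined outside this hunk, whose role is not visible here; giving that context its own developer (`let(:user) { create(:user) }` plus `project.add_developer(user)` in a `before`) would pin the boundary from both sides. As rendered, L43 has bare single quotes around `CI_DEBUG_TRACE` and `false` inside a single-quoted literal, which would not parse; if the source holds escaped quotes or HTML entities that the viewer decoded this is fine, but it is worth confirming.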
diff --git a/spec/controllers/projects/pipeline_schedules_controller_spec.rb b/spec/controllers/projects/pipeline_schedules_controller_spec.rb
index d86f38c1f0b..77acd5fe13c 100644
--- a/spec/controllers/projects/pipeline_schedules_controller_spec.rb
+++ b/spec/controllers/projects/pipeline_schedules_controller_spec.rb
@@ -13,10 +13,43 @@ RSpec.describe Projects::PipelineSchedulesController do
project.add_developer(user)
end
+ shared_examples 'access update schedule' do
+ describe 'security' do
+ it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+ expect { go }.to be_allowed_for(:admin)
+ end
+
+ it 'is denied for admin when admin mode disabled' do
+ expect { go }.to be_denied_for(:admin)
+ end
+
+ it { expect { go }.to be_denied_for(:owner).of(project) }
+ it { expect { go }.to be_denied_for(:maintainer).of(project) }
+ it { expect { go }.to be_denied_for(:developer).of(project) }
+ it { expect { go }.to be_denied_for(:reporter).of(project) }
+ it { expect { go }.to be_denied_for(:guest).of(project) }
+ it { expect { go }.to be_denied_for(:user) }
+ it { expect { go }.to be_denied_for(:external) }
+ it { expect { go }.to be_denied_for(:visitor) }
+
+ context 'when user is schedule owner' do
+ it { expect { go }.to be_allowed_for(:owner).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_allowed_for(:maintainer).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_allowed_for(:developer).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:reporter).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:guest).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:user).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:external).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:visitor).own(pipeline_schedule) }
+ end
+ end
+ end
+
describe 'GET #index' do
render_views
let(:scope) { nil }
+
let!(:inactive_pipeline_schedule) do
create(:ci_pipeline_schedule, :inactive, project: project)
end
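Review bot: The shared example at L66–L96 depends on the including group defining `go` and `pipeline_schedule`, and on the `.own(...)` matcher chain (defined elsewhere) to make the tested user the schedule owner, and none of that is stated; a header comment such as `# Requires the including group to define go (the request) and pipeline_schedule; the owner cases rely on the access matcher's own(...) chain.` would make the contract explicit. The name 'access update schedule' is also reused for the edit action later in this file, so a name that does not single out one action, e.g. `shared_examples 'pipeline schedule owner-only access' do`, would read better at both call sites.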
@@ -130,12 +163,15 @@ RSpec.describe Projects::PipelineSchedulesController do
it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
expect { go }.to be_allowed_for(:admin)
end
+
it 'is denied for admin when admin mode disabled' do
expect { go }.to be_denied_for(:admin)
end
+
it { expect { go }.to be_allowed_for(:owner).of(project) }
it { expect { go }.to be_allowed_for(:maintainer).of(project) }
it { expect { go }.to be_allowed_for(:developer).of(project) }
+
it { expect { go }.to be_denied_for(:reporter).of(project) }
it { expect { go }.to be_denied_for(:guest).of(project) }
it { expect { go }.to be_denied_for(:user) }
@@ -284,20 +320,7 @@ RSpec.describe Projects::PipelineSchedulesController do
describe 'security' do
let(:schedule) { { description: 'updated_desc' } }
- it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
- expect { go }.to be_allowed_for(:admin)
- end
- it 'is denied for admin when admin mode disabled' do
- expect { go }.to be_denied_for(:admin)
- end
- it { expect { go }.to be_allowed_for(:owner).of(project) }
- it { expect { go }.to be_allowed_for(:maintainer).of(project) }
- it { expect { go }.to be_allowed_for(:developer).of(project).own(pipeline_schedule) }
- it { expect { go }.to be_denied_for(:reporter).of(project) }
- it { expect { go }.to be_denied_for(:guest).of(project) }
- it { expect { go }.to be_denied_for(:user) }
- it { expect { go }.to be_denied_for(:external) }
- it { expect { go }.to be_denied_for(:visitor) }
+ it_behaves_like 'access update schedule'
context 'when a developer created a pipeline schedule' do
let(:developer_1) { create(:user) }
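Review bot: The `it_behaves_like` at L138 sits inside the existing `describe 'security'` at L122, while the shared example opens its own `describe 'security'`, so generated example names for the update action read "security security …"; the edit action later in this file drops its wrapper instead, which is inconsistent between the two call sites. Either remove the inner `describe` from the shared example or hoist `let(:schedule)` and the creator contexts so the wrapper here can go too. The enclosing describe begins outside the hunk.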
@@ -308,8 +331,10 @@ RSpec.describe Projects::PipelineSchedulesController do
end
it { expect { go }.to be_allowed_for(developer_1) }
+
+ it { expect { go }.to be_denied_for(:owner).of(project) }
+ it { expect { go }.to be_denied_for(:maintainer).of(project) }
it { expect { go }.to be_denied_for(:developer).of(project) }
- it { expect { go }.to be_allowed_for(:maintainer).of(project) }
end
context 'when a maintainer created a pipeline schedule' do
@@ -321,17 +346,21 @@ RSpec.describe Projects::PipelineSchedulesController do
end
it { expect { go }.to be_allowed_for(maintainer_1) }
- it { expect { go }.to be_allowed_for(:maintainer).of(project) }
+
+ it { expect { go }.to be_denied_for(:owner).of(project) }
+ it { expect { go }.to be_denied_for(:maintainer).of(project) }
it { expect { go }.to be_denied_for(:developer).of(project) }
end
end
def go
- put :update, params: { namespace_id: project.namespace.to_param,
- project_id: project,
- id: pipeline_schedule,
- schedule: schedule },
- as: :html
+ put :update, params: {
+ namespace_id: project.namespace.to_param,
+ project_id: project,
+ id: pipeline_schedule,
+ schedule: schedule
+ },
+ as: :html
end
end
@@ -341,6 +370,7 @@ RSpec.describe Projects::PipelineSchedulesController do
before do
project.add_maintainer(user)
+ pipeline_schedule.update!(owner: user)
sign_in(user)
end
@@ -352,22 +382,7 @@ RSpec.describe Projects::PipelineSchedulesController do
end
end
- describe 'security' do
- it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
- expect { go }.to be_allowed_for(:admin)
- end
- it 'is denied for admin when admin mode disabled' do
- expect { go }.to be_denied_for(:admin)
- end
- it { expect { go }.to be_allowed_for(:owner).of(project) }
- it { expect { go }.to be_allowed_for(:maintainer).of(project) }
- it { expect { go }.to be_allowed_for(:developer).of(project).own(pipeline_schedule) }
- it { expect { go }.to be_denied_for(:reporter).of(project) }
- it { expect { go }.to be_denied_for(:guest).of(project) }
- it { expect { go }.to be_denied_for(:user) }
- it { expect { go }.to be_denied_for(:external) }
- it { expect { go }.to be_denied_for(:visitor) }
- end
+ it_behaves_like 'access update schedule'
def go
get :edit, params: { namespace_id: project.namespace.to_param, project_id: project, id: pipeline_schedule.id }
@@ -379,17 +394,30 @@ RSpec.describe Projects::PipelineSchedulesController do
it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
expect { go }.to be_allowed_for(:admin)
end
+
it 'is denied for admin when admin mode disabled' do
expect { go }.to be_denied_for(:admin)
end
+
it { expect { go }.to be_allowed_for(:owner).of(project) }
it { expect { go }.to be_allowed_for(:maintainer).of(project) }
- it { expect { go }.to be_allowed_for(:developer).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:developer).of(project) }
it { expect { go }.to be_denied_for(:reporter).of(project) }
it { expect { go }.to be_denied_for(:guest).of(project) }
it { expect { go }.to be_denied_for(:user) }
it { expect { go }.to be_denied_for(:external) }
it { expect { go }.to be_denied_for(:visitor) }
+
+ context 'when user is schedule owner' do
+ it { expect { go }.to be_denied_for(:owner).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:maintainer).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:developer).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:reporter).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:guest).of(project).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:user).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:external).own(pipeline_schedule) }
+ it { expect { go }.to be_denied_for(:visitor).own(pipeline_schedule) }
+ end
end
def go
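Review bot: The new context at L223–L232 denies the project owner and maintainer once they own the schedule, whereas L213–L214 allow the same roles when they do not, and nothing in the examples explains the inversion; since the describe that names the action starts outside the hunk, a reader of these lines alone will take it for a regression. Presumably the action is not meaningful for the current owner; a one-line comment on the context, such as `# the current owner is intentionally excluded from this action — see the <ACTION> rule in the pipeline schedule policy` with the real action filled in, would document the intent. `def go` at L234 continues outside the hunk.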