diff options
Diffstat (limited to 'spec/policies/merge_request_policy_spec.rb')
-rw-r--r-- | spec/policies/merge_request_policy_spec.rb | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 741a0db3009..c21e1244402 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -461,4 +461,34 @@ RSpec.describe MergeRequestPolicy do end end end + + context 'when the author of the merge request is banned', feature_category: :insider_threat do + let_it_be(:user) { create(:user) } + let_it_be(:admin) { create(:user, :admin) } + let_it_be(:author) { create(:user, :banned) } + let_it_be(:project) { create(:project, :public) } + let_it_be(:hidden_merge_request) { create(:merge_request, source_project: project, author: author) } + + it 'does not allow non-admin user to read the merge_request' do + expect(permissions(user, hidden_merge_request)).not_to be_allowed(:read_merge_request) + end + + it 'allows admin to read the merge_request', :enable_admin_mode do + expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request) + end + + context 'when the `hide_merge_requests_from_banned_users` feature flag is disabled' do + before do + stub_feature_flags(hide_merge_requests_from_banned_users: false) + end + + it 'allows non-admin users to read the merge_request' do + expect(permissions(user, hidden_merge_request)).to be_allowed(:read_merge_request) + end + + it 'allows admin users to read the merge_request', :enable_admin_mode do + expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request) + end + end + end end |