1 files changed, 80 insertions, 0 deletions

diff --git a/spec/policies/namespace/root_storage_statistics_policy_spec.rb b/spec/policies/namespace/root_storage_statistics_policy_spec.rb
new file mode 100644
index 00000000000..8d53050fffb
--- /dev/null
+++ b/spec/policies/namespace/root_storage_statistics_policy_spec.rb
@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Namespace::RootStorageStatisticsPolicy do
+  using RSpec::Parameterized::TableSyntax
+
+  describe '#rules' do
+    let(:statistics) { create(:namespace_root_storage_statistics, namespace: namespace) }
+    let(:user) { create(:user) }
+
+    subject { Ability.allowed?(user, :read_statistics, statistics) }
+
+    shared_examples 'deny anonymous users' do
+      context 'when the users is anonymous' do
+        let(:user) { nil }
+
+        it { is_expected.to be_falsey }
+      end
+    end
+
+    context 'when the namespace is a personal namespace' do
+      let(:owner) { create(:user) }
+      let(:namespace) { owner.namespace }
+
+      include_examples 'deny anonymous users'
+
+      context 'when the user is not the owner' do
+        it { is_expected.to be_falsey }
+      end
+
+      context 'when the user is the owner' do
+        let(:user) { owner }
+
+        it { is_expected.to be_truthy }
+      end
+    end
+
+    context 'when the namespace is a group' do
+      let(:user)     { create(:user) }
+      let(:external) { create(:user, :external) }
+
+      shared_examples 'allows only owners' do |group_type|
+        let(:group) { create(:group, visibility_level: Gitlab::VisibilityLevel.level_value(group_type.to_s)) }
+        let(:namespace) { group }
+
+        include_examples 'deny anonymous users'
+
+        where(:user_type, :outcome) do
+          [
+            [:non_member, false],
+            [:guest, false],
+            [:reporter, false],
+            [:developer, false],
+            [:maintainer, false],
+            [:owner, true]
+          ]
+        end
+
+        with_them do
+          before do
+            group.add_user(user, user_type) unless user_type == :non_member
+          end
+
+          it { is_expected.to eq(outcome) }
+
+          context 'when the user is external' do
+            let(:user) { external }
+
+            it { is_expected.to eq(outcome) }
+          end
+        end
+      end
+
+      include_examples 'allows only owners', :public
+      include_examples 'allows only owners', :private
+      include_examples 'allows only owners', :internal
+    end
+  end
+end