diff options
Diffstat (limited to 'spec/policies/project_policy_spec.rb')
| -rw-r--r-- | spec/policies/project_policy_spec.rb | 119 |
1 files changed, 111 insertions, 8 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index b2fb310aca3..3759539677a 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorization do +RSpec.describe ProjectPolicy, feature_category: :system_access do include ExternalAuthorizationServiceHelpers include AdminModeHelper include_context 'ProjectPolicy context' @@ -441,6 +441,36 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end + context 'importing work items' do + %w(reporter developer maintainer owner).each do |role| + context "with #{role}" do + let(:current_user) { send(role) } + + it { is_expected.to be_allowed(:import_work_items) } + end + end + + %w(guest anonymous).each do |role| + context "with #{role}" do + let(:current_user) { send(role) } + + it { is_expected.to be_disallowed(:import_work_items) } + end + end + + context 'with an admin' do + let(:current_user) { admin } + + context 'when admin mode is enabled', :enable_admin_mode do + it { expect_allowed(:import_work_items) } + end + + context 'when admin mode is disabled' do + it { expect_disallowed(:import_work_items) } + end + end + end + context 'reading usage quotas' do %w(maintainer owner).each do |role| context "with #{role}" do @@ -1219,7 +1249,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio it { is_expected.to be_allowed(:create_package) } it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_project) } - it { is_expected.to be_disallowed(:destroy_package) } + it { is_expected.to be_allowed(:destroy_package) } it_behaves_like 'package access with repository disabled' end @@ -1400,6 +1430,28 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end + context 'infrastructure aws feature' do + %w(guest reporter developer).each do |role| + context role do + let(:current_user) { send(role) } + + it 'disallows managing aws' do + expect_disallowed(:admin_project_aws) + end + end + end + + %w(maintainer owner).each do |role| + context role do + let(:current_user) { send(role) } + + it 'allows managing aws' do + expect_allowed(:admin_project_aws) + end + end + end + end + describe 'design permissions' do include DesignManagementTestHelpers @@ -2275,6 +2327,12 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio describe 'infrastructure feature' do using RSpec::Parameterized::TableSyntax + before do + # assuming the default setting terraform_state.enabled=true + # the terraform_state permissions should follow the same logic as the other features + stub_config(terraform_state: { enabled: true }) + end + let(:guest_permissions) { [] } let(:developer_permissions) do @@ -2338,10 +2396,35 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end end + + context 'when terraform state management is disabled' do + before do + stub_config(terraform_state: { enabled: false }) + end + + with_them do + let(:current_user) { user_subject(role) } + let(:project) { project_subject(project_visibility) } + + let(:developer_permissions) do + [:read_terraform_state] + end + + let(:maintainer_permissions) do + developer_permissions + [:admin_terraform_state] + end + + it 'always disallows the terraform_state feature' do + project.project_feature.update!(infrastructure_access_level: access_level) + + expect_disallowed(*permissions_abilities(role)) + end + end + end end describe 'access_security_and_compliance' do - context 'when the "Security & Compliance" is enabled' do + context 'when the "Security and Compliance" is enabled' do before do project.project_feature.update!(security_and_compliance_access_level: Featurable::PRIVATE) end @@ -2387,7 +2470,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end - context 'when the "Security & Compliance" is not enabled' do + context 'when the "Security and Compliance" is not enabled' do before do project.project_feature.update!(security_and_compliance_access_level: Featurable::DISABLED) end @@ -2740,9 +2823,9 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end describe 'create_project_runners' do - context 'create_runner_workflow flag enabled' do + context 'create_runner_workflow_for_namespace flag enabled' do before do - stub_feature_flags(create_runner_workflow: true) + stub_feature_flags(create_runner_workflow_for_namespace: [project.namespace]) end context 'admin' do @@ -2810,9 +2893,9 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end - context 'create_runner_workflow flag disabled' do + context 'create_runner_workflow_for_namespace flag disabled' do before do - stub_feature_flags(create_runner_workflow: false) + stub_feature_flags(create_runner_workflow_for_namespace: [group]) end context 'admin' do @@ -2981,6 +3064,26 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end + describe 'add_catalog_resource' do + using RSpec::Parameterized::TableSyntax + + let(:current_user) { public_send(role) } + + where(:role, :allowed) do + :owner | true + :maintainer | false + :developer | false + :reporter | false + :guest | false + end + + with_them do + it do + expect(subject.can?(:add_catalog_resource)).to be(allowed) + end + end + end + describe 'read_code' do let(:current_user) { create(:user) } |