summaryrefslogtreecommitdiff
path: root/spec/policies/project_policy_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies/project_policy_spec.rb')
-rw-r--r--spec/policies/project_policy_spec.rb142
1 files changed, 69 insertions, 73 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index f3c92751d06..59123c3695a 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
RSpec.describe ProjectPolicy do
include ExternalAuthorizationServiceHelpers
+ include AdminModeHelper
include_context 'ProjectPolicy context'
let(:project) { public_project }
@@ -70,7 +71,7 @@ RSpec.describe ProjectPolicy do
context 'when external tracker configured' do
it 'does not include the issues permissions' do
- create(:jira_service, project: project)
+ create(:jira_integration, project: project)
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident
end
@@ -1423,6 +1424,7 @@ RSpec.describe ProjectPolicy do
before do
current_user.set_ci_job_token_scope!(job)
+ scope_project.update!(ci_job_token_scope_enabled: true)
end
context 'when accessing a private project' do
@@ -1442,6 +1444,14 @@ RSpec.describe ProjectPolicy do
end
it { is_expected.to be_disallowed(:guest_access) }
+
+ context 'when job token scope is disabled' do
+ before do
+ scope_project.update!(ci_job_token_scope_enabled: false)
+ end
+
+ it { is_expected.to be_allowed(:guest_access) }
+ end
end
end
@@ -1462,6 +1472,14 @@ RSpec.describe ProjectPolicy do
end
it { is_expected.to be_disallowed(:public_access) }
+
+ context 'when job token scope is disabled' do
+ before do
+ scope_project.update!(ci_job_token_scope_enabled: false)
+ end
+
+ it { is_expected.to be_allowed(:public_access) }
+ end
end
end
end
@@ -1469,7 +1487,12 @@ RSpec.describe ProjectPolicy do
describe 'container_image policies' do
using RSpec::Parameterized::TableSyntax
- let(:guest_operations_permissions) { [:read_container_image] }
+ # These are permissions that admins should not have when the project is private
+ # or the container registry is private.
+ let(:admin_excluded_permissions) { [:build_read_container_image] }
+
+ let(:anonymous_operations_permissions) { [:read_container_image] }
+ let(:guest_operations_permissions) { anonymous_operations_permissions + [:build_read_container_image] }
let(:developer_operations_permissions) do
guest_operations_permissions + [
@@ -1483,47 +1506,67 @@ RSpec.describe ProjectPolicy do
]
end
+ let(:all_permissions) { maintainer_operations_permissions }
+
where(:project_visibility, :access_level, :role, :allowed) do
+ :public | ProjectFeature::ENABLED | :admin | true
+ :public | ProjectFeature::ENABLED | :owner | true
:public | ProjectFeature::ENABLED | :maintainer | true
:public | ProjectFeature::ENABLED | :developer | true
:public | ProjectFeature::ENABLED | :reporter | true
:public | ProjectFeature::ENABLED | :guest | true
:public | ProjectFeature::ENABLED | :anonymous | true
+ :public | ProjectFeature::PRIVATE | :admin | true
+ :public | ProjectFeature::PRIVATE | :owner | true
:public | ProjectFeature::PRIVATE | :maintainer | true
:public | ProjectFeature::PRIVATE | :developer | true
:public | ProjectFeature::PRIVATE | :reporter | true
:public | ProjectFeature::PRIVATE | :guest | false
:public | ProjectFeature::PRIVATE | :anonymous | false
+ :public | ProjectFeature::DISABLED | :admin | false
+ :public | ProjectFeature::DISABLED | :owner | false
:public | ProjectFeature::DISABLED | :maintainer | false
:public | ProjectFeature::DISABLED | :developer | false
:public | ProjectFeature::DISABLED | :reporter | false
:public | ProjectFeature::DISABLED | :guest | false
:public | ProjectFeature::DISABLED | :anonymous | false
+ :internal | ProjectFeature::ENABLED | :admin | true
+ :internal | ProjectFeature::ENABLED | :owner | true
:internal | ProjectFeature::ENABLED | :maintainer | true
:internal | ProjectFeature::ENABLED | :developer | true
:internal | ProjectFeature::ENABLED | :reporter | true
:internal | ProjectFeature::ENABLED | :guest | true
:internal | ProjectFeature::ENABLED | :anonymous | false
+ :internal | ProjectFeature::PRIVATE | :admin | true
+ :internal | ProjectFeature::PRIVATE | :owner | true
:internal | ProjectFeature::PRIVATE | :maintainer | true
:internal | ProjectFeature::PRIVATE | :developer | true
:internal | ProjectFeature::PRIVATE | :reporter | true
:internal | ProjectFeature::PRIVATE | :guest | false
:internal | ProjectFeature::PRIVATE | :anonymous | false
+ :internal | ProjectFeature::DISABLED | :admin | false
+ :internal | ProjectFeature::DISABLED | :owner | false
:internal | ProjectFeature::DISABLED | :maintainer | false
:internal | ProjectFeature::DISABLED | :developer | false
:internal | ProjectFeature::DISABLED | :reporter | false
:internal | ProjectFeature::DISABLED | :guest | false
:internal | ProjectFeature::DISABLED | :anonymous | false
+ :private | ProjectFeature::ENABLED | :admin | true
+ :private | ProjectFeature::ENABLED | :owner | true
:private | ProjectFeature::ENABLED | :maintainer | true
:private | ProjectFeature::ENABLED | :developer | true
:private | ProjectFeature::ENABLED | :reporter | true
:private | ProjectFeature::ENABLED | :guest | false
:private | ProjectFeature::ENABLED | :anonymous | false
+ :private | ProjectFeature::PRIVATE | :admin | true
+ :private | ProjectFeature::PRIVATE | :owner | true
:private | ProjectFeature::PRIVATE | :maintainer | true
:private | ProjectFeature::PRIVATE | :developer | true
:private | ProjectFeature::PRIVATE | :reporter | true
:private | ProjectFeature::PRIVATE | :guest | false
:private | ProjectFeature::PRIVATE | :anonymous | false
+ :private | ProjectFeature::DISABLED | :admin | false
+ :private | ProjectFeature::DISABLED | :owner | false
:private | ProjectFeature::DISABLED | :maintainer | false
:private | ProjectFeature::DISABLED | :developer | false
:private | ProjectFeature::DISABLED | :reporter | false
@@ -1535,96 +1578,49 @@ RSpec.describe ProjectPolicy do
let(:current_user) { send(role) }
let(:project) { send("#{project_visibility}_project") }
- it 'allows/disallows the abilities based on the container_registry feature access level' do
+ before do
+ enable_admin_mode!(admin) if role == :admin
project.project_feature.update!(container_registry_access_level: access_level)
+ end
+ it 'allows/disallows the abilities based on the container_registry feature access level' do
if allowed
expect_allowed(*permissions_abilities(role))
+ expect_disallowed(*(all_permissions - permissions_abilities(role)))
else
- expect_disallowed(*permissions_abilities(role))
+ expect_disallowed(*all_permissions)
+ end
+ end
+
+ it 'allows build_read_container_image to admins who are also team members' do
+ if allowed && role == :admin
+ project.add_reporter(current_user)
+
+ expect_allowed(:build_read_container_image)
end
end
def permissions_abilities(role)
case role
- when :maintainer
+ when :admin
+ if project_visibility == :private || access_level == ProjectFeature::PRIVATE
+ maintainer_operations_permissions - admin_excluded_permissions
+ else
+ maintainer_operations_permissions
+ end
+ when :maintainer, :owner
maintainer_operations_permissions
when :developer
developer_operations_permissions
- when :reporter, :guest, :anonymous
+ when :reporter, :guest
guest_operations_permissions
+ when :anonymous
+ anonymous_operations_permissions
else
raise "Unknown role #{role}"
end
end
end
-
- context 'with read_container_registry_access_level disabled' do
- before do
- stub_feature_flags(read_container_registry_access_level: false)
- end
-
- where(:project_visibility, :container_registry_enabled, :role, :allowed) do
- :public | true | :maintainer | true
- :public | true | :developer | true
- :public | true | :reporter | true
- :public | true | :guest | true
- :public | true | :anonymous | true
- :public | false | :maintainer | false
- :public | false | :developer | false
- :public | false | :reporter | false
- :public | false | :guest | false
- :public | false | :anonymous | false
- :internal | true | :maintainer | true
- :internal | true | :developer | true
- :internal | true | :reporter | true
- :internal | true | :guest | true
- :internal | true | :anonymous | false
- :internal | false | :maintainer | false
- :internal | false | :developer | false
- :internal | false | :reporter | false
- :internal | false | :guest | false
- :internal | false | :anonymous | false
- :private | true | :maintainer | true
- :private | true | :developer | true
- :private | true | :reporter | true
- :private | true | :guest | false
- :private | true | :anonymous | false
- :private | false | :maintainer | false
- :private | false | :developer | false
- :private | false | :reporter | false
- :private | false | :guest | false
- :private | false | :anonymous | false
- end
-
- with_them do
- let(:current_user) { send(role) }
- let(:project) { send("#{project_visibility}_project") }
-
- it 'allows/disallows the abilities based on container_registry_enabled' do
- project.update_column(:container_registry_enabled, container_registry_enabled)
-
- if allowed
- expect_allowed(*permissions_abilities(role))
- else
- expect_disallowed(*permissions_abilities(role))
- end
- end
-
- def permissions_abilities(role)
- case role
- when :maintainer
- maintainer_operations_permissions
- when :developer
- developer_operations_permissions
- when :reporter, :guest, :anonymous
- guest_operations_permissions
- else
- raise "Unknown role #{role}"
- end
- end
- end
- end
end
describe 'update_runners_registration_token' do
View Lorry Controller Status