summaryrefslogtreecommitdiff
path: root/spec/policies/project_policy_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies/project_policy_spec.rb')
-rw-r--r--spec/policies/project_policy_spec.rb118
1 files changed, 55 insertions, 63 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 051a4420e73..f36b0a62aa3 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -840,6 +840,8 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_disallowed(:create_package) }
+
+ it_behaves_like 'package access with repository disabled'
end
context 'a deploy token with write_package_registry scope' do
@@ -849,6 +851,8 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_disallowed(:destroy_package) }
+
+ it_behaves_like 'package access with repository disabled'
end
end
@@ -1021,18 +1025,7 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_package) }
- context 'when repository is disabled' do
- before do
- project.project_feature.update!(
- # Disable merge_requests and builds as well, since merge_requests and
- # builds cannot have higher visibility than repository.
- merge_requests_access_level: ProjectFeature::DISABLED,
- builds_access_level: ProjectFeature::DISABLED,
- repository_access_level: ProjectFeature::DISABLED)
- end
-
- it { is_expected.to be_disallowed(:read_package) }
- end
+ it_behaves_like 'package access with repository disabled'
end
context 'with owner' do
@@ -1460,66 +1453,65 @@ RSpec.describe ProjectPolicy do
end
describe 'when user is authenticated via CI_JOB_TOKEN', :request_store do
- let(:current_user) { developer }
- let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
+ using RSpec::Parameterized::TableSyntax
- before do
- current_user.set_ci_job_token_scope!(job)
- scope_project.update!(ci_job_token_scope_enabled: true)
+ where(:project_visibility, :user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
+ :private | :reporter | false | :same | true | true
+ :private | :reporter | false | :same | false | true
+ :private | :reporter | false | :different | true | false
+ :private | :reporter | false | :different | false | true
+ :private | :guest | false | :same | true | true
+ :private | :guest | false | :same | false | true
+ :private | :guest | false | :different | true | false
+ :private | :guest | false | :different | false | true
+
+ :internal | :reporter | false | :same | true | true
+ :internal | :reporter | true | :same | true | true
+ :internal | :reporter | false | :same | false | true
+ :internal | :reporter | false | :different | true | true
+ :internal | :reporter | true | :different | true | false
+ :internal | :reporter | false | :different | false | true
+ :internal | :guest | false | :same | true | true
+ :internal | :guest | true | :same | true | true
+ :internal | :guest | false | :same | false | true
+ :internal | :guest | false | :different | true | true
+ :internal | :guest | true | :different | true | false
+ :internal | :guest | false | :different | false | true
+
+ :public | :reporter | false | :same | true | true
+ :public | :reporter | false | :same | false | true
+ :public | :reporter | false | :different | true | true
+ :public | :reporter | false | :different | false | true
+ :public | :guest | false | :same | true | true
+ :public | :guest | false | :same | false | true
+ :public | :guest | false | :different | true | true
+ :public | :guest | false | :different | false | true
end
- context 'when accessing a private project' do
- let(:project) { private_project }
-
- context 'when the job token comes from the same project' do
- let(:scope_project) { project }
-
- it { is_expected.to be_allowed(:developer_access) }
- end
-
- context 'when the job token comes from another project' do
- let(:scope_project) { create(:project, :private) }
-
- before do
- scope_project.add_developer(current_user)
- end
-
- it { is_expected.to be_disallowed(:guest_access) }
-
- context 'when job token scope is disabled' do
- before do
- scope_project.update!(ci_job_token_scope_enabled: false)
- end
+ with_them do
+ let(:current_user) { public_send(user_role) }
+ let(:project) { public_send("#{project_visibility}_project") }
+ let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
- it { is_expected.to be_allowed(:guest_access) }
+ let(:scope_project) do
+ if scope_project_type == :same
+ project
+ else
+ create(:project, :private)
end
end
- end
-
- context 'when accessing a public project' do
- let(:project) { public_project }
-
- context 'when the job token comes from the same project' do
- let(:scope_project) { project }
- it { is_expected.to be_allowed(:developer_access) }
+ before do
+ current_user.set_ci_job_token_scope!(job)
+ current_user.external = external_user
+ scope_project.update!(ci_job_token_scope_enabled: token_scope_enabled)
end
- context 'when the job token comes from another project' do
- let(:scope_project) { create(:project, :private) }
-
- before do
- scope_project.add_developer(current_user)
- end
-
- it { is_expected.to be_disallowed(:public_access) }
-
- context 'when job token scope is disabled' do
- before do
- scope_project.update!(ci_job_token_scope_enabled: false)
- end
-
- it { is_expected.to be_allowed(:public_access) }
+ it "enforces the expected permissions" do
+ if result
+ is_expected.to be_allowed("#{user_role}_access".to_sym)
+ else
+ is_expected.to be_disallowed("#{user_role}_access".to_sym)
end
end
end
View Lorry Controller Status