Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/environment_policy_spec.rb | 8 | ||||
-rw-r--r-- | spec/policies/global_policy_spec.rb | 40 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 27 | ||||
-rw-r--r-- | spec/policies/incident_management/timeline_event_policy_spec.rb | 60 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 12 | ||||
-rw-r--r-- | spec/policies/merge_request_policy_spec.rb | 62 | ||||
-rw-r--r-- | spec/policies/namespace/root_storage_statistics_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/namespaces/user_namespace_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 157 | ||||
-rw-r--r-- | spec/policies/project_statistics_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/work_item_policy_spec.rb | 29 |
11 files changed, 360 insertions, 41 deletions
diff --git a/spec/policies/environment_policy_spec.rb b/spec/policies/environment_policy_spec.rb index 649b1a770c0..701fc7ac9ae 100644 --- a/spec/policies/environment_policy_spec.rb +++ b/spec/policies/environment_policy_spec.rb @@ -28,7 +28,7 @@ RSpec.describe EnvironmentPolicy do with_them do before do - project.add_user(user, access_level) unless access_level.nil? + project.add_member(user, access_level) unless access_level.nil? end it { expect(policy.allowed?(:stop_environment)).to be allowed? } @@ -49,7 +49,7 @@ RSpec.describe EnvironmentPolicy do context 'with protected branch' do with_them do before do - project.add_user(user, access_level) unless access_level.nil? + project.add_member(user, access_level) unless access_level.nil? create(:protected_branch, :no_one_can_push, name: 'master', project: project) end @@ -86,7 +86,7 @@ RSpec.describe EnvironmentPolicy do with_them do before do - project.add_user(user, access_level) unless access_level.nil? + project.add_member(user, access_level) unless access_level.nil? end it { expect(policy.allowed?(:stop_environment)).to be allowed? } @@ -120,7 +120,7 @@ RSpec.describe EnvironmentPolicy do with_them do before do - project.add_user(user, access_level) unless access_level.nil? + project.add_member(user, access_level) unless access_level.nil? end it { expect(policy).to be_disallowed :destroy_environment } diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index 04d7eca6f09..da0427420e4 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -40,7 +40,7 @@ RSpec.describe GlobalPolicy do end context "for an admin" do - let(:current_user) { create(:admin) } + let_it_be(:current_user) { create(:admin) } context "when the public level is restricted" do before do 
@@ -118,7 +118,7 @@ RSpec.describe GlobalPolicy do end context 'admin' do - let(:current_user) { create(:user, :admin) } + let_it_be(:current_user) { create(:user, :admin) } context 'when admin mode is enabled', :enable_admin_mode do it { is_expected.to be_allowed(:read_custom_attribute) } @@ -138,7 +138,7 @@ RSpec.describe GlobalPolicy do end context 'admin' do - let(:current_user) { create(:admin) } + let_it_be(:current_user) { create(:admin) } context 'when admin mode is enabled', :enable_admin_mode do it { is_expected.to be_allowed(:approve_user) } @@ -156,7 +156,7 @@ RSpec.describe GlobalPolicy do end context 'admin' do - let(:current_user) { create(:admin) } + let_it_be(:current_user) { create(:admin) } context 'when admin mode is enabled', :enable_admin_mode do it { is_expected.to be_allowed(:reject_user) } @@ -174,7 +174,7 @@ RSpec.describe GlobalPolicy do end context 'admin' do - let(:current_user) { create(:user, :admin) } + let_it_be(:current_user) { create(:user, :admin) } context 'when admin mode is enabled', :enable_admin_mode do it { is_expected.to be_allowed(:use_project_statistics_filters) } @@ -591,4 +591,34 @@ RSpec.describe GlobalPolicy do it { is_expected.not_to be_allowed(:log_in) } end end + + describe 'delete runners' do + context 'when anonymous' do + let(:current_user) { nil } + + it { is_expected.not_to be_allowed(:delete_runners) } + end + + context 'regular user' do + it { is_expected.not_to be_allowed(:delete_runners) } + end + + context 'when external' do + let(:current_user) { build(:user, :external) } + + it { is_expected.not_to be_allowed(:delete_runners) } + end + + context 'admin user' do + let_it_be(:current_user) { create(:user, :admin) } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:delete_runners) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:delete_runners) } + end + end + end end 
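Review bot: The new `describe 'delete runners'` block mixes two negation styles for the same assertion: three contexts use `is_expected.not_to be_allowed(:delete_runners)` while `'when admin mode is disabled'` uses `is_expected.to be_disallowed(:delete_runners)`; settle on one, e.g. `it { is_expected.to be_disallowed(:delete_runners) }` throughout, so the admin-mode-off denial reads like its siblings. The `'regular user'` context sets no `current_user` and so depends on a `let` defined above this hunk; a one-line comment such as `# relies on the default current_user (plain authenticated user)` would make that intent explicit. The earlier `let` → `let_it_be` switches for the admin contexts in this file are consistent with the new block's `let_it_be(:current_user) { create(:user, :admin) }`, though the file still alternates between `create(:admin)` and `create(:user, :admin)` for the same fixture.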
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index c513baea517..3ef859376a4 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -4,6 +4,7 @@ require 'spec_helper' RSpec.describe GroupPolicy do include_context 'GroupPolicy context' + using RSpec::Parameterized::TableSyntax context 'public group with no user' do let(:group) { create(:group, :public, :crm_enabled) } @@ -1229,4 +1230,30 @@ RSpec.describe GroupPolicy do it { is_expected.to be_disallowed(:admin_crm_contact) } it { is_expected.to be_disallowed(:admin_crm_organization) } end + + describe 'maintain_namespace' do + context 'with non-admin roles' do + where(:role, :allowed) do + :guest | false + :reporter | false + :developer | false + :maintainer | true + :owner | true + end + + with_them do + let(:current_user) { public_send(role) } + + it do + expect(subject.allowed?(:maintain_namespace)).to eq allowed + end + end + end + + context 'as an admin', :enable_admin_mode do + let(:current_user) { admin } + + it { is_expected.to be_allowed(:maintain_namespace) } + end + end end diff --git a/spec/policies/incident_management/timeline_event_policy_spec.rb b/spec/policies/incident_management/timeline_event_policy_spec.rb new file mode 100644 index 00000000000..5a659054d7a --- /dev/null +++ b/spec/policies/incident_management/timeline_event_policy_spec.rb 
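Review bot: The `maintain_namespace` admin case is asserted only under `:enable_admin_mode`; nothing checks that an admin with admin mode disabled is denied, although the same commit tests both modes for `:delete_runners` in global_policy_spec.rb. A policy change that stopped gating this ability on admin mode would pass here unnoticed. Suggest a sibling context: `context 'as an admin without admin mode' do`, `let(:current_user) { admin }`, `it { is_expected.to be_disallowed(:maintain_namespace) }` — assuming the ability is admin-mode gated like the other admin abilities in these specs; confirm against GroupPolicy. The `where` table also has no row for a user outside the group or an anonymous user, so the lowest boundary of the permission is unchecked.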
@@ -0,0 +1,60 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe IncidentManagement::TimelineEventPolicy, models: true do + let_it_be(:project) { create(:project) } + let_it_be(:reporter) { create(:user) } + let_it_be(:developer) { create(:user) } + let_it_be(:user) { developer } + let_it_be(:incident) { create(:incident, project: project, author: user) } + + let_it_be(:editable_timeline_event) do + create(:incident_management_timeline_event, :editable, project: project, author: user, incident: incident) + end + + let_it_be(:non_editable_timeline_event) do + create(:incident_management_timeline_event, :non_editable, project: project, author: user, incident: incident) + end + + before do + project.add_developer(developer) + project.add_reporter(reporter) + end + + describe '#rules' do + subject(:policies) { described_class.new(user, timeline_event) } + + context 'when a user is not able to manage timeline events' do + let_it_be(:user) { reporter } + + context 'when timeline event is editable' do + let(:timeline_event) { editable_timeline_event } + + it 'does not allow to edit the timeline event' do + is_expected.not_to be_allowed(:edit_incident_management_timeline_event) + end + end + end + + context 'when a user is able to manage timeline events' do + let_it_be(:user) { developer } + + context 'when timeline event is editable' do + let(:timeline_event) { editable_timeline_event } + + it 'allows to edit the timeline event' do + is_expected.to be_allowed(:edit_incident_management_timeline_event) + end + end + + context 'when timeline event is not editable' do + let(:timeline_event) { non_editable_timeline_event } + + it 'does not allow to edit the timeline event' do + is_expected.not_to be_allowed(:edit_incident_management_timeline_event) + end + end + end + end +end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index 557bda985af..fefbb59a830 100644 --- a/spec/policies/issue_policy_spec.rb 
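Review bot: The `before` block re-runs `project.add_developer(developer)` and `project.add_reporter(reporter)` for every example even though `project`, `developer` and `reporter` are `let_it_be` fixtures created once; that membership setup belongs in `before_all` next to them, otherwise each example repeats (and silently depends on the idempotence of) adding the same members. Note too that `incident` and both timeline events are created in the outer `let_it_be` with `author: user`, where `user` appears to resolve to `developer`; the inner `let_it_be(:user) { reporter }` does not change the author of those already-created records, so the reporter case is a non-author reporter — worth stating, e.g. `# all events are authored by developer; the reporter below is never the author`. Coverage ends at reporter: there is no assertion that a user with no membership, or a `nil` user, is denied `:edit_incident_management_timeline_event`, which is the case a policy spec most needs to pin.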
+++ b/spec/policies/issue_policy_spec.rb @@ -13,6 +13,7 @@ RSpec.describe IssuePolicy do let(:reporter_from_group_link) { create(:user) } let(:non_member) { create(:user) } let(:support_bot) { User.support_bot } + let(:alert_bot) { User.alert_bot } def permissions(user, issue) described_class.new(user, issue) @@ -41,6 +42,14 @@ RSpec.describe IssuePolicy do end end + shared_examples 'alert bot' do + it 'allows alert_bot to read and set metadata on issues' do + expect(permissions(alert_bot, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(alert_bot, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(alert_bot, new_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + end + end + context 'a private project' do let(:project) { create(:project, :private) } let(:issue) { create(:issue, project: project, assignees: [assignee], author: author) } @@ -106,6 +115,7 @@ RSpec.describe IssuePolicy do expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality) end + it_behaves_like 'alert bot' it_behaves_like 'support bot with service desk disabled' it_behaves_like 'support bot with service desk enabled' @@ -270,6 +280,7 @@ RSpec.describe IssuePolicy do expect(permissions(support_bot, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality) end + it_behaves_like 'alert bot' it_behaves_like 'support bot with service desk enabled' context 'when issues are private' do 
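Review bot: The shared example's description, `'allows alert_bot to read and set metadata on issues'`, understates what it asserts: the list also includes `:update_issue` and `:admin_issue`, and the first `it_behaves_like 'alert bot'` sits in what appears to be the private-project context, so this spec documents a bot account holding admin-level issue rights on private projects. Rename it to match, e.g. `it 'allows alert_bot to read, update and administer issues'`, and add a short comment on why the alert bot needs `:admin_issue` and `:set_confidentiality`. The identical six-symbol list is repeated three times; hoist it with `let(:alert_bot_permissions) { %i[read_issue read_issue_iid update_issue admin_issue set_issue_metadata set_confidentiality] }` and `be_allowed(*alert_bot_permissions)`. There is no negative assertion for the bot at all, so a later widening of its rules would pass this spec; the enclosing `describe IssuePolicy` starts outside the hunk.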
@@ -326,6 +337,7 @@ RSpec.describe IssuePolicy do expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality) end + it_behaves_like 'alert bot' it_behaves_like 'support bot with service desk disabled' it_behaves_like 'support bot with service desk enabled' end diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index e05de25f182..dd42e1b9313 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -51,7 +51,8 @@ RSpec.describe MergeRequestPolicy do end context 'when merge request is public' do - let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) } + let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) } + let(:user) { author } context 'and user is anonymous' do subject { permissions(nil, merge_request) } 
@@ -61,19 +62,62 @@ RSpec.describe MergeRequestPolicy do end end - describe 'the author, who became a guest' do - subject { permissions(author, merge_request) } + context 'and user is author' do + subject { permissions(user, merge_request) } - it do - is_expected.to be_allowed(:update_merge_request) + context 'and the user is a guest' do + let(:user) { guest } + + it do + is_expected.to be_allowed(:update_merge_request) + end + + it do + is_expected.to be_allowed(:reopen_merge_request) + end + + it do + is_expected.to be_allowed(:approve_merge_request) + end end - it do - is_expected.to be_allowed(:reopen_merge_request) + context 'and the user is a group member' do + let(:project) { create(:project, :public, group: group) } + let(:group) { create(:group) } + let(:user) { non_team_member } + + before do + group.add_guest(non_team_member) + end + + it do + is_expected.to be_allowed(:approve_merge_request) + end end - it do - is_expected.to be_allowed(:approve_merge_request) + context 'and the user is a member of a shared group' do + let(:user) { non_team_member } + + before do + group = create(:group) + project.project_group_links.create!( + group: group, + group_access: Gitlab::Access::DEVELOPER) + + group.add_guest(non_team_member) + end + + it do + is_expected.to be_allowed(:approve_merge_request) + end + end + + context 'and the user is not a project member' do + let(:user) { non_team_member } + + it do + is_expected.not_to be_allowed(:approve_merge_request) + end end end end diff --git a/spec/policies/namespace/root_storage_statistics_policy_spec.rb b/spec/policies/namespace/root_storage_statistics_policy_spec.rb index e6b58bca4a8..89875f83c9b 100644 --- a/spec/policies/namespace/root_storage_statistics_policy_spec.rb +++ b/spec/policies/namespace/root_storage_statistics_policy_spec.rb 
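Review bot: In the new `'and user is author'` context the guest case spells three abilities as three anonymous `it do ... end` blocks; `be_allowed` accepts several abilities (as issue_policy_spec.rb in this same commit shows), so `it { is_expected.to be_allowed(:update_merge_request, :reopen_merge_request, :approve_merge_request) }` says the same in one line. The two group contexts set the group up differently — `let(:group)` in `'and the user is a group member'` versus a local `group = create(:group)` inside `before` in the shared-group context — and aligning both on `let(:group) { create(:group) }` keeps the sibling contexts readable side by side. The enclosing `context 'when merge request is public'`, whose `let(:merge_request)` and `let(:user) { author }` these contexts rely on, begins in the previous hunk.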
@@ -59,7 +59,7 @@ RSpec.describe Namespace::RootStorageStatisticsPolicy do with_them do before do - group.add_user(user, user_type) unless user_type == :non_member + group.add_member(user, user_type) unless user_type == :non_member end it { is_expected.to eq(outcome) } diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb index 22c3f6a6d67..e8a3c9b828d 100644 --- a/spec/policies/namespaces/user_namespace_policy_spec.rb +++ b/spec/policies/namespaces/user_namespace_policy_spec.rb @@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do let_it_be(:admin) { create(:admin) } let_it_be(:namespace) { create(:user_namespace, owner: owner) } - let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package] } + let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :maintain_namespace] } subject { described_class.new(current_user, namespace) } diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index d363a822d18..c041c72a0be 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -612,6 +612,24 @@ RSpec.describe ProjectPolicy do end end + describe 'create_task' do + context 'when user is member of the project' do + let(:current_user) { developer } + + context 'when work_items feature flag is enabled' do + it { expect_allowed(:create_task) } + end + + context 'when work_items feature flag is disabled' do + before do + stub_feature_flags(work_items: false) + end + + it { expect_disallowed(:create_task) } + end + end + end + describe 'update_max_artifacts_size' do context 'when no user' do let(:current_user) { anonymous } 
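Review bot: `describe 'create_task'` exercises only `developer`; nothing asserts that a lower role, a non-member or an anonymous user is denied, so a rule change that opened `:create_task` to everyone would still pass, and the flag-disabled check is likewise made only for a member. Add at least one denied case under the enabled flag, e.g. `context 'when user is not a member' do`, `let(:current_user) { non_member }`, `it { expect_disallowed(:create_task) }` — `non_member` is the role name the rest of this spec uses. The exact role boundary for `:create_task` is not visible here; confirm it against ProjectPolicy before deciding which lower roles to assert on.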
@@ -1462,43 +1480,142 @@ RSpec.describe ProjectPolicy do end describe 'view_package_registry_project_settings' do - context 'with registry enabled' do + context 'with packages disabled and' do before do - stub_config(registry: { enabled: true }) + stub_config(packages: { enabled: false }) end - context 'with an admin user' do - let(:current_user) { admin } + context 'with registry enabled' do + before do + stub_config(registry: { enabled: true }) + end - context 'when admin mode enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:view_package_registry_project_settings) } + context 'with an admin user' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:view_package_registry_project_settings) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end end - context 'when admin mode disabled' do - it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + %i[owner maintainer].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_allowed(:view_package_registry_project_settings) } + end + end + + %i[developer reporter guest non_member anonymous].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end end end - %i[owner maintainer].each do |role| - context "with #{role}" do - let(:current_user) { public_send(role) } + context 'with registry disabled' do + before do + stub_config(registry: { enabled: false }) + end + + context 'with admin user' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end - it { is_expected.to be_allowed(:view_package_registry_project_settings) } + context 'when 
admin mode disabled' do + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end + end + + %i[owner maintainer developer reporter guest non_member anonymous].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end end end + end - %i[developer reporter guest non_member anonymous].each do |role| - context "with #{role}" do - let(:current_user) { public_send(role) } + context 'with registry disabled and' do + before do + stub_config(registry: { enabled: false }) + end - it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + context 'with packages enabled' do + before do + stub_config(packages: { enabled: true }) + end + + context 'with an admin user' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:view_package_registry_project_settings) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end + end + + %i[owner maintainer].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_allowed(:view_package_registry_project_settings) } + end + end + + %i[developer reporter guest non_member anonymous].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end + end + end + + context 'with packages disabled' do + before do + stub_config(packages: { enabled: false }) + end + + context 'with admin user' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end + + context 'when admin mode disabled' do + it { is_expected.to 
be_disallowed(:view_package_registry_project_settings) } + end + end + + %i[owner maintainer developer reporter guest non_member anonymous].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end end end end - context 'with registry disabled' do + context 'with registry & packages both disabled' do before do stub_config(registry: { enabled: false }) + stub_config(packages: { enabled: false }) end context 'with admin user' do @@ -1718,7 +1835,7 @@ RSpec.describe ProjectPolicy do %w(guest reporter developer maintainer).each do |role| context role do before do - project.add_user(current_user, role.to_sym) + project.add_member(current_user, role.to_sym) end if role == 'guest' @@ -1752,7 +1869,7 @@ RSpec.describe ProjectPolicy do %w(guest reporter developer maintainer).each do |role| context role do before do - project.add_user(current_user, role.to_sym) + project.add_member(current_user, role.to_sym) end it { is_expected.to be_allowed(:read_ci_cd_analytics) } @@ -1782,7 +1899,7 @@ RSpec.describe ProjectPolicy do %w(guest reporter developer maintainer).each do |role| context role do before do - project.add_user(current_user, role.to_sym) + project.add_member(current_user, role.to_sym) end if role == 'guest' diff --git a/spec/policies/project_statistics_policy_spec.rb b/spec/policies/project_statistics_policy_spec.rb index 74630dc38ad..56e6161a264 100644 --- a/spec/policies/project_statistics_policy_spec.rb +++ b/spec/policies/project_statistics_policy_spec.rb @@ -72,7 +72,7 @@ RSpec.describe ProjectStatisticsPolicy do before do unless [:unauthenticated, :non_member].include?(user_type) - project.add_user(external, user_type) + project.add_member(external, user_type) end end diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb index 9cfc4455979..f8ec7d9f9bc 100644 --- a/spec/policies/work_item_policy_spec.rb 
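Review bot: The trailing `context 'with registry &amp; packages both disabled'` appears to duplicate `'with registry disabled and' > 'with packages disabled'` and `'with packages disabled and' > 'with registry disabled'`: all three stub both settings to `false` and assert the same denials for the same role list, so the both-disabled case runs three times. The four-way matrix is hand-expanded into near-identical copies of the admin / `%i[owner maintainer]` / lower-roles blocks that differ only in two booleans and one expectation, which a `where(:registry_enabled, :packages_enabled, :allowed)` table driving the two `stub_config` calls would express once (group_policy_spec.rb in this commit already adds `using RSpec::Parameterized::TableSyntax` for the same purpose). Names also drift between copies (`'with an admin user'` vs `'with admin user'`). Either drop the redundant final context or collapse the matrix; that final context's body continues past the end of this hunk.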
+++ b/spec/policies/work_item_policy_spec.rb @@ -131,4 +131,33 @@ RSpec.describe WorkItemPolicy do end end end + + describe 'admin_parent_link' do + context 'when user is reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:admin_parent_link) } + end + + context 'when user is guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:admin_parent_link) } + + context 'when guest authored the work item' do + let(:work_item_subject) { authored_work_item } + let(:current_user) { guest_author } + + it { is_expected.to be_disallowed(:admin_parent_link) } + end + + context 'when guest is assigned to the work item' do + before do + work_item.assignees = [guest] + end + + it { is_expected.to be_disallowed(:admin_parent_link) } + end + end + end end |