summaryrefslogtreecommitdiff
path: root/spec/policies
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/ci/build_policy_spec.rb32
-rw-r--r--spec/policies/ci/pipeline_policy_spec.rb2
-rw-r--r--spec/policies/ci/pipeline_schedule_policy_spec.rb6
-rw-r--r--spec/policies/concerns/crud_policy_helpers_spec.rb50
-rw-r--r--spec/policies/concerns/readonly_abilities_spec.rb27
-rw-r--r--spec/policies/design_management/design_policy_spec.rb53
-rw-r--r--spec/policies/group_deploy_key_policy_spec.rb27
-rw-r--r--spec/policies/group_deploy_keys_group_policy_spec.rb24
-rw-r--r--spec/policies/group_policy_spec.rb20
-rw-r--r--spec/policies/issue_policy_spec.rb6
-rw-r--r--spec/policies/merge_request_policy_spec.rb6
-rw-r--r--spec/policies/personal_access_token_policy_spec.rb63
-rw-r--r--spec/policies/project_policy_spec.rb16
-rw-r--r--spec/policies/user_policy_spec.rb28
14 files changed, 317 insertions, 43 deletions
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index d2547338855..098efd7daa6 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -146,7 +146,7 @@ RSpec.describe Ci::BuildPolicy do
create(:protected_tag, :no_one_can_create,
name: build.ref, project: project)
- build.update(tag: true)
+ build.update!(tag: true)
end
it 'does not include ability to update build' do
@@ -247,6 +247,36 @@ RSpec.describe Ci::BuildPolicy do
it { expect(policy).to be_disallowed :erase_build }
end
end
+
+ context 'when an admin erases a build', :enable_admin_mode do
+ let(:owner) { create(:user) }
+
+ before do
+ user.update!(admin: true)
+ end
+
+ context 'when the build was created for a protected branch' do
+ before do
+ create(:protected_branch, :developers_can_push,
+ name: build.ref, project: project)
+ end
+
+ it { expect(policy).to be_allowed :erase_build }
+ end
+
+ context 'when the build was created for a protected tag' do
+ before do
+ create(:protected_tag, :developers_can_create,
+ name: build.ref, project: project)
+ end
+
+ it { expect(policy).to be_allowed :erase_build }
+ end
+
+ context 'when the build was created for an unprotected ref' do
+ it { expect(policy).to be_allowed :erase_build }
+ end
+ end
end
end
diff --git a/spec/policies/ci/pipeline_policy_spec.rb b/spec/policies/ci/pipeline_policy_spec.rb
index fcd96bc6653..9a65823c950 100644
--- a/spec/policies/ci/pipeline_policy_spec.rb
+++ b/spec/policies/ci/pipeline_policy_spec.rb
@@ -45,7 +45,7 @@ RSpec.describe Ci::PipelinePolicy, :models do
create(:protected_tag, :no_one_can_create,
name: pipeline.ref, project: project)
- pipeline.update(tag: true)
+ pipeline.update!(tag: true)
end
it 'does not include ability to update pipeline' do
diff --git a/spec/policies/ci/pipeline_schedule_policy_spec.rb b/spec/policies/ci/pipeline_schedule_policy_spec.rb
index b455384d17a..1e36f455f6f 100644
--- a/spec/policies/ci/pipeline_schedule_policy_spec.rb
+++ b/spec/policies/ci/pipeline_schedule_policy_spec.rb
@@ -43,7 +43,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models do
let(:tag) { 'v1.0.0' }
before do
- pipeline_schedule.update(ref: tag)
+ pipeline_schedule.update!(ref: tag)
create(:protected_tag, :no_one_can_create,
name: pipeline_schedule.ref, project: project)
@@ -69,7 +69,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models do
describe 'rules for owner of schedule' do
before do
project.add_developer(user)
- pipeline_schedule.update(owner: user)
+ pipeline_schedule.update!(owner: user)
end
it 'includes abilities to do all operations on pipeline schedule' do
@@ -97,7 +97,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models do
before do
project.add_maintainer(owner)
project.add_maintainer(user)
- pipeline_schedule.update(owner: owner)
+ pipeline_schedule.update!(owner: owner)
end
it 'includes abilities to take ownership' do
diff --git a/spec/policies/concerns/crud_policy_helpers_spec.rb b/spec/policies/concerns/crud_policy_helpers_spec.rb
new file mode 100644
index 00000000000..69bf9ad12d6
--- /dev/null
+++ b/spec/policies/concerns/crud_policy_helpers_spec.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe CrudPolicyHelpers do
+ let(:policy_test_class) do
+ Class.new do
+ include CrudPolicyHelpers
+ end
+ end
+
+ let(:feature_name) { :foo }
+
+ before do
+ stub_const('PolicyTestClass', policy_test_class)
+ end
+
+ describe '.create_read_update_admin_destroy' do
+ it 'returns an array of the appropriate abilites given a feature name' do
+ expect(PolicyTestClass.create_read_update_admin_destroy(feature_name)).to eq([
+ :read_foo,
+ :create_foo,
+ :update_foo,
+ :admin_foo,
+ :destroy_foo
+ ])
+ end
+ end
+
+ describe '.create_update_admin_destroy' do
+ it 'returns an array of the appropriate abilites given a feature name' do
+ expect(PolicyTestClass.create_update_admin_destroy(feature_name)).to eq([
+ :create_foo,
+ :update_foo,
+ :admin_foo,
+ :destroy_foo
+ ])
+ end
+ end
+
+ describe '.create_update_admin' do
+ it 'returns an array of the appropriate abilites given a feature name' do
+ expect(PolicyTestClass.create_update_admin(feature_name)).to eq([
+ :create_foo,
+ :update_foo,
+ :admin_foo
+ ])
+ end
+ end
+end
diff --git a/spec/policies/concerns/readonly_abilities_spec.rb b/spec/policies/concerns/readonly_abilities_spec.rb
new file mode 100644
index 00000000000..864924a091d
--- /dev/null
+++ b/spec/policies/concerns/readonly_abilities_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ReadonlyAbilities do
+ let(:test_class) do
+ Class.new do
+ include ReadonlyAbilities
+ end
+ end
+
+ before do
+ stub_const('TestClass', test_class)
+ end
+
+ describe '.readonly_abilities' do
+ it 'returns an array of abilites to be prevented when readonly' do
+ expect(TestClass.readonly_abilities).to include(*described_class::READONLY_ABILITIES)
+ end
+ end
+
+ describe '.readonly_features' do
+ it 'returns an array of features to be prevented when readonly' do
+ expect(TestClass.readonly_features).to include(*described_class::READONLY_FEATURES)
+ end
+ end
+end
diff --git a/spec/policies/design_management/design_policy_spec.rb b/spec/policies/design_management/design_policy_spec.rb
index 5dde5f896c9..5cf2f376edf 100644
--- a/spec/policies/design_management/design_policy_spec.rb
+++ b/spec/policies/design_management/design_policy_spec.rb
@@ -1,22 +1,32 @@
# frozen_string_literal: true
-require 'spec_helper'
+require "spec_helper"
RSpec.describe DesignManagement::DesignPolicy do
include DesignManagementTestHelpers
- include_context 'ProjectPolicy context'
-
let(:guest_design_abilities) { %i[read_design] }
- let(:developer_design_abilities) do
- %i[create_design destroy_design]
- end
+ let(:developer_design_abilities) { %i[create_design destroy_design move_design] }
let(:design_abilities) { guest_design_abilities + developer_design_abilities }
- let(:issue) { create(:issue, project: project) }
+ let_it_be(:guest) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
+ let_it_be(:developer) { create(:user) }
+ let_it_be(:maintainer) { create(:user) }
+ let_it_be(:owner) { create(:user) }
+ let_it_be(:admin) { create(:admin) }
+ let_it_be(:project) { create(:project, :public, namespace: owner.namespace) }
+ let_it_be(:issue) { create(:issue, project: project) }
let(:design) { create(:design, issue: issue) }
subject(:design_policy) { described_class.new(current_user, design) }
+ before_all do
+ project.add_guest(guest)
+ project.add_maintainer(maintainer)
+ project.add_developer(developer)
+ project.add_reporter(reporter)
+ end
+
shared_examples_for "design abilities not available" do
context "for owners" do
let(:current_user) { owner }
@@ -71,11 +81,11 @@ RSpec.describe DesignManagement::DesignPolicy do
context "for admins" do
let(:current_user) { admin }
- context 'when admin mode enabled', :enable_admin_mode do
+ context "when admin mode enabled", :enable_admin_mode do
it { is_expected.to be_allowed(*design_abilities) }
end
- context 'when admin mode disabled' do
+ context "when admin mode disabled" do
it { is_expected.to be_allowed(*guest_design_abilities) }
it { is_expected.to be_disallowed(*developer_design_abilities) }
end
@@ -121,8 +131,19 @@ RSpec.describe DesignManagement::DesignPolicy do
it_behaves_like "design abilities available for members"
+ context 'when reorder_designs is not enabled' do
+ before do
+ stub_feature_flags(reorder_designs: false)
+ end
+
+ let(:current_user) { developer }
+
+ it { is_expected.to be_allowed(*(developer_design_abilities - [:move_design])) }
+ it { is_expected.to be_disallowed(:move_design) }
+ end
+
context "for guests in private projects" do
- let(:project) { create(:project, :private) }
+ let_it_be(:project) { create(:project, :private) }
let(:current_user) { guest }
it { is_expected.to be_allowed(*guest_design_abilities) }
@@ -137,7 +158,7 @@ RSpec.describe DesignManagement::DesignPolicy do
end
context "when the issue is confidential" do
- let(:issue) { create(:issue, :confidential, project: project) }
+ let_it_be(:issue) { create(:issue, :confidential, project: project) }
it_behaves_like "design abilities available for members"
@@ -155,26 +176,24 @@ RSpec.describe DesignManagement::DesignPolicy do
end
context "when the issue is locked" do
+ let_it_be(:issue) { create(:issue, :locked, project: project) }
let(:current_user) { owner }
- let(:issue) { create(:issue, :locked, project: project) }
it_behaves_like "read-only design abilities"
end
context "when the issue has moved" do
+ let_it_be(:issue) { create(:issue, project: project, moved_to: create(:issue)) }
let(:current_user) { owner }
- let(:issue) { create(:issue, project: project, moved_to: create(:issue)) }
it_behaves_like "read-only design abilities"
end
context "when the project is archived" do
+ let_it_be(:project) { create(:project, :public, :archived) }
+ let_it_be(:issue) { create(:issue, project: project) }
let(:current_user) { owner }
- before do
- project.update!(archived: true)
- end
-
it_behaves_like "read-only design abilities"
end
end
diff --git a/spec/policies/group_deploy_key_policy_spec.rb b/spec/policies/group_deploy_key_policy_spec.rb
new file mode 100644
index 00000000000..c3903a3fa55
--- /dev/null
+++ b/spec/policies/group_deploy_key_policy_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GroupDeployKeyPolicy do
+ subject { described_class.new(user, group_deploy_key) }
+
+ let_it_be(:user) { create(:user) }
+
+ describe 'edit a group deploy key' do
+ context 'when the user does not own the group deploy key' do
+ let(:group_deploy_key) { create(:group_deploy_key) }
+
+ it { is_expected.to be_disallowed(:update_group_deploy_key) }
+ end
+
+ context 'when the user owns the group deploy key' do
+ let(:group_deploy_key) { create(:group_deploy_key, user: user) }
+
+ before do
+ user.reload
+ end
+
+ it { is_expected.to be_allowed(:update_group_deploy_key) }
+ end
+ end
+end
diff --git a/spec/policies/group_deploy_keys_group_policy_spec.rb b/spec/policies/group_deploy_keys_group_policy_spec.rb
new file mode 100644
index 00000000000..7ad9b655411
--- /dev/null
+++ b/spec/policies/group_deploy_keys_group_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GroupDeployKeysGroupPolicy do
+ subject { described_class.new(user, group_deploy_keys_group) }
+
+ let_it_be(:user) { create(:user) }
+ let_it_be(:group) { create(:group) }
+ let_it_be(:group_deploy_key) { create(:group_deploy_key) }
+ let(:group_deploy_keys_group) { create(:group_deploy_keys_group, group: group, group_deploy_key: group_deploy_key) }
+
+ describe 'edit a group deploy key for a given group' do
+ it 'is allowed when the user is an owner of this group' do
+ group.add_owner(user)
+
+ expect(subject).to be_allowed(:update_group_deploy_key_for_group)
+ end
+
+ it 'is not allowed when the user is not an owner of this group' do
+ expect(subject).to be_disallowed(:update_group_deploy_key_for_group)
+ end
+ end
+end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 9bd692b45c3..3e0ea164e3d 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -137,7 +137,7 @@ RSpec.describe GroupPolicy do
context 'with subgroup_creation level set to maintainer' do
before_all do
- group.update(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
+ group.update!(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
end
it 'allows every maintainer permission plus creating subgroups' do
@@ -409,7 +409,7 @@ RSpec.describe GroupPolicy do
context 'transfer_projects' do
shared_examples_for 'allowed to transfer projects' do
before do
- group.update(project_creation_level: project_creation_level)
+ group.update!(project_creation_level: project_creation_level)
end
it { is_expected.to be_allowed(:transfer_projects) }
@@ -417,7 +417,7 @@ RSpec.describe GroupPolicy do
shared_examples_for 'not allowed to transfer projects' do
before do
- group.update(project_creation_level: project_creation_level)
+ group.update!(project_creation_level: project_creation_level)
end
it { is_expected.to be_disallowed(:transfer_projects) }
@@ -491,7 +491,7 @@ RSpec.describe GroupPolicy do
context 'create_projects' do
context 'when group has no project creation level set' do
before_all do
- group.update(project_creation_level: nil)
+ group.update!(project_creation_level: nil)
end
context 'reporter' do
@@ -521,7 +521,7 @@ RSpec.describe GroupPolicy do
context 'when group has project creation level set to no one' do
before_all do
- group.update(project_creation_level: ::Gitlab::Access::NO_ONE_PROJECT_ACCESS)
+ group.update!(project_creation_level: ::Gitlab::Access::NO_ONE_PROJECT_ACCESS)
end
context 'reporter' do
@@ -551,7 +551,7 @@ RSpec.describe GroupPolicy do
context 'when group has project creation level set to maintainer only' do
before_all do
- group.update(project_creation_level: ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS)
+ group.update!(project_creation_level: ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS)
end
context 'reporter' do
@@ -581,7 +581,7 @@ RSpec.describe GroupPolicy do
context 'when group has project creation level set to developers + maintainer' do
before_all do
- group.update(project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
+ group.update!(project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
end
context 'reporter' do
@@ -613,7 +613,7 @@ RSpec.describe GroupPolicy do
context 'create_subgroup' do
context 'when group has subgroup creation level set to owner' do
before_all do
- group.update(subgroup_creation_level: ::Gitlab::Access::OWNER_SUBGROUP_ACCESS)
+ group.update!(subgroup_creation_level: ::Gitlab::Access::OWNER_SUBGROUP_ACCESS)
end
context 'reporter' do
@@ -643,7 +643,7 @@ RSpec.describe GroupPolicy do
context 'when group has subgroup creation level set to maintainer' do
before_all do
- group.update(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
+ group.update!(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
end
context 'reporter' do
@@ -752,7 +752,7 @@ RSpec.describe GroupPolicy do
context 'which does not have design management enabled' do
before do
- project.update(lfs_enabled: false)
+ project.update!(lfs_enabled: false)
end
it { is_expected.not_to be_allowed(:read_design_activity) }
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index b3ca37b17c2..e352b990159 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -104,7 +104,7 @@ RSpec.describe IssuePolicy do
end
it 'does not allow issue author to read or update confidential issue moved to an private project' do
- confidential_issue.project = build(:project, :private)
+ confidential_issue.project = create(:project, :private)
expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue)
end
@@ -117,7 +117,7 @@ RSpec.describe IssuePolicy do
end
it 'does not allow issue assignees to read or update confidential issue moved to an private project' do
- confidential_issue.project = build(:project, :private)
+ confidential_issue.project = create(:project, :private)
expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue)
end
@@ -188,7 +188,7 @@ RSpec.describe IssuePolicy do
context 'when issues are private' do
before do
- project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
+ project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
end
let(:issue) { create(:issue, project: project, author: author) }
let(:visitor) { create(:user) }
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index 2f3cb2e998a..3a46d5b9226 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -51,7 +51,7 @@ RSpec.describe MergeRequestPolicy do
let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
before do
- project.project_feature.update(merge_requests_access_level: ProjectFeature::DISABLED)
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
end
describe 'the author' do
@@ -83,8 +83,8 @@ RSpec.describe MergeRequestPolicy do
let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
before do
- project.update(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
- project.project_feature.update(merge_requests_access_level: ProjectFeature::PRIVATE)
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
end
describe 'a non-team-member' do
diff --git a/spec/policies/personal_access_token_policy_spec.rb b/spec/policies/personal_access_token_policy_spec.rb
new file mode 100644
index 00000000000..71795202e13
--- /dev/null
+++ b/spec/policies/personal_access_token_policy_spec.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe PersonalAccessTokenPolicy do
+ include AdminModeHelper
+
+ subject { described_class.new(current_user, token) }
+
+ context 'current_user is an administrator', :enable_admin_mode do
+ let_it_be(:current_user) { build(:admin) }
+
+ context 'not the owner of the token' do
+ let_it_be(:token) { build(:personal_access_token) }
+
+ it { is_expected.to be_allowed(:read_token) }
+ it { is_expected.to be_allowed(:revoke_token) }
+ end
+
+ context 'owner of the token' do
+ let_it_be(:token) { build(:personal_access_token, user: current_user) }
+
+ it { is_expected.to be_allowed(:read_token) }
+ it { is_expected.to be_allowed(:revoke_token) }
+ end
+ end
+
+ context 'current_user is not an administrator' do
+ let_it_be(:current_user) { build(:user) }
+
+ context 'not the owner of the token' do
+ let_it_be(:token) { build(:personal_access_token) }
+
+ it { is_expected.to be_disallowed(:read_token) }
+ it { is_expected.to be_disallowed(:revoke_token) }
+ end
+
+ context 'owner of the token' do
+ let_it_be(:token) { build(:personal_access_token, user: current_user) }
+
+ it { is_expected.to be_allowed(:read_token) }
+ it { is_expected.to be_allowed(:revoke_token) }
+ end
+ end
+
+ context 'current_user is a blocked administrator', :enable_admin_mode do
+ let_it_be(:current_user) { build(:admin, :blocked) }
+
+ context 'owner of the token' do
+ let_it_be(:token) { build(:personal_access_token, user: current_user) }
+
+ it { is_expected.to be_disallowed(:read_token) }
+ it { is_expected.to be_disallowed(:revoke_token) }
+ end
+
+ context 'not the owner of the token' do
+ let_it_be(:token) { build(:personal_access_token) }
+
+ it { is_expected.to be_disallowed(:read_token) }
+ it { is_expected.to be_disallowed(:revoke_token) }
+ end
+ end
+end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index dc6ed94309b..9879fc53461 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -20,7 +20,7 @@ RSpec.describe ProjectPolicy do
read_project_for_iids read_issue_iid read_label
read_milestone read_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in
- award_emoji read_release
+ award_emoji read_release read_issue_link
]
end
@@ -30,7 +30,7 @@ RSpec.describe ProjectPolicy do
admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment
read_merge_request download_wiki_code read_sentry_issue read_metrics_dashboard_annotation
- metrics_dashboard read_confidential_issues
+ metrics_dashboard read_confidential_issues admin_issue_link
]
end
@@ -46,7 +46,7 @@ RSpec.describe ProjectPolicy do
resolve_note create_container_image update_container_image destroy_container_image daily_statistics
create_environment update_environment create_deployment update_deployment create_release update_release
create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation
- read_terraform_state
+ read_terraform_state read_pod_logs
]
end
@@ -105,7 +105,7 @@ RSpec.describe ProjectPolicy do
subject { described_class.new(owner, project) }
before do
- project.project_feature.destroy
+ project.project_feature.destroy!
project.reload
end
@@ -325,6 +325,7 @@ RSpec.describe ProjectPolicy do
allow_collaboration: true
)
end
+
let(:maintainer_abilities) do
%w(create_build create_pipeline)
end
@@ -953,7 +954,12 @@ RSpec.describe ProjectPolicy do
context 'when repository is disabled' do
before do
- project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
+ project.project_feature.update!(
+ # Disable merge_requests and builds as well, since merge_requests and
+ # builds cannot have higher visibility than repository.
+ merge_requests_access_level: ProjectFeature::DISABLED,
+ builds_access_level: ProjectFeature::DISABLED,
+ repository_access_level: ProjectFeature::DISABLED)
end
it { is_expected.to be_disallowed(:read_package) }
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 1cc3581ebdd..d7338622c86 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -12,6 +12,34 @@ RSpec.describe UserPolicy do
it { is_expected.to be_allowed(:read_user) }
end
+ describe "reading a different user's Personal Access Tokens" do
+ let(:token) { create(:personal_access_token, user: user) }
+
+ context 'when user is admin' do
+ let(:current_user) { create(:user, :admin) }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:read_user_personal_access_tokens) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.not_to be_allowed(:read_user_personal_access_tokens) }
+ end
+ end
+
+ context 'when user is not an admin' do
+ context 'requesting their own personal access tokens' do
+ subject { described_class.new(current_user, current_user) }
+
+ it { is_expected.to be_allowed(:read_user_personal_access_tokens) }
+ end
+
+ context "requesting a different user's personal access tokens" do
+ it { is_expected.not_to be_allowed(:read_user_personal_access_tokens) }
+ end
+ end
+ end
+
shared_examples 'changing a user' do |ability|
context "when a regular user tries to destroy another regular user" do
it { is_expected.not_to be_allowed(ability) }