Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/group_member_policy_spec.rb65
-rw-r--r--spec/policies/namespace_policy_spec.rb2
-rw-r--r--spec/policies/project_policy_spec.rb42
3 files changed, 96 insertions, 13 deletions
diff --git a/spec/policies/group_member_policy_spec.rb b/spec/policies/group_member_policy_spec.rb
index 9e58ea81ef3..6099e4549b1 100644
--- a/spec/policies/group_member_policy_spec.rb
+++ b/spec/policies/group_member_policy_spec.rb
@@ -3,6 +3,8 @@
require 'spec_helper'
RSpec.describe GroupMemberPolicy do
+ include DesignManagementTestHelpers
+
let(:guest) { create(:user) }
let(:owner) { create(:user) }
let(:group) { create(:group, :private) }
@@ -28,22 +30,64 @@ RSpec.describe GroupMemberPolicy do
permissions.each { |p| is_expected.not_to be_allowed(p) }
end
- context 'with guest user' do
- let(:current_user) { guest }
+ context 'with anonymous user' do
+ let(:group) { create(:group, :public) }
+ let(:current_user) { nil }
+ let(:membership) { guest.members.first }
it do
- expect_disallowed(:member_related_permissions)
+ expect_disallowed(:read_design_activity, *member_related_permissions)
+ expect_allowed(:read_group)
+ end
+
+ context 'design management is enabled' do
+ before do
+ create(:project, :public, group: group) # Necessary to enable design management
+ enable_design_management
+ end
+
+ specify do
+ expect_allowed(:read_design_activity)
+ end
+ end
+
+ context 'for a private group' do
+ let(:group) { create(:group, :private) }
+
+ specify do
+ expect_disallowed(:read_group, :read_design_activity, *member_related_permissions)
+ end
+ end
+
+ context 'for an internal group' do
+ let(:group) { create(:group, :internal) }
+
+ specify do
+ expect_disallowed(:read_group, :read_design_activity, *member_related_permissions)
+ end
end
end
+ context 'with guest user, for own membership' do
+ let(:current_user) { guest }
+
+ specify { expect_disallowed(:update_group_member) }
+ specify { expect_allowed(:read_group, :destroy_group_member) }
+ end
+
+ context 'with guest user, for other membership' do
+ let(:current_user) { guest }
+ let(:membership) { owner.members.first }
+
+ specify { expect_disallowed(:destroy_group_member, :update_group_member) }
+ specify { expect_allowed(:read_group) }
+ end
+
context 'with one owner' do
let(:current_user) { owner }
- it do
- expect_disallowed(:destroy_group_member)
- expect_disallowed(:update_group_member)
- expect_allowed(:read_group)
- end
+ specify { expect_disallowed(*member_related_permissions) }
+ specify { expect_allowed(:read_group) }
end
context 'with more than one owner' do
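Review bot: The `:read_design_activity` denials asserted in the 'for a private group' and 'for an internal group' contexts do not exercise the visibility check, because neither context enables design management. The first example under 'with anonymous user' shows the same permission is already denied on a public group in that state, so these two assertions would still pass if the policy ignored group visibility once the feature is on. Consider enabling the feature in both contexts, for example `before { create(:project, group: group); enable_design_management }`, with the project's visibility set to whatever the group allows. `member_related_permissions` and the group membership setup are defined outside this hunk, so the exact list being splatted cannot be checked from here.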
@@ -53,10 +97,7 @@ RSpec.describe GroupMemberPolicy do
group.add_owner(create(:user))
end
- it do
- expect_allowed(:destroy_group_member)
- expect_allowed(:update_group_member)
- end
+ specify { expect_allowed(*member_related_permissions) }
end
context 'with the group parent' do
diff --git a/spec/policies/namespace_policy_spec.rb b/spec/policies/namespace_policy_spec.rb
index 514d7303ad7..b9823273de8 100644
--- a/spec/policies/namespace_policy_spec.rb
+++ b/spec/policies/namespace_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe NamespacePolicy do
let(:admin) { create(:admin) }
let(:namespace) { create(:namespace, owner: owner) }
- let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects] }
+ let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :create_package_settings, :read_package_settings] }
subject { described_class.new(current_user, namespace) }
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index c21d3b0939f..e6650549f7f 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -401,6 +401,48 @@ RSpec.describe ProjectPolicy do
end
end
+ describe 'set_pipeline_variables' do
+ context 'when user is developer' do
+ let(:current_user) { developer }
+
+ context 'when project allows user defined variables' do
+ before do
+ project.update!(restrict_user_defined_variables: false)
+ end
+
+ it { is_expected.to be_allowed(:set_pipeline_variables) }
+ end
+
+ context 'when project restricts use of user defined variables' do
+ before do
+ project.update!(restrict_user_defined_variables: true)
+ end
+
+ it { is_expected.not_to be_allowed(:set_pipeline_variables) }
+ end
+ end
+
+ context 'when user is maintainer' do
+ let(:current_user) { maintainer }
+
+ context 'when project allows user defined variables' do
+ before do
+ project.update!(restrict_user_defined_variables: false)
+ end
+
+ it { is_expected.to be_allowed(:set_pipeline_variables) }
+ end
+
+ context 'when project restricts use of user defined variables' do
+ before do
+ project.update!(restrict_user_defined_variables: true)
+ end
+
+ it { is_expected.to be_allowed(:set_pipeline_variables) }
+ end
+ end
+ end
+
context 'support bot' do
let(:current_user) { User.support_bot }
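Review bot: The new `set_pipeline_variables` examples cover only developer and maintainer, so nothing pins the outcome for roles below developer, or for an anonymous user, when `restrict_user_defined_variables` is false. If the intent is that those roles never get the permission, add a negative case such as `context 'when user is reporter'` with `it { is_expected.not_to be_allowed(:set_pipeline_variables) }`, assuming a `reporter` fixture is defined alongside `developer` outside this hunk. An owner case with the restriction enabled would likewise confirm the maintainer exemption extends upward. The enclosing `RSpec.describe ProjectPolicy` block starts and ends outside the hunk.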