Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/container_expiration_policy_policy_spec.rb33
-rw-r--r--spec/policies/group_policy_spec.rb45
-rw-r--r--spec/policies/issuable_policy_spec.rb50
-rw-r--r--spec/policies/issue_policy_spec.rb27
-rw-r--r--spec/policies/namespaces/project_namespace_policy_spec.rb4
-rw-r--r--spec/policies/namespaces/user_namespace_policy_spec.rb2
-rw-r--r--spec/policies/timelog_policy_spec.rb57
-rw-r--r--spec/policies/work_item_policy_spec.rb40
8 files changed, 249 insertions, 9 deletions
diff --git a/spec/policies/container_expiration_policy_policy_spec.rb b/spec/policies/container_expiration_policy_policy_spec.rb
new file mode 100644
index 00000000000..4b39dd8dace
--- /dev/null
+++ b/spec/policies/container_expiration_policy_policy_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ContainerExpirationPolicyPolicy do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be(:user) { create(:user) }
+ let_it_be(:project, reload: true) { create(:project) }
+
+ subject { described_class.new(user, project.container_expiration_policy) }
+
+ where(:user_type, :allowed_to_destroy_container_image) do
+ :anonymous | false
+ :guest | false
+ :developer | false
+ :maintainer | true
+ end
+
+ with_them do
+ context "for user type #{params[:user_type]}" do
+ before do
+ project.public_send("add_#{user_type}", user) unless user_type == :anonymous
+ end
+
+ if params[:allowed_to_destroy_container_image]
+ it { is_expected.to be_allowed(:admin_container_image) }
+ else
+ it { is_expected.not_to be_allowed(:admin_container_image) }
+ end
+ end
+ end
+end
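Review bot: The `:anonymous` row never exercises an anonymous request, because `subject` always passes the `let_it_be(:user)` created at the top; skipping `add_*` only turns that row into "authenticated non-member", so the policy's handling of a nil user is untested. Building the subject with `described_class.new(user_type == :anonymous ? nil : user, project.container_expiration_policy)` would make the row mean what its name says. The table also omits `:reporter` and `:owner`, which are the roles on either side of the current allow boundary and are cheap to add as two more rows.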
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index ff59a2e04a7..05bba167bd3 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -242,6 +242,24 @@ RSpec.describe GroupPolicy do
end
end
+ context 'migration bot' do
+ let_it_be(:migration_bot) { User.migration_bot }
+ let_it_be(:current_user) { migration_bot }
+
+ it :aggregate_failures do
+ expect_allowed(:read_resource_access_tokens, :destroy_resource_access_tokens)
+ expect_disallowed(*guest_permissions)
+ expect_disallowed(*reporter_permissions)
+ expect_disallowed(*developer_permissions)
+ expect_disallowed(*maintainer_permissions)
+ expect_disallowed(*owner_permissions)
+ end
+
+ it_behaves_like 'deploy token does not get confused with user' do
+ let(:user_id) { migration_bot.id }
+ end
+ end
+
describe 'private nested group use the highest access level from the group and inherited permissions' do
let_it_be(:nested_group) do
create(:group, :private, :owner_subgroup_creation_only, :crm_enabled, parent: group)
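Review bot: The `it :aggregate_failures do` example has no description, so a failure reports only the file and line. Since the expectations spell out the contract, `it 'can only read and destroy resource access tokens', :aggregate_failures do` documents the intended least-privilege scope of the migration bot and makes the failure output self-explanatory. The enclosing `RSpec.describe GroupPolicy` block starts and ends outside this hunk.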
@@ -914,12 +932,21 @@ RSpec.describe GroupPolicy do
context 'reporter' do
let(:current_user) { reporter }
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
it { is_expected.to be_disallowed(:admin_dependency_proxy) }
end
context 'developer' do
let(:current_user) { developer }
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
it { is_expected.to be_allowed(:admin_dependency_proxy) }
end
end
@@ -1171,6 +1198,24 @@ RSpec.describe GroupPolicy do
end
end
+ describe 'change_prevent_sharing_groups_outside_hierarchy' do
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:change_prevent_sharing_groups_outside_hierarchy) }
+ end
+
+ context 'with non-owner roles' do
+ where(role: %w[admin maintainer reporter developer guest])
+
+ with_them do
+ let(:current_user) { public_send role }
+
+ it { is_expected.to be_disallowed(:change_prevent_sharing_groups_outside_hierarchy) }
+ end
+ end
+ end
+
context 'with customer relations feature flag disabled' do
let(:current_user) { owner }
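Review bot: The `admin` row in `where(role: %w[admin maintainer reporter developer guest])` runs without `:enable_admin_mode`, so the admin is evaluated as an ordinary non-member and the disallowed outcome says nothing about admin-mode behaviour. If administrators are meant to be excluded from this setting even in admin mode, add a separate `context 'with admin', :enable_admin_mode do` asserting the intended result; if they are meant to be allowed, the row belongs outside the "non-owner roles" table. Either way the current row's meaning should be stated, e.g. `# admin without admin mode behaves as a non-member`.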
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index eeb298e853e..5e2a307e959 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -3,11 +3,25 @@
require 'spec_helper'
RSpec.describe IssuablePolicy, models: true do
- let(:user) { create(:user) }
- let(:project) { create(:project, :public) }
+ let_it_be(:user) { create(:user) }
+ let_it_be(:guest) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
+ let_it_be(:developer) { create(:user) }
+ let_it_be(:project) { create(:project, :public) }
+
let(:issue) { create(:issue, project: project) }
let(:policies) { described_class.new(user, issue) }
+ before do
+ project.add_developer(developer)
+ project.add_guest(guest)
+ project.add_reporter(reporter)
+ end
+
+ def permissions(user, issue)
+ described_class.new(user, issue)
+ end
+
describe '#rules' do
context 'when user is author of issuable' do
let(:merge_request) { create(:merge_request, source_project: project, author: user) }
@@ -23,6 +37,20 @@ RSpec.describe IssuablePolicy, models: true do
end
end
+ context 'Timeline events' do
+ it 'allows non-members to read time line events' do
+ expect(permissions(guest, issue)).to be_allowed(:read_incident_management_timeline_event)
+ end
+
+ it 'disallows reporters from managing timeline events' do
+ expect(permissions(reporter, issue)).to be_disallowed(:admin_incident_management_timeline_event)
+ end
+
+ it 'allows developers to manage timeline events' do
+ expect(permissions(developer, issue)).to be_allowed(:admin_incident_management_timeline_event)
+ end
+ end
+
context 'when project is private' do
let(:project) { create(:project, :private) }
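Review bot: The example 'allows non-members to read time line events' calls `permissions(guest, issue)`, but `guest` is added to the project in the `before` block, so the description and the subject disagree; the private-project hunk below distinguishes these two cases correctly with `user` for the non-member and `guest` for the guest. Either use `permissions(user, issue)` here to actually cover the public-project non-member path, or rename to `it 'allows guests to read timeline events'`. The phrase "time line" in this description and in the later hunk's 'allows guests to read time line events' should also be spelled "timeline" to match the other examples.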
@@ -37,6 +65,24 @@ RSpec.describe IssuablePolicy, models: true do
it 'disallows user from reading and updating issuables from that project' do
expect(policies).to be_disallowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request, :reopen_merge_request)
end
+
+ context 'Timeline events' do
+ it 'disallows non-members from reading timeline events' do
+ expect(permissions(user, issue)).to be_disallowed(:read_incident_management_timeline_event)
+ end
+
+ it 'allows guests to read time line events' do
+ expect(permissions(guest, issue)).to be_allowed(:read_incident_management_timeline_event)
+ end
+
+ it 'disallows reporters from managing timeline events' do
+ expect(permissions(reporter, issue)).to be_disallowed(:admin_incident_management_timeline_event)
+ end
+
+ it 'allows developers to manage timeline events' do
+ expect(permissions(developer, issue)).to be_allowed(:admin_incident_management_timeline_event)
+ end
+ end
end
end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 1fe9e430011..557bda985af 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -397,7 +397,7 @@ RSpec.describe IssuePolicy do
end
end
- describe 'set_issue_crm_contacts' do
+ describe 'crm permissions' do
let(:user) { create(:user) }
let(:subgroup) { create(:group, :crm_enabled, parent: create(:group, :crm_enabled)) }
let(:project) { create(:project, group: subgroup) }
@@ -408,6 +408,7 @@ RSpec.describe IssuePolicy do
it 'is disallowed' do
project.add_reporter(user)
+ expect(policies).to be_disallowed(:read_crm_contacts)
expect(policies).to be_disallowed(:set_issue_crm_contacts)
end
end
@@ -416,6 +417,7 @@ RSpec.describe IssuePolicy do
it 'is allowed' do
subgroup.add_reporter(user)
+ expect(policies).to be_disallowed(:read_crm_contacts)
expect(policies).to be_disallowed(:set_issue_crm_contacts)
end
end
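Review bot: The example is described as `it 'is allowed' do` but the new line asserts `be_disallowed(:read_crm_contacts)` alongside the existing `be_disallowed(:set_issue_crm_contacts)`, so the description contradicts both expectations. Rename it to `it 'is disallowed' do` so a future reader does not mistake this as a regression in the CRM read check. The enclosing context's name is outside the hunk, so I cannot confirm which membership case this covers.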
@@ -424,8 +426,31 @@ RSpec.describe IssuePolicy do
it 'is allowed' do
subgroup.parent.add_reporter(user)
+ expect(policies).to be_allowed(:read_crm_contacts)
expect(policies).to be_allowed(:set_issue_crm_contacts)
end
end
+
+ context 'when crm disabled on subgroup' do
+ let(:subgroup) { create(:group, parent: create(:group, :crm_enabled)) }
+
+ it 'is disallowed' do
+ subgroup.parent.add_reporter(user)
+
+ expect(policies).to be_disallowed(:read_crm_contacts)
+ expect(policies).to be_disallowed(:set_issue_crm_contacts)
+ end
+ end
+
+ context 'when peronsal namespace' do
+ let(:project) { create(:project) }
+
+ it 'is disallowed' do
+ project.add_reporter(user)
+
+ expect(policies).to be_disallowed(:read_crm_contacts)
+ expect(policies).to be_disallowed(:set_issue_crm_contacts)
+ end
+ end
end
end
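Review bot: The new context description `'when peronsal namespace'` has a typo; `context 'when personal namespace' do` keeps it greppable alongside the other CRM contexts. The preceding `it 'is allowed' do` at the top of this hunk does assert allowed, so that one is consistent.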
diff --git a/spec/policies/namespaces/project_namespace_policy_spec.rb b/spec/policies/namespaces/project_namespace_policy_spec.rb
index f1022747fab..5ceea9dfb9d 100644
--- a/spec/policies/namespaces/project_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/project_namespace_policy_spec.rb
@@ -9,8 +9,8 @@ RSpec.describe Namespaces::ProjectNamespacePolicy do
let(:permissions) do
[:owner_access, :create_projects, :admin_namespace, :read_namespace,
- :read_statistics, :transfer_projects, :create_package_settings,
- :read_package_settings, :create_jira_connect_subscription]
+ :read_statistics, :transfer_projects, :admin_package,
+ :create_jira_connect_subscription]
end
subject { described_class.new(current_user, namespace) }
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index 06db2f6e243..22c3f6a6d67 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do
let_it_be(:admin) { create(:admin) }
let_it_be(:namespace) { create(:user_namespace, owner: owner) }
- let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :create_package_settings, :read_package_settings] }
+ let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package] }
subject { described_class.new(current_user, namespace) }
diff --git a/spec/policies/timelog_policy_spec.rb b/spec/policies/timelog_policy_spec.rb
new file mode 100644
index 00000000000..97e61cfe5ce
--- /dev/null
+++ b/spec/policies/timelog_policy_spec.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe TimelogPolicy, models: true do
+ let_it_be(:author) { create(:user) }
+ let_it_be(:project) { create(:project, :public) }
+ let_it_be(:issue) { create(:issue, project: project) }
+ let_it_be(:timelog) { create(:timelog, user: author, issue: issue, time_spent: 1800)}
+
+ let(:user) { nil }
+ let(:policy) { described_class.new(user, timelog) }
+
+ describe '#rules' do
+ context 'when user is anonymus' do
+ it 'prevents adimistration of timelog' do
+ expect(policy).to be_disallowed(:admin_timelog)
+ end
+ end
+
+ context 'when user is the author of the timelog' do
+ let(:user) { author }
+
+ it 'allows adimistration of timelog' do
+ expect(policy).to be_allowed(:admin_timelog)
+ end
+ end
+
+ context 'when user is not the author of the timelog but maintainer of the project' do
+ let(:user) { create(:user) }
+
+ before do
+ project.add_maintainer(user)
+ end
+
+ it 'allows adimistration of timelog' do
+ expect(policy).to be_allowed(:admin_timelog)
+ end
+ end
+
+ context 'when user is not the timelog\'s author, not a maintainer but an administrator', :enable_admin_mode do
+ let(:user) { create(:user, :admin) }
+
+ it 'allows adimistration of timelog' do
+ expect(policy).to be_allowed(:admin_timelog)
+ end
+ end
+
+ context 'when user is not the author of the timelog nor a maintainer of the project nor an administrator' do
+ let(:user) { create(:user) }
+
+ it 'prevents adimistration of timelog' do
+ expect(policy).to be_disallowed(:admin_timelog)
+ end
+ end
+ end
+end
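Review bot: The administrator case is only covered with `:enable_admin_mode`, so nothing asserts that an admin without admin mode is denied `:admin_timelog`; given the spec otherwise enumerates every deny path, that is the missing negative check for the admin-mode gate, assuming the policy is meant to honour it. A sibling context without the tag makes the expectation explicit. Several descriptions also have typos (`'when user is anonymus'`, `'prevents adimistration of timelog'`, `'allows adimistration of timelog'`) and the `timelog` factory line lacks a space before the closing `}`.
```ruby
    context 'when user is an administrator without admin mode' do
      let(:user) { create(:user, :admin) }

      it 'prevents administration of timelog' do
        expect(policy).to be_disallowed(:admin_timelog)
      end
    end
```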
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index 08a22a95540..b19f7d2557d 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
@@ -3,11 +3,13 @@
require 'spec_helper'
RSpec.describe WorkItemPolicy do
- let_it_be(:project) { create(:project) }
- let_it_be(:public_project) { create(:project, :public) }
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project) { create(:project, group: group) }
+ let_it_be(:public_project) { create(:project, :public, group: group) }
let_it_be(:guest) { create(:user).tap { |user| project.add_guest(user) } }
let_it_be(:guest_author) { create(:user).tap { |user| project.add_guest(user) } }
let_it_be(:reporter) { create(:user).tap { |user| project.add_reporter(user) } }
+ let_it_be(:group_reporter) { create(:user).tap { |user| group.add_reporter(user) } }
let_it_be(:non_member_user) { create(:user) }
let_it_be(:work_item) { create(:work_item, project: project) }
let_it_be(:authored_work_item) { create(:work_item, project: project, author: guest_author) }
@@ -81,7 +83,9 @@ RSpec.describe WorkItemPolicy do
let(:work_item_subject) { work_item }
let(:current_user) { reporter }
- it { is_expected.to be_disallowed(:delete_work_item) }
+ context 'when the user is not the author of the work item' do
+ it { is_expected.to be_disallowed(:delete_work_item) }
+ end
context 'when guest authored the work item' do
let(:work_item_subject) { authored_work_item }
@@ -90,5 +94,35 @@ RSpec.describe WorkItemPolicy do
it { is_expected.to be_allowed(:delete_work_item) }
end
end
+
+ context 'when user is member of the project\'s group' do
+ let(:current_user) { group_reporter }
+
+ context 'when the user is not the author of the work item' do
+ it { is_expected.to be_disallowed(:delete_work_item) }
+ end
+
+ context 'when user authored the work item' do
+ let(:work_item_subject) { create(:work_item, project: project, author: current_user) }
+
+ it { is_expected.to be_allowed(:delete_work_item) }
+ end
+ end
+
+ context 'when user is not a member of the project' do
+ let(:current_user) { non_member_user }
+
+ context 'when the user authored the work item' do
+ let(:work_item_subject) { create(:work_item, project: public_project, author: current_user) }
+
+ it { is_expected.to be_disallowed(:delete_work_item) }
+ end
+
+ context 'when the user is not the author of the work item' do
+ let(:work_item_subject) { public_work_item }
+
+ it { is_expected.to be_disallowed(:delete_work_item) }
+ end
+ end
end
end