Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/container_expiration_policy_policy_spec.rb | 33 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 45 | ||||
-rw-r--r-- | spec/policies/issuable_policy_spec.rb | 50 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 27 | ||||
-rw-r--r-- | spec/policies/namespaces/project_namespace_policy_spec.rb | 4 | ||||
-rw-r--r-- | spec/policies/namespaces/user_namespace_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/timelog_policy_spec.rb | 57 | ||||
-rw-r--r-- | spec/policies/work_item_policy_spec.rb | 40 |
8 files changed, 249 insertions, 9 deletions
diff --git a/spec/policies/container_expiration_policy_policy_spec.rb b/spec/policies/container_expiration_policy_policy_spec.rb
new file mode 100644
index 00000000000..4b39dd8dace
--- /dev/null
+++ b/spec/policies/container_expiration_policy_policy_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ContainerExpirationPolicyPolicy do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be(:user) { create(:user) }
+ let_it_be(:project, reload: true) { create(:project) }
+
+ subject { described_class.new(user, project.container_expiration_policy) }
+
+ where(:user_type, :allowed_to_destroy_container_image) do
+ :anonymous | false
+ :guest | false
+ :developer | false
+ :maintainer | true
+ end
+
+ with_them do
+ context "for user type #{params[:user_type]}" do
+ before do
+ project.public_send("add_#{user_type}", user) unless user_type == :anonymous
+ end
+
+ if params[:allowed_to_destroy_container_image]
+ it { is_expected.to be_allowed(:admin_container_image) }
+ else
+ it { is_expected.not_to be_allowed(:admin_container_image) }
+ end
+ end
+ end
+end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index ff59a2e04a7..05bba167bd3 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
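Review bot: The `:anonymous` row of the `where` table never reaches the policy with an anonymous user: `subject` always passes the signed-in `user` and the `before` hook merely skips the membership call, so that row actually covers a logged-in non-member and a `nil` user is not exercised for `:admin_container_image` at all. Derive the policy user from the row instead, e.g. `let(:current_user) { user_type == :anonymous ? nil : user }` and `subject { described_class.new(current_user, project.container_expiration_policy) }`, or rename the row to `:non_member` and add a separate `nil` case. Either way the spec should state explicitly what an unauthenticated caller gets, since that is the boundary most worth pinning for an image-deletion permission.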
@@ -242,6 +242,24 @@ RSpec.describe GroupPolicy do
 end
 end
+ context 'migration bot' do
+ let_it_be(:migration_bot) { User.migration_bot }
+ let_it_be(:current_user) { migration_bot }
+
+ it :aggregate_failures do
+ expect_allowed(:read_resource_access_tokens, :destroy_resource_access_tokens)
+ expect_disallowed(*guest_permissions)
+ expect_disallowed(*reporter_permissions)
+ expect_disallowed(*developer_permissions)
+ expect_disallowed(*maintainer_permissions)
+ expect_disallowed(*owner_permissions)
+ end
+
+ it_behaves_like 'deploy token does not get confused with user' do
+ let(:user_id) { migration_bot.id }
+ end
+ end
+
 describe 'private nested group use the highest access level from the group and inherited permissions' do
 let_it_be(:nested_group) do
 create(:group, :private, :owner_subgroup_creation_only, :crm_enabled, parent: group)
@@ -914,12 +932,21 @@ RSpec.describe GroupPolicy do
 context 'reporter' do
 let(:current_user) { reporter }
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
 it { is_expected.to be_disallowed(:admin_dependency_proxy) }
 end
 context 'developer' do
 let(:current_user) { developer }
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
 it { is_expected.to be_allowed(:admin_dependency_proxy) }
 end
 end
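Review bot: `it :aggregate_failures do` in the new 'migration bot' context has no description, so a failure is reported under the bare context name; give it one, e.g. `it 'can only manage resource access tokens', :aggregate_failures do`. The assertions show that this bot account is allowed `:destroy_resource_access_tokens` while every role-level permission set is disallowed, and that boundary for a privileged internal account deserves to be spelled out in the example name rather than left to the reader. The remaining hunk on this line (dependency proxy read/admin per role) reads fine.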
@@ -1171,6 +1198,24 @@ RSpec.describe GroupPolicy do
 end
 end
+ describe 'change_prevent_sharing_groups_outside_hierarchy' do
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:change_prevent_sharing_groups_outside_hierarchy) }
+ end
+
+ context 'with non-owner roles' do
+ where(role: %w[admin maintainer reporter developer guest])
+
+ with_them do
+ let(:current_user) { public_send role }
+
+ it { is_expected.to be_disallowed(:change_prevent_sharing_groups_outside_hierarchy) }
+ end
+ end
+ end
+
 context 'with customer relations feature flag disabled' do
 let(:current_user) { owner }
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index eeb298e853e..5e2a307e959 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -3,11 +3,25 @@ require 'spec_helper'
 RSpec.describe IssuablePolicy, models: true do
- let(:user) { create(:user) }
- let(:project) { create(:project, :public) }
+ let_it_be(:user) { create(:user) }
+ let_it_be(:guest) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
+ let_it_be(:developer) { create(:user) }
+ let_it_be(:project) { create(:project, :public) }
+
 let(:issue) { create(:issue, project: project) }
 let(:policies) { described_class.new(user, issue) }
+ before do
+ project.add_developer(developer)
+ project.add_guest(guest)
+ project.add_reporter(reporter)
+ end
+
+ def permissions(user, issue)
+ described_class.new(user, issue)
+ end
+
 describe '#rules' do
 context 'when user is author of issuable' do
 let(:merge_request) { create(:merge_request, source_project: project, author: user) }
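Review bot: In the `'with non-owner roles'` table the `admin` row runs without `:enable_admin_mode`, so its disallowed expectation only shows that an administrator outside admin mode is treated like an ordinary user; whether an admin in admin mode may change `prevent_sharing_groups_outside_hierarchy` is left unpinned. The timelog spec added in this same commit uses the `:enable_admin_mode` metadata to make exactly that distinction, so a sibling context here, e.g. `context 'with admin in admin mode', :enable_admin_mode do` / `let(:current_user) { admin }` with whichever expectation is intended, would document the decision for a setting that controls sharing beyond the hierarchy. `let(:current_user) { public_send role }` also drops the parentheses that every other call with arguments in this file uses; `public_send(role)` would match.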
@@ -23,6 +37,20 @@ RSpec.describe IssuablePolicy, models: true do
 end
 end
+ context 'Timeline events' do
+ it 'allows non-members to read time line events' do
+ expect(permissions(guest, issue)).to be_allowed(:read_incident_management_timeline_event)
+ end
+
+ it 'disallows reporters from managing timeline events' do
+ expect(permissions(reporter, issue)).to be_disallowed(:admin_incident_management_timeline_event)
+ end
+
+ it 'allows developers to manage timeline events' do
+ expect(permissions(developer, issue)).to be_allowed(:admin_incident_management_timeline_event)
+ end
+ end
+
 context 'when project is private' do
 let(:project) { create(:project, :private) }
@@ -37,6 +65,24 @@ RSpec.describe IssuablePolicy, models: true do
 it 'disallows user from reading and updating issuables from that project' do
 expect(policies).to be_disallowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request, :reopen_merge_request)
 end
+
+ context 'Timeline events' do
+ it 'disallows non-members from reading timeline events' do
+ expect(permissions(user, issue)).to be_disallowed(:read_incident_management_timeline_event)
+ end
+
+ it 'allows guests to read time line events' do
+ expect(permissions(guest, issue)).to be_allowed(:read_incident_management_timeline_event)
+ end
+
+ it 'disallows reporters from managing timeline events' do
+ expect(permissions(reporter, issue)).to be_disallowed(:admin_incident_management_timeline_event)
+ end
+
+ it 'allows developers to manage timeline events' do
+ expect(permissions(developer, issue)).to be_allowed(:admin_incident_management_timeline_event)
+ end
+ end
 end
 end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 1fe9e430011..557bda985af 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
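Review bot: `it 'allows non-members to read time line events'` in the first 'Timeline events' context passes `guest`, who is added to the project by the new `before` hook, so the example tests a guest rather than a non-member and the public-project read rule for outsiders is not actually covered. Use the plain `user` there, `expect(permissions(user, issue)).to be_allowed(:read_incident_management_timeline_event)`, mirroring the private-project context in the second hunk on this line, which correctly passes `user` for its 'disallows non-members' case. The descriptions also alternate between 'time line' and 'timeline'; 'timeline' matches the permission name.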
@@ -397,7 +397,7 @@ RSpec.describe IssuePolicy do
 end
 end
- describe 'set_issue_crm_contacts' do
+ describe 'crm permissions' do
 let(:user) { create(:user) }
 let(:subgroup) { create(:group, :crm_enabled, parent: create(:group, :crm_enabled)) }
 let(:project) { create(:project, group: subgroup) }
@@ -408,6 +408,7 @@ RSpec.describe IssuePolicy do
 it 'is disallowed' do
 project.add_reporter(user)
+ expect(policies).to be_disallowed(:read_crm_contacts)
 expect(policies).to be_disallowed(:set_issue_crm_contacts)
 end
 end
@@ -416,6 +417,7 @@ RSpec.describe IssuePolicy do
 it 'is allowed' do
 subgroup.add_reporter(user)
+ expect(policies).to be_disallowed(:read_crm_contacts)
 expect(policies).to be_disallowed(:set_issue_crm_contacts)
 end
 end
@@ -424,8 +426,31 @@ RSpec.describe IssuePolicy do
 it 'is allowed' do
 subgroup.parent.add_reporter(user)
+ expect(policies).to be_allowed(:read_crm_contacts)
 expect(policies).to be_allowed(:set_issue_crm_contacts)
 end
 end
+
+ context 'when crm disabled on subgroup' do
+ let(:subgroup) { create(:group, parent: create(:group, :crm_enabled)) }
+
+ it 'is disallowed' do
+ subgroup.parent.add_reporter(user)
+
+ expect(policies).to be_disallowed(:read_crm_contacts)
+ expect(policies).to be_disallowed(:set_issue_crm_contacts)
+ end
+ end
+
+ context 'when peronsal namespace' do
+ let(:project) { create(:project) }
+
+ it 'is disallowed' do
+ project.add_reporter(user)
+
+ expect(policies).to be_disallowed(:read_crm_contacts)
+ expect(policies).to be_disallowed(:set_issue_crm_contacts)
+ end
+ end
 end
 end
diff --git a/spec/policies/namespaces/project_namespace_policy_spec.rb b/spec/policies/namespaces/project_namespace_policy_spec.rb
index f1022747fab..5ceea9dfb9d 100644
--- a/spec/policies/namespaces/project_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/project_namespace_policy_spec.rb
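Review bot: The new context description `'when peronsal namespace'` is misspelled; `context 'when personal namespace' do`. The `:read_crm_contacts` expectation added in the @@ -416 hunk lands inside an example still named `it 'is allowed'` whose expectations are all `be_disallowed`; the name predates this commit, but adding a second disallowed assertion under it makes the mismatch more misleading, so renaming it `it 'is disallowed'` while touching the example would help. The matrix itself is consistent: read and set are both gated on CRM being enabled on the owning group and on the reporter role being held on the right ancestor, and the two new contexts cover the CRM-disabled and no-group cases.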
@@ -9,8 +9,8 @@ RSpec.describe Namespaces::ProjectNamespacePolicy do
 let(:permissions) do
 [:owner_access, :create_projects, :admin_namespace, :read_namespace,
- :read_statistics, :transfer_projects, :create_package_settings,
- :read_package_settings, :create_jira_connect_subscription]
+ :read_statistics, :transfer_projects, :admin_package,
+ :create_jira_connect_subscription]
 end
 subject { described_class.new(current_user, namespace) }
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index 06db2f6e243..22c3f6a6d67 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do
 let_it_be(:admin) { create(:admin) }
 let_it_be(:namespace) { create(:user_namespace, owner: owner) }
- let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :create_package_settings, :read_package_settings] }
+ let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package] }
 subject { described_class.new(current_user, namespace) }
diff --git a/spec/policies/timelog_policy_spec.rb b/spec/policies/timelog_policy_spec.rb
new file mode 100644
index 00000000000..97e61cfe5ce
--- /dev/null
+++ b/spec/policies/timelog_policy_spec.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe TimelogPolicy, models: true do
+ let_it_be(:author) { create(:user) }
+ let_it_be(:project) { create(:project, :public) }
+ let_it_be(:issue) { create(:issue, project: project) }
+ let_it_be(:timelog) { create(:timelog, user: author, issue: issue, time_spent: 1800)}
+
+ let(:user) { nil }
+ let(:policy) { described_class.new(user, timelog) }
+
+ describe '#rules' do
+ context 'when user is anonymus' do
+ it 'prevents adimistration of timelog' do
+ expect(policy).to be_disallowed(:admin_timelog)
+ end
+ end
+
+ context 'when user is the author of the timelog' do
+ let(:user) { author }
+
+ it 'allows adimistration of timelog' do
+ expect(policy).to be_allowed(:admin_timelog)
+ end
+ end
+
+ context 'when user is not the author of the timelog but maintainer of the project' do
+ let(:user) { create(:user) }
+
+ before do
+ project.add_maintainer(user)
+ end
+
+ it 'allows adimistration of timelog' do
+ expect(policy).to be_allowed(:admin_timelog)
+ end
+ end
+
+ context 'when user is not the timelog\'s author, not a maintainer but an administrator', :enable_admin_mode do
+ let(:user) { create(:user, :admin) }
+
+ it 'allows adimistration of timelog' do
+ expect(policy).to be_allowed(:admin_timelog)
+ end
+ end
+
+ context 'when user is not the author of the timelog nor a maintainer of the project nor an administrator' do
+ let(:user) { create(:user) }
+
+ it 'prevents adimistration of timelog' do
+ expect(policy).to be_disallowed(:admin_timelog)
+ end
+ end
+ end
+end
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index 08a22a95540..b19f7d2557d 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
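Review bot: The administrator case is covered only with `:enable_admin_mode`; there is no sibling context showing what `:admin_timelog` yields for an admin user without admin mode, so the spec does not pin that administrative override of another user's timelog is gated on admin mode (the surrounding contexts suggest it is, but nothing here asserts it). A complementary context for the non-admin-mode case, with the expectation confirmed against the policy, would close that gap. Separately, several descriptions are misspelled (`anonymus`, `adimistration`, which should read `anonymous` and `administration`) and `time_spent: 1800)}` lacks the space before `}` used on every other `let_it_be` line.
```ruby
# … unchanged: existing contexts under describe '#rules' …
context 'when user is an administrator without admin mode' do
  let(:user) { create(:user, :admin) }

  # TODO(review): confirm expectation — assumes admin rights on timelogs require admin mode
  it 'prevents administration of timelog' do
    expect(policy).to be_disallowed(:admin_timelog)
  end
end
```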
@@ -3,11 +3,13 @@ require 'spec_helper'
 RSpec.describe WorkItemPolicy do
- let_it_be(:project) { create(:project) }
- let_it_be(:public_project) { create(:project, :public) }
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project) { create(:project, group: group) }
+ let_it_be(:public_project) { create(:project, :public, group: group) }
 let_it_be(:guest) { create(:user).tap { |user| project.add_guest(user) } }
 let_it_be(:guest_author) { create(:user).tap { |user| project.add_guest(user) } }
 let_it_be(:reporter) { create(:user).tap { |user| project.add_reporter(user) } }
+ let_it_be(:group_reporter) { create(:user).tap { |user| group.add_reporter(user) } }
 let_it_be(:non_member_user) { create(:user) }
 let_it_be(:work_item) { create(:work_item, project: project) }
 let_it_be(:authored_work_item) { create(:work_item, project: project, author: guest_author) }
@@ -81,7 +83,9 @@ RSpec.describe WorkItemPolicy do
 let(:work_item_subject) { work_item }
 let(:current_user) { reporter }
- it { is_expected.to be_disallowed(:delete_work_item) }
+ context 'when the user is not the author of the work item' do
+ it { is_expected.to be_disallowed(:delete_work_item) }
+ end
 context 'when guest authored the work item' do
 let(:work_item_subject) { authored_work_item }
@@ -90,5 +94,35 @@ RSpec.describe WorkItemPolicy do
 it { is_expected.to be_allowed(:delete_work_item) }
 end
 end
+
+ context 'when user is member of the project\'s group' do
+ let(:current_user) { group_reporter }
+
+ context 'when the user is not the author of the work item' do
+ it { is_expected.to be_disallowed(:delete_work_item) }
+ end
+
+ context 'when user authored the work item' do
+ let(:work_item_subject) { create(:work_item, project: project, author: current_user) }
+
+ it { is_expected.to be_allowed(:delete_work_item) }
+ end
+ end
+
+ context 'when user is not a member of the project' do
+ let(:current_user) { non_member_user }
+
+ context 'when the user authored the work item' do
+ let(:work_item_subject) { create(:work_item, project: public_project, author: current_user) }
+
+ it { is_expected.to be_disallowed(:delete_work_item) }
+ end
+
+ context 'when the user is not the author of the work item' do
+ let(:work_item_subject) { public_work_item }
+
+ it { is_expected.to be_disallowed(:delete_work_item) }
+ end
+ end
 end
 end
|