Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/blob_policy_spec.rb | 1 | ||||
-rw-r--r-- | spec/policies/ci/runner_policy_spec.rb | 147 | ||||
-rw-r--r-- | spec/policies/concerns/crud_policy_helpers_spec.rb | 39 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 98 | ||||
-rw-r--r-- | spec/policies/issuable_policy_spec.rb | 24 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 7 | ||||
-rw-r--r-- | spec/policies/namespaces/user_namespace_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 127 | ||||
-rw-r--r-- | spec/policies/project_snippet_policy_spec.rb | 328 | ||||
-rw-r--r-- | spec/policies/wiki_page_policy_spec.rb | 45 |
10 files changed, 494 insertions, 324 deletions
diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb index 1be2318a0fe..c1df4e66677 100644 --- a/spec/policies/blob_policy_spec.rb +++ b/spec/policies/blob_policy_spec.rb @@ -5,6 +5,7 @@ require 'spec_helper' RSpec.describe BlobPolicy do include_context 'ProjectPolicyTable context' include ProjectHelpers + include UserHelpers let_it_be_with_reload(:project) { create(:project, :repository) } diff --git a/spec/policies/ci/runner_policy_spec.rb b/spec/policies/ci/runner_policy_spec.rb index 880ff0722fa..773d3d9a01d 100644 --- a/spec/policies/ci/runner_policy_spec.rb +++ b/spec/policies/ci/runner_policy_spec.rb 
@@ -6,42 +6,64 @@ RSpec.describe Ci::RunnerPolicy do describe 'ability :read_runner' do let_it_be(:guest) { create(:user) } let_it_be(:developer) { create(:user) } + let_it_be(:maintainer) { create(:user) } let_it_be(:owner) { create(:user) } - let_it_be(:group1) { create(:group, name: 'top-level', path: 'top-level') } - let_it_be(:subgroup1) { create(:group, name: 'subgroup1', path: 'subgroup1', parent: group1) } - let_it_be(:project1) { create(:project, group: subgroup1) } + let_it_be_with_reload(:group) { create(:group, name: 'top-level', path: 'top-level') } + let_it_be_with_reload(:subgroup) { create(:group, name: 'subgroup', path: 'subgroup', parent: group) } + let_it_be_with_reload(:project) { create(:project, group: subgroup) } + let_it_be(:instance_runner) { create(:ci_runner, :instance) } - let_it_be(:group1_runner) { create(:ci_runner, :group, groups: [group1]) } - let_it_be(:project1_runner) { create(:ci_runner, :project, projects: [project1]) } + let_it_be(:group_runner) { create(:ci_runner, :group, groups: [group]) } + let_it_be(:project_runner) { create(:ci_runner, :project, projects: [project]) } subject(:policy) { described_class.new(user, runner) } - before do - group1.add_guest(guest) - group1.add_developer(developer) - group1.add_owner(owner) + before_all do + group.add_guest(guest) + group.add_developer(developer) + group.add_maintainer(maintainer) + group.add_owner(owner) end - shared_context 'on hierarchy with shared runners disabled' do - around do |example| - group1.update!(shared_runners_enabled: false) - project1.update!(shared_runners_enabled: false) + shared_examples 'a policy allowing reading instance runner depending on runner sharing' do + context 'with instance runner' do + let(:runner) { instance_runner } + + it { expect_allowed :read_runner } + + context 'with shared runners disabled on projects' do + before do + project.update!(shared_runners_enabled: false) + end + + it { expect_allowed :read_runner } + end - example.run - 
ensure - project1.update!(shared_runners_enabled: true) - group1.update!(shared_runners_enabled: true) + context 'with shared runners disabled for groups and projects' do + before do + group.update!(shared_runners_enabled: false) + project.update!(shared_runners_enabled: false) + end + + it { expect_disallowed :read_runner } + end end end - shared_context 'on hierarchy with group runners disabled' do - around do |example| - project1.update!(group_runners_enabled: false) + shared_examples 'a policy allowing reading group runner depending on runner sharing' do + context 'with group runner' do + let(:runner) { group_runner } + + it { expect_allowed :read_runner } - example.run - ensure - project1.update!(group_runners_enabled: true) + context 'with sharing of group runners disabled' do + before do + project.update!(group_runners_enabled: false) + end + + it { expect_disallowed :read_runner } + end end end @@ -51,27 +73,32 @@ RSpec.describe Ci::RunnerPolicy do it { expect_disallowed :read_runner } - context 'with shared runners disabled' do - include_context 'on hierarchy with shared runners disabled' do - it { expect_disallowed :read_runner } + context 'with shared runners disabled for groups and projects' do + before do + group.update!(shared_runners_enabled: false) + project.update!(shared_runners_enabled: false) end + + it { expect_disallowed :read_runner } end end context 'with group runner' do - let(:runner) { group1_runner } + let(:runner) { group_runner } it { expect_disallowed :read_runner } - context 'with group runner disabled' do - include_context 'on hierarchy with group runners disabled' do - it { expect_disallowed :read_runner } + context 'with sharing of group runners disabled' do + before do + project.update!(group_runners_enabled: false) end + + it { expect_disallowed :read_runner } end end context 'with project runner' do - let(:runner) { project1_runner } + let(:runner) { project_runner } it { expect_disallowed :read_runner } end 
@@ -92,66 +119,52 @@ RSpec.describe Ci::RunnerPolicy do context 'with developer access' do let(:user) { developer } - context 'with instance runner' do - let(:runner) { instance_runner } + it_behaves_like 'a policy allowing reading instance runner depending on runner sharing' - it { expect_allowed :read_runner } + it_behaves_like 'a policy allowing reading group runner depending on runner sharing' - context 'with shared runners disabled' do - include_context 'on hierarchy with shared runners disabled' do - it { expect_disallowed :read_runner } - end - end + context 'with project runner' do + let(:runner) { project_runner } + + it { expect_disallowed :read_runner } end + end - context 'with group runner' do - let(:runner) { group1_runner } + context 'with maintainer access' do + let(:user) { maintainer } - it { expect_allowed :read_runner } + it_behaves_like 'a policy allowing reading instance runner depending on runner sharing' - context 'with group runner disabled' do - include_context 'on hierarchy with group runners disabled' do - it { expect_disallowed :read_runner } - end - end - end + it_behaves_like 'a policy allowing reading group runner depending on runner sharing' context 'with project runner' do - let(:runner) { project1_runner } + let(:runner) { project_runner } - it { expect_disallowed :read_runner } + it { expect_allowed :read_runner } end end context 'with owner access' do let(:user) { owner } - context 'with instance runner' do - let(:runner) { instance_runner } + it_behaves_like 'a policy allowing reading instance runner depending on runner sharing' - context 'with shared runners disabled' do - include_context 'on hierarchy with shared runners disabled' do - it { expect_disallowed :read_runner } - end - end + context 'with group runner' do + let(:runner) { group_runner } it { expect_allowed :read_runner } - end - context 'with group runner' do - let(:runner) { group1_runner } - - context 'with group runners disabled' do - include_context 'on 
hierarchy with group runners disabled' do - it { expect_allowed :read_runner } + context 'with sharing of group runners disabled' do + before do + project.update!(group_runners_enabled: false) end - end - it { expect_allowed :read_runner } + it { expect_allowed :read_runner } + end end context 'with project runner' do - let(:runner) { project1_runner } + let(:runner) { project_runner } it { expect_allowed :read_runner } end diff --git a/spec/policies/concerns/crud_policy_helpers_spec.rb b/spec/policies/concerns/crud_policy_helpers_spec.rb index 69bf9ad12d6..1e7b99178c3 100644 --- a/spec/policies/concerns/crud_policy_helpers_spec.rb +++ b/spec/policies/concerns/crud_policy_helpers_spec.rb @@ -17,34 +17,37 @@ RSpec.describe CrudPolicyHelpers do describe '.create_read_update_admin_destroy' do it 'returns an array of the appropriate abilites given a feature name' do - expect(PolicyTestClass.create_read_update_admin_destroy(feature_name)).to eq([ - :read_foo, - :create_foo, - :update_foo, - :admin_foo, - :destroy_foo - ]) + expect(PolicyTestClass.create_read_update_admin_destroy(feature_name)).to eq( + [ + :read_foo, + :create_foo, + :update_foo, + :admin_foo, + :destroy_foo + ]) end end describe '.create_update_admin_destroy' do it 'returns an array of the appropriate abilites given a feature name' do - expect(PolicyTestClass.create_update_admin_destroy(feature_name)).to eq([ - :create_foo, - :update_foo, - :admin_foo, - :destroy_foo - ]) + expect(PolicyTestClass.create_update_admin_destroy(feature_name)).to eq( + [ + :create_foo, + :update_foo, + :admin_foo, + :destroy_foo + ]) end end describe '.create_update_admin' do it 'returns an array of the appropriate abilites given a feature name' do - expect(PolicyTestClass.create_update_admin(feature_name)).to eq([ - :create_foo, - :update_foo, - :admin_foo - ]) + expect(PolicyTestClass.create_update_admin(feature_name)).to eq( + [ + :create_foo, + :update_foo, + :admin_foo + ]) end end end 
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index da0270c15b9..c65933c5208 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -1175,28 +1175,14 @@ RSpec.describe GroupPolicy do let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do - context 'with runner_registration_control FF disabled' do - before do - stub_feature_flags(runner_registration_control: false) - end - - it { is_expected.to be_allowed(:register_group_runners) } - end + it { is_expected.to be_allowed(:register_group_runners) } - context 'with runner_registration_control FF enabled' do + context 'with group runner registration disabled' do before do - stub_feature_flags(runner_registration_control: true) + stub_application_setting(valid_runner_registrars: ['project']) end it { is_expected.to be_allowed(:register_group_runners) } - - context 'with group runner registration disabled' do - before do - stub_application_setting(valid_runner_registrars: ['project']) - end - - it { is_expected.to be_allowed(:register_group_runners) } - end end end 
@@ -1210,28 +1196,12 @@ RSpec.describe GroupPolicy do it { is_expected.to be_allowed(:register_group_runners) } - context 'with runner_registration_control FF disabled' do - before do - stub_feature_flags(runner_registration_control: false) - end - - it { is_expected.to be_allowed(:register_group_runners) } - end - - context 'with runner_registration_control FF enabled' do + context 'with group runner registration disabled' do before do - stub_feature_flags(runner_registration_control: true) + stub_application_setting(valid_runner_registrars: ['project']) end - it { is_expected.to be_allowed(:register_group_runners) } - - context 'with group runner registration disabled' do - before do - stub_application_setting(valid_runner_registrars: ['project']) - end - - it { is_expected.to be_disallowed(:register_group_runners) } - end + it { is_expected.to be_disallowed(:register_group_runners) } end end 
@@ -1266,6 +1236,62 @@ RSpec.describe GroupPolicy do end end + describe 'read_group_all_available_runners' do + context 'admin' do + let(:current_user) { admin } + + context 'when admin mode is enabled', :enable_admin_mode do + specify { is_expected.to be_allowed(:read_group_all_available_runners) } + end + + context 'when admin mode is disabled' do + specify { is_expected.to be_disallowed(:read_group_all_available_runners) } + end + end + + context 'with owner' do + let(:current_user) { owner } + + specify { is_expected.to be_allowed(:read_group_all_available_runners) } + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + specify { is_expected.to be_allowed(:read_group_all_available_runners) } + end + + context 'with developer' do + let(:current_user) { developer } + + specify { is_expected.to be_allowed(:read_group_all_available_runners) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + specify { is_expected.to be_disallowed(:read_group_all_available_runners) } + end + + context 'with guest' do + let(:current_user) { guest } + + specify { is_expected.to be_disallowed(:read_group_all_available_runners) } + end + + context 'with non member' do + let(:current_user) { create(:user) } + + specify { is_expected.to be_disallowed(:read_group_all_available_runners) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + specify { is_expected.to be_disallowed(:read_group_all_available_runners) } + end + end + describe 'change_prevent_sharing_groups_outside_hierarchy' do context 'with owner' do let(:current_user) { owner } diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb index c02294571ff..2bedcf60539 100644 --- a/spec/policies/issuable_policy_spec.rb +++ b/spec/policies/issuable_policy_spec.rb 
@@ -31,8 +31,8 @@ RSpec.describe IssuablePolicy, models: true do expect(policies).to be_allowed(:resolve_note) end - it 'allows reading confidential notes' do - expect(policies).to be_allowed(:read_confidential_notes) + it 'allows reading internal notes' do + expect(policies).to be_allowed(:read_internal_note) end context 'when user is able to read project' do @@ -94,8 +94,8 @@ RSpec.describe IssuablePolicy, models: true do let(:issue) { create(:issue, project: project, assignees: [user]) } let(:policies) { described_class.new(user, issue) } - it 'allows reading confidential notes' do - expect(policies).to be_allowed(:read_confidential_notes) + it 'allows reading internal notes' do + expect(policies).to be_allowed(:read_internal_note) end end @@ -145,6 +145,10 @@ RSpec.describe IssuablePolicy, models: true do it 'does not allow timelogs creation' do expect(policies).to be_disallowed(:create_timelog) end + + it 'does not allow reading internal notes' do + expect(permissions(guest, issue)).to be_disallowed(:read_internal_note) + end end context 'when user is a guest member of the project' do @@ -152,8 +156,8 @@ RSpec.describe IssuablePolicy, models: true do expect(permissions(guest, issue)).to be_disallowed(:create_timelog) end - it 'does not allow reading confidential notes' do - expect(permissions(guest, issue)).to be_disallowed(:read_confidential_notes) + it 'does not allow reading internal notes' do + expect(permissions(guest, issue)).to be_disallowed(:read_internal_note) end end @@ -170,8 +174,8 @@ RSpec.describe IssuablePolicy, models: true do expect(permissions(reporter, issue)).to be_allowed(:create_timelog) end - it 'allows reading confidential notes' do - expect(permissions(reporter, issue)).to be_allowed(:read_confidential_notes) + it 'allows reading internal notes' do + expect(permissions(reporter, issue)).to be_allowed(:read_internal_note) end end 
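Review bot: In the `@@ -145,6 +145,10 @@` hunk the added example 'does not allow reading internal notes' asserts on `permissions(guest, issue)`, while the example directly above it in the same context asserts on `policies`. The following context, 'when user is a guest member of the project', already carries an identical `permissions(guest, issue)` check. If `guest` is the project's guest member (the setup is outside the hunk), the new example repeats that case and this context's own user is never checked for `:read_internal_note`. If the intent is to cover this context's user, write `expect(policies).to be_disallowed(:read_internal_note)`. The context header is outside the hunk, so confirm which user it describes.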
@@ -188,6 +192,7 @@ RSpec.describe IssuablePolicy, models: true do it 'does not allow :read_issuable' do expect(policy).not_to be_allowed(:read_issuable) + expect(policy).not_to be_allowed(:read_issuable_participables) end end @@ -196,6 +201,7 @@ RSpec.describe IssuablePolicy, models: true do it 'allows :read_issuable' do expect(policy).to be_allowed(:read_issuable) + expect(policy).to be_allowed(:read_issuable_participables) end end end @@ -213,6 +219,7 @@ RSpec.describe IssuablePolicy, models: true do it 'does not allow :read_issuable' do expect(policy).not_to be_allowed(:read_issuable) + expect(policy).not_to be_allowed(:read_issuable_participables) end end @@ -221,6 +228,7 @@ RSpec.describe IssuablePolicy, models: true do it 'allows :read_issuable' do expect(policy).to be_allowed(:read_issuable) + expect(policy).to be_allowed(:read_issuable_participables) end end end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index 4d492deb54c..c110ca705bd 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -6,6 +6,7 @@ RSpec.describe IssuePolicy do include_context 'ProjectPolicyTable context' include ExternalAuthorizationServiceHelpers include ProjectHelpers + include UserHelpers let(:guest) { create(:user) } let(:author) { create(:user) } @@ -84,7 +85,7 @@ RSpec.describe IssuePolicy do it 'allows guests to read issues' do expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_confidential) expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) 
@@ -92,10 +93,10 @@ RSpec.describe IssuePolicy do expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) end - it 'allows reporters to read, update, and admin issues' do + it 'allows reporters to read, update, admin and create confidential notes' do expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) - expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality) + expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_confidential) end it 'allows reporters from group links to read, update, and admin issues' do diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb index 22c3f6a6d67..42d27d0f3d6 100644 --- a/spec/policies/namespaces/user_namespace_policy_spec.rb +++ b/spec/policies/namespaces/user_namespace_policy_spec.rb @@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do let_it_be(:admin) { create(:admin) } let_it_be(:namespace) { create(:user_namespace, owner: owner) } - let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package] } + let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :read_billing, :edit_billing] } subject { described_class.new(current_user, namespace) } diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index fefd9f71408..40ee2e662b2 100644 --- a/spec/policies/project_policy_spec.rb 
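Review bot: `:mark_note_as_confidential` is asserted on different records for the two roles: the guest denial (hunk `@@ -84,7 +85,7 @@`) is checked on `issue` only, and the reporter grant in this hunk is checked on `new_issue` only. The renamed example 'allows reporters to read, update, admin and create confidential notes' therefore has no check on an existing issue, and the guest `issue_no_assignee` line still lists only the previous four disallowed abilities. Append `:mark_note_as_confidential` to the reporter `issue` and `issue_no_assignee` expectations and to the guest `issue_no_assignee` expectation, so the allow/deny boundary is pinned on the same records. Both examples begin outside their hunks.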
+++ b/spec/policies/project_policy_spec.rb @@ -103,6 +103,20 @@ RSpec.describe ProjectPolicy do end end + context 'when both issues and merge requests are disabled' do + let(:current_user) { owner } + + before do + project.issues_enabled = false + project.merge_requests_enabled = false + project.save! + end + + it 'does not include the issues permissions' do + expect_disallowed :read_cycle_analytics + end + end + context 'creating_merge_request_in' do context 'when the current_user can download_code' do before do @@ -465,15 +479,14 @@ RSpec.describe ProjectPolicy do end context 'owner access' do - let!(:owner_user) { create(:user) } - let!(:owner_of_different_thing) { create(:user) } - let(:stranger) { create(:user) } + let_it_be(:owner_user) { owner } + let_it_be(:owner_of_different_thing) { create(:user) } context 'personal project' do - let!(:project) { create(:project) } - let!(:project2) { create(:project) } + let_it_be(:project) { private_project } + let_it_be(:project2) { create(:project) } - before do + before_all do project.add_guest(guest) project.add_reporter(reporter) project.add_developer(developer) @@ -483,7 +496,7 @@ RSpec.describe ProjectPolicy do it 'allows owner access', :aggregate_failures do expect(described_class.new(owner_of_different_thing, project)).to be_disallowed(:owner_access) - expect(described_class.new(stranger, project)).to be_disallowed(:owner_access) + expect(described_class.new(non_member, project)).to be_disallowed(:owner_access) expect(described_class.new(guest, project)).to be_disallowed(:owner_access) expect(described_class.new(reporter, project)).to be_disallowed(:owner_access) expect(described_class.new(developer, project)).to be_disallowed(:owner_access) 
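Review bot: The example added in hunk `@@ -103,6 +103,20 @@` is described as 'does not include the issues permissions', but its only assertion is `expect_disallowed :read_cycle_analytics`. A failure report would point the reader at issue abilities rather than at the ability actually being checked. Rename it to match the assertion, e.g. `it 'does not include the cycle analytics permission' do`.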
@@ -493,12 +506,12 @@ RSpec.describe ProjectPolicy do end context 'group project' do - let(:group) { create(:group) } - let!(:group2) { create(:group) } - let!(:project) { create(:project, group: group) } + let_it_be(:project) { private_project_in_group } + let_it_be(:group2) { create(:group) } + let_it_be(:group) { project.group } context 'group members' do - before do + before_all do group.add_guest(guest) group.add_reporter(reporter) group.add_developer(developer) @@ -509,7 +522,7 @@ RSpec.describe ProjectPolicy do it 'allows owner access', :aggregate_failures do expect(described_class.new(owner_of_different_thing, project)).to be_disallowed(:owner_access) - expect(described_class.new(stranger, project)).to be_disallowed(:owner_access) + expect(described_class.new(non_member, project)).to be_disallowed(:owner_access) expect(described_class.new(guest, project)).to be_disallowed(:owner_access) expect(described_class.new(reporter, project)).to be_disallowed(:owner_access) expect(described_class.new(developer, project)).to be_disallowed(:owner_access) @@ -1692,7 +1705,7 @@ RSpec.describe ProjectPolicy do let_it_be(:project_with_analytics_private) { create(:project, :analytics_private) } let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) } - before do + before_all do project_with_analytics_disabled.add_guest(guest) project_with_analytics_private.add_guest(guest) project_with_analytics_enabled.add_guest(guest) @@ -2424,7 +2437,7 @@ RSpec.describe ProjectPolicy do before do current_user.set_ci_job_token_scope!(job) current_user.external = external_user - scope_project.update!(ci_job_token_scope_enabled: token_scope_enabled) + scope_project.update!(ci_outbound_job_token_scope_enabled: token_scope_enabled) end it "enforces the expected permissions" do 
@@ -2617,28 +2630,14 @@ RSpec.describe ProjectPolicy do let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do - context 'with runner_registration_control FF disabled' do - before do - stub_feature_flags(runner_registration_control: false) - end - - it { is_expected.to be_allowed(:register_project_runners) } - end + it { is_expected.to be_allowed(:register_project_runners) } - context 'with runner_registration_control FF enabled' do + context 'with project runner registration disabled' do before do - stub_feature_flags(runner_registration_control: true) + stub_application_setting(valid_runner_registrars: ['group']) end it { is_expected.to be_allowed(:register_project_runners) } - - context 'with project runner registration disabled' do - before do - stub_application_setting(valid_runner_registrars: ['group']) - end - - it { is_expected.to be_allowed(:register_project_runners) } - end end end @@ -2652,28 +2651,12 @@ RSpec.describe ProjectPolicy do it { is_expected.to be_allowed(:register_project_runners) } - context 'with runner_registration_control FF disabled' do - before do - stub_feature_flags(runner_registration_control: false) - end - - it { is_expected.to be_allowed(:register_project_runners) } - end - - context 'with runner_registration_control FF enabled' do + context 'with project runner registration disabled' do before do - stub_feature_flags(runner_registration_control: true) + stub_application_setting(valid_runner_registrars: ['group']) end - it { is_expected.to be_allowed(:register_project_runners) } - - context 'with project runner registration disabled' do - before do - stub_application_setting(valid_runner_registrars: ['group']) - end - - it { is_expected.to be_disallowed(:register_project_runners) } - end + it { is_expected.to be_disallowed(:register_project_runners) } end end 
@@ -2764,6 +2747,50 @@ RSpec.describe ProjectPolicy do end end + describe 'role_enables_download_code' do + using RSpec::Parameterized::TableSyntax + + context 'default roles' do + let(:current_user) { public_send(role) } + + context 'public project' do + let(:project) { public_project } + + where(:role, :allowed) do + :owner | true + :maintainer | true + :developer | true + :reporter | true + :guest | true + + with_them do + it do + expect(subject.can?(:download_code)).to be(allowed) + end + end + end + end + + context 'private project' do + let(:project) { private_project } + + where(:role, :allowed) do + :owner | true + :maintainer | true + :developer | true + :reporter | true + :guest | false + end + + with_them do + it do + expect(subject.can?(:download_code)).to be(allowed) + end + end + end + end + end + private def project_subject(project_type) diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb index 8b96aa99f69..c6d8ef05cfd 100644 --- a/spec/policies/project_snippet_policy_spec.rb +++ b/spec/policies/project_snippet_policy_spec.rb 
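Review bot: In the 'public project' context of `role_enables_download_code`, `with_them` sits inside the `where(:role, :allowed) do` block: the `end` that should close `where` after `:guest | true` is missing and only appears after the `with_them` block. The 'private project' context below closes `where` first and then calls `with_them` at example-group level. As written, the public-project table probably generates no examples, so the five public rows would be reported green without the `download_code` check ever running. Close the table before the examples, i.e. `:guest | true` followed by `end`, then `with_them do` as a sibling of `where`.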
@@ -2,29 +2,28 @@ require 'spec_helper' -# Snippet visibility scenarios are included in more details in spec/support/snippet_visibility.rb +# Snippet visibility scenarios are included in more details in spec/finders/snippets_finder_spec.rb RSpec.describe ProjectSnippetPolicy do + let_it_be(:group) { create(:group, :public) } let_it_be(:regular_user) { create(:user) } - let_it_be(:other_user) { create(:user) } let_it_be(:external_user) { create(:user, :external) } - let_it_be(:project) { create(:project, :public) } - - let(:snippet) { create(:project_snippet, snippet_visibility, project: project, author: author) } - let(:author) { other_user } - let(:author_permissions) do + let_it_be(:author) { create(:user) } + let_it_be(:author_permissions) do [ :update_snippet, :admin_snippet ] end + let(:snippet) { build(:project_snippet, snippet_visibility, project: project, author: author) } + subject { described_class.new(current_user, snippet) } - shared_examples 'regular user access rights' do + shared_examples 'regular user member permissions' do context 'not snippet author' do - context 'project team member (non guest)' do + context 'member (guest)' do before do - project.add_developer(current_user) + membership_target.add_guest(current_user) end it do 
@@ -33,25 +32,35 @@ RSpec.describe ProjectSnippetPolicy do end end - context 'project team member (guest)' do + context 'member (reporter)' do before do - project.add_guest(current_user) + membership_target.add_reporter(current_user) end it do expect_allowed(:read_snippet, :create_note) - expect_disallowed(:admin_snippet) + expect_disallowed(*author_permissions) end end - context 'project team member (maintainer)' do + context 'member (developer)' do before do - project.add_maintainer(current_user) + membership_target.add_developer(current_user) end it do expect_allowed(:read_snippet, :create_note) - expect_allowed(*author_permissions) + expect_disallowed(*author_permissions) + end + end + + context 'member (maintainer)' do + before do + membership_target.add_maintainer(current_user) + end + + it do + expect_allowed(:read_snippet, :create_note, *author_permissions) end end end 
@@ -59,196 +68,263 @@ RSpec.describe ProjectSnippetPolicy do context 'snippet author' do let(:author) { current_user } - context 'project member (non guest)' do + context 'member (guest)' do before do - project.add_developer(current_user) + membership_target.add_guest(current_user) end it do - expect_allowed(:read_snippet, :create_note) - expect_allowed(*author_permissions) + expect_allowed(:read_snippet, :create_note, :update_snippet) + expect_disallowed(:admin_snippet) end end - context 'project member (guest)' do + context 'member (reporter)' do before do - project.add_guest(current_user) + membership_target.add_reporter(current_user) end it do - expect_allowed(:read_snippet, :create_note) - expect_disallowed(:admin_snippet) + expect_allowed(:read_snippet, :create_note, *author_permissions) end end - context 'project team member (maintainer)' do + context 'member (developer)' do before do - project.add_maintainer(current_user) + membership_target.add_developer(current_user) end it do - expect_allowed(:read_snippet, :create_note) - expect_allowed(*author_permissions) + expect_allowed(:read_snippet, :create_note, *author_permissions) end end - context 'not a project member' do + context 'member (maintainer)' do + before do + membership_target.add_maintainer(current_user) + end + it do - expect_allowed(:read_snippet, :create_note) - expect_disallowed(:admin_snippet) + expect_allowed(:read_snippet, :create_note, *author_permissions) end end end end - context 'public snippet' do - let(:snippet_visibility) { :public } - - context 'no user' do - let(:current_user) { nil } + shared_examples 'regular user non-member author permissions' do + let(:author) { current_user } - it do - expect_allowed(:read_snippet) - expect_disallowed(*author_permissions) - end + it do + expect_allowed(:read_snippet, :create_note, :update_snippet) + expect_disallowed(:admin_snippet) end + end - context 'regular user' do - let(:current_user) { regular_user } - - it do - 
expect_allowed(:read_snippet, :create_note) - expect_disallowed(*author_permissions) - end + context 'when project is public' do + let_it_be(:project) { create(:project, :public, group: group) } - it_behaves_like 'regular user access rights' - end + context 'with public snippet' do + let(:snippet_visibility) { :public } - context 'external user' do - let(:current_user) { external_user } + context 'no user' do + let(:current_user) { nil } - it do - expect_allowed(:read_snippet, :create_note) - expect_disallowed(*author_permissions) + it do + expect_allowed(:read_snippet) + expect_disallowed(*author_permissions) + end end - context 'project team member' do - before do - project.add_developer(external_user) + context 'regular user' do + let(:current_user) { regular_user } + let(:membership_target) { project } + + context 'when user is not a member' do + context 'and is not the snippet author' do + it do + expect_allowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end + end + + context 'and is the snippet author' do + it_behaves_like 'regular user non-member author permissions' + end end + context 'when user is a member' do + it_behaves_like 'regular user member permissions' + end + end + + context 'external user' do + let(:current_user) { external_user } + it do expect_allowed(:read_snippet, :create_note) expect_disallowed(*author_permissions) end - end - end - end - - context 'internal snippet' do - let(:snippet_visibility) { :internal } - context 'no user' do - let(:current_user) { nil } + context 'when user is a member' do + before do + project.add_developer(external_user) + end - it do - expect_disallowed(:read_snippet) - expect_disallowed(*author_permissions) + it do + expect_allowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end + end end end - context 'regular user' do - let(:current_user) { regular_user } + context 'with internal snippet' do + let(:snippet_visibility) { :internal } - it do - 
expect_allowed(:read_snippet, :create_note) - expect_disallowed(*author_permissions) - end + context 'no user' do + let(:current_user) { nil } - it_behaves_like 'regular user access rights' - end + it do + expect_disallowed(:read_snippet) + expect_disallowed(*author_permissions) + end + end - context 'external user' do - let(:current_user) { external_user } + context 'regular user' do + let(:current_user) { regular_user } + let(:membership_target) { project } + + context 'when user is not a member' do + context 'and is not the snippet author' do + it do + expect_allowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end + end + + context 'and is the snippet author' do + it_behaves_like 'regular user non-member author permissions' + end + end - it do - expect_disallowed(:read_snippet, :create_note) - expect_disallowed(*author_permissions) + context 'when user is a member' do + it_behaves_like 'regular user member permissions' + end end - context 'project team member' do - before do - project.add_developer(external_user) - end + context 'external user' do + let(:current_user) { external_user } it do - expect_allowed(:read_snippet, :create_note) + expect_disallowed(:read_snippet, :create_note) expect_disallowed(*author_permissions) end + + context 'when user is a member' do + before do + project.add_developer(external_user) + end + + it do + expect_allowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end + end end end - end - context 'private snippet' do - let(:snippet_visibility) { :private } + context 'with private snippet' do + let(:snippet_visibility) { :private } - context 'no user' do - let(:current_user) { nil } + context 'no user' do + let(:current_user) { nil } - it do - expect_disallowed(:read_snippet) - expect_disallowed(*author_permissions) + it do + expect_disallowed(:read_snippet) + expect_disallowed(*author_permissions) + end end - end - context 'regular user' do - let(:current_user) { regular_user } + 
context 'regular user' do + let(:current_user) { regular_user } + let(:membership_target) { project } + + context 'when user is not a member' do + context 'and is not the snippet author' do + it do + expect_disallowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end + end + + context 'and is the snippet author' do + it_behaves_like 'regular user non-member author permissions' + end + end - it do - expect_disallowed(:read_snippet, :create_note) - expect_disallowed(*author_permissions) + context 'when user is a member' do + it_behaves_like 'regular user member permissions' + end end - it_behaves_like 'regular user access rights' - end - - context 'external user' do - let(:current_user) { external_user } + context 'inherited user' do + let(:current_user) { regular_user } + let(:membership_target) { group } - it do - expect_disallowed(:read_snippet, :create_note) - expect_disallowed(*author_permissions) + it_behaves_like 'regular user member permissions' end - context 'project team member' do - before do - project.add_developer(current_user) - end + context 'external user' do + let(:current_user) { external_user } it do - expect_allowed(:read_snippet, :create_note) + expect_disallowed(:read_snippet, :create_note) expect_disallowed(*author_permissions) end - end - end - context 'admin user' do - let(:snippet_visibility) { :private } - let(:current_user) { create(:admin) } + context 'when user is a member' do + before do + project.add_developer(current_user) + end - context 'when admin mode is enabled', :enable_admin_mode do - it do - expect_allowed(:read_snippet, :create_note) - expect_allowed(*author_permissions) + it do + expect_allowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end end end - context 'when admin mode is disabled' do - it do - expect_disallowed(:read_snippet, :create_note) - expect_disallowed(*author_permissions) + context 'admin user' do + let(:snippet_visibility) { :private } + 
let(:current_user) { create(:admin) } + + context 'when admin mode is enabled', :enable_admin_mode do + it do + expect_allowed(:read_snippet, :create_note) + expect_allowed(*author_permissions) + end + end + + context 'when admin mode is disabled' do + it do + expect_disallowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end end end end end + + context 'when project is private' do + let_it_be(:project) { create(:project, :private, group: group) } + + let(:snippet_visibility) { :private } + + context 'inherited user' do + let(:current_user) { regular_user } + let(:membership_target) { group } + + it_behaves_like 'regular user member permissions' + end + end end diff --git a/spec/policies/wiki_page_policy_spec.rb b/spec/policies/wiki_page_policy_spec.rb index a2fa7f29135..2712026035c 100644 --- a/spec/policies/wiki_page_policy_spec.rb +++ b/spec/policies/wiki_page_policy_spec.rb 
@@ -5,28 +5,43 @@ require 'spec_helper' RSpec.describe WikiPagePolicy do include_context 'ProjectPolicyTable context' include ProjectHelpers + include UserHelpers using RSpec::Parameterized::TableSyntax - let(:project) { create(:project, :wiki_repo, project_level) } - let(:user) { create_user_from_membership(project, membership) } - let(:wiki_page) { create(:wiki_page, wiki: project.wiki) } + let(:group) { build(:group, :public) } + let(:project) { build(:project, :wiki_repo, project_level, group: group) } + let(:wiki_page) { build(:wiki_page, container: project) } - subject(:policy) { described_class.new(user, wiki_page) } + shared_context 'with :read_wiki_page policy' do + subject(:policy) { described_class.new(user, wiki_page) } - where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do - permission_table_for_guest_feature_access - end + where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do + permission_table_for_guest_feature_access + end - with_them do - it "grants permission" do - enable_admin_mode!(user) if admin_mode - update_feature_access_level(project, feature_access_level) + with_them do + it 'grants the expected permissions' do + enable_admin_mode!(user) if admin_mode + update_feature_access_level(project, feature_access_level) - if expected_count == 1 - expect(policy).to be_allowed(:read_wiki_page) - else - expect(policy).to be_disallowed(:read_wiki_page) + if expected_count == 1 + expect(policy).to be_allowed(:read_wiki_page) + else + expect(policy).to be_disallowed(:read_wiki_page) + end end end end + + context 'when user is a direct project member' do + let(:user) { build_user_from_membership(project, membership) } + + include_context 'with :read_wiki_page policy' + end + + context 'when user is an inherited member from the group' do + let(:user) { build_user_from_membership(group, membership) } + + include_context 'with :read_wiki_page policy' + end end |
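Review bot: `shared_context 'with :read_wiki_page policy'` holds the `where`/`with_them` examples themselves rather than setup, so `shared_examples` pulled in with `it_behaves_like` would be the conventional form, and it matches how the snippet policy spec in this commit reuses `'regular user member permissions'`. The proposed lines are `shared_examples 'a policy for :read_wiki_page' do` and, in each of the two membership contexts, `it_behaves_like 'a policy for :read_wiki_page'`. The `else` branch treats every `expected_count` other than 1 as a deny, and the table behind `permission_table_for_guest_feature_access` is defined outside this hunk, so a comment such as `# expected_count: 1 when :read_wiki_page is granted; any other value is asserted as denied` above the `if` would document that contract for this authorization spec.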