Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/blob_policy_spec.rb | 7 | ||||
-rw-r--r-- | spec/policies/group_member_policy_spec.rb | 18 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 186 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 4 |
4 files changed, 144 insertions, 71 deletions
diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb
index daabcd844af..2b0465f3615 100644
--- a/spec/policies/blob_policy_spec.rb
+++ b/spec/policies/blob_policy_spec.rb
@@ -5,9 +5,9 @@ require 'spec_helper'
 RSpec.describe BlobPolicy do
 include_context 'ProjectPolicyTable context'
 include ProjectHelpers
-using RSpec::Parameterized::TableSyntax
-let(:project) { create(:project, :repository, project_level) }
+let_it_be_with_reload(:project) { create(:project, :repository) }
+let(:user) { create_user_from_membership(project, membership) }
 let(:blob) { project.repository.blob_at(SeedRepo::FirstCommit::ID, 'README.md') }
@@ -18,8 +18,9 @@ RSpec.describe BlobPolicy do
 end
 with_them do
-it "grants permission" do
+it 'grants permission' do
 enable_admin_mode!(user) if admin_mode
+project.update!(visibility_level: Gitlab::VisibilityLevel.level_value(project_level.to_s))
 update_feature_access_level(project, feature_access_level)
 if expected_count == 1
diff --git a/spec/policies/group_member_policy_spec.rb b/spec/policies/group_member_policy_spec.rb
index d283b0ffda5..50774313aae 100644
--- a/spec/policies/group_member_policy_spec.rb
+++ b/spec/policies/group_member_policy_spec.rb
@@ -83,6 +83,23 @@ RSpec.describe GroupMemberPolicy do
 specify { expect_allowed(:read_group) }
 end
+context 'with bot user' do
+let(:current_user) { create(:user, :project_bot) }
+
+before do
+group.add_owner(current_user)
+end
+
+specify { expect_allowed(:read_group, :destroy_project_bot_member) }
+end
+
+context 'with anonymous bot user' do
+let(:current_user) { create(:user, :project_bot) }
+let(:membership) { guest.members.first }
+
+specify { expect_disallowed(:read_group, :destroy_project_bot_member) }
+end
+
 context 'with one owner' do
 let(:current_user) { owner }
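Review bot: The added `project.update!(visibility_level: …)` in the `with_them` block mutates a project that is shared across every parameterized row via `let_it_be_with_reload`, and nothing in the hunk says what reverts it between examples. A one-line comment would make that dependency explicit, e.g. `# project is a shared let_it_be fixture; the per-example transaction reverts this visibility change`. The call also passes `project_level.to_s`, so `Gitlab::VisibilityLevel.level_value` presumably wants the string form of the table's `project_level` rather than the symbol — worth stating next to the table if that is not obvious. The `it 'grants permission'` block continues past the end of the hunk.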
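Review bot: The context name 'with anonymous bot user' does not describe its setup: `current_user` is a created project bot, not `nil`, and the only difference from the 'with bot user' context above is that this bot is never added to the group. Naming it `context 'with bot user who is not a member' do` states the case actually exercised (a non-member bot is denied both `:read_group` and `:destroy_project_bot_member`). The `membership` override `guest.members.first` relies on a `guest` helper defined outside the hunk, so which member record the policy is evaluated against is not visible here.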
@@ -106,6 +123,7 @@ RSpec.describe GroupMemberPolicy do
 end
 specify { expect_allowed(*member_related_permissions) }
+specify { expect_disallowed(:destroy_project_bot_member) }
 end
 context 'with the group parent' do
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 7822ee2b92e..2607e285a80 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -6,15 +6,11 @@ RSpec.describe GroupPolicy do
 include_context 'GroupPolicy context'
 context 'public group with no user' do
-let(:group) { create(:group, :public) }
+let(:group) { create(:group, :public, :crm_enabled) }
 let(:current_user) { nil }
 it do
-expect_allowed(:read_group)
-expect_allowed(:read_crm_organization)
-expect_allowed(:read_crm_contact)
-expect_allowed(:read_counts)
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_disallowed(:upload_file)
 expect_disallowed(*reporter_permissions)
 expect_disallowed(*developer_permissions)
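Review bot: `public_permissions` replaces the explicit `read_crm_organization`, `read_crm_contact` and `read_counts` expectations, but it is defined in the 'GroupPolicy context' shared context, which is outside this diff (the diffstat is limited to spec/policies), so a reader of this file can no longer see which abilities the public-group case asserts. The `:crm_enabled` trait added on the same `let` suggests the list includes the CRM read abilities and that a group without the trait would fail; a comment on that line, e.g. `# :crm_enabled is required because public_permissions includes the CRM read abilities`, would keep the coupling visible. The hunks from @@ -62 onward make the same substitution and inherit the same dependency.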
@@ -24,34 +20,49 @@ RSpec.describe GroupPolicy do
 end
 end
-context 'with no user and public project' do
-let(:project) { create(:project, :public) }
+context 'public group with user who is not a member' do
+let(:group) { create(:group, :public, :crm_enabled) }
+let(:current_user) { create(:user) }
+
+it do
+expect_allowed(*public_permissions)
+expect_disallowed(:upload_file)
+expect_disallowed(*reporter_permissions)
+expect_disallowed(*developer_permissions)
+expect_disallowed(*maintainer_permissions)
+expect_disallowed(*owner_permissions)
+expect_disallowed(:read_namespace)
+end
+end
+
+context 'private group that has been invited to a public project and with no user' do
+let(:project) { create(:project, :public, group: create(:group, :crm_enabled)) }
 let(:current_user) { nil }
 before do
 create(:project_group_link, project: project, group: group)
 end
-it { expect_disallowed(:read_group) }
-it { expect_disallowed(:read_crm_organization) }
-it { expect_disallowed(:read_crm_contact) }
-it { expect_disallowed(:read_counts) }
-it { expect_disallowed(*read_group_permissions) }
+it do
+expect_disallowed(*public_permissions)
+expect_disallowed(*reporter_permissions)
+expect_disallowed(*owner_permissions)
+end
 end
-context 'with foreign user and public project' do
-let(:project) { create(:project, :public) }
+context 'private group that has been invited to a public project and with a foreign user' do
+let(:project) { create(:project, :public, group: create(:group, :crm_enabled)) }
 let(:current_user) { create(:user) }
 before do
 create(:project_group_link, project: project, group: group)
 end
-it { expect_disallowed(:read_group) }
-it { expect_disallowed(:read_crm_organization) }
-it { expect_disallowed(:read_crm_contact) }
-it { expect_disallowed(:read_counts) }
-it { expect_disallowed(*read_group_permissions) }
+it do
+expect_disallowed(*public_permissions)
+expect_disallowed(*reporter_permissions)
+expect_disallowed(*owner_permissions)
+end
 end
 context 'has projects' do
@@ -62,13 +73,13 @@ RSpec.describe GroupPolicy do
 project.add_developer(current_user)
 end
-it { expect_allowed(*read_group_permissions) }
+it { expect_allowed(*(public_permissions - [:read_counts])) }
 context 'in subgroups' do
-let(:subgroup) { create(:group, :private, parent: group) }
+let(:subgroup) { create(:group, :private, :crm_enabled, parent: group) }
 let(:project) { create(:project, namespace: subgroup) }
-it { expect_allowed(*read_group_permissions) }
+it { expect_allowed(*(public_permissions - [:read_counts])) }
 end
 end
@@ -81,7 +92,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { deploy_token }
 it do
-expect_disallowed(*read_group_permissions)
+expect_disallowed(*public_permissions)
 expect_disallowed(*guest_permissions)
 expect_disallowed(*reporter_permissions)
 expect_disallowed(*developer_permissions)
@@ -94,7 +105,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { guest }
 it do
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_disallowed(*reporter_permissions)
 expect_disallowed(*developer_permissions)
@@ -111,7 +122,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { reporter }
 it do
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_disallowed(*developer_permissions)
@@ -128,7 +139,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { developer }
 it do
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_allowed(*developer_permissions)
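Review bot: In the @@ -62 hunk the expression `public_permissions - [:read_counts]` is spelled out twice (the group case and the 'in subgroups' case) with no explanation of why a developer of a member project is not expected to get `read_counts` on the group. Factoring it into one named `let`, e.g. `let(:project_member_permissions) { public_permissions - [:read_counts] }`, with a one-line comment on the exclusion, keeps both examples in step when the shared list changes again. The enclosing `context 'has projects'` starts before this hunk.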
@@ -156,7 +167,7 @@ RSpec.describe GroupPolicy do
 updated_owner_permissions = owner_permissions - create_subgroup_permission
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_allowed(*developer_permissions)
@@ -167,7 +178,7 @@ RSpec.describe GroupPolicy do
 context 'with subgroup_creation_level set to owner' do
 it 'allows every maintainer permission' do
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_allowed(*developer_permissions)
@@ -185,7 +196,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { owner }
 it do
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_allowed(*developer_permissions)
@@ -202,7 +213,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { admin }
 specify do
-expect_disallowed(*read_group_permissions)
+expect_disallowed(*public_permissions)
 expect_disallowed(*guest_permissions)
 expect_disallowed(*reporter_permissions)
 expect_disallowed(*developer_permissions)
@@ -212,7 +223,7 @@ RSpec.describe GroupPolicy do
 context 'with admin mode', :enable_admin_mode do
 specify do
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_allowed(*developer_permissions)
@@ -233,7 +244,7 @@ RSpec.describe GroupPolicy do
 describe 'private nested group use the highest access level from the group and inherited permissions' do
 let_it_be(:nested_group) do
-create(:group, :private, :owner_subgroup_creation_only, parent: group)
+create(:group, :private, :owner_subgroup_creation_only, :crm_enabled, parent: group)
 end
 before_all do
@@ -254,8 +265,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { nil }
 it do
-expect_disallowed(:read_counts)
-expect_disallowed(*read_group_permissions)
+expect_disallowed(*public_permissions)
 expect_disallowed(*guest_permissions)
 expect_disallowed(*reporter_permissions)
 expect_disallowed(*developer_permissions)
@@ -268,8 +278,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { guest }
 it do
-expect_allowed(:read_counts)
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_disallowed(*reporter_permissions)
 expect_disallowed(*developer_permissions)
@@ -282,8 +291,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { reporter }
 it do
-expect_allowed(:read_counts)
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_disallowed(*developer_permissions)
@@ -296,8 +304,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { developer }
 it do
-expect_allowed(:read_counts)
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_allowed(*developer_permissions)
@@ -310,8 +317,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { maintainer }
 it do
-expect_allowed(:read_counts)
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_allowed(*developer_permissions)
@@ -324,8 +330,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { owner }
 it do
-expect_allowed(:read_counts)
-expect_allowed(*read_group_permissions)
+expect_allowed(*public_permissions)
 expect_allowed(*guest_permissions)
 expect_allowed(*reporter_permissions)
 expect_allowed(*developer_permissions)
@@ -340,7 +345,7 @@ RSpec.describe GroupPolicy do
 let(:current_user) { owner }
 context 'when the group share_with_group_lock is enabled' do
-let(:group) { create(:group, share_with_group_lock: true, parent: parent) }
+let(:group) { create(:group, :crm_enabled, share_with_group_lock: true, parent: parent) }
 before do
 group.add_owner(owner)
@@ -348,10 +353,10 @@ RSpec.describe GroupPolicy do
 context 'when the parent group share_with_group_lock is enabled' do
 context 'when the group has a grandparent' do
-let(:parent) { create(:group, share_with_group_lock: true, parent: grandparent) }
+let(:parent) { create(:group, :crm_enabled, share_with_group_lock: true, parent: grandparent) }
 context 'when the grandparent share_with_group_lock is enabled' do
-let(:grandparent) { create(:group, share_with_group_lock: true) }
+let(:grandparent) { create(:group, :crm_enabled, share_with_group_lock: true) }
 context 'when the current_user owns the parent' do
 before do
@@ -377,7 +382,7 @@ RSpec.describe GroupPolicy do
 end
 context 'when the grandparent share_with_group_lock is disabled' do
-let(:grandparent) { create(:group) }
+let(:grandparent) { create(:group, :crm_enabled) }
 context 'when the current_user owns the parent' do
 before do
@@ -394,7 +399,7 @@ RSpec.describe GroupPolicy do
 end
 context 'when the group does not have a grandparent' do
-let(:parent) { create(:group, share_with_group_lock: true) }
+let(:parent) { create(:group, :crm_enabled, share_with_group_lock: true) }
 context 'when the current_user owns the parent' do
 before do
@@ -411,7 +416,7 @@ RSpec.describe GroupPolicy do
 end
 context 'when the parent group share_with_group_lock is disabled' do
-let(:parent) { create(:group) }
+let(:parent) { create(:group, :crm_enabled) }
 it { expect_allowed(:change_share_with_group_lock) }
 end
@@ -696,7 +701,7 @@ RSpec.describe GroupPolicy do
 end
 it_behaves_like 'clusterable policies' do
-let(:clusterable) { create(:group) }
+let(:clusterable) { create(:group, :crm_enabled) }
 let(:cluster) do
 create(:cluster, :provided_by_gcp,
@@ -706,7 +711,7 @@ RSpec.describe GroupPolicy do
 end
 describe 'update_max_artifacts_size' do
-let(:group) { create(:group, :public) }
+let(:group) { create(:group, :public, :crm_enabled) }
 context 'when no user' do
 let(:current_user) { nil }
@@ -736,7 +741,7 @@ RSpec.describe GroupPolicy do
 end
 describe 'design activity' do
-let_it_be(:group) { create(:group, :public) }
+let_it_be(:group) { create(:group, :public, :crm_enabled) }
 let(:current_user) { nil }
@@ -904,7 +909,6 @@ RSpec.describe GroupPolicy do
 context 'feature enabled' do
 before do
 stub_config(dependency_proxy: { enabled: true })
-group.create_dependency_proxy_setting!(enabled: true)
 end
 context 'reporter' do
@@ -933,8 +937,6 @@ RSpec.describe GroupPolicy do
 it { is_expected.to be_allowed(:read_package) }
 it { is_expected.to be_allowed(:read_group) }
-it { is_expected.to be_allowed(:read_crm_organization) }
-it { is_expected.to be_allowed(:read_crm_contact) }
 it { is_expected.to be_disallowed(:create_package) }
 end
@@ -944,8 +946,6 @@ RSpec.describe GroupPolicy do
 it { is_expected.to be_allowed(:create_package) }
 it { is_expected.to be_allowed(:read_package) }
 it { is_expected.to be_allowed(:read_group) }
-it { is_expected.to be_allowed(:read_crm_organization) }
-it { is_expected.to be_allowed(:read_crm_contact) }
 it { is_expected.to be_disallowed(:destroy_package) }
 end
@@ -954,7 +954,6 @@ RSpec.describe GroupPolicy do
 before do
 stub_config(dependency_proxy: { enabled: true })
-group.create_dependency_proxy_setting!(enabled: true)
 end
 it { is_expected.to be_allowed(:read_dependency_proxy) }
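Review bot: Removing `group.create_dependency_proxy_setting!(enabled: true)` from the `before` block at @@ -904 (and again at @@ -954) leaves these examples relying on whatever a group's dependency proxy setting is when none is created explicitly, and nothing in the hunk shows that default. If the config stub alone is meant to be sufficient, a short comment such as `# no explicit dependency_proxy_setting: the examples rely on the group default` would record that, since the `read_dependency_proxy` expectation below now changes meaning if a factory or model default changes. The `context 'feature enabled'` and the later `before` both belong to contexts that start outside the hunk.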
@@ -965,7 +964,7 @@ RSpec.describe GroupPolicy do
 it_behaves_like 'Self-managed Core resource access tokens'
 context 'support bot' do
-let_it_be(:group) { create(:group, :private) }
+let_it_be(:group) { create(:group, :private, :crm_enabled) }
 let_it_be(:current_user) { User.support_bot }
 before do
@@ -975,7 +974,7 @@ RSpec.describe GroupPolicy do
 it { expect_disallowed(:read_label) }
 context 'when group hierarchy has a project with service desk enabled' do
-let_it_be(:subgroup) { create(:group, :private, parent: group)}
+let_it_be(:subgroup) { create(:group, :private, :crm_enabled, parent: group) }
 let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) }
 it { expect_allowed(:read_label) }
@@ -983,6 +982,49 @@ RSpec.describe GroupPolicy do
 end
 end
+context "project bots" do
+let(:project_bot) { create(:user, :project_bot) }
+let(:user) { create(:user) }
+
+context "project_bot_access" do
+context "when regular user and part of the group" do
+let(:current_user) { user }
+
+before do
+group.add_developer(user)
+end
+
+it { is_expected.not_to be_allowed(:project_bot_access) }
+end
+
+context "when project bot and not part of the project" do
+let(:current_user) { project_bot }
+
+it { is_expected.not_to be_allowed(:project_bot_access) }
+end
+
+context "when project bot and part of the project" do
+let(:current_user) { project_bot }
+
+before do
+group.add_developer(project_bot)
+end
+
+it { is_expected.to be_allowed(:project_bot_access) }
+end
+end
+
+context 'with resource access tokens' do
+let(:current_user) { project_bot }
+
+before do
+group.add_maintainer(project_bot)
+end
+
+it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+end
+end
+
 describe 'update_runners_registration_token' do
 context 'admin' do
 let(:current_user) { admin }
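Review bot: The new 'project bots' block in the @@ -983 hunk mixes double-quoted and single-quoted descriptions (`context "project bots"` next to `context 'with resource access tokens'`) while the rest of this file uses single quotes, and two descriptions say "part of the project" although the fixture adds the bot to a group (`group.add_developer(project_bot)`). Renaming them `context 'when project bot and not part of the group' do` and `context 'when project bot and part of the group' do`, and switching the block to single quotes, would match both the file's convention and what is actually set up. The 'with resource access tokens' example covers only a maintainer bot; a one-line comment on why that access level was chosen would make the negative expectation easier to review.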
@@ -1083,9 +1125,7 @@ RSpec.describe GroupPolicy do
 context 'with maintainer' do
 let(:current_user) { maintainer }
-it { is_expected.to be_allowed(:register_group_runners) }
-
-it_behaves_like 'expected outcome based on runner registration control'
+it { is_expected.to be_disallowed(:register_group_runners) }
 end
 context 'with reporter' do
@@ -1113,7 +1153,7 @@ RSpec.describe GroupPolicy do
 end
 end
-context 'with customer_relations feature flag disabled' do
+context 'with customer relations feature flag disabled' do
 let(:current_user) { owner }
 before do
@@ -1125,4 +1165,18 @@ RSpec.describe GroupPolicy do
 it { is_expected.to be_disallowed(:admin_crm_contact) }
 it { is_expected.to be_disallowed(:admin_crm_organization) }
 end
+
+context 'when crm_enabled is false' do
+let(:current_user) { owner }
+
+before_all do
+group.crm_settings.enabled = false
+group.crm_settings.save!
+end
+
+it { is_expected.to be_disallowed(:read_crm_contact) }
+it { is_expected.to be_disallowed(:read_crm_organization) }
+it { is_expected.to be_disallowed(:admin_crm_contact) }
+it { is_expected.to be_disallowed(:admin_crm_organization) }
+end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 2953c198af6..38e4e18c894 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -61,7 +61,7 @@ RSpec.describe ProjectPolicy do
 end
 it 'does not include the issues permissions' do
-expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident
+expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task
 end
 it 'disables boards and lists permissions' do
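Review bot: The maintainer case now asserts a flat `be_disallowed(:register_group_runners)` and drops `it_behaves_like 'expected outcome based on runner registration control'`, so maintainers are no longer exercised under the runner-registration control settings that the shared example covers for the other roles. If maintainers are meant to be denied regardless of that setting, say so next to the expectation, e.g. `# maintainers are denied independently of the runner registration control setting`; otherwise the shared example should stay alongside the negative expectation so a future relaxation is caught. The enclosing `describe` starts before this hunk.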
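Review bot: In 'when crm_enabled is false' the `before_all` block assigns `group.crm_settings.enabled = false` and then calls `save!` on the same record, which collapses to one line, `group.crm_settings.update!(enabled: false)`. `before_all` also only works when `group` is a `let_it_be` fixture and it persists the change for every example in the context, neither of which the hunk shows; if `group` comes from the shared context as a plain `let`, this needs to be a `before`. The four expectations duplicate the 'with customer relations feature flag disabled' context above, so a one-line comment distinguishing the feature-flag path from the per-group setting would help readers see why both exist.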
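Review bot: The `expect_disallowed` line in the project_policy hunk now runs well past 120 characters, and the same ability list is repeated verbatim in the next hunk at @@ -73. Extracting it once, e.g. `let(:issue_permissions) { %i[read_issue read_issue_iid create_issue update_issue admin_issue create_incident create_work_item create_task] }`, and asserting `expect_disallowed(*issue_permissions)` in both examples keeps them in step when the next work-item ability is added. Both `it` blocks sit inside contexts that start outside their hunks.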
@@ -73,7 +73,7 @@ RSpec.describe ProjectPolicy do
 it 'does not include the issues permissions' do
 create(:jira_integration, project: project)
-expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident
+expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task
 end
 end
 end
|