Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/blob_policy_spec.rb1
-rw-r--r--spec/policies/ci/runner_policy_spec.rb147
-rw-r--r--spec/policies/concerns/crud_policy_helpers_spec.rb39
-rw-r--r--spec/policies/group_policy_spec.rb98
-rw-r--r--spec/policies/issuable_policy_spec.rb24
-rw-r--r--spec/policies/issue_policy_spec.rb7
-rw-r--r--spec/policies/namespaces/user_namespace_policy_spec.rb2
-rw-r--r--spec/policies/project_policy_spec.rb127
-rw-r--r--spec/policies/project_snippet_policy_spec.rb328
-rw-r--r--spec/policies/wiki_page_policy_spec.rb45
10 files changed, 494 insertions, 324 deletions
diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb
index 1be2318a0fe..c1df4e66677 100644
--- a/spec/policies/blob_policy_spec.rb
+++ b/spec/policies/blob_policy_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
RSpec.describe BlobPolicy do
include_context 'ProjectPolicyTable context'
include ProjectHelpers
+ include UserHelpers
let_it_be_with_reload(:project) { create(:project, :repository) }
diff --git a/spec/policies/ci/runner_policy_spec.rb b/spec/policies/ci/runner_policy_spec.rb
index 880ff0722fa..773d3d9a01d 100644
--- a/spec/policies/ci/runner_policy_spec.rb
+++ b/spec/policies/ci/runner_policy_spec.rb
@@ -6,42 +6,64 @@ RSpec.describe Ci::RunnerPolicy do
describe 'ability :read_runner' do
let_it_be(:guest) { create(:user) }
let_it_be(:developer) { create(:user) }
+ let_it_be(:maintainer) { create(:user) }
let_it_be(:owner) { create(:user) }
- let_it_be(:group1) { create(:group, name: 'top-level', path: 'top-level') }
- let_it_be(:subgroup1) { create(:group, name: 'subgroup1', path: 'subgroup1', parent: group1) }
- let_it_be(:project1) { create(:project, group: subgroup1) }
+ let_it_be_with_reload(:group) { create(:group, name: 'top-level', path: 'top-level') }
+ let_it_be_with_reload(:subgroup) { create(:group, name: 'subgroup', path: 'subgroup', parent: group) }
+ let_it_be_with_reload(:project) { create(:project, group: subgroup) }
+
let_it_be(:instance_runner) { create(:ci_runner, :instance) }
- let_it_be(:group1_runner) { create(:ci_runner, :group, groups: [group1]) }
- let_it_be(:project1_runner) { create(:ci_runner, :project, projects: [project1]) }
+ let_it_be(:group_runner) { create(:ci_runner, :group, groups: [group]) }
+ let_it_be(:project_runner) { create(:ci_runner, :project, projects: [project]) }
subject(:policy) { described_class.new(user, runner) }
- before do
- group1.add_guest(guest)
- group1.add_developer(developer)
- group1.add_owner(owner)
+ before_all do
+ group.add_guest(guest)
+ group.add_developer(developer)
+ group.add_maintainer(maintainer)
+ group.add_owner(owner)
end
- shared_context 'on hierarchy with shared runners disabled' do
- around do |example|
- group1.update!(shared_runners_enabled: false)
- project1.update!(shared_runners_enabled: false)
+ shared_examples 'a policy allowing reading instance runner depending on runner sharing' do
+ context 'with instance runner' do
+ let(:runner) { instance_runner }
+
+ it { expect_allowed :read_runner }
+
+ context 'with shared runners disabled on projects' do
+ before do
+ project.update!(shared_runners_enabled: false)
+ end
+
+ it { expect_allowed :read_runner }
+ end
- example.run
- ensure
- project1.update!(shared_runners_enabled: true)
- group1.update!(shared_runners_enabled: true)
+ context 'with shared runners disabled for groups and projects' do
+ before do
+ group.update!(shared_runners_enabled: false)
+ project.update!(shared_runners_enabled: false)
+ end
+
+ it { expect_disallowed :read_runner }
+ end
end
end
- shared_context 'on hierarchy with group runners disabled' do
- around do |example|
- project1.update!(group_runners_enabled: false)
+ shared_examples 'a policy allowing reading group runner depending on runner sharing' do
+ context 'with group runner' do
+ let(:runner) { group_runner }
+
+ it { expect_allowed :read_runner }
- example.run
- ensure
- project1.update!(group_runners_enabled: true)
+ context 'with sharing of group runners disabled' do
+ before do
+ project.update!(group_runners_enabled: false)
+ end
+
+ it { expect_disallowed :read_runner }
+ end
end
end
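Review bot: The `'with shared runners disabled on projects'` context in the instance-runner shared examples expects `:read_runner` to stay allowed after `project.update!(shared_runners_enabled: false)`, and nothing in the spec says why. A short comment above that context would help, e.g. `# Only the project opts out; the group still has shared runners enabled, so the instance runner stays readable`. That reasoning is inferred from the neighbouring 'groups and projects' context, so confirm it against Ci::RunnerPolicy before committing the wording. The enclosing `describe 'ability :read_runner'` continues beyond this hunk.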
@@ -51,27 +73,32 @@ RSpec.describe Ci::RunnerPolicy do
it { expect_disallowed :read_runner }
- context 'with shared runners disabled' do
- include_context 'on hierarchy with shared runners disabled' do
- it { expect_disallowed :read_runner }
+ context 'with shared runners disabled for groups and projects' do
+ before do
+ group.update!(shared_runners_enabled: false)
+ project.update!(shared_runners_enabled: false)
end
+
+ it { expect_disallowed :read_runner }
end
end
context 'with group runner' do
- let(:runner) { group1_runner }
+ let(:runner) { group_runner }
it { expect_disallowed :read_runner }
- context 'with group runner disabled' do
- include_context 'on hierarchy with group runners disabled' do
- it { expect_disallowed :read_runner }
+ context 'with sharing of group runners disabled' do
+ before do
+ project.update!(group_runners_enabled: false)
end
+
+ it { expect_disallowed :read_runner }
end
end
context 'with project runner' do
- let(:runner) { project1_runner }
+ let(:runner) { project_runner }
it { expect_disallowed :read_runner }
end
@@ -92,66 +119,52 @@ RSpec.describe Ci::RunnerPolicy do
context 'with developer access' do
let(:user) { developer }
- context 'with instance runner' do
- let(:runner) { instance_runner }
+ it_behaves_like 'a policy allowing reading instance runner depending on runner sharing'
- it { expect_allowed :read_runner }
+ it_behaves_like 'a policy allowing reading group runner depending on runner sharing'
- context 'with shared runners disabled' do
- include_context 'on hierarchy with shared runners disabled' do
- it { expect_disallowed :read_runner }
- end
- end
+ context 'with project runner' do
+ let(:runner) { project_runner }
+
+ it { expect_disallowed :read_runner }
end
+ end
- context 'with group runner' do
- let(:runner) { group1_runner }
+ context 'with maintainer access' do
+ let(:user) { maintainer }
- it { expect_allowed :read_runner }
+ it_behaves_like 'a policy allowing reading instance runner depending on runner sharing'
- context 'with group runner disabled' do
- include_context 'on hierarchy with group runners disabled' do
- it { expect_disallowed :read_runner }
- end
- end
- end
+ it_behaves_like 'a policy allowing reading group runner depending on runner sharing'
context 'with project runner' do
- let(:runner) { project1_runner }
+ let(:runner) { project_runner }
- it { expect_disallowed :read_runner }
+ it { expect_allowed :read_runner }
end
end
context 'with owner access' do
let(:user) { owner }
- context 'with instance runner' do
- let(:runner) { instance_runner }
+ it_behaves_like 'a policy allowing reading instance runner depending on runner sharing'
- context 'with shared runners disabled' do
- include_context 'on hierarchy with shared runners disabled' do
- it { expect_disallowed :read_runner }
- end
- end
+ context 'with group runner' do
+ let(:runner) { group_runner }
it { expect_allowed :read_runner }
- end
- context 'with group runner' do
- let(:runner) { group1_runner }
-
- context 'with group runners disabled' do
- include_context 'on hierarchy with group runners disabled' do
- it { expect_allowed :read_runner }
+ context 'with sharing of group runners disabled' do
+ before do
+ project.update!(group_runners_enabled: false)
end
- end
- it { expect_allowed :read_runner }
+ it { expect_allowed :read_runner }
+ end
end
context 'with project runner' do
- let(:runner) { project1_runner }
+ let(:runner) { project_runner }
it { expect_allowed :read_runner }
end
diff --git a/spec/policies/concerns/crud_policy_helpers_spec.rb b/spec/policies/concerns/crud_policy_helpers_spec.rb
index 69bf9ad12d6..1e7b99178c3 100644
--- a/spec/policies/concerns/crud_policy_helpers_spec.rb
+++ b/spec/policies/concerns/crud_policy_helpers_spec.rb
@@ -17,34 +17,37 @@ RSpec.describe CrudPolicyHelpers do
describe '.create_read_update_admin_destroy' do
it 'returns an array of the appropriate abilites given a feature name' do
- expect(PolicyTestClass.create_read_update_admin_destroy(feature_name)).to eq([
- :read_foo,
- :create_foo,
- :update_foo,
- :admin_foo,
- :destroy_foo
- ])
+ expect(PolicyTestClass.create_read_update_admin_destroy(feature_name)).to eq(
+ [
+ :read_foo,
+ :create_foo,
+ :update_foo,
+ :admin_foo,
+ :destroy_foo
+ ])
end
end
describe '.create_update_admin_destroy' do
it 'returns an array of the appropriate abilites given a feature name' do
- expect(PolicyTestClass.create_update_admin_destroy(feature_name)).to eq([
- :create_foo,
- :update_foo,
- :admin_foo,
- :destroy_foo
- ])
+ expect(PolicyTestClass.create_update_admin_destroy(feature_name)).to eq(
+ [
+ :create_foo,
+ :update_foo,
+ :admin_foo,
+ :destroy_foo
+ ])
end
end
describe '.create_update_admin' do
it 'returns an array of the appropriate abilites given a feature name' do
- expect(PolicyTestClass.create_update_admin(feature_name)).to eq([
- :create_foo,
- :update_foo,
- :admin_foo
- ])
+ expect(PolicyTestClass.create_update_admin(feature_name)).to eq(
+ [
+ :create_foo,
+ :update_foo,
+ :admin_foo
+ ])
end
end
end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index da0270c15b9..c65933c5208 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1175,28 +1175,14 @@ RSpec.describe GroupPolicy do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
- context 'with runner_registration_control FF disabled' do
- before do
- stub_feature_flags(runner_registration_control: false)
- end
-
- it { is_expected.to be_allowed(:register_group_runners) }
- end
+ it { is_expected.to be_allowed(:register_group_runners) }
- context 'with runner_registration_control FF enabled' do
+ context 'with group runner registration disabled' do
before do
- stub_feature_flags(runner_registration_control: true)
+ stub_application_setting(valid_runner_registrars: ['project'])
end
it { is_expected.to be_allowed(:register_group_runners) }
-
- context 'with group runner registration disabled' do
- before do
- stub_application_setting(valid_runner_registrars: ['project'])
- end
-
- it { is_expected.to be_allowed(:register_group_runners) }
- end
end
end
@@ -1210,28 +1196,12 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_allowed(:register_group_runners) }
- context 'with runner_registration_control FF disabled' do
- before do
- stub_feature_flags(runner_registration_control: false)
- end
-
- it { is_expected.to be_allowed(:register_group_runners) }
- end
-
- context 'with runner_registration_control FF enabled' do
+ context 'with group runner registration disabled' do
before do
- stub_feature_flags(runner_registration_control: true)
+ stub_application_setting(valid_runner_registrars: ['project'])
end
- it { is_expected.to be_allowed(:register_group_runners) }
-
- context 'with group runner registration disabled' do
- before do
- stub_application_setting(valid_runner_registrars: ['project'])
- end
-
- it { is_expected.to be_disallowed(:register_group_runners) }
- end
+ it { is_expected.to be_disallowed(:register_group_runners) }
end
end
@@ -1266,6 +1236,62 @@ RSpec.describe GroupPolicy do
end
end
+ describe 'read_group_all_available_runners' do
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ specify { is_expected.to be_allowed(:read_group_all_available_runners) }
+ end
+
+ context 'when admin mode is disabled' do
+ specify { is_expected.to be_disallowed(:read_group_all_available_runners) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ specify { is_expected.to be_allowed(:read_group_all_available_runners) }
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ specify { is_expected.to be_allowed(:read_group_all_available_runners) }
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ specify { is_expected.to be_allowed(:read_group_all_available_runners) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ specify { is_expected.to be_disallowed(:read_group_all_available_runners) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ specify { is_expected.to be_disallowed(:read_group_all_available_runners) }
+ end
+
+ context 'with non member' do
+ let(:current_user) { create(:user) }
+
+ specify { is_expected.to be_disallowed(:read_group_all_available_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ specify { is_expected.to be_disallowed(:read_group_all_available_runners) }
+ end
+ end
+
describe 'change_prevent_sharing_groups_outside_hierarchy' do
context 'with owner' do
let(:current_user) { owner }
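Review bot: The new `read_group_all_available_runners` block spells out eight near-identical contexts, and the first is named `'admin'` while the rest use the `'with <role>'` form. The `role_enables_download_code` spec added to project_policy_spec.rb in this same commit uses `RSpec::Parameterized::TableSyntax` with a `where(:role, :allowed)` table; the same shape here would make the allow/deny boundary between developer and reporter readable at a glance. At minimum, rename the first context to `context 'with admin' do`. The `'with non member'` case also calls `create(:user)` per example; if the file already provides a shared non-member user, reuse it.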
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index c02294571ff..2bedcf60539 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -31,8 +31,8 @@ RSpec.describe IssuablePolicy, models: true do
expect(policies).to be_allowed(:resolve_note)
end
- it 'allows reading confidential notes' do
- expect(policies).to be_allowed(:read_confidential_notes)
+ it 'allows reading internal notes' do
+ expect(policies).to be_allowed(:read_internal_note)
end
context 'when user is able to read project' do
@@ -94,8 +94,8 @@ RSpec.describe IssuablePolicy, models: true do
let(:issue) { create(:issue, project: project, assignees: [user]) }
let(:policies) { described_class.new(user, issue) }
- it 'allows reading confidential notes' do
- expect(policies).to be_allowed(:read_confidential_notes)
+ it 'allows reading internal notes' do
+ expect(policies).to be_allowed(:read_internal_note)
end
end
@@ -145,6 +145,10 @@ RSpec.describe IssuablePolicy, models: true do
it 'does not allow timelogs creation' do
expect(policies).to be_disallowed(:create_timelog)
end
+
+ it 'does not allow reading internal notes' do
+ expect(permissions(guest, issue)).to be_disallowed(:read_internal_note)
+ end
end
context 'when user is a guest member of the project' do
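Review bot: The example added at the end of this context checks `permissions(guest, issue)`, while the sibling example just above it in the same context checks `policies`. The next hunk's 'when user is a guest member of the project' context already asserts the identical `permissions(guest, issue)` expectation. If this context is meant to cover a user other than the guest member (its opening line is outside the hunk), the new example does not exercise that user, and the denial of `:read_internal_note` for them is left unverified. Consider `expect(policies).to be_disallowed(:read_internal_note)` to match the sibling example.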
@@ -152,8 +156,8 @@ RSpec.describe IssuablePolicy, models: true do
expect(permissions(guest, issue)).to be_disallowed(:create_timelog)
end
- it 'does not allow reading confidential notes' do
- expect(permissions(guest, issue)).to be_disallowed(:read_confidential_notes)
+ it 'does not allow reading internal notes' do
+ expect(permissions(guest, issue)).to be_disallowed(:read_internal_note)
end
end
@@ -170,8 +174,8 @@ RSpec.describe IssuablePolicy, models: true do
expect(permissions(reporter, issue)).to be_allowed(:create_timelog)
end
- it 'allows reading confidential notes' do
- expect(permissions(reporter, issue)).to be_allowed(:read_confidential_notes)
+ it 'allows reading internal notes' do
+ expect(permissions(reporter, issue)).to be_allowed(:read_internal_note)
end
end
@@ -188,6 +192,7 @@ RSpec.describe IssuablePolicy, models: true do
it 'does not allow :read_issuable' do
expect(policy).not_to be_allowed(:read_issuable)
+ expect(policy).not_to be_allowed(:read_issuable_participables)
end
end
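Review bot: The expectation for `:read_issuable_participables` is added to an example still titled 'does not allow :read_issuable', so a failure report will not name the ability that broke. Unless `:aggregate_failures` is enabled at a level outside the hunk, the new line is also never evaluated when the first expectation fails. The same applies to the three following hunks (the 'allows :read_issuable' example and the second deny/allow pair). Either tag the examples, e.g. `it 'does not allow :read_issuable', :aggregate_failures do`, or give the new ability its own example.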
@@ -196,6 +201,7 @@ RSpec.describe IssuablePolicy, models: true do
it 'allows :read_issuable' do
expect(policy).to be_allowed(:read_issuable)
+ expect(policy).to be_allowed(:read_issuable_participables)
end
end
end
@@ -213,6 +219,7 @@ RSpec.describe IssuablePolicy, models: true do
it 'does not allow :read_issuable' do
expect(policy).not_to be_allowed(:read_issuable)
+ expect(policy).not_to be_allowed(:read_issuable_participables)
end
end
@@ -221,6 +228,7 @@ RSpec.describe IssuablePolicy, models: true do
it 'allows :read_issuable' do
expect(policy).to be_allowed(:read_issuable)
+ expect(policy).to be_allowed(:read_issuable_participables)
end
end
end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 4d492deb54c..c110ca705bd 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -6,6 +6,7 @@ RSpec.describe IssuePolicy do
include_context 'ProjectPolicyTable context'
include ExternalAuthorizationServiceHelpers
include ProjectHelpers
+ include UserHelpers
let(:guest) { create(:user) }
let(:author) { create(:user) }
@@ -84,7 +85,7 @@ RSpec.describe IssuePolicy do
it 'allows guests to read issues' do
expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid)
- expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_confidential)
expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
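Review bot: `:mark_note_as_confidential` is asserted as disallowed for the guest only on `issue`; the matching `issue_no_assignee` line at the end of this hunk was left without it. In the next hunk the reporter's allow is asserted only on `new_issue`, not on `issue` or `issue_no_assignee`, so the deny and the allow are never checked against the same object and a rule that depends on the issue's state could satisfy both. Add the ability to the remaining lists, e.g. `be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_confidential)` for `issue_no_assignee`. The renamed example title in the next hunk ('... admin and create confidential notes') also no longer matches the 'internal notes' wording that issuable_policy_spec.rb adopts in this commit.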
@@ -92,10 +93,10 @@ RSpec.describe IssuePolicy do
expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
end
- it 'allows reporters to read, update, and admin issues' do
+ it 'allows reporters to read, update, admin and create confidential notes' do
expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_confidential)
end
it 'allows reporters from group links to read, update, and admin issues' do
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index 22c3f6a6d67..42d27d0f3d6 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do
let_it_be(:admin) { create(:admin) }
let_it_be(:namespace) { create(:user_namespace, owner: owner) }
- let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package] }
+ let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :read_billing, :edit_billing] }
subject { described_class.new(current_user, namespace) }
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index fefd9f71408..40ee2e662b2 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -103,6 +103,20 @@ RSpec.describe ProjectPolicy do
end
end
+ context 'when both issues and merge requests are disabled' do
+ let(:current_user) { owner }
+
+ before do
+ project.issues_enabled = false
+ project.merge_requests_enabled = false
+ project.save!
+ end
+
+ it 'does not include the issues permissions' do
+ expect_disallowed :read_cycle_analytics
+ end
+ end
+
context 'creating_merge_request_in' do
context 'when the current_user can download_code' do
before do
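Review bot: The example title 'does not include the issues permissions' does not match what is asserted, which is only `expect_disallowed :read_cycle_analytics`. Rename it to something like `it 'does not allow reading cycle analytics' do`. The context exercises `owner` only; as the strongest role that is a reasonable single probe, but a one-line comment such as `# owner is the most privileged role, so a denial here implies denial for lower roles` would make the intent explicit, provided that implication holds for this policy.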
@@ -465,15 +479,14 @@ RSpec.describe ProjectPolicy do
end
context 'owner access' do
- let!(:owner_user) { create(:user) }
- let!(:owner_of_different_thing) { create(:user) }
- let(:stranger) { create(:user) }
+ let_it_be(:owner_user) { owner }
+ let_it_be(:owner_of_different_thing) { create(:user) }
context 'personal project' do
- let!(:project) { create(:project) }
- let!(:project2) { create(:project) }
+ let_it_be(:project) { private_project }
+ let_it_be(:project2) { create(:project) }
- before do
+ before_all do
project.add_guest(guest)
project.add_reporter(reporter)
project.add_developer(developer)
@@ -483,7 +496,7 @@ RSpec.describe ProjectPolicy do
it 'allows owner access', :aggregate_failures do
expect(described_class.new(owner_of_different_thing, project)).to be_disallowed(:owner_access)
- expect(described_class.new(stranger, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(non_member, project)).to be_disallowed(:owner_access)
expect(described_class.new(guest, project)).to be_disallowed(:owner_access)
expect(described_class.new(reporter, project)).to be_disallowed(:owner_access)
expect(described_class.new(developer, project)).to be_disallowed(:owner_access)
@@ -493,12 +506,12 @@ RSpec.describe ProjectPolicy do
end
context 'group project' do
- let(:group) { create(:group) }
- let!(:group2) { create(:group) }
- let!(:project) { create(:project, group: group) }
+ let_it_be(:project) { private_project_in_group }
+ let_it_be(:group2) { create(:group) }
+ let_it_be(:group) { project.group }
context 'group members' do
- before do
+ before_all do
group.add_guest(guest)
group.add_reporter(reporter)
group.add_developer(developer)
@@ -509,7 +522,7 @@ RSpec.describe ProjectPolicy do
it 'allows owner access', :aggregate_failures do
expect(described_class.new(owner_of_different_thing, project)).to be_disallowed(:owner_access)
- expect(described_class.new(stranger, project)).to be_disallowed(:owner_access)
+ expect(described_class.new(non_member, project)).to be_disallowed(:owner_access)
expect(described_class.new(guest, project)).to be_disallowed(:owner_access)
expect(described_class.new(reporter, project)).to be_disallowed(:owner_access)
expect(described_class.new(developer, project)).to be_disallowed(:owner_access)
@@ -1692,7 +1705,7 @@ RSpec.describe ProjectPolicy do
let_it_be(:project_with_analytics_private) { create(:project, :analytics_private) }
let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) }
- before do
+ before_all do
project_with_analytics_disabled.add_guest(guest)
project_with_analytics_private.add_guest(guest)
project_with_analytics_enabled.add_guest(guest)
@@ -2424,7 +2437,7 @@ RSpec.describe ProjectPolicy do
before do
current_user.set_ci_job_token_scope!(job)
current_user.external = external_user
- scope_project.update!(ci_job_token_scope_enabled: token_scope_enabled)
+ scope_project.update!(ci_outbound_job_token_scope_enabled: token_scope_enabled)
end
it "enforces the expected permissions" do
@@ -2617,28 +2630,14 @@ RSpec.describe ProjectPolicy do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
- context 'with runner_registration_control FF disabled' do
- before do
- stub_feature_flags(runner_registration_control: false)
- end
-
- it { is_expected.to be_allowed(:register_project_runners) }
- end
+ it { is_expected.to be_allowed(:register_project_runners) }
- context 'with runner_registration_control FF enabled' do
+ context 'with project runner registration disabled' do
before do
- stub_feature_flags(runner_registration_control: true)
+ stub_application_setting(valid_runner_registrars: ['group'])
end
it { is_expected.to be_allowed(:register_project_runners) }
-
- context 'with project runner registration disabled' do
- before do
- stub_application_setting(valid_runner_registrars: ['group'])
- end
-
- it { is_expected.to be_allowed(:register_project_runners) }
- end
end
end
@@ -2652,28 +2651,12 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:register_project_runners) }
- context 'with runner_registration_control FF disabled' do
- before do
- stub_feature_flags(runner_registration_control: false)
- end
-
- it { is_expected.to be_allowed(:register_project_runners) }
- end
-
- context 'with runner_registration_control FF enabled' do
+ context 'with project runner registration disabled' do
before do
- stub_feature_flags(runner_registration_control: true)
+ stub_application_setting(valid_runner_registrars: ['group'])
end
- it { is_expected.to be_allowed(:register_project_runners) }
-
- context 'with project runner registration disabled' do
- before do
- stub_application_setting(valid_runner_registrars: ['group'])
- end
-
- it { is_expected.to be_disallowed(:register_project_runners) }
- end
+ it { is_expected.to be_disallowed(:register_project_runners) }
end
end
@@ -2764,6 +2747,50 @@ RSpec.describe ProjectPolicy do
end
end
+ describe 'role_enables_download_code' do
+ using RSpec::Parameterized::TableSyntax
+
+ context 'default roles' do
+ let(:current_user) { public_send(role) }
+
+ context 'public project' do
+ let(:project) { public_project }
+
+ where(:role, :allowed) do
+ :owner | true
+ :maintainer | true
+ :developer | true
+ :reporter | true
+ :guest | true
+
+ with_them do
+ it do
+ expect(subject.can?(:download_code)).to be(allowed)
+ end
+ end
+ end
+ end
+
+ context 'private project' do
+ let(:project) { private_project }
+
+ where(:role, :allowed) do
+ :owner | true
+ :maintainer | true
+ :developer | true
+ :reporter | true
+ :guest | false
+ end
+
+ with_them do
+ it do
+ expect(subject.can?(:download_code)).to be(allowed)
+ end
+ end
+ end
+ end
+ end
+
private
def project_subject(project_type)
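Review bot: In the 'public project' context the `where(:role, :allowed) do` block is not closed before `with_them do`: the table rows are followed by a blank line and then `with_them`, and the extra `end` comes after it, whereas the 'private project' context closes `where` with `end` first. With `with_them` nested inside the `where` block, the public-project rows are probably not run as parameterized examples, so the `download_code` expectations for public projects may be silently unverified. Move the `end` up so the block reads `:guest | true`, `end`, blank line, `with_them do`, matching the private-project context. The bare `it do` examples would also benefit from a description such as `it 'matches the expected download_code permission' do`.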
diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb
index 8b96aa99f69..c6d8ef05cfd 100644
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
@@ -2,29 +2,28 @@
require 'spec_helper'
-# Snippet visibility scenarios are included in more details in spec/support/snippet_visibility.rb
+# Snippet visibility scenarios are included in more details in spec/finders/snippets_finder_spec.rb
RSpec.describe ProjectSnippetPolicy do
+ let_it_be(:group) { create(:group, :public) }
let_it_be(:regular_user) { create(:user) }
- let_it_be(:other_user) { create(:user) }
let_it_be(:external_user) { create(:user, :external) }
- let_it_be(:project) { create(:project, :public) }
-
- let(:snippet) { create(:project_snippet, snippet_visibility, project: project, author: author) }
- let(:author) { other_user }
- let(:author_permissions) do
+ let_it_be(:author) { create(:user) }
+ let_it_be(:author_permissions) do
[
:update_snippet,
:admin_snippet
]
end
+ let(:snippet) { build(:project_snippet, snippet_visibility, project: project, author: author) }
+
subject { described_class.new(current_user, snippet) }
- shared_examples 'regular user access rights' do
+ shared_examples 'regular user member permissions' do
context 'not snippet author' do
- context 'project team member (non guest)' do
+ context 'member (guest)' do
before do
- project.add_developer(current_user)
+ membership_target.add_guest(current_user)
end
it do
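Review bot: The shared examples renamed to 'regular user member permissions' now call `membership_target.add_guest(current_user)`, and the `snippet` let builds against `project`, but the top-level `let_it_be(:project)` was removed, so every including context has to supply both. Add a comment above `shared_examples` stating that, e.g. `# Including contexts must define project, membership_target, current_user and snippet_visibility`. Separately, `let_it_be(:author_permissions)` wraps a plain array of symbols; `let_it_be` is meant for records that are expensive to create, and a plain `let` or a frozen constant would be clearer. The shared examples continue past this hunk.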
@@ -33,25 +32,35 @@ RSpec.describe ProjectSnippetPolicy do
end
end
- context 'project team member (guest)' do
+ context 'member (reporter)' do
before do
- project.add_guest(current_user)
+ membership_target.add_reporter(current_user)
end
it do
expect_allowed(:read_snippet, :create_note)
- expect_disallowed(:admin_snippet)
+ expect_disallowed(*author_permissions)
end
end
- context 'project team member (maintainer)' do
+ context 'member (developer)' do
before do
- project.add_maintainer(current_user)
+ membership_target.add_developer(current_user)
end
it do
expect_allowed(:read_snippet, :create_note)
- expect_allowed(*author_permissions)
+ expect_disallowed(*author_permissions)
+ end
+ end
+
+ context 'member (maintainer)' do
+ before do
+ membership_target.add_maintainer(current_user)
+ end
+
+ it do
+ expect_allowed(:read_snippet, :create_note, *author_permissions)
end
end
end
@@ -59,196 +68,263 @@ RSpec.describe ProjectSnippetPolicy do
context 'snippet author' do
let(:author) { current_user }
- context 'project member (non guest)' do
+ context 'member (guest)' do
before do
- project.add_developer(current_user)
+ membership_target.add_guest(current_user)
end
it do
- expect_allowed(:read_snippet, :create_note)
- expect_allowed(*author_permissions)
+ expect_allowed(:read_snippet, :create_note, :update_snippet)
+ expect_disallowed(:admin_snippet)
end
end
- context 'project member (guest)' do
+ context 'member (reporter)' do
before do
- project.add_guest(current_user)
+ membership_target.add_reporter(current_user)
end
it do
- expect_allowed(:read_snippet, :create_note)
- expect_disallowed(:admin_snippet)
+ expect_allowed(:read_snippet, :create_note, *author_permissions)
end
end
- context 'project team member (maintainer)' do
+ context 'member (developer)' do
before do
- project.add_maintainer(current_user)
+ membership_target.add_developer(current_user)
end
it do
- expect_allowed(:read_snippet, :create_note)
- expect_allowed(*author_permissions)
+ expect_allowed(:read_snippet, :create_note, *author_permissions)
end
end
- context 'not a project member' do
+ context 'member (maintainer)' do
+ before do
+ membership_target.add_maintainer(current_user)
+ end
+
it do
- expect_allowed(:read_snippet, :create_note)
- expect_disallowed(:admin_snippet)
+ expect_allowed(:read_snippet, :create_note, *author_permissions)
end
end
end
end
- context 'public snippet' do
- let(:snippet_visibility) { :public }
-
- context 'no user' do
- let(:current_user) { nil }
+ shared_examples 'regular user non-member author permissions' do
+ let(:author) { current_user }
- it do
- expect_allowed(:read_snippet)
- expect_disallowed(*author_permissions)
- end
+ it do
+ expect_allowed(:read_snippet, :create_note, :update_snippet)
+ expect_disallowed(:admin_snippet)
end
+ end
- context 'regular user' do
- let(:current_user) { regular_user }
-
- it do
- expect_allowed(:read_snippet, :create_note)
- expect_disallowed(*author_permissions)
- end
+ context 'when project is public' do
+ let_it_be(:project) { create(:project, :public, group: group) }
- it_behaves_like 'regular user access rights'
- end
+ context 'with public snippet' do
+ let(:snippet_visibility) { :public }
- context 'external user' do
- let(:current_user) { external_user }
+ context 'no user' do
+ let(:current_user) { nil }
- it do
- expect_allowed(:read_snippet, :create_note)
- expect_disallowed(*author_permissions)
+ it do
+ expect_allowed(:read_snippet)
+ expect_disallowed(*author_permissions)
+ end
end
- context 'project team member' do
- before do
- project.add_developer(external_user)
+ context 'regular user' do
+ let(:current_user) { regular_user }
+ let(:membership_target) { project }
+
+ context 'when user is not a member' do
+ context 'and is not the snippet author' do
+ it do
+ expect_allowed(:read_snippet, :create_note)
+ expect_disallowed(*author_permissions)
+ end
+ end
+
+ context 'and is the snippet author' do
+ it_behaves_like 'regular user non-member author permissions'
+ end
end
+ context 'when user is a member' do
+ it_behaves_like 'regular user member permissions'
+ end
+ end
+
+ context 'external user' do
+ let(:current_user) { external_user }
+
it do
expect_allowed(:read_snippet, :create_note)
expect_disallowed(*author_permissions)
end
- end
- end
- end
-
- context 'internal snippet' do
- let(:snippet_visibility) { :internal }
- context 'no user' do
- let(:current_user) { nil }
+ context 'when user is a member' do
+ before do
+ project.add_developer(external_user)
+ end
- it do
- expect_disallowed(:read_snippet)
- expect_disallowed(*author_permissions)
+ it do
+ expect_allowed(:read_snippet, :create_note)
+ expect_disallowed(*author_permissions)
+ end
+ end
end
end
- context 'regular user' do
- let(:current_user) { regular_user }
+ context 'with internal snippet' do
+ let(:snippet_visibility) { :internal }
- it do
- expect_allowed(:read_snippet, :create_note)
- expect_disallowed(*author_permissions)
- end
+ context 'no user' do
+ let(:current_user) { nil }
- it_behaves_like 'regular user access rights'
- end
+ it do
+ expect_disallowed(:read_snippet)
+ expect_disallowed(*author_permissions)
+ end
+ end
- context 'external user' do
- let(:current_user) { external_user }
+ context 'regular user' do
+ let(:current_user) { regular_user }
+ let(:membership_target) { project }
+
+ context 'when user is not a member' do
+ context 'and is not the snippet author' do
+ it do
+ expect_allowed(:read_snippet, :create_note)
+ expect_disallowed(*author_permissions)
+ end
+ end
+
+ context 'and is the snippet author' do
+ it_behaves_like 'regular user non-member author permissions'
+ end
+ end
- it do
- expect_disallowed(:read_snippet, :create_note)
- expect_disallowed(*author_permissions)
+ context 'when user is a member' do
+ it_behaves_like 'regular user member permissions'
+ end
end
- context 'project team member' do
- before do
- project.add_developer(external_user)
- end
+ context 'external user' do
+ let(:current_user) { external_user }
it do
- expect_allowed(:read_snippet, :create_note)
+ expect_disallowed(:read_snippet, :create_note)
expect_disallowed(*author_permissions)
end
+
+ context 'when user is a member' do
+ before do
+ project.add_developer(external_user)
+ end
+
+ it do
+ expect_allowed(:read_snippet, :create_note)
+ expect_disallowed(*author_permissions)
+ end
+ end
end
end
- end
- context 'private snippet' do
- let(:snippet_visibility) { :private }
+ context 'with private snippet' do
+ let(:snippet_visibility) { :private }
- context 'no user' do
- let(:current_user) { nil }
+ context 'no user' do
+ let(:current_user) { nil }
- it do
- expect_disallowed(:read_snippet)
- expect_disallowed(*author_permissions)
+ it do
+ expect_disallowed(:read_snippet)
+ expect_disallowed(*author_permissions)
+ end
end
- end
- context 'regular user' do
- let(:current_user) { regular_user }
+ context 'regular user' do
+ let(:current_user) { regular_user }
+ let(:membership_target) { project }
+
+ context 'when user is not a member' do
+ context 'and is not the snippet author' do
+ it do
+ expect_disallowed(:read_snippet, :create_note)
+ expect_disallowed(*author_permissions)
+ end
+ end
+
+ context 'and is the snippet author' do
+ it_behaves_like 'regular user non-member author permissions'
+ end
+ end
- it do
- expect_disallowed(:read_snippet, :create_note)
- expect_disallowed(*author_permissions)
+ context 'when user is a member' do
+ it_behaves_like 'regular user member permissions'
+ end
end
- it_behaves_like 'regular user access rights'
- end
-
- context 'external user' do
- let(:current_user) { external_user }
+ context 'inherited user' do
+ let(:current_user) { regular_user }
+ let(:membership_target) { group }
- it do
- expect_disallowed(:read_snippet, :create_note)
- expect_disallowed(*author_permissions)
+ it_behaves_like 'regular user member permissions'
end
- context 'project team member' do
- before do
- project.add_developer(current_user)
- end
+ context 'external user' do
+ let(:current_user) { external_user }
it do
- expect_allowed(:read_snippet, :create_note)
+ expect_disallowed(:read_snippet, :create_note)
expect_disallowed(*author_permissions)
end
- end
- end
- context 'admin user' do
- let(:snippet_visibility) { :private }
- let(:current_user) { create(:admin) }
+ context 'when user is a member' do
+ before do
+ project.add_developer(current_user)
+ end
- context 'when admin mode is enabled', :enable_admin_mode do
- it do
- expect_allowed(:read_snippet, :create_note)
- expect_allowed(*author_permissions)
+ it do
+ expect_allowed(:read_snippet, :create_note)
+ expect_disallowed(*author_permissions)
+ end
end
end
- context 'when admin mode is disabled' do
- it do
- expect_disallowed(:read_snippet, :create_note)
- expect_disallowed(*author_permissions)
+ context 'admin user' do
+ let(:snippet_visibility) { :private }
+ let(:current_user) { create(:admin) }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it do
+ expect_allowed(:read_snippet, :create_note)
+ expect_allowed(*author_permissions)
+ end
+ end
+
+ context 'when admin mode is disabled' do
+ it do
+ expect_disallowed(:read_snippet, :create_note)
+ expect_disallowed(*author_permissions)
+ end
end
end
end
end
+
+ context 'when project is private' do
+ let_it_be(:project) { create(:project, :private, group: group) }
+
+ let(:snippet_visibility) { :private }
+
+ context 'inherited user' do
+ let(:current_user) { regular_user }
+ let(:membership_target) { group }
+
+ it_behaves_like 'regular user member permissions'
+ end
+ end
end
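Review bot: The new `when project is private` context only asserts what a group-inherited member may do. Nothing in it pins that an anonymous visitor or a signed-in non-member is refused `:read_snippet` on a private project, so a regression that widened access there would not fail this spec. I would add the two negative contexts below, reusing `expect_disallowed` as the public-project contexts do; the expected outcome should be confirmed against the policy. The public-project contexts assert that a non-member author keeps `:read_snippet` and `:update_snippet`, and whether that should also hold once the project is private is not visible here, so it deserves its own example once confirmed.

```ruby
  context 'when project is private' do
    # … unchanged: project, snippet_visibility and the 'inherited user' context …

    context 'no user' do
      let(:current_user) { nil }

      it do
        expect_disallowed(:read_snippet, :create_note, *author_permissions)
      end
    end

    context 'regular user who is not a member' do
      let(:current_user) { regular_user }

      it do
        expect_disallowed(:read_snippet, :create_note, *author_permissions)
      end
    end
  end
```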
diff --git a/spec/policies/wiki_page_policy_spec.rb b/spec/policies/wiki_page_policy_spec.rb
index a2fa7f29135..2712026035c 100644
--- a/spec/policies/wiki_page_policy_spec.rb
+++ b/spec/policies/wiki_page_policy_spec.rb
@@ -5,28 +5,43 @@ require 'spec_helper'
RSpec.describe WikiPagePolicy do
include_context 'ProjectPolicyTable context'
include ProjectHelpers
+ include UserHelpers
using RSpec::Parameterized::TableSyntax
- let(:project) { create(:project, :wiki_repo, project_level) }
- let(:user) { create_user_from_membership(project, membership) }
- let(:wiki_page) { create(:wiki_page, wiki: project.wiki) }
+ let(:group) { build(:group, :public) }
+ let(:project) { build(:project, :wiki_repo, project_level, group: group) }
+ let(:wiki_page) { build(:wiki_page, container: project) }
- subject(:policy) { described_class.new(user, wiki_page) }
+ shared_context 'with :read_wiki_page policy' do
+ subject(:policy) { described_class.new(user, wiki_page) }
- where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
- permission_table_for_guest_feature_access
- end
+ where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
+ permission_table_for_guest_feature_access
+ end
- with_them do
- it "grants permission" do
- enable_admin_mode!(user) if admin_mode
- update_feature_access_level(project, feature_access_level)
+ with_them do
+ it 'grants the expected permissions' do
+ enable_admin_mode!(user) if admin_mode
+ update_feature_access_level(project, feature_access_level)
- if expected_count == 1
- expect(policy).to be_allowed(:read_wiki_page)
- else
- expect(policy).to be_disallowed(:read_wiki_page)
+ if expected_count == 1
+ expect(policy).to be_allowed(:read_wiki_page)
+ else
+ expect(policy).to be_disallowed(:read_wiki_page)
+ end
end
end
end
+
+ context 'when user is a direct project member' do
+ let(:user) { build_user_from_membership(project, membership) }
+
+ include_context 'with :read_wiki_page policy'
+ end
+
+ context 'when user is an inherited member from the group' do
+ let(:user) { build_user_from_membership(group, membership) }
+
+ include_context 'with :read_wiki_page policy'
+ end
end
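Review bot: `shared_context 'with :read_wiki_page policy'` holds the `where` table and the example itself, not just setup, so it is really a shared example group. The snippet policy spec in this same commit uses `shared_examples` with `it_behaves_like` for the same purpose. For consistency I would write `shared_examples ':read_wiki_page policy' do` here and `it_behaves_like ':read_wiki_page policy'` in the direct-member and inherited-member contexts. This is a naming and structure point only; the assertions themselves would not change.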