From 4e8d19c61f6658f3e74f040db5862ab52d8df060 Mon Sep 17 00:00:00 2001 From: Alex Kalderimis Date: Fri, 19 Jul 2019 18:15:06 -0400 Subject: Use rspec-parameterized declarative syntax This aids clarity. Also includes changelog fixes. --- .../unreleased/allow-all-users-to-see-history.yml | 4 +- spec/policies/project_policy_spec.rb | 125 ++++++++++++++++----- 2 files changed, 96 insertions(+), 33 deletions(-) diff --git a/changelogs/unreleased/allow-all-users-to-see-history.yml b/changelogs/unreleased/allow-all-users-to-see-history.yml index 6e6bf9a2a36..7423fa079cc 100644 --- a/changelogs/unreleased/allow-all-users-to-see-history.yml +++ b/changelogs/unreleased/allow-all-users-to-see-history.yml @@ -1,4 +1,4 @@ --- -title: 'Fixes #29528, by allowing all users to view history' -merge_request: '30470' +title: Align access permissions for wiki history to those of wiki pages +merge_request: 30470 type: fixed diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 2aa244c52e1..8fd54e0bf1d 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -130,56 +130,119 @@ describe ProjectPolicy do describe 'read_wiki' do subject { described_class.new(user, project) } - user_roles = %i[anonymous non_member guest developer] + member_roles = %i[guest developer] + stranger_roles = %i[anonymous non_member] - def member?(role) - %i[guest developer].include?(role) + user_roles = stranger_roles + member_roles + + # When a user is anonymous, their `current_user == nil` + let(:user) { create(:user) unless user_role == :anonymous } + + before do + project.visibility = project_visibility + project.project_feature.update_attribute(:wiki_access_level, wiki_access_level) + project.add_user(user, user_role) if member_roles.include?(user_role) + end + + title = ->(project_visibility, wiki_access_level, user_role) do + [ + "project is #{Gitlab::VisibilityLevel.level_name project_visibility}", + "wiki is #{ProjectFeature.str_from_access_level wiki_access_level}", + "user is #{user_role}" + ].join(', ') end - Viz = Gitlab::VisibilityLevel - WikiAccess = ProjectFeature + describe 'Situations where :read_wiki is always false' do + where(case_names: title, + project_visibility: Gitlab::VisibilityLevel.options.values, + wiki_access_level: [ProjectFeature::DISABLED], + user_role: user_roles) - must_be_member = [[Viz::PUBLIC, WikiAccess::PRIVATE], - [Viz::INTERNAL, WikiAccess::PRIVATE], - [Viz::PRIVATE, WikiAccess::ENABLED]] + with_them do + it { is_expected.to be_disallowed(:read_wiki) } + end + end + + describe 'Situations where :read_wiki is always true' do + where(case_names: title, + project_visibility: [Gitlab::VisibilityLevel::PUBLIC], + wiki_access_level: [ProjectFeature::ENABLED], + user_role: user_roles) - where(:project_visibility, :wiki_access_level, :user_role, :allowed_access) do - # Situations where :read_wiki is always false: - disabled = Viz.options.values.flat_map do |pv| - user_roles.map { |role| [pv, WikiAccess::DISABLED, role, false] } + with_them do + it { is_expected.to be_allowed(:read_wiki) } end + end + + describe 'Situations where :read_wiki requires project membership' do + context 'the wiki is private, and the user is a member' do + where(case_names: title, + project_visibility: [Gitlab::VisibilityLevel::PUBLIC, + Gitlab::VisibilityLevel::INTERNAL], + wiki_access_level: [ProjectFeature::PRIVATE], + user_role: member_roles) - # Situations where :read_wiki is always true - public_and_enabled = user_roles.map do |role| - [Viz::PUBLIC, WikiAccess::ENABLED, role, true] + with_them do + it { is_expected.to be_allowed(:read_wiki) } + end end - # Situations where :read_wiki requires project membership - membership_required = must_be_member.flat_map do |(pv, wa)| - user_roles.map { |role| [pv, wa, role, member?(role)] } + context 'the wiki is private, and the user is not member' do + where(case_names: title, + project_visibility: [Gitlab::VisibilityLevel::PUBLIC, + Gitlab::VisibilityLevel::INTERNAL], + wiki_access_level: [ProjectFeature::PRIVATE], + user_role: stranger_roles) + + with_them do + it { is_expected.to be_disallowed(:read_wiki) } + end end - # Situations where :read_wiki prohibits anonymous access - internal_project = user_roles.flat_map do |role| - [WikiAccess::ENABLED, WikiAccess::PUBLIC].map do |wa| - [Viz::INTERNAL, wa, role, role != :anonymous] + context 'the wiki is enabled, and the user is a member' do + where(case_names: title, + project_visibility: [Gitlab::VisibilityLevel::PRIVATE], + wiki_access_level: [ProjectFeature::ENABLED], + user_role: member_roles) + + with_them do + it { is_expected.to be_allowed(:read_wiki) } end end - disabled + public_and_enabled + membership_required + internal_project + context 'the wiki is enabled, and the user is not a member' do + where(case_names: title, + project_visibility: [Gitlab::VisibilityLevel::PRIVATE], + wiki_access_level: [ProjectFeature::ENABLED], + user_role: stranger_roles) + + with_them do + it { is_expected.to be_disallowed(:read_wiki) } + end + end end - with_them do - let(:user) { create(:user) unless user_role == :anonymous } + describe 'Situations where :read_wiki prohibits anonymous access' do + context 'the user is not anonymous' do + where(case_names: title, + project_visibility: [Gitlab::VisibilityLevel::INTERNAL], + wiki_access_level: [ProjectFeature::ENABLED, ProjectFeature::PUBLIC], + user_role: user_roles.reject { |u| u == :anonymous }) - before do - project.visibility = project_visibility - project.project_feature.update_attribute(:wiki_access_level, wiki_access_level) - project.add_user(user, user_role) if user.present? && user_role != :non_member + with_them do + it { is_expected.to be_allowed(:read_wiki) } + end end - it do - is_expected.send(allowed_access ? :to : :not_to, be_allowed(:read_wiki)) + context 'the user is not anonymous' do + where(case_names: title, + project_visibility: [Gitlab::VisibilityLevel::INTERNAL], + wiki_access_level: [ProjectFeature::ENABLED, ProjectFeature::PUBLIC], + user_role: %i[anonymous]) + + with_them do + it { is_expected.to be_disallowed(:read_wiki) } + end end end end -- cgit v1.2.1