spec/support/shared_examples/policies/wiki_policies_shared_examples.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

# frozen_string_literal: true

RSpec.shared_examples 'model with wiki policies' do
  let(:container) { raise NotImplementedError }
  let(:permissions) { %i(read_wiki create_wiki update_wiki admin_wiki download_wiki_code) }

  # TODO: Remove this helper once we implement group features
  # https://gitlab.com/gitlab-org/gitlab/-/issues/208412
  def set_access_level(access_level)
    raise NotImplementedError
  end

  subject { described_class.new(owner, container) }

  context 'when the feature is disabled' do
    before do
      set_access_level(ProjectFeature::DISABLED)
    end

    it 'does not include the wiki permissions' do
      expect_disallowed(*permissions)
    end

    context 'when there is an external wiki' do
      it 'does not include the wiki permissions' do
        allow(container).to receive(:has_external_wiki?).and_return(true)

        expect_disallowed(*permissions)
      end
    end
  end

  describe 'read_wiki' do
    subject { described_class.new(user, container) }

    member_roles = %i[guest developer]
    stranger_roles = %i[anonymous non_member]

    user_roles = stranger_roles + member_roles

    # When a user is anonymous, their `current_user == nil`
    let(:user) { create(:user) unless user_role == :anonymous }

    before do
      container.visibility = container_visibility
      set_access_level(wiki_access_level)
      container.add_user(user, user_role) if member_roles.include?(user_role)
    end

    title = ->(container_visibility, wiki_access_level, user_role) do
      [
        "container is #{Gitlab::VisibilityLevel.level_name container_visibility}",
        "wiki is #{ProjectFeature.str_from_access_level wiki_access_level}",
        "user is #{user_role}"
      ].join(', ')
    end

    describe 'Situations where :read_wiki is always false' do
      where(case_names: title,
            container_visibility: Gitlab::VisibilityLevel.options.values,
            wiki_access_level: [ProjectFeature::DISABLED],
            user_role: user_roles)

      with_them do
        it { is_expected.to be_disallowed(:read_wiki) }
      end
    end

    describe 'Situations where :read_wiki is always true' do
      where(case_names: title,
            container_visibility: [Gitlab::VisibilityLevel::PUBLIC],
            wiki_access_level: [ProjectFeature::ENABLED],
            user_role: user_roles)

      with_them do
        it { is_expected.to be_allowed(:read_wiki) }
      end
    end

    describe 'Situations where :read_wiki requires membership' do
      context 'the wiki is private, and the user is a member' do
        where(case_names: title,
              container_visibility: [Gitlab::VisibilityLevel::PUBLIC,
                                     Gitlab::VisibilityLevel::INTERNAL],
              wiki_access_level: [ProjectFeature::PRIVATE],
              user_role: member_roles)

        with_them do
          it { is_expected.to be_allowed(:read_wiki) }
        end
      end

      context 'the wiki is private, and the user is not member' do
        where(case_names: title,
              container_visibility: [Gitlab::VisibilityLevel::PUBLIC,
                                     Gitlab::VisibilityLevel::INTERNAL],
              wiki_access_level: [ProjectFeature::PRIVATE],
              user_role: stranger_roles)

        with_them do
          it { is_expected.to be_disallowed(:read_wiki) }
        end
      end

      context 'the wiki is enabled, and the user is a member' do
        where(case_names: title,
              container_visibility: [Gitlab::VisibilityLevel::PRIVATE],
              wiki_access_level: [ProjectFeature::ENABLED],
              user_role: member_roles)

        with_them do
          it { is_expected.to be_allowed(:read_wiki) }
        end
      end

      context 'the wiki is enabled, and the user is not a member' do
        where(case_names: title,
              container_visibility: [Gitlab::VisibilityLevel::PRIVATE],
              wiki_access_level: [ProjectFeature::ENABLED],
              user_role: stranger_roles)

        with_them do
          it { is_expected.to be_disallowed(:read_wiki) }
        end
      end
    end

    describe 'Situations where :read_wiki prohibits anonymous access' do
      context 'the user is not anonymous' do
        where(case_names: title,
              container_visibility: [Gitlab::VisibilityLevel::INTERNAL],
              wiki_access_level: [ProjectFeature::ENABLED, ProjectFeature::PUBLIC],
              user_role: user_roles.reject { |u| u == :anonymous })

        with_them do
          it { is_expected.to be_allowed(:read_wiki) }
        end
      end

      context 'the user is anonymous' do
        where(case_names: title,
              container_visibility: [Gitlab::VisibilityLevel::INTERNAL],
              wiki_access_level: [ProjectFeature::ENABLED, ProjectFeature::PUBLIC],
              user_role: %i[anonymous])

        with_them do
          it { is_expected.to be_disallowed(:read_wiki) }
        end
      end
    end
  end
end