Add latest changes from gitlab-org/gitlab@master

2 files changed, 149 insertions, 0 deletions

diff --git a/qa/qa/specs/features/api/1_manage/user_access_termination_spec.rb b/qa/qa/specs/features/api/1_manage/user_access_termination_spec.rb
new file mode 100644
index 00000000000..b7f71ad5bcd
--- /dev/null
+++ b/qa/qa/specs/features/api/1_manage/user_access_termination_spec.rb
@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Manage' do
+    describe 'User', :requires_admin do
+      before(:all) do
+        admin_api_client = Runtime::API::Client.as_admin
+
+        @user = Resource::User.fabricate_via_api! do |user|
+          user.api_client = admin_api_client
+        end
+
+        @user_api_client = Runtime::API::Client.new(:gitlab, user: @user)
+
+        @group = Resource::Group.fabricate_via_api!
+
+        @group.sandbox.add_member(@user)
+
+        @project = Resource::Project.fabricate_via_api! do |project|
+          project.group = @group
+          project.name = "project-for-user-group-access-termination"
+          project.initialize_with_readme = true
+        end
+      end
+
+      context 'after parent group membership termination' do
+        before do
+          @group.sandbox.remove_member(@user)
+        end
+
+        it 'is not allowed to push code via the CLI', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1660' do
+          expect do
+            Resource::Repository::Push.fabricate! do |push|
+              push.repository_http_uri = @project.repository_http_location.uri
+              push.file_name = 'test.txt'
+              push.file_content = "# This is a test project named #{@project.name}"
+              push.commit_message = 'Add test.txt'
+              push.branch_name = 'new_branch'
+              push.user = @user
+            end
+          end.to raise_error(QA::Support::Run::CommandError, /You are not allowed to push code to this project/)
+        end
+
+        it 'is not allowed to create a file via the API', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1661' do
+          expect do
+            Resource::File.fabricate_via_api! do |file|
+              file.api_client = @user_api_client
+              file.project = @project
+              file.branch = 'new_branch'
+              file.commit_message = 'Add new file'
+              file.name = 'test.txt'
+              file.content = "New file"
+            end
+          end.to raise_error(Resource::ApiFabricator::ResourceFabricationFailedError, /403 Forbidden/)
+        end
+
+        it 'is not allowed to commit via the API', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1662' do
+          expect do
+            Resource::Repository::Commit.fabricate_via_api! do |commit|
+              commit.api_client = @user_api_client
+              commit.project = @project
+              commit.branch = 'new_branch'
+              commit.start_branch = @project.default_branch
+              commit.commit_message = 'Add new file'
+              commit.add_files([
+                { file_path: 'test.txt', content: 'new file' }
+              ])
+            end
+          end.to raise_error(Resource::ApiFabricator::ResourceFabricationFailedError, /403 Forbidden - You are not allowed to push into this branch/)
+        end
+      end
+
+      after(:all) do
+        @user.remove_via_api!
+        @project.remove_via_api!
+        begin
+          @group.remove_via_api!
+        rescue Resource::ApiFabricator::ResourceNotDeletedError
+          # It is ok if the group is already marked for deletion by another test
+        end
+      end
+    end
+  end
+end
diff --git a/qa/qa/specs/features/browser_ui/1_manage/user/user_access_termination_spec.rb b/qa/qa/specs/features/browser_ui/1_manage/user/user_access_termination_spec.rb
new file mode 100644
index 00000000000..7ec217cb47d
--- /dev/null
+++ b/qa/qa/specs/features/browser_ui/1_manage/user/user_access_termination_spec.rb
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Manage' do
+    describe 'User', :requires_admin do
+      let(:admin_api_client) { Runtime::API::Client.as_admin }
+
+      let!(:user) do
+        Resource::User.fabricate_via_api! do |user|
+          user.api_client = admin_api_client
+        end
+      end
+
+      let!(:group) do
+        group = Resource::Group.fabricate_via_api!
+        group.sandbox.add_member(user)
+        group
+      end
+
+      let!(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.group = group
+          project.name = "project-for-user-access-termination"
+          project.initialize_with_readme = true
+        end
+      end
+
+      context 'after parent group membership termination' do
+        before do
+          Flow::Login.while_signed_in_as_admin do
+            group.sandbox.visit!
+
+            Page::Group::Menu.perform(&:click_group_members_item)
+            Page::Group::Members.perform do |members_page|
+              members_page.remove_member(user.username)
+            end
+          end
+        end
+
+        it 'is not allowed to edit the project files', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1663' do
+          Flow::Login.sign_in(as: user)
+          project.visit!
+
+          Page::Project::Show.perform do |project|
+            project.click_file('README.md')
+          end
+
+          Page::File::Show.perform(&:click_edit)
+
+          expect(page).to have_text("You're not allowed to edit files in this project directly.")
+        end
+
+        after do
+          user.remove_via_api!
+          project.remove_via_api!
+          begin
+            group.remove_via_api!
+          rescue Resource::ApiFabricator::ResourceNotDeletedError
+            # It is ok if the group is already marked for deletion by another test
+          end
+        end
+      end
+    end
+  end
+end