Consistently check permission for creating pipelines,

updating builds and updating pipelines. We check against being able to merge or push if the ref is protected.
author: Lin Jen-Shin <godfat@godfat.org> 2017-07-04 00:01:05 +0300
committer: Lin Jen-Shin <godfat@godfat.org> 2017-07-04 00:01:05 +0300
commit: 23bfd8c13c803f4efdb9eaf8e6e3c1ffd17640e8 (patch)
tree: 03db93cdd953b49d28fbe62da4655dcb0c23af04 /spec/policies/ci
parent: 24a1f0d833941a30b91813f36d184d3e7c3f7425 (diff)
2 files changed, 64 insertions, 35 deletions
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index 48a139d4b83..b4c6f3141fb 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -96,55 +96,37 @@ describe Ci::BuildPolicy, :models do
       end
     end
 
-    describe 'rules for manual actions' do
+    describe 'rules for protected branch' do
       let(:project) { create(:project) }
 
       before do
         project.add_developer(user)
-      end
-
-      context 'when branch build is assigned to is protected' do
-        before do
-          create(:protected_branch, :no_one_can_push,
-                 name: 'some-ref', project: project)
-        end
 
-        context 'when build is a manual action' do
-          let(:build) do
-            create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
-          end
-
-          it 'does not include ability to update build' do
-            expect(policies).not_to include :update_build
-          end
-        end
+        create(:protected_branch, branch_policy,
+               name: build.ref, project: project)
+      end
 
-        context 'when build is not a manual action' do
-          let(:build) do
-            create(:ci_build, ref: 'some-ref', pipeline: pipeline)
-          end
+      context 'when no one can push or merge to the branch' do
+        let(:branch_policy) { :no_one_can_push }
 
-          it 'includes ability to update build' do
-            expect(policies).to include :update_build
-          end
+        it 'does not include ability to update build' do
+          expect(policies).not_to include :update_build
         end
       end
 
-      context 'when branch build is assigned to is not protected' do
-        context 'when build is a manual action' do
-          let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
+      context 'when developers can push to the branch' do
+        let(:branch_policy) { :developers_can_push }
 
-          it 'includes ability to update build' do
-            expect(policies).to include :update_build
-          end
+        it 'includes ability to update build' do
+          expect(policies).to include :update_build
         end
+      end
 
-        context 'when build is not a manual action' do
-          let(:build) { create(:ci_build, pipeline: pipeline) }
+      context 'when developers can push to the branch' do
+        let(:branch_policy) { :developers_can_merge }
 
-          it 'includes ability to update build' do
-            expect(policies).to include :update_build
-          end
+        it 'includes ability to update build' do
+          expect(policies).to include :update_build
         end
       end
     end
diff --git a/spec/policies/ci/pipeline_policy_spec.rb b/spec/policies/ci/pipeline_policy_spec.rb
new file mode 100644
index 00000000000..4ecf07a1bf2
--- /dev/null
+++ b/spec/policies/ci/pipeline_policy_spec.rb
@@ -0,0 +1,47 @@
+require 'spec_helper'
+
+describe Ci::PipelinePolicy, :models do
+  let(:user) { create(:user) }
+  let(:pipeline) { create(:ci_empty_pipeline, project: project) }
+
+  let(:policies) do
+    described_class.abilities(user, pipeline).to_set
+  end
+
+  describe 'rules' do
+    describe 'rules for protected branch' do
+      let(:project) { create(:project) }
+
+      before do
+        project.add_developer(user)
+
+        create(:protected_branch, branch_policy,
+               name: pipeline.ref, project: project)
+      end
+
+      context 'when no one can push or merge to the branch' do
+        let(:branch_policy) { :no_one_can_push }
+
+        it 'does not include ability to update pipeline' do
+          expect(policies).not_to include :update_pipeline
+        end
+      end
+
+      context 'when developers can push to the branch' do
+        let(:branch_policy) { :developers_can_push }
+
+        it 'includes ability to update pipeline' do
+          expect(policies).to include :update_pipeline
+        end
+      end
+
+      context 'when developers can push to the branch' do
+        let(:branch_policy) { :developers_can_merge }
+
+        it 'includes ability to update pipeline' do
+          expect(policies).to include :update_pipeline
+        end
+      end
+    end
+  end
+end
author	Lin Jen-Shin <godfat@godfat.org>	2017-07-04 00:01:05 +0300
committer	Lin Jen-Shin <godfat@godfat.org>	2017-07-04 00:01:05 +0300
commit	23bfd8c13c803f4efdb9eaf8e6e3c1ffd17640e8 (patch)
tree	03db93cdd953b49d28fbe62da4655dcb0c23af04 /spec/policies/ci
parent	24a1f0d833941a30b91813f36d184d3e7c3f7425 (diff)