authorGitLab Bot <gitlab-bot@gitlab.com>2022-12-20 17:22:11 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-12-20 17:22:11 +0300
commit0c872e02b2c822e3397515ec324051ff540f0cd5 (patch)
treece2fb6ce7030e4dad0f4118d21ab6453e5938cdd /spec/policies
parentf7e05a6853b12f02911494c4b3fe53d9540d74fc (diff)
Add latest changes from gitlab-org/gitlab@15-7-stable-ee (tag v15.7.0-rc42)
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/ci/runner_policy_spec.rb2
-rw-r--r--spec/policies/concerns/archived_abilities_spec.rb27
-rw-r--r--spec/policies/concerns/readonly_abilities_spec.rb27
-rw-r--r--spec/policies/group_policy_spec.rb53
-rw-r--r--spec/policies/issue_policy_spec.rb44
-rw-r--r--spec/policies/merge_request_policy_spec.rb102
-rw-r--r--spec/policies/namespaces/user_namespace_policy_spec.rb7
-rw-r--r--spec/policies/note_policy_spec.rb29
-rw-r--r--spec/policies/project_policy_spec.rb81
9 files changed, 255 insertions, 117 deletions
diff --git a/spec/policies/ci/runner_policy_spec.rb b/spec/policies/ci/runner_policy_spec.rb
index 773d3d9a01d..6039d60ec2f 100644
--- a/spec/policies/ci/runner_policy_spec.rb
+++ b/spec/policies/ci/runner_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Ci::RunnerPolicy do
+RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
describe 'ability :read_runner' do
let_it_be(:guest) { create(:user) }
let_it_be(:developer) { create(:user) }
diff --git a/spec/policies/concerns/archived_abilities_spec.rb b/spec/policies/concerns/archived_abilities_spec.rb
new file mode 100644
index 00000000000..8e3fd8a209f
--- /dev/null
+++ b/spec/policies/concerns/archived_abilities_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ArchivedAbilities, feature_category: :projects do
+ let(:test_class) do
+ Class.new do
+ include ArchivedAbilities
+ end
+ end
+
+ before do
+ stub_const('TestClass', test_class)
+ end
+
+ describe '.archived_abilities' do
+ it 'returns an array of abilites to be prevented when archived' do
+ expect(TestClass.archived_abilities).to include(*described_class::ARCHIVED_ABILITIES)
+ end
+ end
+
+ describe '.archived_features' do
+ it 'returns an array of features to be prevented when archived' do
+ expect(TestClass.archived_features).to include(*described_class::ARCHIVED_FEATURES)
+ end
+ end
+end
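Review bot: The two `include(*described_class::...)` expectations only prove that the constant is a subset of what `archived_abilities` / `archived_features` return, so an implementation that returns extra abilities, or a constant that is accidentally emptied, still passes; for a list of abilities that are supposed to be blocked on archived projects that is a weak guarantee. If the class methods are meant to return exactly the constants, `expect(TestClass.archived_abilities).to match_array(described_class::ARCHIVED_ABILITIES)` pins that; if includers are allowed to extend them, keep `include` but add `expect(described_class::ARCHIVED_ABILITIES).not_to be_empty` so the splat can never degenerate into a vacuous match. The example description also carries the `abilites` typo over from the deleted readonly spec; `'returns an array of abilities to be prevented when archived'` reads correctly.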
diff --git a/spec/policies/concerns/readonly_abilities_spec.rb b/spec/policies/concerns/readonly_abilities_spec.rb
deleted file mode 100644
index 864924a091d..00000000000
--- a/spec/policies/concerns/readonly_abilities_spec.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe ReadonlyAbilities do
- let(:test_class) do
- Class.new do
- include ReadonlyAbilities
- end
- end
-
- before do
- stub_const('TestClass', test_class)
- end
-
- describe '.readonly_abilities' do
- it 'returns an array of abilites to be prevented when readonly' do
- expect(TestClass.readonly_abilities).to include(*described_class::READONLY_ABILITIES)
- end
- end
-
- describe '.readonly_features' do
- it 'returns an array of features to be prevented when readonly' do
- expect(TestClass.readonly_features).to include(*described_class::READONLY_FEATURES)
- end
- end
-end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 60acacac814..65abb43b6c4 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -3,6 +3,7 @@
require 'spec_helper'
RSpec.describe GroupPolicy do
+ include AdminModeHelper
include_context 'GroupPolicy context'
context 'public group with no user' do
@@ -1190,12 +1191,28 @@ RSpec.describe GroupPolicy do
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:register_group_runners) }
+ context 'with specific group runner registration disabled' do
+ before do
+ group.runner_registration_enabled = false
+ end
+
+ it { is_expected.to be_allowed(:register_group_runners) }
+ end
+
context 'with group runner registration disabled' do
before do
stub_application_setting(valid_runner_registrars: ['project'])
end
it { is_expected.to be_allowed(:register_group_runners) }
+
+ context 'with specific group runner registration disabled' do
+ before do
+ group.runner_registration_enabled = false
+ end
+
+ it { is_expected.to be_allowed(:register_group_runners) }
+ end
end
end
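Review bot: `group.runner_registration_enabled = false` changes the attribute only in memory, which is fine as long as the policy is evaluated against this same `group` object, but if `group` comes from the shared context as a `let_it_be` without `reload: true` the unsaved change survives into later examples in the file and can make unrelated registration examples pass or fail for the wrong reason. Prefer a persisted change together with a reloading fixture, e.g. `group.update!(runner_registration_enabled: false)` with `let_it_be(:group, reload: true)` in the shared context, or a local `let(:group)` in these contexts so each example starts from the stored default. The enclosing admin-mode `context` and the `subject` it relies on start before this hunk.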
@@ -1216,6 +1233,14 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_disallowed(:register_group_runners) }
end
+
+ context 'with specific group runner registration disabled' do
+ before do
+ group.runner_registration_enabled = false
+ end
+
+ it { is_expected.to be_disallowed(:register_group_runners) }
+ end
end
context 'with maintainer' do
@@ -1344,4 +1369,32 @@ RSpec.describe GroupPolicy do
subject { described_class.new(current_user, group) }
end
+
+ describe 'read_usage_quotas policy' do
+ context 'reading usage quotas' do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:policy) { :read_usage_quotas }
+
+ where(:role, :admin_mode, :allowed) do
+ :owner | nil | true
+ :admin | true | true
+ :admin | false | false
+ :maintainer | nil | false
+ :developer | nil | false
+ :reporter | nil | false
+ :guest | nil | false
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+
+ before do
+ enable_admin_mode!(current_user) if admin_mode
+ end
+
+ it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
+ end
+ end
+ end
end
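Review bot: The `read_usage_quotas` table pins every member role and both admin-mode states but has no row for a user with no group membership or for an anonymous visitor, which is the most important negative case for a permission that exposes usage/billing data. If the `GroupPolicy context` already provides such users, add rows along the lines of `:non_group_member | nil | false` and `:anonymous | nil | false`; if it does not, a dedicated example passing `create(:user)` and `nil` as `current_user` covers it. The `:admin | false | false` row also relies on admin mode being off by default in the test environment; a one-line comment such as `# admin without an elevated session must not see quotas` makes the intent explicit for the next reader.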
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index c110ca705bd..905ef591b53 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -2,16 +2,19 @@
require 'spec_helper'
-RSpec.describe IssuePolicy do
+RSpec.describe IssuePolicy, feature_category: :team_planning do
include_context 'ProjectPolicyTable context'
include ExternalAuthorizationServiceHelpers
include ProjectHelpers
include UserHelpers
+ let(:admin) { create(:user, :admin) }
let(:guest) { create(:user) }
let(:author) { create(:user) }
let(:assignee) { create(:user) }
let(:reporter) { create(:user) }
+ let(:maintainer) { create(:user) }
+ let(:owner) { create(:user) }
let(:group) { create(:group, :public) }
let(:reporter_from_group_link) { create(:user) }
let(:non_member) { create(:user) }
@@ -197,6 +200,8 @@ RSpec.describe IssuePolicy do
before do
project.add_guest(guest)
project.add_reporter(reporter)
+ project.add_maintainer(maintainer)
+ project.add_owner(owner)
group.add_reporter(reporter_from_group_link)
@@ -305,7 +310,6 @@ RSpec.describe IssuePolicy do
let(:issue) { create(:issue, project: project, author: author) }
let(:visitor) { create(:user) }
- let(:admin) { create(:user, :admin) }
it 'forbids visitors from viewing issues' do
expect(permissions(visitor, issue)).to be_disallowed(:read_issue)
@@ -394,12 +398,15 @@ RSpec.describe IssuePolicy do
expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
end
+
+ it 'allows admins to read confidential issues' do
+ expect(permissions(admin, confidential_issue)).to be_allowed(:read_issue)
+ end
end
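Review bot: `allows admins to read confidential issues` passes a bare `create(:user, :admin)` with no `:enable_admin_mode`, so it asserts an admin bypass of confidentiality without stating which admin-mode state is under test, while the group policy spec in this same commit is explicit about it. Split it into two examples: one tagged `:enable_admin_mode` asserting `be_allowed(:read_issue)`, and one without the tag asserting what the policy is supposed to do for an admin who has not elevated (presumably `be_disallowed(:read_issue)` when admin mode is enforced — confirm against the `admin` condition in `BasePolicy`). Without the negative example a regression that lets any admin account read confidential issues regardless of admin mode would pass unnoticed.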
context 'with a hidden issue' do
let(:user) { create(:user) }
let(:banned_user) { create(:user, :banned) }
- let(:admin) { create(:user, :admin) }
let(:hidden_issue) { create(:issue, project: project, author: banned_user) }
it 'does not allow non-admin user to read the issue' do
@@ -410,6 +417,37 @@ RSpec.describe IssuePolicy do
expect(permissions(admin, hidden_issue)).to be_allowed(:read_issue)
end
end
+
+ context 'when accounting for notes widget' do
+ let(:policy) { described_class.new(reporter, note) }
+
+ before do
+ widgets_per_type = WorkItems::Type::WIDGETS_FOR_TYPE.dup
+ widgets_per_type[:task] = [::WorkItems::Widgets::Description]
+ stub_const('WorkItems::Type::WIDGETS_FOR_TYPE', widgets_per_type)
+ end
+
+ context 'and notes widget is disabled for task' do
+ let(:task) { create(:work_item, :task, project: project) }
+
+ it 'does not allow accessing notes' do
+ # if notes widget is disabled not even maintainer can access notes
+ expect(permissions(maintainer, task)).to be_disallowed(:create_note, :read_note, :mark_note_as_confidential, :read_internal_note)
+ expect(permissions(admin, task)).to be_disallowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential, :set_note_created_at)
+ end
+ end
+
+ context 'and notes widget is enabled for issue' do
+ it 'allows accessing notes' do
+ # with notes widget enabled, even guests can access notes
+ expect(permissions(guest, issue)).to be_allowed(:create_note, :read_note)
+ expect(permissions(guest, issue)).to be_disallowed(:read_internal_note, :mark_note_as_confidential, :set_note_created_at)
+ expect(permissions(reporter, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential)
+ expect(permissions(maintainer, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential)
+ expect(permissions(owner, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential, :set_note_created_at)
+ end
+ end
+ end
end
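Review bot: `let(:policy) { described_class.new(reporter, note) }` in the notes-widget context is never used (every expectation goes through `permissions(...)`) and references a `note` that this spec does not define; it only avoids raising because `let` is lazy. It appears to have been copied from the matching `NotePolicy` context in this commit and should be removed. Separately, the maintainer and admin expectations on the task are denied different ability lists (`set_note_created_at` appears only in the admin list); if both are meant to be denied everything, share a single `note_abilities` array between the two `be_disallowed` calls so the lists cannot drift apart.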
context 'with external authorization enabled' do
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index 7e1af132b1d..741a0db3009 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe MergeRequestPolicy do
let_it_be(:reporter) { create(:user) }
let_it_be(:developer) { create(:user) }
let_it_be(:non_team_member) { create(:user) }
+ let_it_be(:bot) { create(:user, :project_bot) }
def permissions(user, merge_request)
described_class.new(user, merge_request)
@@ -72,6 +73,7 @@ RSpec.describe MergeRequestPolicy do
project.add_guest(guest)
project.add_guest(author)
project.add_developer(developer)
+ project.add_developer(bot)
end
context 'when merge request is public' do
@@ -95,6 +97,18 @@ RSpec.describe MergeRequestPolicy do
it do
is_expected.to be_allowed(:approve_merge_request)
end
+
+ it do
+ is_expected.to be_disallowed(:reset_merge_request_approvals)
+ end
+ end
+
+ context 'and the user is a bot' do
+ let(:user) { bot }
+
+ it do
+ is_expected.to be_allowed(:reset_merge_request_approvals)
+ end
end
end
end
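Review bot: The new `reset_merge_request_approvals` coverage only exercises the bot as a developer (`project.add_developer(bot)` earlier in the file), so it does not pin the lower bound: a change that grants the ability to any `:project_bot` regardless of role would still pass. Add a context in which the bot holds guest or reporter access and assert `is_expected.to be_disallowed(:reset_merge_request_approvals)`, since a project access token at those levels should not be able to wipe approvals. The `subject` consumed by `let(:user) { bot }` is defined before this hunk.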
@@ -123,6 +137,14 @@ RSpec.describe MergeRequestPolicy do
it_behaves_like 'a denied user'
end
+
+ describe 'a bot' do
+ let(:subject) { permissions(bot, merge_request) }
+
+ it do
+ is_expected.to be_disallowed(:reset_merge_request_approvals)
+ end
+ end
end
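Review bot: `let(:subject) { permissions(bot, merge_request) }` redefines RSpec's subject through `let`, while the `describe 'a bot'` block added later in this file uses `subject { permissions(bot, merge_request) }`; RuboCop's RSpec/SubjectDeclaration flags the `let` form, and mixing the two styles in one spec is confusing. Use `subject { permissions(bot, merge_request) }` in each of the new `describe 'a bot'` blocks that currently declare it via `let`.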
context 'when merge requests are private' do
@@ -144,6 +166,14 @@ RSpec.describe MergeRequestPolicy do
it_behaves_like 'a user with full access'
end
+
+ describe 'a bot' do
+ let(:subject) { permissions(bot, merge_request) }
+
+ it do
+ is_expected.to be_allowed(:reset_merge_request_approvals)
+ end
+ end
end
context 'when merge request is unlocked' do
@@ -214,6 +244,7 @@ RSpec.describe MergeRequestPolicy do
group.add_guest(author)
group.add_reporter(reporter)
group.add_developer(developer)
+ group.add_developer(bot)
end
context 'when project is public' do
@@ -222,9 +253,25 @@ RSpec.describe MergeRequestPolicy do
describe 'the merge request author' do
subject { permissions(author, merge_request) }
- specify do
+ it do
is_expected.to be_allowed(:approve_merge_request)
end
+
+ it do
+ is_expected.to be_disallowed(:reset_merge_request_approvals)
+ end
+ end
+
+ describe 'a bot' do
+ subject { permissions(bot, merge_request) }
+
+ it do
+ is_expected.to be_allowed(:approve_merge_request)
+ end
+
+ it do
+ is_expected.to be_allowed(:reset_merge_request_approvals)
+ end
end
context 'and merge requests are private' do
@@ -250,6 +297,14 @@ RSpec.describe MergeRequestPolicy do
it_behaves_like 'a user with full access'
end
+
+ describe 'a bot' do
+ let(:subject) { permissions(bot, merge_request) }
+
+ it do
+ is_expected.to be_allowed(:reset_merge_request_approvals)
+ end
+ end
end
end
@@ -273,6 +328,14 @@ RSpec.describe MergeRequestPolicy do
it_behaves_like 'a user with full access'
end
+
+ describe 'a bot' do
+ let(:subject) { permissions(bot, merge_request) }
+
+ it do
+ is_expected.to be_allowed(:reset_merge_request_approvals)
+ end
+ end
end
end
@@ -297,11 +360,28 @@ RSpec.describe MergeRequestPolicy do
group_access: Gitlab::Access::DEVELOPER)
group.add_guest(non_team_member)
+ group.add_guest(bot)
end
- specify do
+ it do
is_expected.to be_allowed(:approve_merge_request)
end
+
+ it do
+ is_expected.to be_disallowed(:reset_merge_request_approvals)
+ end
+
+ context 'and the user is a bot' do
+ let(:user) { bot }
+
+ it do
+ is_expected.to be_allowed(:approve_merge_request)
+ end
+
+ it do
+ is_expected.to be_allowed(:reset_merge_request_approvals)
+ end
+ end
end
end
@@ -313,9 +393,25 @@ RSpec.describe MergeRequestPolicy do
subject { permissions(non_team_member, merge_request) }
- specify do
+ it do
is_expected.not_to be_allowed(:approve_merge_request)
end
+
+ it do
+ is_expected.not_to be_allowed(:reset_merge_request_approvals)
+ end
+
+ context 'and the user is a bot' do
+ subject { permissions(bot, merge_request) }
+
+ it do
+ is_expected.not_to be_allowed(:approve_merge_request)
+ end
+
+ it do
+ is_expected.not_to be_allowed(:reset_merge_request_approvals)
+ end
+ end
end
context 'when merge requests are disabled' do
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index 42d27d0f3d6..bb821490e30 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
@@ -35,6 +35,13 @@ RSpec.describe Namespaces::UserNamespacePolicy do
it { is_expected.to be_disallowed(:create_projects) }
it { is_expected.to be_disallowed(:transfer_projects) }
end
+
+ context 'bot user' do
+ let(:owner) { create(:user, :project_bot) }
+
+ it { is_expected.to be_disallowed(:create_projects) }
+ it { is_expected.to be_disallowed(:transfer_projects) }
+ end
end
context 'admin' do
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index 6a261b4ff5b..dcfc398806a 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe NotePolicy do
+RSpec.describe NotePolicy, feature_category: :team_planning do
describe '#rules', :aggregate_failures do
let(:user) { create(:user) }
let(:project) { create(:project, :public) }
@@ -255,6 +255,31 @@ RSpec.describe NotePolicy do
it_behaves_like 'user can read the note'
end
+
+ context 'when notes widget is disabled for task' do
+ let(:policy) { described_class.new(developer, note) }
+
+ before do
+ widgets_per_type = WorkItems::Type::WIDGETS_FOR_TYPE.dup
+ widgets_per_type[:task] = [::WorkItems::Widgets::Description]
+ stub_const('WorkItems::Type::WIDGETS_FOR_TYPE', widgets_per_type)
+ end
+
+ context 'when noteable is task' do
+ let(:noteable) { create(:work_item, :task, project: project) }
+ let(:note) { create(:note, system: true, noteable: noteable, author: user, project: project) }
+
+ it_behaves_like 'user cannot read or act on the note'
+ end
+
+ context 'when noteable is issue' do
+ let(:noteable) { create(:work_item, :issue, project: project) }
+ let(:note) { create(:note, system: true, noteable: noteable, author: user, project: project) }
+
+ it_behaves_like 'user can read the note'
+ it_behaves_like 'user can act on the note'
+ end
+ end
end
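Review bot: The `before` block that dups `WorkItems::Type::WIDGETS_FOR_TYPE`, strips the notes widget from `:task` and `stub_const`s the result is duplicated verbatim in `issue_policy_spec.rb` in this same commit; a shared context such as `RSpec.shared_context 'with notes widget disabled for task'` under `spec/support/shared_contexts/` would keep both specs in step when the widget constants change. It is also worth a one-line comment on `let(:policy) { described_class.new(developer, note) }` stating that `developer` is chosen deliberately, so the task case demonstrates that a disabled widget denies access even to a developer rather than just to a guest.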
context 'when it is a system note referencing a confidential issue' do
@@ -313,7 +338,7 @@ RSpec.describe NotePolicy do
end
it 'does not allow guests to read confidential notes and replies' do
- expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
+ expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :read_internal_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
end
it 'allows reporter to read all notes but not resolve and admin them' do
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 973ed66b8d8..9b2d10283f1 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1965,87 +1965,6 @@ RSpec.describe ProjectPolicy do
it_behaves_like 'Self-managed Core resource access tokens'
- describe 'operations feature' do
- using RSpec::Parameterized::TableSyntax
-
- let(:guest_permissions) { [:read_environment, :read_deployment] }
-
- let(:developer_permissions) do
- guest_permissions + [
- :read_feature_flag, :read_sentry_issue, :read_alert_management_alert, :read_terraform_state,
- :metrics_dashboard, :read_pod_logs, :read_prometheus, :create_feature_flag,
- :create_environment, :create_deployment, :update_feature_flag, :update_environment,
- :update_sentry_issue, :update_alert_management_alert, :update_deployment,
- :destroy_feature_flag, :destroy_environment, :admin_feature_flag
- ]
- end
-
- let(:maintainer_permissions) do
- developer_permissions + [
- :read_cluster, :create_cluster, :update_cluster, :admin_environment,
- :admin_cluster, :admin_terraform_state, :admin_deployment
- ]
- end
-
- before do
- stub_feature_flags(split_operations_visibility_permissions: false)
- end
-
- where(:project_visibility, :access_level, :role, :allowed) do
- :public | ProjectFeature::ENABLED | :maintainer | true
- :public | ProjectFeature::ENABLED | :developer | true
- :public | ProjectFeature::ENABLED | :guest | true
- :public | ProjectFeature::ENABLED | :anonymous | true
- :public | ProjectFeature::PRIVATE | :maintainer | true
- :public | ProjectFeature::PRIVATE | :developer | true
- :public | ProjectFeature::PRIVATE | :guest | true
- :public | ProjectFeature::PRIVATE | :anonymous | false
- :public | ProjectFeature::DISABLED | :maintainer | false
- :public | ProjectFeature::DISABLED | :developer | false
- :public | ProjectFeature::DISABLED | :guest | false
- :public | ProjectFeature::DISABLED | :anonymous | false
- :internal | ProjectFeature::ENABLED | :maintainer | true
- :internal | ProjectFeature::ENABLED | :developer | true
- :internal | ProjectFeature::ENABLED | :guest | true
- :internal | ProjectFeature::ENABLED | :anonymous | false
- :internal | ProjectFeature::PRIVATE | :maintainer | true
- :internal | ProjectFeature::PRIVATE | :developer | true
- :internal | ProjectFeature::PRIVATE | :guest | true
- :internal | ProjectFeature::PRIVATE | :anonymous | false
- :internal | ProjectFeature::DISABLED | :maintainer | false
- :internal | ProjectFeature::DISABLED | :developer | false
- :internal | ProjectFeature::DISABLED | :guest | false
- :internal | ProjectFeature::DISABLED | :anonymous | false
- :private | ProjectFeature::ENABLED | :maintainer | true
- :private | ProjectFeature::ENABLED | :developer | true
- :private | ProjectFeature::ENABLED | :guest | false
- :private | ProjectFeature::ENABLED | :anonymous | false
- :private | ProjectFeature::PRIVATE | :maintainer | true
- :private | ProjectFeature::PRIVATE | :developer | true
- :private | ProjectFeature::PRIVATE | :guest | false
- :private | ProjectFeature::PRIVATE | :anonymous | false
- :private | ProjectFeature::DISABLED | :maintainer | false
- :private | ProjectFeature::DISABLED | :developer | false
- :private | ProjectFeature::DISABLED | :guest | false
- :private | ProjectFeature::DISABLED | :anonymous | false
- end
-
- with_them do
- let(:current_user) { user_subject(role) }
- let(:project) { project_subject(project_visibility) }
-
- it 'allows/disallows the abilities based on the operation feature access level' do
- project.project_feature.update!(operations_access_level: access_level)
-
- if allowed
- expect_allowed(*permissions_abilities(role))
- else
- expect_disallowed(*permissions_abilities(role))
- end
- end
- end
- end
-
describe 'environments feature' do
using RSpec::Parameterized::TableSyntax