author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-12-20 17:22:11 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-12-20 17:22:11 +0300 |
commit | 0c872e02b2c822e3397515ec324051ff540f0cd5 (patch) | |
tree | ce2fb6ce7030e4dad0f4118d21ab6453e5938cdd /spec/policies | |
parent | f7e05a6853b12f02911494c4b3fe53d9540d74fc (diff) |
Add latest changes from gitlab-org/gitlab@15-7-stable-eev15.7.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/ci/runner_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/concerns/archived_abilities_spec.rb | 27 | ||||
-rw-r--r-- | spec/policies/concerns/readonly_abilities_spec.rb | 27 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 53 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 44 | ||||
-rw-r--r-- | spec/policies/merge_request_policy_spec.rb | 102 | ||||
-rw-r--r-- | spec/policies/namespaces/user_namespace_policy_spec.rb | 7 | ||||
-rw-r--r-- | spec/policies/note_policy_spec.rb | 29 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 81 |
9 files changed, 255 insertions, 117 deletions
diff --git a/spec/policies/ci/runner_policy_spec.rb b/spec/policies/ci/runner_policy_spec.rb index 773d3d9a01d..6039d60ec2f 100644 --- a/spec/policies/ci/runner_policy_spec.rb +++ b/spec/policies/ci/runner_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe Ci::RunnerPolicy do +RSpec.describe Ci::RunnerPolicy, feature_category: :runner do describe 'ability :read_runner' do let_it_be(:guest) { create(:user) } let_it_be(:developer) { create(:user) } diff --git a/spec/policies/concerns/archived_abilities_spec.rb b/spec/policies/concerns/archived_abilities_spec.rb new file mode 100644 index 00000000000..8e3fd8a209f --- /dev/null +++ b/spec/policies/concerns/archived_abilities_spec.rb @@ -0,0 +1,27 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe ArchivedAbilities, feature_category: :projects do + let(:test_class) do + Class.new do + include ArchivedAbilities + end + end + + before do + stub_const('TestClass', test_class) + end + + describe '.archived_abilities' do + it 'returns an array of abilites to be prevented when archived' do + expect(TestClass.archived_abilities).to include(*described_class::ARCHIVED_ABILITIES) + end + end + + describe '.archived_features' do + it 'returns an array of features to be prevented when archived' do + expect(TestClass.archived_features).to include(*described_class::ARCHIVED_FEATURES) + end + end +end diff --git a/spec/policies/concerns/readonly_abilities_spec.rb b/spec/policies/concerns/readonly_abilities_spec.rb deleted file mode 100644 index 864924a091d..00000000000 --- a/spec/policies/concerns/readonly_abilities_spec.rb +++ /dev/null 
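Review bot: Both examples in the new archived_abilities_spec.rb assert only `include(*described_class::ARCHIVED_ABILITIES)` (and the same for `ARCHIVED_FEATURES`), so a class exposing extra abilities through the concern would still pass; since these lists decide what is blocked on an archived project, `match_array(described_class::ARCHIVED_ABILITIES)` pins the exact set. If `include` is deliberate because another edition extends the list, a one-line comment above the example saying so would stop the next reader from tightening it. The example descriptions also carry the typo `abilites`, inherited from the deleted readonly_abilities_spec.rb, and should read `abilities`.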
@@ -1,27 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -RSpec.describe ReadonlyAbilities do - let(:test_class) do - Class.new do - include ReadonlyAbilities - end - end - - before do - stub_const('TestClass', test_class) - end - - describe '.readonly_abilities' do - it 'returns an array of abilites to be prevented when readonly' do - expect(TestClass.readonly_abilities).to include(*described_class::READONLY_ABILITIES) - end - end - - describe '.readonly_features' do - it 'returns an array of features to be prevented when readonly' do - expect(TestClass.readonly_features).to include(*described_class::READONLY_FEATURES) - end - end -end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 60acacac814..65abb43b6c4 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -3,6 +3,7 @@ require 'spec_helper' RSpec.describe GroupPolicy do + include AdminModeHelper include_context 'GroupPolicy context' context 'public group with no user' do @@ -1190,12 +1191,28 @@ RSpec.describe GroupPolicy do context 'when admin mode is enabled', :enable_admin_mode do it { is_expected.to be_allowed(:register_group_runners) } + context 'with specific group runner registration disabled' do + before do + group.runner_registration_enabled = false + end + + it { is_expected.to be_allowed(:register_group_runners) } + end + context 'with group runner registration disabled' do before do stub_application_setting(valid_runner_registrars: ['project']) end it { is_expected.to be_allowed(:register_group_runners) } + + context 'with specific group runner registration disabled' do + before do + group.runner_registration_enabled = false + end + + it { is_expected.to be_allowed(:register_group_runners) } + end end end 
@@ -1216,6 +1233,14 @@ RSpec.describe GroupPolicy do it { is_expected.to be_disallowed(:register_group_runners) } end + + context 'with specific group runner registration disabled' do + before do + group.runner_registration_enabled = false + end + + it { is_expected.to be_disallowed(:register_group_runners) } + end end context 'with maintainer' do @@ -1344,4 +1369,32 @@ RSpec.describe GroupPolicy do subject { described_class.new(current_user, group) } end + + describe 'read_usage_quotas policy' do + context 'reading usage quotas' do + using RSpec::Parameterized::TableSyntax + + let(:policy) { :read_usage_quotas } + + where(:role, :admin_mode, :allowed) do + :owner | nil | true + :admin | true | true + :admin | false | false + :maintainer | nil | false + :developer | nil | false + :reporter | nil | false + :guest | nil | false + end + + with_them do + let(:current_user) { public_send(role) } + + before do + enable_admin_mode!(current_user) if admin_mode + end + + it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) } + end + end + end end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index c110ca705bd..905ef591b53 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -2,16 +2,19 @@ require 'spec_helper' -RSpec.describe IssuePolicy do +RSpec.describe IssuePolicy, feature_category: :team_planning do include_context 'ProjectPolicyTable context' include ExternalAuthorizationServiceHelpers include ProjectHelpers include UserHelpers + let(:admin) { create(:user, :admin) } let(:guest) { create(:user) } let(:author) { create(:user) } let(:assignee) { create(:user) } let(:reporter) { create(:user) } + let(:maintainer) { create(:user) } + let(:owner) { create(:user) } let(:group) { create(:group, :public) } let(:reporter_from_group_link) { create(:user) } let(:non_member) { create(:user) } 
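Review bot: The `read_usage_quotas` table in the `@@ -1344` hunk has no row for a user without group membership, so the outsider case is never pinned; if the shared 'GroupPolicy context' defines such a user, add a row like `:NON_MEMBER_ROLE | nil | false` (placeholder name — use whatever the shared context provides). In the `@@ -1190` hunk on the previous line the admin-mode contexts assert `be_allowed(:register_group_runners)` even with `group.runner_registration_enabled = false`, while the non-admin context in this hunk expects `be_disallowed`; a comment such as `# admin mode bypasses both the instance registrar setting and the group toggle` would make clear the allowed expectation is deliberate rather than a copy-paste of the other case. The enclosing `RSpec.describe GroupPolicy` block starts and ends outside these hunks.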
@@ -197,6 +200,8 @@ RSpec.describe IssuePolicy do before do project.add_guest(guest) project.add_reporter(reporter) + project.add_maintainer(maintainer) + project.add_owner(owner) group.add_reporter(reporter_from_group_link) @@ -305,7 +310,6 @@ RSpec.describe IssuePolicy do let(:issue) { create(:issue, project: project, author: author) } let(:visitor) { create(:user) } - let(:admin) { create(:user, :admin) } it 'forbids visitors from viewing issues' do expect(permissions(visitor, issue)).to be_disallowed(:read_issue) @@ -394,12 +398,15 @@ RSpec.describe IssuePolicy do expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality) end + + it 'allows admins to read confidential issues' do + expect(permissions(admin, confidential_issue)).to be_allowed(:read_issue) + end end context 'with a hidden issue' do let(:user) { create(:user) } let(:banned_user) { create(:user, :banned) } - let(:admin) { create(:user, :admin) } let(:hidden_issue) { create(:issue, project: project, author: banned_user) } it 'does not allow non-admin user to read the issue' do 
@@ -410,6 +417,37 @@ RSpec.describe IssuePolicy do expect(permissions(admin, hidden_issue)).to be_allowed(:read_issue) end end + + context 'when accounting for notes widget' do + let(:policy) { described_class.new(reporter, note) } + + before do + widgets_per_type = WorkItems::Type::WIDGETS_FOR_TYPE.dup + widgets_per_type[:task] = [::WorkItems::Widgets::Description] + stub_const('WorkItems::Type::WIDGETS_FOR_TYPE', widgets_per_type) + end + + context 'and notes widget is disabled for task' do + let(:task) { create(:work_item, :task, project: project) } + + it 'does not allow accessing notes' do + # if notes widget is disabled not even maintainer can access notes + expect(permissions(maintainer, task)).to be_disallowed(:create_note, :read_note, :mark_note_as_confidential, :read_internal_note) + expect(permissions(admin, task)).to be_disallowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential, :set_note_created_at) + end + end + + context 'and notes widget is enabled for issue' do + it 'allows accessing notes' do + # with notes widget enabled, even guests can access notes + expect(permissions(guest, issue)).to be_allowed(:create_note, :read_note) + expect(permissions(guest, issue)).to be_disallowed(:read_internal_note, :mark_note_as_confidential, :set_note_created_at) + expect(permissions(reporter, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential) + expect(permissions(maintainer, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential) + expect(permissions(owner, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential, :set_note_created_at) + end + end + end end context 'with external authorization enabled' do diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 7e1af132b1d..741a0db3009 100644 --- a/spec/policies/merge_request_policy_spec.rb 
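Review bot: `let(:policy) { described_class.new(reporter, note) }` in the new 'when accounting for notes widget' context is never referenced — every example goes through `permissions(...)` — and `note` is not defined anywhere visible in this file, so the line only survives because `let` is lazy; it appears copied from the matching block in note_policy_spec.rb and should be removed. The `WIDGETS_FOR_TYPE` stub in the `before` block is duplicated verbatim in note_policy_spec.rb in this same commit; a shared context would keep the two from drifting. The new 'allows admins to read confidential issues' example asserts `read_issue` for `admin` without `:enable_admin_mode`, unlike the GroupPolicy admin examples in this commit; if that is intentional, a short comment stating that admin mode is not required for this ability would stop someone "fixing" it later. The enclosing `context 'with a hidden issue'` and the outer describe start outside this hunk.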
+++ b/spec/policies/merge_request_policy_spec.rb @@ -10,6 +10,7 @@ RSpec.describe MergeRequestPolicy do let_it_be(:reporter) { create(:user) } let_it_be(:developer) { create(:user) } let_it_be(:non_team_member) { create(:user) } + let_it_be(:bot) { create(:user, :project_bot) } def permissions(user, merge_request) described_class.new(user, merge_request) @@ -72,6 +73,7 @@ RSpec.describe MergeRequestPolicy do project.add_guest(guest) project.add_guest(author) project.add_developer(developer) + project.add_developer(bot) end context 'when merge request is public' do @@ -95,6 +97,18 @@ RSpec.describe MergeRequestPolicy do it do is_expected.to be_allowed(:approve_merge_request) end + + it do + is_expected.to be_disallowed(:reset_merge_request_approvals) + end + end + + context 'and the user is a bot' do + let(:user) { bot } + + it do + is_expected.to be_allowed(:reset_merge_request_approvals) + end end end end @@ -123,6 +137,14 @@ RSpec.describe MergeRequestPolicy do it_behaves_like 'a denied user' end + + describe 'a bot' do + let(:subject) { permissions(bot, merge_request) } + + it do + is_expected.to be_disallowed(:reset_merge_request_approvals) + end + end end context 'when merge requests are private' do @@ -144,6 +166,14 @@ RSpec.describe MergeRequestPolicy do it_behaves_like 'a user with full access' end + + describe 'a bot' do + let(:subject) { permissions(bot, merge_request) } + + it do + is_expected.to be_allowed(:reset_merge_request_approvals) + end + end end context 'when merge request is unlocked' do @@ -214,6 +244,7 @@ RSpec.describe MergeRequestPolicy do group.add_guest(author) group.add_reporter(reporter) group.add_developer(developer) + group.add_developer(bot) end context 'when project is public' do 
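Review bot: The new 'a bot' describes in the `@@ -123` and `@@ -144` hunks declare their subject as `let(:subject) { permissions(bot, merge_request) }`, while the sibling author blocks and the 'a bot' block added in the next hunk use the `subject { ... }` form; `let(:subject)` shadows RSpec's built-in subject and is what RuboCop's RSpec/SubjectDeclaration cop flags, so change these to `subject { permissions(bot, merge_request) }`. The same `let(:subject)` form recurs in the `@@ -250` and `@@ -273` hunks on the following line. The enclosing contexts start outside these hunks.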
@@ -222,9 +253,25 @@ RSpec.describe MergeRequestPolicy do describe 'the merge request author' do subject { permissions(author, merge_request) } - specify do + it do is_expected.to be_allowed(:approve_merge_request) end + + it do + is_expected.to be_disallowed(:reset_merge_request_approvals) + end + end + + describe 'a bot' do + subject { permissions(bot, merge_request) } + + it do + is_expected.to be_allowed(:approve_merge_request) + end + + it do + is_expected.to be_allowed(:reset_merge_request_approvals) + end end context 'and merge requests are private' do @@ -250,6 +297,14 @@ RSpec.describe MergeRequestPolicy do it_behaves_like 'a user with full access' end + + describe 'a bot' do + let(:subject) { permissions(bot, merge_request) } + + it do + is_expected.to be_allowed(:reset_merge_request_approvals) + end + end end end @@ -273,6 +328,14 @@ RSpec.describe MergeRequestPolicy do it_behaves_like 'a user with full access' end + + describe 'a bot' do + let(:subject) { permissions(bot, merge_request) } + + it do + is_expected.to be_allowed(:reset_merge_request_approvals) + end + end end end @@ -297,11 +360,28 @@ RSpec.describe MergeRequestPolicy do group_access: Gitlab::Access::DEVELOPER) group.add_guest(non_team_member) + group.add_guest(bot) end - specify do + it do is_expected.to be_allowed(:approve_merge_request) end + + it do + is_expected.to be_disallowed(:reset_merge_request_approvals) + end + + context 'and the user is a bot' do + let(:user) { bot } + + it do + is_expected.to be_allowed(:approve_merge_request) + end + + it do + is_expected.to be_allowed(:reset_merge_request_approvals) + end + end end end 
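Review bot: In the `@@ -297` hunk the bot is added with `group.add_guest(bot)`, yet the 'and the user is a bot' context that overrides `let(:user) { bot }` expects `be_allowed(:reset_merge_request_approvals)`, whereas every earlier hunk in this file grants the bot developer access; the examples therefore appear to encode that a project bot can reset approvals with only guest membership, and nothing states whether that is the intended boundary. If it is, add a comment above the context such as `# reset_merge_request_approvals for a project bot is not gated on the bot's access level`; if it is not, this guest case needs a disallowed expectation instead. The `@@ -313` hunk that follows already pins the non-member bot as disallowed, so only the guest-member case is undocumented. The enclosing context and its `subject` declaration start outside this hunk.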
@@ -313,9 +393,25 @@ RSpec.describe MergeRequestPolicy do subject { permissions(non_team_member, merge_request) } - specify do + it do is_expected.not_to be_allowed(:approve_merge_request) end + + it do + is_expected.not_to be_allowed(:reset_merge_request_approvals) + end + + context 'and the user is a bot' do + subject { permissions(bot, merge_request) } + + it do + is_expected.not_to be_allowed(:approve_merge_request) + end + + it do + is_expected.not_to be_allowed(:reset_merge_request_approvals) + end + end end context 'when merge requests are disabled' do diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb index 42d27d0f3d6..bb821490e30 100644 --- a/spec/policies/namespaces/user_namespace_policy_spec.rb +++ b/spec/policies/namespaces/user_namespace_policy_spec.rb @@ -35,6 +35,13 @@ RSpec.describe Namespaces::UserNamespacePolicy do it { is_expected.to be_disallowed(:create_projects) } it { is_expected.to be_disallowed(:transfer_projects) } end + + context 'bot user' do + let(:owner) { create(:user, :project_bot) } + + it { is_expected.to be_disallowed(:create_projects) } + it { is_expected.to be_disallowed(:transfer_projects) } + end end context 'admin' do diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb index 6a261b4ff5b..dcfc398806a 100644 --- a/spec/policies/note_policy_spec.rb +++ b/spec/policies/note_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe NotePolicy do +RSpec.describe NotePolicy, feature_category: :team_planning do describe '#rules', :aggregate_failures do let(:user) { create(:user) } let(:project) { create(:project, :public) } 
@@ -255,6 +255,31 @@ RSpec.describe NotePolicy do it_behaves_like 'user can read the note' end + + context 'when notes widget is disabled for task' do + let(:policy) { described_class.new(developer, note) } + + before do + widgets_per_type = WorkItems::Type::WIDGETS_FOR_TYPE.dup + widgets_per_type[:task] = [::WorkItems::Widgets::Description] + stub_const('WorkItems::Type::WIDGETS_FOR_TYPE', widgets_per_type) + end + + context 'when noteable is task' do + let(:noteable) { create(:work_item, :task, project: project) } + let(:note) { create(:note, system: true, noteable: noteable, author: user, project: project) } + + it_behaves_like 'user cannot read or act on the note' + end + + context 'when noteable is issue' do + let(:noteable) { create(:work_item, :issue, project: project) } + let(:note) { create(:note, system: true, noteable: noteable, author: user, project: project) } + + it_behaves_like 'user can read the note' + it_behaves_like 'user can act on the note' + end + end end context 'when it is a system note referencing a confidential issue' do @@ -313,7 +338,7 @@ RSpec.describe NotePolicy do end it 'does not allow guests to read confidential notes and replies' do - expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential) + expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :read_internal_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential) end it 'allows reporter to read all notes but not resolve and admin them' do diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 973ed66b8d8..9b2d10283f1 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb 
@@ -1965,87 +1965,6 @@ RSpec.describe ProjectPolicy do it_behaves_like 'Self-managed Core resource access tokens' - describe 'operations feature' do - using RSpec::Parameterized::TableSyntax - - let(:guest_permissions) { [:read_environment, :read_deployment] } - - let(:developer_permissions) do - guest_permissions + [ - :read_feature_flag, :read_sentry_issue, :read_alert_management_alert, :read_terraform_state, - :metrics_dashboard, :read_pod_logs, :read_prometheus, :create_feature_flag, - :create_environment, :create_deployment, :update_feature_flag, :update_environment, - :update_sentry_issue, :update_alert_management_alert, :update_deployment, - :destroy_feature_flag, :destroy_environment, :admin_feature_flag - ] - end - - let(:maintainer_permissions) do - developer_permissions + [ - :read_cluster, :create_cluster, :update_cluster, :admin_environment, - :admin_cluster, :admin_terraform_state, :admin_deployment - ] - end - - before do - stub_feature_flags(split_operations_visibility_permissions: false) - end - - where(:project_visibility, :access_level, :role, :allowed) do - :public | ProjectFeature::ENABLED | :maintainer | true - :public | ProjectFeature::ENABLED | :developer | true - :public | ProjectFeature::ENABLED | :guest | true - :public | ProjectFeature::ENABLED | :anonymous | true - :public | ProjectFeature::PRIVATE | :maintainer | true - :public | ProjectFeature::PRIVATE | :developer | true - :public | ProjectFeature::PRIVATE | :guest | true - :public | ProjectFeature::PRIVATE | :anonymous | false - :public | ProjectFeature::DISABLED | :maintainer | false - :public | ProjectFeature::DISABLED | :developer | false - :public | ProjectFeature::DISABLED | :guest | false - :public | ProjectFeature::DISABLED | :anonymous | false - :internal | ProjectFeature::ENABLED | :maintainer | true - :internal | ProjectFeature::ENABLED | :developer | true - :internal | ProjectFeature::ENABLED | :guest | true - :internal | ProjectFeature::ENABLED | :anonymous | false - 
:internal | ProjectFeature::PRIVATE | :maintainer | true - :internal | ProjectFeature::PRIVATE | :developer | true - :internal | ProjectFeature::PRIVATE | :guest | true - :internal | ProjectFeature::PRIVATE | :anonymous | false - :internal | ProjectFeature::DISABLED | :maintainer | false - :internal | ProjectFeature::DISABLED | :developer | false - :internal | ProjectFeature::DISABLED | :guest | false - :internal | ProjectFeature::DISABLED | :anonymous | false - :private | ProjectFeature::ENABLED | :maintainer | true - :private | ProjectFeature::ENABLED | :developer | true - :private | ProjectFeature::ENABLED | :guest | false - :private | ProjectFeature::ENABLED | :anonymous | false - :private | ProjectFeature::PRIVATE | :maintainer | true - :private | ProjectFeature::PRIVATE | :developer | true - :private | ProjectFeature::PRIVATE | :guest | false - :private | ProjectFeature::PRIVATE | :anonymous | false - :private | ProjectFeature::DISABLED | :maintainer | false - :private | ProjectFeature::DISABLED | :developer | false - :private | ProjectFeature::DISABLED | :guest | false - :private | ProjectFeature::DISABLED | :anonymous | false - end - - with_them do - let(:current_user) { user_subject(role) } - let(:project) { project_subject(project_visibility) } - - it 'allows/disallows the abilities based on the operation feature access level' do - project.project_feature.update!(operations_access_level: access_level) - - if allowed - expect_allowed(*permissions_abilities(role)) - else - expect_disallowed(*permissions_abilities(role)) - end - end - end - end - describe 'environments feature' do using RSpec::Parameterized::TableSyntax |