diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-17 14:33:21 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-17 14:33:21 +0300 |
commit | 7021455bd1ed7b125c55eb1b33c5a01f2bc55ee0 (patch) | |
tree | 5bdc2229f5198d516781f8d24eace62fc7e589e9 /spec/policies | |
parent | 185b095e93520f96e9cfc31d9c3e69b498cdab7c (diff) |
Add latest changes from gitlab-org/gitlab@15-6-stable-eev15.6.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/global_policy_spec.rb | 30 | ||||
-rw-r--r-- | spec/policies/group_member_policy_spec.rb | 130 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 13 | ||||
-rw-r--r-- | spec/policies/issuable_policy_spec.rb | 8 | ||||
-rw-r--r-- | spec/policies/note_policy_spec.rb | 24 | ||||
-rw-r--r-- | spec/policies/project_member_policy_spec.rb | 32 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 138 | ||||
-rw-r--r-- | spec/policies/user_policy_spec.rb | 44 |
8 files changed, 309 insertions, 110 deletions
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index da0427420e4..4a8855f1da7 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -591,34 +591,4 @@ RSpec.describe GlobalPolicy do it { is_expected.not_to be_allowed(:log_in) } end end - - describe 'delete runners' do - context 'when anonymous' do - let(:current_user) { nil } - - it { is_expected.not_to be_allowed(:delete_runners) } - end - - context 'regular user' do - it { is_expected.not_to be_allowed(:delete_runners) } - end - - context 'when external' do - let(:current_user) { build(:user, :external) } - - it { is_expected.not_to be_allowed(:delete_runners) } - end - - context 'admin user' do - let_it_be(:current_user) { create(:user, :admin) } - - context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:delete_runners) } - end - - context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:delete_runners) } - end - end - end end diff --git a/spec/policies/group_member_policy_spec.rb b/spec/policies/group_member_policy_spec.rb index 27ce683861c..6ae5e43def4 100644 --- a/spec/policies/group_member_policy_spec.rb +++ b/spec/policies/group_member_policy_spec.rb @@ -83,6 +83,31 @@ RSpec.describe GroupMemberPolicy do specify { expect_allowed(:read_group) } end + context 'for access requests' do + let_it_be(:group) { create(:group, :public) } + let_it_be(:user) { create(:user) } + + let(:current_user) { user } + + context 'for own access request' do + let(:membership) { create(:group_member, :access_request, group: group, user: user) } + + specify { expect_allowed(:withdraw_member_access_request) } + end + + context "for another user's access request" do + let(:membership) { create(:group_member, :access_request, group: group, user: create(:user)) } + + specify { expect_disallowed(:withdraw_member_access_request) } + end + + context 'for own, valid membership' do + let(:membership) { create(:group_member, :developer, group: group, user: user) } + + specify { expect_disallowed(:withdraw_member_access_request) } + end + end + context 'with bot user' do let(:current_user) { create(:user, :project_bot) } @@ -100,74 +125,83 @@ RSpec.describe GroupMemberPolicy do specify { expect_disallowed(:read_group, :destroy_project_bot_member) } end - context 'with one owner' do + context 'with owner' do let(:current_user) { owner } - specify { expect_disallowed(*member_related_permissions) } - specify { expect_allowed(:read_group) } - end + context 'with group with one owner' do + specify { expect_disallowed(*member_related_permissions) } + specify { expect_allowed(:read_group) } + end - context 'with one blocked owner' do - let(:owner) { create(:user, :blocked) } - let(:current_user) { owner } + context 'with group with bot user owner' do + before do + group.add_owner(create(:user, :project_bot)) + end - specify { expect_disallowed(*member_related_permissions) } - specify { expect_disallowed(:read_group) } - end + specify { expect_disallowed(*member_related_permissions) } + end - context 'with more than one owner' do - let(:current_user) { owner } + context 'with group with more than one owner' do + before do + group.add_owner(create(:user)) + end - before do - group.add_owner(create(:user)) + specify { expect_allowed(*member_related_permissions) } + specify { expect_disallowed(:destroy_project_bot_member) } end - specify { expect_allowed(*member_related_permissions) } - specify { expect_disallowed(:destroy_project_bot_member) } - end + context 'with group with owners from a parent' do + context 'when top-level group' do + context 'with group sharing' do + let!(:subgroup) { create(:group, :private, parent: group) } - context 'with the group parent' do - let(:current_user) { create :user } - let(:subgroup) { create(:group, :private, parent: group) } + before do + create(:group_group_link, :owner, shared_group: group, shared_with_group: subgroup) + create(:group_member, :owner, group: subgroup) + end - before do - group.add_owner(owner) - subgroup.add_owner(current_user) - end + specify { expect_disallowed(*member_related_permissions) } + specify { expect_allowed(:read_group) } + end + end - it do - expect_allowed(:destroy_group_member) - expect_allowed(:update_group_member) - end - end + context 'when subgroup' do + let(:current_user) { create :user } - context 'without group parent' do - let(:current_user) { create :user } - let(:subgroup) { create(:group, :private) } + let!(:subgroup) { create(:group, :private, parent: group) } - before do - subgroup.add_owner(current_user) - end + before do + subgroup.add_owner(current_user) + end - it do - expect_disallowed(:destroy_group_member) - expect_disallowed(:update_group_member) + specify { expect_allowed(*member_related_permissions) } + specify { expect_allowed(:read_group) } + end end end - context 'without group parent with two owners' do - let(:current_user) { create :user } - let(:other_user) { create :user } - let(:subgroup) { create(:group, :private) } + context 'with blocked owner' do + let(:owner) { create(:user, :blocked) } + let(:current_user) { owner } - before do - subgroup.add_owner(current_user) - subgroup.add_owner(other_user) + specify { expect_disallowed(*member_related_permissions) } + specify { expect_disallowed(:read_group) } + + context 'with group with bot user owner' do + before do + group.add_owner(create(:user, :project_bot)) + end + + specify { expect_disallowed(*member_related_permissions) } + specify { expect_disallowed(:read_group) } end - it do - expect_allowed(:destroy_group_member) - expect_allowed(:update_group_member) + context 'with group with more than one blocked owner' do + before do + group.add_owner(create(:user, :blocked)) + end + + specify { expect_allowed(:destroy_group_member) } end end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index c65933c5208..60acacac814 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -258,6 +258,19 @@ RSpec.describe GroupPolicy do it_behaves_like 'deploy token does not get confused with user' do let(:user_id) { migration_bot.id } end + + context 'with no user' do + let(:current_user) { nil } + + it :aggregate_failures do + expect_disallowed(:read_resource_access_tokens, :destroy_resource_access_tokens) + expect_disallowed(*guest_permissions) + expect_disallowed(*reporter_permissions) + expect_disallowed(*developer_permissions) + expect_disallowed(*maintainer_permissions) + expect_disallowed(*owner_permissions) + end + end end describe 'private nested group use the highest access level from the group and inherited permissions' do diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb index 2bedcf60539..c8c322b02db 100644 --- a/spec/policies/issuable_policy_spec.rb +++ b/spec/policies/issuable_policy_spec.rb @@ -31,8 +31,8 @@ RSpec.describe IssuablePolicy, models: true do expect(policies).to be_allowed(:resolve_note) end - it 'allows reading internal notes' do - expect(policies).to be_allowed(:read_internal_note) + it 'does not allow reading internal notes' do + expect(policies).to be_disallowed(:read_internal_note) end context 'when user is able to read project' do @@ -94,8 +94,8 @@ RSpec.describe IssuablePolicy, models: true do let(:issue) { create(:issue, project: project, assignees: [user]) } let(:policies) { described_class.new(user, issue) } - it 'allows reading internal notes' do - expect(policies).to be_allowed(:read_internal_note) + it 'does not allow reading internal notes' do + expect(policies).to be_disallowed(:read_internal_note) end end diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb index eeaa77a4589..6a261b4ff5b 100644 --- a/spec/policies/note_policy_spec.rb +++ b/spec/policies/note_policy_spec.rb @@ -309,42 +309,41 @@ RSpec.describe NotePolicy do shared_examples_for 'confidential notes permissions' do it 'does not allow non members to read confidential notes and replies' do - expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) + expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential) end it 'does not allow guests to read confidential notes and replies' do - expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) + expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential) end it 'allows reporter to read all notes but not resolve and admin them' do - expect(permissions(reporter, confidential_note)).to be_allowed(:read_note, :award_emoji) + expect(permissions(reporter, confidential_note)).to be_allowed(:read_note, :award_emoji, :mark_note_as_confidential) expect(permissions(reporter, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note) end it 'allows developer to read and resolve all notes' do - expect(permissions(developer, confidential_note)).to be_allowed(:read_note, :award_emoji, :resolve_note) + expect(permissions(developer, confidential_note)).to be_allowed(:read_note, :award_emoji, :resolve_note, :mark_note_as_confidential) expect(permissions(developer, confidential_note)).to be_disallowed(:admin_note, :reposition_note) end it 'allows maintainers to read all notes and admin them' do - expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) + expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential) end context 'when admin mode is enabled', :enable_admin_mode do it 'allows admins to read all notes and admin them' do - expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) + expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential) end end context 'when admin mode is disabled' do it 'does not allow non members to read confidential notes and replies' do - expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) + expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential) end end - it 'allows noteable author to read and resolve all notes' do - expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji) - expect(permissions(author, confidential_note)).to be_disallowed(:admin_note, :reposition_note) + it 'disallows noteable author to read and resolve all notes' do + expect(permissions(author, confidential_note)).to be_disallowed(:read_note, :resolve_note, :award_emoji, :mark_note_as_confidential, :admin_note, :reposition_note) end end @@ -354,9 +353,8 @@ RSpec.describe NotePolicy do it_behaves_like 'confidential notes permissions' - it 'allows noteable assignees to read all notes' do - expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji) - expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note) + it 'disallows noteable assignees to read all notes' do + expect(permissions(assignee, confidential_note)).to be_disallowed(:read_note, :award_emoji, :mark_note_as_confidential, :admin_note, :reposition_note, :resolve_note) end end end diff --git a/spec/policies/project_member_policy_spec.rb b/spec/policies/project_member_policy_spec.rb index b19ab71fcb5..d7c155b39f5 100644 --- a/spec/policies/project_member_policy_spec.rb +++ b/spec/policies/project_member_policy_spec.rb @@ -4,13 +4,14 @@ require 'spec_helper' RSpec.describe ProjectMemberPolicy do let(:project) { create(:project) } - let(:maintainer_user) { create(:user) } + let(:maintainer) { create(:user) } let(:member) { create(:project_member, project: project, user: member_user) } + let(:current_user) { maintainer } - subject { described_class.new(maintainer_user, member) } + subject { described_class.new(current_user, member) } before do - create(:project_member, :maintainer, project: project, user: maintainer_user) + create(:project_member, :maintainer, project: project, user: maintainer) end context 'with regular member' do @@ -40,4 +41,29 @@ RSpec.describe ProjectMemberPolicy do it { is_expected.not_to be_allowed(:update_project_member) } it { is_expected.not_to be_allowed(:destroy_project_member) } end + + context 'for access requests' do + let_it_be(:project) { create(:project, :public) } + let_it_be(:user) { create(:user) } + + let(:current_user) { user } + + context 'for own access request' do + let(:member) { create(:project_member, :access_request, project: project, user: user) } + + specify { expect_allowed(:withdraw_member_access_request) } + end + + context "for another user's access request" do + let(:member) { create(:project_member, :access_request, project: project, user: create(:user)) } + + specify { expect_disallowed(:withdraw_member_access_request) } + end + + context 'for own, valid membership' do + let(:member) { create(:project_member, :developer, project: project, user: user) } + + specify { expect_disallowed(:withdraw_member_access_request) } + end + end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 40ee2e662b2..973ed66b8d8 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -323,7 +323,7 @@ RSpec.describe ProjectPolicy do :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, - :destroy_release, :download_code, :build_download_code + :download_code, :build_download_code ] end @@ -533,6 +533,41 @@ RSpec.describe ProjectPolicy do end end + context 'with timeline event tags' do + context 'when user is member of the project' do + it 'allows access to timeline event tags' do + expect(described_class.new(owner, project)).to be_allowed(:read_incident_management_timeline_event_tag) + expect(described_class.new(developer, project)).to be_allowed(:read_incident_management_timeline_event_tag) + expect(described_class.new(guest, project)).to be_allowed(:read_incident_management_timeline_event_tag) + expect(described_class.new(admin, project)).to be_allowed(:read_incident_management_timeline_event_tag) + end + end + + context 'when user is a maintainer/owner' do + it 'allows to create timeline event tags' do + expect(described_class.new(maintainer, project)).to be_allowed(:admin_incident_management_timeline_event_tag) + expect(described_class.new(owner, project)).to be_allowed(:admin_incident_management_timeline_event_tag) + end + end + + context 'when user is a developer/guest/reporter' do + it 'disallows creation' do + expect(described_class.new(developer, project)).to be_disallowed(:admin_incident_management_timeline_event_tag) + expect(described_class.new(guest, project)).to be_disallowed(:admin_incident_management_timeline_event_tag) + expect(described_class.new(reporter, project)).to be_disallowed(:admin_incident_management_timeline_event_tag) + end + end + + context 'when user is not a member of the project' do + let(:project) { private_project } + + it 'disallows access to the timeline event tags' do + expect(described_class.new(non_member, project)).to be_disallowed(:read_incident_management_timeline_event_tag) + expect(described_class.new(non_member, project)).to be_disallowed(:admin_incident_management_timeline_event_tag) + end + end + end + context 'reading a project' do it 'allows access when a user has read access to the repo' do expect(described_class.new(owner, project)).to be_allowed(:read_project) @@ -629,17 +664,7 @@ RSpec.describe ProjectPolicy do context 'when user is member of the project' do let(:current_user) { developer } - context 'when work_items feature flag is enabled' do - it { expect_allowed(:create_task) } - end - - context 'when work_items feature flag is disabled' do - before do - stub_feature_flags(work_items: false) - end - - it { expect_disallowed(:create_task) } - end + it { expect_allowed(:create_task) } end end @@ -2299,6 +2324,74 @@ RSpec.describe ProjectPolicy do end end + describe 'infrastructure feature' do + using RSpec::Parameterized::TableSyntax + + let(:guest_permissions) { [] } + + let(:developer_permissions) do + guest_permissions + [:read_terraform_state, :read_pod_logs, :read_prometheus] + end + + let(:maintainer_permissions) do + developer_permissions + [:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :admin_terraform_state, :admin_project_google_cloud] + end + + where(:project_visibility, :access_level, :role, :allowed) do + :public | ProjectFeature::ENABLED | :maintainer | true + :public | ProjectFeature::ENABLED | :developer | true + :public | ProjectFeature::ENABLED | :guest | true + :public | ProjectFeature::ENABLED | :anonymous | true + :public | ProjectFeature::PRIVATE | :maintainer | true + :public | ProjectFeature::PRIVATE | :developer | true + :public | ProjectFeature::PRIVATE | :guest | true + :public | ProjectFeature::PRIVATE | :anonymous | false + :public | ProjectFeature::DISABLED | :maintainer | false + :public | ProjectFeature::DISABLED | :developer | false + :public | ProjectFeature::DISABLED | :guest | false + :public | ProjectFeature::DISABLED | :anonymous | false + :internal | ProjectFeature::ENABLED | :maintainer | true + :internal | ProjectFeature::ENABLED | :developer | true + :internal | ProjectFeature::ENABLED | :guest | true + :internal | ProjectFeature::ENABLED | :anonymous | false + :internal | ProjectFeature::PRIVATE | :maintainer | true + :internal | ProjectFeature::PRIVATE | :developer | true + :internal | ProjectFeature::PRIVATE | :guest | true + :internal | ProjectFeature::PRIVATE | :anonymous | false + :internal | ProjectFeature::DISABLED | :maintainer | false + :internal | ProjectFeature::DISABLED | :developer | false + :internal | ProjectFeature::DISABLED | :guest | false + :internal | ProjectFeature::DISABLED | :anonymous | false + :private | ProjectFeature::ENABLED | :maintainer | true + :private | ProjectFeature::ENABLED | :developer | true + :private | ProjectFeature::ENABLED | :guest | true + :private | ProjectFeature::ENABLED | :anonymous | false + :private | ProjectFeature::PRIVATE | :maintainer | true + :private | ProjectFeature::PRIVATE | :developer | true + :private | ProjectFeature::PRIVATE | :guest | true + :private | ProjectFeature::PRIVATE | :anonymous | false + :private | ProjectFeature::DISABLED | :maintainer | false + :private | ProjectFeature::DISABLED | :developer | false + :private | ProjectFeature::DISABLED | :guest | false + :private | ProjectFeature::DISABLED | :anonymous | false + end + + with_them do + let(:current_user) { user_subject(role) } + let(:project) { project_subject(project_visibility) } + + it 'allows/disallows the abilities based on the infrastructure access level' do + project.project_feature.update!(infrastructure_access_level: access_level) + + if allowed + expect_allowed(*permissions_abilities(role)) + else + expect_disallowed(*permissions_abilities(role)) + end + end + end + end + describe 'access_security_and_compliance' do context 'when the "Security & Compliance" is enabled' do before do @@ -2791,6 +2884,27 @@ RSpec.describe ProjectPolicy do end end + describe 'read_code' do + let(:current_user) { create(:user) } + + before do + allow(subject).to receive(:allowed?).and_call_original + allow(subject).to receive(:allowed?).with(:download_code).and_return(can_download_code) + end + + context 'when the current_user can download_code' do + let(:can_download_code) { true } + + it { expect_allowed(:read_code) } + end + + context 'when the current_user cannot download_code' do + let(:can_download_code) { false } + + it { expect_disallowed(:read_code) } + end + end + private def project_subject(project_type) diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb index b800e7dbc43..d02a94b810e 100644 --- a/spec/policies/user_policy_spec.rb +++ b/spec/policies/user_policy_spec.rb @@ -84,6 +84,50 @@ RSpec.describe UserPolicy do end end + describe "reading a user's associations count" do + context 'when current_user is not an admin' do + context 'fetching their own data' do + subject { described_class.new(current_user, current_user) } + + context 'when current_user is not blocked' do + it { is_expected.to be_allowed(:get_user_associations_count ) } + end + + context 'when current_user is blocked' do + let(:current_user) { create(:user, :blocked) } + + it { is_expected.not_to be_allowed(:get_user_associations_count) } + end + end + + context "fetching a different user's data" do + it { is_expected.not_to be_allowed(:get_user_associations_count) } + end + end + + context 'when current_user is an admin' do + let(:current_user) { admin } + + context 'fetching their own data', :enable_admin_mode do + subject { described_class.new(current_user, current_user) } + + context 'when current_user is not blocked' do + it { is_expected.to be_allowed(:get_user_associations_count ) } + end + + context 'when current_user is blocked' do + let(:current_user) { create(:admin, :blocked) } + + it { is_expected.not_to be_allowed(:get_user_associations_count) } + end + end + + context "fetching a different user's data", :enable_admin_mode do + it { is_expected.to be_allowed(:get_user_associations_count) } + end + end + end + shared_examples 'changing a user' do |ability| context "when a regular user tries to destroy another regular user" do it { is_expected.not_to be_allowed(ability) } |