author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-08-18 11:17:02 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-08-18 11:17:02 +0300 |
commit | b39512ed755239198a9c294b6a45e65c05900235 (patch) | |
tree | d234a3efade1de67c46b9e5a38ce813627726aa7 /spec/policies | |
parent | d31474cf3b17ece37939d20082b07f6657cc79a9 (diff) |
Add latest changes from gitlab-org/gitlab@15-3-stable-eev15.3.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/group_policy_spec.rb | 29 | ||||
-rw-r--r-- | spec/policies/issuable_policy_spec.rb | 40 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 55 | ||||
-rw-r--r-- | spec/policies/namespaces/project_namespace_policy_spec.rb | 42 | ||||
-rw-r--r-- | spec/policies/namespaces/user_namespace_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/project_hook_policy_spec.rb | 31 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 275 | ||||
-rw-r--r-- | spec/policies/system_hook_policy_spec.rb | 29 | ||||
-rw-r--r-- | spec/policies/timelog_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/upload_policy_spec.rb | 76 | ||||
-rw-r--r-- | spec/policies/work_item_policy_spec.rb | 41 |
11 files changed, 535 insertions, 87 deletions
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 3ef859376a4..57923142648 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -4,7 +4,6 @@ require 'spec_helper'
 RSpec.describe GroupPolicy do
   include_context 'GroupPolicy context'
 
-  using RSpec::Parameterized::TableSyntax
 
   context 'public group with no user' do
     let(:group) { create(:group, :public, :crm_enabled) }
@@ -1231,29 +1230,11 @@ RSpec.describe GroupPolicy do
     it { is_expected.to be_disallowed(:admin_crm_organization) }
   end
 
-  describe 'maintain_namespace' do
-    context 'with non-admin roles' do
-      where(:role, :allowed) do
-        :guest | false
-        :reporter | false
-        :developer | false
-        :maintainer | true
-        :owner | true
-      end
-
-      with_them do
-        let(:current_user) { public_send(role) }
+  it_behaves_like 'checks timelog categories permissions' do
+    let(:group) { create(:group) }
+    let(:namespace) { group }
+    let(:users_container) { group }
 
-        it do
-          expect(subject.allowed?(:maintain_namespace)).to eq allowed
-        end
-      end
-    end
-
-    context 'as an admin', :enable_admin_mode do
-      let(:current_user) { admin }
-
-      it { is_expected.to be_allowed(:maintain_namespace) }
-    end
+    subject { described_class.new(current_user, group) }
   end
 end
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index 5e2a307e959..706570babd5 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
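Review bot: The negative `maintain_namespace` checks for guest, reporter and developer disappear here with nothing asserting the ability's absence in their place; the user_namespace_policy hunk further down also drops `:maintain_namespace` from `owner_permissions`, which suggests the ability was retired, but the policy change itself is outside this diff (limited to spec/policies). If `maintain_namespace` still exists on GroupPolicy, keep one negative case such as `it { is_expected.to be_disallowed(:maintain_namespace) }` for the guest role rather than losing the denial coverage entirely. The replacement block overrides `subject` with `described_class.new(current_user, group)` while `current_user` is provided by the 'GroupPolicy context' above the hunk; a short comment naming that dependency would help the next reader.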
@@ -113,5 +113,45 @@ RSpec.describe IssuablePolicy, models: true do
       end
     end
   end
+
+  context 'when user is anonymous' do
+    it 'does not allow timelogs creation' do
+      expect(permissions(nil, issue)).to be_disallowed(:create_timelog)
+    end
+  end
+
+  context 'when user is not a member of the project' do
+    it 'does not allow timelogs creation' do
+      expect(policies).to be_disallowed(:create_timelog)
+    end
+  end
+
+  context 'when user is not a member of the project but the author of the issuable' do
+    let(:issue) { create(:issue, project: project, author: user) }
+
+    it 'does not allow timelogs creation' do
+      expect(policies).to be_disallowed(:create_timelog)
+    end
+  end
+
+  context 'when user is a guest member of the project' do
+    it 'does not allow timelogs creation' do
+      expect(permissions(guest, issue)).to be_disallowed(:create_timelog)
+    end
+  end
+
+  context 'when user is a guest member of the project and the author of the issuable' do
+    let(:issue) { create(:issue, project: project, author: guest) }
+
+    it 'does not allow timelogs creation' do
+      expect(permissions(guest, issue)).to be_disallowed(:create_timelog)
+    end
+  end
+
+  context 'when user is at least reporter of the project' do
+    it 'allows timelogs creation' do
+      expect(permissions(reporter, issue)).to be_allowed(:create_timelog)
+    end
+  end
 end
 end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index fefbb59a830..7ca4baddb79 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -3,7 +3,9 @@
 require 'spec_helper'
 
 RSpec.describe IssuePolicy do
+  include_context 'ProjectPolicyTable context'
   include ExternalAuthorizationServiceHelpers
+  include ProjectHelpers
 
   let(:guest) { create(:user) }
   let(:author) { create(:user) }
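Review bot: The 'not a member' and 'not a member but author' contexts assert on `policies` while the four sibling contexts build the policy explicitly with `permissions(<user>, issue)`; `policies` and the `user` it wraps are defined above the hunk, so a reader has to leave the hunk to learn which user those two cases exercise. Writing all six the same way, e.g. `expect(permissions(user, issue)).to be_disallowed(:create_timelog)`, makes each context self-describing and keeps the anonymous case (`permissions(nil, issue)`) visibly distinct from the non-member one. The enclosing describe block starts above the hunk.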
@@ -50,6 +52,19 @@ RSpec.describe IssuePolicy do
     end
   end
 
+  shared_examples 'grants the expected permissions' do |policy|
+    specify do
+      enable_admin_mode!(user) if admin_mode
+      update_feature_access_level(project, feature_access_level)
+
+      if expected_count == 1
+        expect(permissions(user, issue)).to be_allowed(policy)
+      else
+        expect(permissions(user, issue)).to be_disallowed(policy)
+      end
+    end
+  end
+
   context 'a private project' do
     let(:project) { create(:project, :private) }
     let(:issue) { create(:issue, project: project, assignees: [assignee], author: author) }
@@ -85,7 +100,6 @@ RSpec.describe IssuePolicy do
 
     it 'allows reporters from group links to read, update, and admin issues' do
       expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
-      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
       expect(permissions(reporter_from_group_link, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
     end
 
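Review bot: `expected_count == 1` in the 'grants the expected permissions' shared example is the only place the table's last column is interpreted, and nothing in the hunk says what the count means; it appears to come from the 'ProjectPolicyTable context' included at the top of the file. A one-line comment above the `if`, such as `# expected_count follows the ProjectPolicyTable convention: 1 means the ability is granted, anything else means denied`, would save the reader a trip to the shared context (adjust if the table can yield other values). `enable_admin_mode!(user) if admin_mode` and `update_feature_access_level(project, feature_access_level)` are also helpers from outside the hunk and deserve a mention in the same comment.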
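Review bot: The assertion that `reporter_from_group_link` can read, update and admin `issue_no_assignee` is removed here, and the matching assertion in the `@@ -217` hunk below is narrowed to `:reopen_issue` only; the table-driven contexts added at the end of the file exercise inherited group members (`create_user_from_membership(group, membership)`), not project group links, so the group-link path now keeps only the `issue` assertion. If the dropped lines were redundant with `issue`, fine, but if the no-assignee variant guarded a distinct branch of the policy that coverage is gone; a comment above the surviving `expect` saying the no-assignee case is covered elsewhere (or that it never differed) would settle it.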
@@ -217,7 +231,7 @@ RSpec.describe IssuePolicy do
 
     it 'allows reporters from group links to read, update, reopen and admin issues' do
       expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
-      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
+      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:reopen_issue)
       expect(permissions(reporter_from_group_link, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
       expect(permissions(reporter_from_group_link, issue_locked)).to be_disallowed(:reopen_issue)
       expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
@@ -295,18 +309,23 @@ RSpec.describe IssuePolicy do
     it 'forbids visitors from viewing issues' do
       expect(permissions(visitor, issue)).to be_disallowed(:read_issue)
     end
+
     it 'forbids visitors from commenting' do
       expect(permissions(visitor, issue)).to be_disallowed(:create_note)
     end
+
     it 'forbids visitors from subscribing' do
       expect(permissions(visitor, issue)).to be_disallowed(:update_subscription)
     end
+
     it 'allows guests to view' do
       expect(permissions(guest, issue)).to be_allowed(:read_issue)
     end
+
     it 'allows guests to comment' do
       expect(permissions(guest, issue)).to be_allowed(:create_note)
     end
+
     it 'allows guests to subscribe' do
       expect(permissions(guest, issue)).to be_allowed(:update_subscription)
     end
@@ -454,7 +473,7 @@ RSpec.describe IssuePolicy do
       end
     end
 
-    context 'when peronsal namespace' do
+    context 'when personal namespace' do
       let(:project) { create(:project) }
 
       it 'is disallowed' do
@@ -465,4 +484,34 @@ RSpec.describe IssuePolicy do
       end
     end
   end
+
+  context 'when user is an inherited member from the group' do
+    let(:user) { create_user_from_membership(group, membership) }
+    let(:project) { create(:project, project_level, group: group) }
+    let(:issue) { create(:issue, project: project) }
+
+    context 'and policy allows guest access' do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
+        permission_table_for_guest_feature_access
+      end
+
+      with_them do
+        it_behaves_like 'grants the expected permissions', :read_issue
+        it_behaves_like 'grants the expected permissions', :read_issue_iid
+      end
+    end
+
+    context 'and policy allows reporter access' do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
+        permission_table_for_reporter_issue_access
+      end
+
+      with_them do
+        it_behaves_like 'grants the expected permissions', :update_issue
+        it_behaves_like 'grants the expected permissions', :admin_issue
+        it_behaves_like 'grants the expected permissions', :set_issue_metadata
+        it_behaves_like 'grants the expected permissions', :set_confidentiality
+      end
+    end
+  end
 end
diff --git a/spec/policies/namespaces/project_namespace_policy_spec.rb b/spec/policies/namespaces/project_namespace_policy_spec.rb
index 5ceea9dfb9d..4519f44a6ad 100644
--- a/spec/policies/namespaces/project_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/project_namespace_policy_spec.rb
@@ -3,45 +3,11 @@
 require 'spec_helper'
 
 RSpec.describe Namespaces::ProjectNamespacePolicy do
-  let_it_be(:parent) { create(:namespace) }
-  let_it_be(:project) { create(:project, namespace: parent) }
-  let_it_be(:namespace) { project.project_namespace }
-
-  let(:permissions) do
-    [:owner_access, :create_projects, :admin_namespace, :read_namespace,
-     :read_statistics, :transfer_projects, :admin_package,
-     :create_jira_connect_subscription]
-  end
-
   subject { described_class.new(current_user, namespace) }
 
-  context 'with no user' do
-    let_it_be(:current_user) { nil }
-
-    it { is_expected.to be_disallowed(*permissions) }
-  end
-
-  context 'regular user' do
-    let_it_be(:current_user) { create(:user) }
-
-    it { is_expected.to be_disallowed(*permissions) }
-  end
-
-  context 'parent owner' do
-    let_it_be(:current_user) { parent.first_owner }
-
-    it { is_expected.to be_disallowed(*permissions) }
-  end
-
-  context 'admin' do
-    let_it_be(:current_user) { create(:admin) }
-
-    context 'when admin mode is enabled', :enable_admin_mode do
-      it { is_expected.to be_disallowed(*permissions) }
-    end
-
-    context 'when admin mode is disabled' do
-      it { is_expected.to be_disallowed(*permissions) }
-    end
+  it_behaves_like 'checks timelog categories permissions' do
+    let(:project) { create(:project) }
+    let(:namespace) { project.project_namespace }
+    let(:users_container) { project }
   end
 end
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index e8a3c9b828d..22c3f6a6d67 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
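Review bot: The negative assertions that nobody — anonymous, regular user, parent owner, or admin with and without admin mode — is granted `:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :create_jira_connect_subscription` on a project namespace have no replacement anywhere in this diff. The new 'checks timelog categories permissions' shared example is defined outside the diff and, by its name, covers only timelog-category abilities, so `Namespaces::ProjectNamespacePolicy` no longer has a regression guard against accidentally inheriting owner-level rights. Unless the policy itself stopped denying those abilities, keep the removed `let(:permissions)` and the four `be_disallowed(*permissions)` contexts alongside the new `it_behaves_like` rather than deleting them; a policy spec that asserts only positive abilities will not catch an over-permissive change.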
@@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do
   let_it_be(:admin) { create(:admin) }
   let_it_be(:namespace) { create(:user_namespace, owner: owner) }
 
-  let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :maintain_namespace] }
+  let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package] }
 
   subject { described_class.new(current_user, namespace) }
 
diff --git a/spec/policies/project_hook_policy_spec.rb b/spec/policies/project_hook_policy_spec.rb
new file mode 100644
index 00000000000..cfa7b6ee4bf
--- /dev/null
+++ b/spec/policies/project_hook_policy_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ProjectHookPolicy do
+  let_it_be(:user) { create(:user) }
+
+  let(:hook) { create(:project_hook) }
+
+  subject(:policy) { described_class.new(user, hook) }
+
+  context 'when the user is not a maintainer' do
+    before do
+      hook.project.add_developer(user)
+    end
+
+    it "cannot read and destroy web-hooks" do
+      expect(policy).to be_disallowed(:read_web_hook, :destroy_web_hook)
+    end
+  end
+
+  context 'when the user is a maintainer' do
+    before do
+      hook.project.add_maintainer(user)
+    end
+
+    it "can read and destroy web-hooks" do
+      expect(policy).to be_allowed(:read_web_hook, :destroy_web_hook)
+    end
+  end
+end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index c041c72a0be..e8fdf9a8e25 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
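Review bot: In the new project_hook_policy_spec.rb the only 'not a maintainer' case first adds the user as a developer, so a user with no membership at all (and the anonymous `nil` user) is never checked against `:read_web_hook` / `:destroy_web_hook`, which is the denial a hook policy most needs to pin. `let_it_be(:user)` is already created without any membership, so a non-member context needs no `before` block and can sit next to the developer one. The two `it` descriptions also use double quotes where the rest of the file uses single quotes.
```ruby
  context 'when the user is not a member of the project' do
    it 'cannot read and destroy web-hooks' do
      expect(policy).to be_disallowed(:read_web_hook, :destroy_web_hook)
    end
  end

  # … unchanged: developer and maintainer contexts …
```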
@@ -1930,6 +1930,10 @@ RSpec.describe ProjectPolicy do
   describe 'operations feature' do
     using RSpec::Parameterized::TableSyntax
 
+    before do
+      stub_feature_flags(split_operations_visibility_permissions: false)
+    end
+
     let(:guest_operations_permissions) { [:read_environment, :read_deployment] }
 
     let(:developer_operations_permissions) do
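Review bot: `stub_feature_flags(split_operations_visibility_permissions: false)` pins this describe to the flag-off path without saying why, and nothing in the hunk says which describe covers the flag-on path; the environments, feature flags and Releases describes added later in the file look like that coverage, but the pairing is left for the reader to infer. A comment above the `before`, e.g. `# Flag off: the single operations access level still gates environments/deployments; the split path is covered by the per-feature describes below` (reworded to whatever the flag actually gates), would make the relationship explicit and flag this block for removal when the flag is cleaned up. The enclosing `describe 'operations feature'` body continues below the hunk.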
@@ -2002,38 +2006,234 @@ RSpec.describe ProjectPolicy do end end - def project_subject(project_type) - case project_type - when :public - public_project - when :internal - internal_project + def permissions_abilities(role) + case role + when :maintainer + maintainer_operations_permissions + when :developer + developer_operations_permissions else - private_project + guest_operations_permissions end end + end + end - def user_subject(role) - case role - when :maintainer - maintainer - when :developer - developer - when :guest - guest - when :anonymous - anonymous + describe 'environments feature' do + using RSpec::Parameterized::TableSyntax + + let(:guest_environments_permissions) { [:read_environment, :read_deployment] } + + let(:developer_environments_permissions) do + guest_environments_permissions + [ + :create_environment, :create_deployment, :update_environment, :update_deployment, :destroy_environment + ] + end + + let(:maintainer_environments_permissions) do + developer_environments_permissions + [:admin_environment, :admin_deployment] + end + + where(:project_visibility, :access_level, :role, :allowed) do + :public | ProjectFeature::ENABLED | :maintainer | true + :public | ProjectFeature::ENABLED | :developer | true + :public | ProjectFeature::ENABLED | :guest | true + :public | ProjectFeature::ENABLED | :anonymous | true + :public | ProjectFeature::PRIVATE | :maintainer | true + :public | ProjectFeature::PRIVATE | :developer | true + :public | ProjectFeature::PRIVATE | :guest | true + :public | ProjectFeature::PRIVATE | :anonymous | false + :public | ProjectFeature::DISABLED | :maintainer | false + :public | ProjectFeature::DISABLED | :developer | false + :public | ProjectFeature::DISABLED | :guest | false + :public | ProjectFeature::DISABLED | :anonymous | false + :internal | ProjectFeature::ENABLED | :maintainer | true + :internal | ProjectFeature::ENABLED | :developer | true + :internal | ProjectFeature::ENABLED | :guest | true + :internal | 
ProjectFeature::ENABLED | :anonymous | false + :internal | ProjectFeature::PRIVATE | :maintainer | true + :internal | ProjectFeature::PRIVATE | :developer | true + :internal | ProjectFeature::PRIVATE | :guest | true + :internal | ProjectFeature::PRIVATE | :anonymous | false + :internal | ProjectFeature::DISABLED | :maintainer | false + :internal | ProjectFeature::DISABLED | :developer | false + :internal | ProjectFeature::DISABLED | :guest | false + :internal | ProjectFeature::DISABLED | :anonymous | false + :private | ProjectFeature::ENABLED | :maintainer | true + :private | ProjectFeature::ENABLED | :developer | true + :private | ProjectFeature::ENABLED | :guest | false + :private | ProjectFeature::ENABLED | :anonymous | false + :private | ProjectFeature::PRIVATE | :maintainer | true + :private | ProjectFeature::PRIVATE | :developer | true + :private | ProjectFeature::PRIVATE | :guest | false + :private | ProjectFeature::PRIVATE | :anonymous | false + :private | ProjectFeature::DISABLED | :maintainer | false + :private | ProjectFeature::DISABLED | :developer | false + :private | ProjectFeature::DISABLED | :guest | false + :private | ProjectFeature::DISABLED | :anonymous | false + end + + with_them do + let(:current_user) { user_subject(role) } + let(:project) { project_subject(project_visibility) } + + it 'allows/disallows the abilities based on the environments feature access level' do + project.project_feature.update!(environments_access_level: access_level) + + if allowed + expect_allowed(*permissions_abilities(role)) + else + expect_disallowed(*permissions_abilities(role)) end end def permissions_abilities(role) case role when :maintainer - maintainer_operations_permissions + maintainer_environments_permissions when :developer - developer_operations_permissions + developer_environments_permissions else - guest_operations_permissions + guest_environments_permissions + end + end + end + end + + describe 'feature flags feature' do + using 
RSpec::Parameterized::TableSyntax + + let(:guest_permissions) { [] } + + let(:developer_permissions) do + guest_permissions + [ + :read_feature_flag, :create_feature_flag, :update_feature_flag, :destroy_feature_flag, :admin_feature_flag, + :admin_feature_flags_user_lists + ] + end + + let(:maintainer_permissions) do + developer_permissions + [:admin_feature_flags_client] + end + + where(:project_visibility, :access_level, :role, :allowed) do + :public | ProjectFeature::ENABLED | :maintainer | true + :public | ProjectFeature::ENABLED | :developer | true + :public | ProjectFeature::ENABLED | :guest | true + :public | ProjectFeature::ENABLED | :anonymous | true + :public | ProjectFeature::PRIVATE | :maintainer | true + :public | ProjectFeature::PRIVATE | :developer | true + :public | ProjectFeature::PRIVATE | :guest | true + :public | ProjectFeature::PRIVATE | :anonymous | false + :public | ProjectFeature::DISABLED | :maintainer | false + :public | ProjectFeature::DISABLED | :developer | false + :public | ProjectFeature::DISABLED | :guest | false + :public | ProjectFeature::DISABLED | :anonymous | false + :internal | ProjectFeature::ENABLED | :maintainer | true + :internal | ProjectFeature::ENABLED | :developer | true + :internal | ProjectFeature::ENABLED | :guest | true + :internal | ProjectFeature::ENABLED | :anonymous | false + :internal | ProjectFeature::PRIVATE | :maintainer | true + :internal | ProjectFeature::PRIVATE | :developer | true + :internal | ProjectFeature::PRIVATE | :guest | true + :internal | ProjectFeature::PRIVATE | :anonymous | false + :internal | ProjectFeature::DISABLED | :maintainer | false + :internal | ProjectFeature::DISABLED | :developer | false + :internal | ProjectFeature::DISABLED | :guest | false + :internal | ProjectFeature::DISABLED | :anonymous | false + :private | ProjectFeature::ENABLED | :maintainer | true + :private | ProjectFeature::ENABLED | :developer | true + :private | ProjectFeature::ENABLED | :guest | false + :private | 
ProjectFeature::ENABLED | :anonymous | false + :private | ProjectFeature::PRIVATE | :maintainer | true + :private | ProjectFeature::PRIVATE | :developer | true + :private | ProjectFeature::PRIVATE | :guest | false + :private | ProjectFeature::PRIVATE | :anonymous | false + :private | ProjectFeature::DISABLED | :maintainer | false + :private | ProjectFeature::DISABLED | :developer | false + :private | ProjectFeature::DISABLED | :guest | false + :private | ProjectFeature::DISABLED | :anonymous | false + end + + with_them do + let(:current_user) { user_subject(role) } + let(:project) { project_subject(project_visibility) } + + it 'allows/disallows the abilities based on the feature flags access level' do + project.project_feature.update!(feature_flags_access_level: access_level) + + if allowed + expect_allowed(*permissions_abilities(role)) + else + expect_disallowed(*permissions_abilities(role)) + end + end + end + end + + describe 'Releases feature' do + using RSpec::Parameterized::TableSyntax + + let(:guest_permissions) { [:read_release] } + + let(:developer_permissions) do + guest_permissions + [:create_release, :update_release, :destroy_release] + end + + let(:maintainer_permissions) do + developer_permissions + end + + where(:project_visibility, :access_level, :role, :allowed) do + :public | ProjectFeature::ENABLED | :maintainer | true + :public | ProjectFeature::ENABLED | :developer | true + :public | ProjectFeature::ENABLED | :guest | true + :public | ProjectFeature::ENABLED | :anonymous | true + :public | ProjectFeature::PRIVATE | :maintainer | true + :public | ProjectFeature::PRIVATE | :developer | true + :public | ProjectFeature::PRIVATE | :guest | true + :public | ProjectFeature::PRIVATE | :anonymous | false + :public | ProjectFeature::DISABLED | :maintainer | false + :public | ProjectFeature::DISABLED | :developer | false + :public | ProjectFeature::DISABLED | :guest | false + :public | ProjectFeature::DISABLED | :anonymous | false + :internal | 
ProjectFeature::ENABLED | :maintainer | true + :internal | ProjectFeature::ENABLED | :developer | true + :internal | ProjectFeature::ENABLED | :guest | true + :internal | ProjectFeature::ENABLED | :anonymous | false + :internal | ProjectFeature::PRIVATE | :maintainer | true + :internal | ProjectFeature::PRIVATE | :developer | true + :internal | ProjectFeature::PRIVATE | :guest | true + :internal | ProjectFeature::PRIVATE | :anonymous | false + :internal | ProjectFeature::DISABLED | :maintainer | false + :internal | ProjectFeature::DISABLED | :developer | false + :internal | ProjectFeature::DISABLED | :guest | false + :internal | ProjectFeature::DISABLED | :anonymous | false + :private | ProjectFeature::ENABLED | :maintainer | true + :private | ProjectFeature::ENABLED | :developer | true + :private | ProjectFeature::ENABLED | :guest | true + :private | ProjectFeature::ENABLED | :anonymous | false + :private | ProjectFeature::PRIVATE | :maintainer | true + :private | ProjectFeature::PRIVATE | :developer | true + :private | ProjectFeature::PRIVATE | :guest | true + :private | ProjectFeature::PRIVATE | :anonymous | false + :private | ProjectFeature::DISABLED | :maintainer | false + :private | ProjectFeature::DISABLED | :developer | false + :private | ProjectFeature::DISABLED | :guest | false + :private | ProjectFeature::DISABLED | :anonymous | false + end + + with_them do + let(:current_user) { user_subject(role) } + let(:project) { project_subject(project_visibility) } + + it 'allows/disallows the abilities based on the Releases access level' do + project.project_feature.update!(releases_access_level: access_level) + + if allowed + expect_allowed(*permissions_abilities(role)) + else + expect_disallowed(*permissions_abilities(role)) end end end 
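Review bot: In the 'feature flags feature' describe, `let(:guest_permissions) { [] }` means every guest and anonymous row resolves `permissions_abilities(role)` to an empty list, so `expect_allowed(*[])` / `expect_disallowed(*[])` assert nothing and those 18 rows pass whatever the policy does (assuming `expect_allowed`/`expect_disallowed`, defined outside the hunk, simply iterate their arguments). A single extra line after the `if … end` in that `it` block, `expect_disallowed(*(developer_permissions - permissions_abilities(role)))`, pins that roles without an ability are actually denied it and is a no-op for developer and maintainer rows. Separately, the environments describe keeps a local `permissions_abilities` over `*_environments_permissions` names while the feature flags and Releases describes rely on the file-level helper and the generic `guest_permissions`/`developer_permissions`/`maintainer_permissions` names, and the three 36-row `where` tables are near-verbatim copies; one convention and a shared table would shrink this hunk considerably. The hunk begins at the `@@ -2002,38 +2006,234 @@` header several page lines above this point.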
@@ -2481,4 +2681,39 @@ RSpec.describe ProjectPolicy do
       end
     end
   end
+
+  def project_subject(project_type)
+    case project_type
+    when :public
+      public_project
+    when :internal
+      internal_project
+    else
+      private_project
+    end
+  end
+
+  def user_subject(role)
+    case role
+    when :maintainer
+      maintainer
+    when :developer
+      developer
+    when :guest
+      guest
+    when :anonymous
+      anonymous
+    end
+  end
+
+  def permissions_abilities(role)
+    case role
+    when :maintainer
+      maintainer_permissions
+    when :developer
+      developer_permissions
+    else
+      guest_permissions
+    end
+  end
 end
diff --git a/spec/policies/system_hook_policy_spec.rb b/spec/policies/system_hook_policy_spec.rb
new file mode 100644
index 00000000000..37f97a8a3d1
--- /dev/null
+++ b/spec/policies/system_hook_policy_spec.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe SystemHookPolicy do
+  let(:hook) { create(:system_hook) }
+
+  subject(:policy) { described_class.new(user, hook) }
+
+  context 'when the user is not an admin' do
+    let(:user) { create(:user) }
+
+    %i[read_web_hook destroy_web_hook].each do |thing|
+      it "cannot #{thing}" do
+        expect(policy).to be_disallowed(thing)
+      end
+    end
+  end
+
+  context 'when the user is an admin', :enable_admin_mode do
+    let(:user) { create(:admin) }
+
+    %i[read_web_hook destroy_web_hook].each do |thing|
+      it "can #{thing}" do
+        expect(policy).to be_allowed(thing)
+      end
+    end
+  end
+end
diff --git a/spec/policies/timelog_policy_spec.rb b/spec/policies/timelog_policy_spec.rb
index 97e61cfe5ce..31912c637ce 100644
--- a/spec/policies/timelog_policy_spec.rb
+++ b/spec/policies/timelog_policy_spec.rb
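Review bot: `user_subject` has no `else` branch, so a misspelt role symbol in any `where` table (`:developper`, say) returns `nil`, the policy is then evaluated for an anonymous user, and a row expecting `false` passes for the wrong reason; `project_subject` has the same shape, with any unknown visibility silently becoming `private_project`. Since these helpers are now shared by every table-driven describe in the file, fail loudly instead: `else raise ArgumentError, "unknown role: #{role.inspect}"` in `user_subject`, and an explicit `when :private` plus the same `else raise` in `project_subject`. `permissions_abilities` resolves `guest_permissions`, `developer_permissions` and `maintainer_permissions` by name, so each describe that uses it must define all three `let`s; a one-line comment above the helper stating that contract would prevent a `NameError` surprise in the next describe someone adds.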
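Review bot: In the new system_hook_policy_spec.rb the admin context carries `:enable_admin_mode`, but no sibling asserts that an admin *without* admin mode is denied `:read_web_hook`/`:destroy_web_hook`, which is the negative that protects the admin-mode gate; upload_policy_spec.rb in this same commit pins exactly that pattern with a nested `with admin mode` context. The anonymous `nil` user is also untested. The `%i[read_web_hook destroy_web_hook].each` loop is duplicated verbatim across the contexts; hoisting the list into a `let` would keep them aligned.
```ruby
  context 'when the user is an admin without admin mode' do
    let(:user) { create(:admin) }

    %i[read_web_hook destroy_web_hook].each do |thing|
      it "cannot #{thing}" do
        expect(policy).to be_disallowed(thing)
      end
    end
  end

  # … unchanged: admin context with :enable_admin_mode …
```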
@@ -6,7 +6,7 @@ RSpec.describe TimelogPolicy, models: true do
   let_it_be(:author) { create(:user) }
   let_it_be(:project) { create(:project, :public) }
   let_it_be(:issue) { create(:issue, project: project) }
-  let_it_be(:timelog) { create(:timelog, user: author, issue: issue, time_spent: 1800)}
+  let_it_be(:timelog) { create(:timelog, user: author, issue: issue, time_spent: 1800) }
 
   let(:user) { nil }
   let(:policy) { described_class.new(user, timelog) }
diff --git a/spec/policies/upload_policy_spec.rb b/spec/policies/upload_policy_spec.rb
new file mode 100644
index 00000000000..1169df0b300
--- /dev/null
+++ b/spec/policies/upload_policy_spec.rb
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe UploadPolicy do
+  let_it_be(:group) { create(:group) }
+  let_it_be(:project) { create(:project, group: group) }
+  let_it_be(:guest) { create(:user).tap { |user| group.add_guest(user) } }
+  let_it_be(:developer) { create(:user).tap { |user| group.add_developer(user) } }
+  let_it_be(:maintainer) { create(:user).tap { |user| group.add_maintainer(user) } }
+  let_it_be(:owner) { create(:user).tap { |user| group.add_owner(user) } }
+  let_it_be(:admin) { create(:admin) }
+  let_it_be(:non_member_user) { create(:user) }
+
+  let(:upload_permissions) { [:read_upload, :destroy_upload] }
+
+  shared_examples_for 'uploads policy' do
+    subject { described_class.new(current_user, upload) }
+
+    context 'when user is guest' do
+      let(:current_user) { guest }
+
+      it { is_expected.to be_disallowed(*upload_permissions) }
+    end
+
+    context 'when user is developer' do
+      let(:current_user) { developer }
+
+      it { is_expected.to be_disallowed(*upload_permissions) }
+    end
+
+    context 'when user is maintainer' do
+      let(:current_user) { maintainer }
+
+      it { is_expected.to be_allowed(*upload_permissions) }
+    end
+
+    context 'when user is owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_allowed(*upload_permissions) }
+    end
+
+    context 'when user is admin' do
+      let(:current_user) { admin }
+
+      it { is_expected.to be_disallowed(*upload_permissions) }
+
+      context 'with admin mode', :enable_admin_mode do
+        it { is_expected.to be_allowed(*upload_permissions) }
+      end
+    end
+  end
+
+  describe 'destroy_upload' do
+    context 'when deleting project upload' do
+      let_it_be(:upload) { create(:upload, model: project) }
+
+      it_behaves_like 'uploads policy'
+    end
+
+    context 'when deleting group upload' do
+      let_it_be(:upload) { create(:upload, model: group) }
+
+      it_behaves_like 'uploads policy'
+    end
+
+    context 'when deleting upload associated with other model' do
+      let_it_be(:upload) { create(:upload, model: maintainer) }
+
+      subject { described_class.new(maintainer, upload) }
+
+      it { is_expected.to be_disallowed(*upload_permissions) }
+    end
+  end
+end
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index f8ec7d9f9bc..ed76ec1eccf 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
@@ -63,6 +63,27 @@ RSpec.describe WorkItemPolicy do
     end
   end
 
+  describe 'admin_work_item' do
+    context 'when user is reporter' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_allowed(:admin_work_item) }
+    end
+
+    context 'when user is guest' do
+      let(:current_user) { guest }
+
+      it { is_expected.to be_disallowed(:admin_work_item) }
+
+      context 'when guest authored the work item' do
+        let(:work_item_subject) { authored_work_item }
+        let(:current_user) { guest_author }
+
+        it { is_expected.to be_disallowed(:admin_work_item) }
+      end
+    end
+  end
+
   describe 'update_work_item' do
     context 'when user is reporter' do
       let(:current_user) { reporter }
@@ -160,4 +181,24 @@ RSpec.describe WorkItemPolicy do
       end
     end
   end
+
+  describe 'set_work_item_metadata' do
+    context 'when user is reporter' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_allowed(:set_work_item_metadata) }
+    end
+
+    context 'when user is guest' do
+      let(:current_user) { guest }
+
+      it { is_expected.to be_disallowed(:set_work_item_metadata) }
+
+      context 'when the work item is not persisted yet' do
+        let(:work_item_subject) { build(:work_item, project: project) }
+
+        it { is_expected.to be_allowed(:set_work_item_metadata) }
+      end
+    end
+  end
 end
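Review bot: In upload_policy_spec.rb `let_it_be(:non_member_user)` is created but never used, so the 'uploads policy' shared example never checks a user with no membership (nor the anonymous `nil` user) against `:read_upload`/`:destroy_upload`; every user it tests is at least a guest of the group. Adding the non-member context to the shared example, next to the guest one, uses the fixture and pins the most important denial. The 'other model' context exercises only `maintainer` against an upload attached to a user; a comment above its `subject` stating why no role is expected to pass there (if that is the intent) would record the rule rather than leave it implied by the single assertion.
```ruby
    context 'when user is not a member' do
      let(:current_user) { non_member_user }

      it { is_expected.to be_disallowed(*upload_permissions) }
    end

    # … unchanged: guest, developer, maintainer, owner and admin contexts …
```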
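Review bot: The 'when the work item is not persisted yet' context in the `@@ -160` hunk flips the guest result from disallowed to allowed for `:set_work_item_metadata` with no comment on why `build(:work_item, project: project)` changes the answer; `work_item_subject` and the `subject` that consumes it are defined above the hunk, so the reader cannot see the mechanism either. A line above that `let`, such as `# a guest may set metadata while creating a work item; once it is persisted, reporter access is required (see the guest case above)` — worded to match what the policy actually does — states the rule the two cases jointly encode. Neither this describe nor the `admin_work_item` describe in the `@@ -63` hunk has an anonymous or non-member case.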