Add latest changes from gitlab-org/gitlab@14-2-stable-eev14.2.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-08-19 12:08:42 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-08-19 12:08:42 +0300
commit: b76ae638462ab0f673e5915986070518dd3f9ad3 (patch)
tree: bdab0533383b52873be0ec0eb4d3c66598ff8b91 /spec/policies
parent: 434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff)
3 files changed, 70 insertions, 86 deletions
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 8ff936d5a35..d62271eedf6 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -360,6 +360,21 @@ RSpec.describe IssuePolicy do
         expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata)
       end
     end
+
+    context 'with a hidden issue' do
+      let(:user) { create(:user) }
+      let(:banned_user) { create(:user, :banned) }
+      let(:admin) { create(:user, :admin)}
+      let(:hidden_issue) { create(:issue, project: project, author: banned_user) }
+
+      it 'does not allow non-admin user to read the issue' do
+        expect(permissions(user, hidden_issue)).not_to be_allowed(:read_issue)
+      end
+
+      it 'allows admin to read the issue', :enable_admin_mode do
+        expect(permissions(admin, hidden_issue)).to be_allowed(:read_issue)
+      end
+    end
   end
 
   context 'with external authorization enabled' do
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 051a4420e73..f36b0a62aa3 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -840,6 +840,8 @@ RSpec.describe ProjectPolicy do
       it { is_expected.to be_allowed(:read_package) }
       it { is_expected.to be_allowed(:read_project) }
       it { is_expected.to be_disallowed(:create_package) }
+
+      it_behaves_like 'package access with repository disabled'
     end
 
     context 'a deploy token with write_package_registry scope' do
@@ -849,6 +851,8 @@ RSpec.describe ProjectPolicy do
       it { is_expected.to be_allowed(:read_package) }
       it { is_expected.to be_allowed(:read_project) }
       it { is_expected.to be_disallowed(:destroy_package) }
+
+      it_behaves_like 'package access with repository disabled'
     end
   end
 
@@ -1021,18 +1025,7 @@ RSpec.describe ProjectPolicy do
 
       it { is_expected.to be_allowed(:read_package) }
 
-      context 'when repository is disabled' do
-        before do
-          project.project_feature.update!(
-            # Disable merge_requests and builds as well, since merge_requests and
-            # builds cannot have higher visibility than repository.
-            merge_requests_access_level: ProjectFeature::DISABLED,
-            builds_access_level: ProjectFeature::DISABLED,
-            repository_access_level: ProjectFeature::DISABLED)
-        end
-
-        it { is_expected.to be_disallowed(:read_package) }
-      end
+      it_behaves_like 'package access with repository disabled'
     end
 
     context 'with owner' do
@@ -1460,66 +1453,65 @@ RSpec.describe ProjectPolicy do
   end
 
   describe 'when user is authenticated via CI_JOB_TOKEN', :request_store do
-    let(:current_user) { developer }
-    let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
+    using RSpec::Parameterized::TableSyntax
 
-    before do
-      current_user.set_ci_job_token_scope!(job)
-      scope_project.update!(ci_job_token_scope_enabled: true)
+    where(:project_visibility, :user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
+      :private  | :reporter | false | :same      | true  | true
+      :private  | :reporter | false | :same      | false | true
+      :private  | :reporter | false | :different | true  | false
+      :private  | :reporter | false | :different | false | true
+      :private  | :guest    | false | :same      | true  | true
+      :private  | :guest    | false | :same      | false | true
+      :private  | :guest    | false | :different | true  | false
+      :private  | :guest    | false | :different | false | true
+
+      :internal | :reporter | false | :same      | true  | true
+      :internal | :reporter | true  | :same      | true  | true
+      :internal | :reporter | false | :same      | false | true
+      :internal | :reporter | false | :different | true  | true
+      :internal | :reporter | true  | :different | true  | false
+      :internal | :reporter | false | :different | false | true
+      :internal | :guest    | false | :same      | true  | true
+      :internal | :guest    | true  | :same      | true  | true
+      :internal | :guest    | false | :same      | false | true
+      :internal | :guest    | false | :different | true  | true
+      :internal | :guest    | true  | :different | true  | false
+      :internal | :guest    | false | :different | false | true
+
+      :public   | :reporter | false | :same      | true  | true
+      :public   | :reporter | false | :same      | false | true
+      :public   | :reporter | false | :different | true  | true
+      :public   | :reporter | false | :different | false | true
+      :public   | :guest    | false | :same      | true  | true
+      :public   | :guest    | false | :same      | false | true
+      :public   | :guest    | false | :different | true  | true
+      :public   | :guest    | false | :different | false | true
     end
 
-    context 'when accessing a private project' do
-      let(:project) { private_project }
-
-      context 'when the job token comes from the same project' do
-        let(:scope_project) { project }
-
-        it { is_expected.to be_allowed(:developer_access) }
-      end
-
-      context 'when the job token comes from another project' do
-        let(:scope_project) { create(:project, :private) }
-
-        before do
-          scope_project.add_developer(current_user)
-        end
-
-        it { is_expected.to be_disallowed(:guest_access) }
-
-        context 'when job token scope is disabled' do
-          before do
-            scope_project.update!(ci_job_token_scope_enabled: false)
-          end
+    with_them do
+      let(:current_user) { public_send(user_role) }
+      let(:project) { public_send("#{project_visibility}_project") }
+      let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
 
-          it { is_expected.to be_allowed(:guest_access) }
+      let(:scope_project) do
+        if scope_project_type == :same
+          project
+        else
+          create(:project, :private)
         end
       end
-    end
-
-    context 'when accessing a public project' do
-      let(:project) { public_project }
-
-      context 'when the job token comes from the same project' do
-        let(:scope_project) { project }
 
-        it { is_expected.to be_allowed(:developer_access) }
+      before do
+        current_user.set_ci_job_token_scope!(job)
+        current_user.external = external_user
+        scope_project.update!(ci_job_token_scope_enabled: token_scope_enabled)
       end
 
-      context 'when the job token comes from another project' do
-        let(:scope_project) { create(:project, :private) }
-
-        before do
-          scope_project.add_developer(current_user)
-        end
-
-        it { is_expected.to be_disallowed(:public_access) }
-
-        context 'when job token scope is disabled' do
-          before do
-            scope_project.update!(ci_job_token_scope_enabled: false)
-          end
-
-          it { is_expected.to be_allowed(:public_access) }
+      it "enforces the expected permissions" do
+        if result
+          is_expected.to be_allowed("#{user_role}_access".to_sym)
+        else
+          is_expected.to be_disallowed("#{user_role}_access".to_sym)
         end
       end
     end
diff --git a/spec/policies/release_policy_spec.rb b/spec/policies/release_policy_spec.rb
index 25468ae2ea2..5a34b1f4236 100644
--- a/spec/policies/release_policy_spec.rb
+++ b/spec/policies/release_policy_spec.rb
@@ -17,29 +17,6 @@ RSpec.describe ReleasePolicy, :request_store do
 
   subject { described_class.new(user, release) }
 
-  context 'when the evalute_protected_tag_for_release_permissions feature flag is disabled' do
-    before do
-      stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
-    end
-
-    it 'allows the user to create and update a release' do
-      is_expected.to be_allowed(:create_release)
-      is_expected.to be_allowed(:update_release)
-    end
-
-    it 'prevents the user from destroying a release' do
-      is_expected.to be_disallowed(:destroy_release)
-    end
-
-    context 'when the user is maintainer' do
-      let(:user) { maintainer }
-
-      it 'allows the user to destroy a release' do
-        is_expected.to be_allowed(:destroy_release)
-      end
-    end
-  end
-
   context 'when the user has access to the protected tag' do
     let_it_be(:protected_tag) { create(:protected_tag, :developers_can_create, name: release.tag, project: project) }
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-08-19 12:08:42 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-08-19 12:08:42 +0300
commit	b76ae638462ab0f673e5915986070518dd3f9ad3 (patch)
tree	bdab0533383b52873be0ec0eb4d3c66598ff8b91 /spec/policies
parent	434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff)