Don't treat anonymous users as owners when group has pending invites

The `members` table can have entries where `user_id: nil`, because people can invite group members by email. We never want to include those as members, because it might cause confusion with the anonymous (logged out) user.
author: Sean McGivern <sean@gitlab.com> 2017-07-24 13:35:54 +0300
committer: Sean McGivern <sean@gitlab.com> 2017-07-24 18:58:04 +0300
commit: ccac2abeba419f16029c40f29063f1812c9e159c (patch)
tree: 975ca2e9f3fc91fae1ce0c775c8c267256fa7480 /spec/policies
parent: f81ed493e1f02e5a197df3e2df9c5e42cb09e7ff (diff)
1 files changed, 18 insertions, 0 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 4ed788af811..f244975e597 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -127,6 +127,24 @@ describe ProjectPolicy, models: true do
     end
   end
 
+  context 'when a project has pending invites, and the current user is anonymous' do
+    let(:group) { create(:group, :public) }
+    let(:project) { create(:empty_project, :public, namespace: group) }
+    let(:user_permissions) { [:create_project, :create_issue, :create_note, :upload_file] }
+    let(:anonymous_permissions) { guest_permissions - user_permissions }
+
+    subject { described_class.new(nil, project) }
+
+    before do
+      create(:group_member, :invited, group: group)
+    end
+
+    it 'does not grant owner access' do
+      expect_allowed(*anonymous_permissions)
+      expect_disallowed(*user_permissions)
+    end
+  end
+
   context 'abilities for non-public projects' do
     let(:project) { create(:empty_project, namespace: owner.namespace) }
author	Sean McGivern <sean@gitlab.com>	2017-07-24 13:35:54 +0300
committer	Sean McGivern <sean@gitlab.com>	2017-07-24 18:58:04 +0300
commit	ccac2abeba419f16029c40f29063f1812c9e159c (patch)
tree	975ca2e9f3fc91fae1ce0c775c8c267256fa7480 /spec/policies
parent	f81ed493e1f02e5a197df3e2df9c5e42cb09e7ff (diff)