
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-21 10:08:36 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-21 10:08:36 +0300
commit48aff82709769b098321c738f3444b9bdaa694c6 (patch)
treee00c7c43e2d9b603a5a6af576b1685e400410dee /spec/policies
parent879f5329ee916a948223f8f43d77fba4da6cd028 (diff)
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/ci/bridge_policy_spec.rb39
-rw-r--r--spec/policies/design_management/design_policy_spec.rb36
-rw-r--r--spec/policies/global_policy_spec.rb76
-rw-r--r--spec/policies/group_policy_spec.rb70
-rw-r--r--spec/policies/project_policy_spec.rb2
-rw-r--r--spec/policies/terraform/state_policy_spec.rb33
6 files changed, 211 insertions, 45 deletions
diff --git a/spec/policies/ci/bridge_policy_spec.rb b/spec/policies/ci/bridge_policy_spec.rb
new file mode 100644
index 00000000000..e598e2f7626
--- /dev/null
+++ b/spec/policies/ci/bridge_policy_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::BridgePolicy do
+ let_it_be(:user, reload: true) { create(:user) }
+ let_it_be(:project, reload: true) { create(:project) }
+ let_it_be(:downstream_project, reload: true) { create(:project, :repository) }
+ let_it_be(:pipeline, reload: true) { create(:ci_empty_pipeline, project: project) }
+ let_it_be(:bridge, reload: true) { create(:ci_bridge, pipeline: pipeline, downstream: downstream_project) }
+
+ let(:policy) do
+ described_class.new(user, bridge)
+ end
+
+ describe '#play_job' do
+ before do
+ fake_access = double('Gitlab::UserAccess')
+ expect(fake_access).to receive(:can_update_branch?).with('master').and_return(can_update_branch)
+ expect(Gitlab::UserAccess).to receive(:new).with(user, container: downstream_project).and_return(fake_access)
+ end
+
+ context 'when user can update the downstream branch' do
+ let(:can_update_branch) { true }
+
+ it 'allows' do
+ expect(policy).to be_allowed :play_job
+ end
+ end
+
+ context 'when user can not update the downstream branch' do
+ let(:can_update_branch) { false }
+
+ it 'does not allow' do
+ expect(policy).not_to be_allowed :play_job
+ end
+ end
+ end
+end
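Review bot: The `before` block in `#play_job` stubs the access check with an unverified `double('Gitlab::UserAccess')`, so this authorization spec would keep passing if `can_update_branch?` were renamed or changed its arguments on the real class. Using `fake_access = instance_double(Gitlab::UserAccess)` ties the stub to the real interface while keeping the `.with(user, container: downstream_project)` constraint, which is the part that pins the check to the downstream project. The branch name `'master'` is also hard-coded in `.with('master')`; a short comment saying where that ref comes from (presumably the bridge factory's default target) would help the next reader.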
diff --git a/spec/policies/design_management/design_policy_spec.rb b/spec/policies/design_management/design_policy_spec.rb
index 5a74d979ef3..117279d1638 100644
--- a/spec/policies/design_management/design_policy_spec.rb
+++ b/spec/policies/design_management/design_policy_spec.rb
@@ -71,6 +71,11 @@ RSpec.describe DesignManagement::DesignPolicy do
end
end
+ shared_examples_for "read-only design abilities" do
+ it { is_expected.to be_allowed(*guest_design_abilities) }
+ it { is_expected.to be_disallowed(*developer_design_abilities) }
+ end
+
shared_examples_for "design abilities available for members" do
context "for owners" do
let(:current_user) { owner }
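Review bot: The relocated shared example `"read-only design abilities"` now depends on `guest_design_abilities` and `developer_design_abilities`, both defined outside this hunk, and it no longer asserts what the definition removed further down did (`:read_design` allowed, `:create_design` and `:destroy_design` disallowed). A one-line comment above it, such as `# Guest-level access only: every ability in developer_design_abilities must be denied`, would make that contract explicit. The last hunk of this file also drops the locked-issue and moved-issue contexts for owners. Whether that restriction is still enforced and tested elsewhere is not visible here, so it is worth confirming the coverage loss is intended.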
@@ -86,8 +91,7 @@ RSpec.describe DesignManagement::DesignPolicy do
end
context "when admin mode disabled" do
- it { is_expected.to be_allowed(*guest_design_abilities) }
- it { is_expected.to be_disallowed(*developer_design_abilities) }
+ it_behaves_like "read-only design abilities"
end
end
@@ -106,16 +110,10 @@ RSpec.describe DesignManagement::DesignPolicy do
context "for reporters" do
let(:current_user) { reporter }
- it { is_expected.to be_allowed(*guest_design_abilities) }
- it { is_expected.to be_disallowed(*developer_design_abilities) }
+ it_behaves_like "read-only design abilities"
end
end
- shared_examples_for "read-only design abilities" do
- it { is_expected.to be_allowed(:read_design) }
- it { is_expected.to be_disallowed(:create_design, :destroy_design) }
- end
-
context "when DesignManagement is not enabled" do
before do
enable_design_management(false)
@@ -135,15 +133,13 @@ RSpec.describe DesignManagement::DesignPolicy do
let_it_be(:project) { create(:project, :private) }
let(:current_user) { guest }
- it { is_expected.to be_allowed(*guest_design_abilities) }
- it { is_expected.to be_disallowed(*developer_design_abilities) }
+ it_behaves_like "read-only design abilities"
end
context "for anonymous users in public projects" do
let(:current_user) { nil }
- it { is_expected.to be_allowed(*guest_design_abilities) }
- it { is_expected.to be_disallowed(*developer_design_abilities) }
+ it_behaves_like "read-only design abilities"
end
context "when the issue is confidential" do
@@ -164,20 +160,6 @@ RSpec.describe DesignManagement::DesignPolicy do
end
end
- context "when the issue is locked" do
- let_it_be(:issue) { create(:issue, :locked, project: project) }
- let(:current_user) { owner }
-
- it_behaves_like "read-only design abilities"
- end
-
- context "when the issue has moved" do
- let_it_be(:issue) { create(:issue, project: project, moved_to: create(:issue)) }
- let(:current_user) { owner }
-
- it_behaves_like "read-only design abilities"
- end
-
context "when the project is archived" do
let_it_be(:project) { create(:project, :public, :archived) }
let_it_be(:issue) { create(:issue, project: project) }
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 6cd1c201c62..2f9376f9b0a 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -130,6 +130,24 @@ RSpec.describe GlobalPolicy do
end
end
+ describe 'approving users' do
+ context 'regular user' do
+ it { is_expected.not_to be_allowed(:approve_user) }
+ end
+
+ context 'admin' do
+ let(:current_user) { create(:admin) }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:approve_user) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:approve_user) }
+ end
+ end
+ end
+
describe 'using project statistics filters' do
context 'regular user' do
it { is_expected.not_to be_allowed(:use_project_statistics_filters) }
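Review bot: The new `'approving users'` block has no case for an anonymous user, so `:approve_user` is pinned only for a signed-in regular user and for an admin with admin mode on or off. A fourth context with `let(:current_user) { nil }` and `it { is_expected.not_to be_allowed(:approve_user) }` would close that gap. The block also mixes `not_to be_allowed` and `be_disallowed` for the same kind of assertion; one form throughout would read more cleanly. The enclosing `RSpec.describe GlobalPolicy` starts outside the hunk.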
@@ -187,6 +205,14 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:access_api) }
end
+ context 'user blocked pending approval' do
+ before do
+ current_user.block_pending_approval
+ end
+
+ it { is_expected.not_to be_allowed(:access_api) }
+ end
+
context 'when terms are enforced' do
before do
enforce_terms
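Review bot: The `'user blocked pending approval'` context and its `before { current_user.block_pending_approval }` setup are repeated verbatim in five hunks of this file: `:access_api` here, then `:receive_notifications`, `:access_git`, `:use_slash_commands` and `:log_in`. A shared example that takes the ability as a parameter would keep the state setup in one place and make a missed ability easier to spot. The call would then look like `it_behaves_like 'denied while blocked pending approval', :access_api`, where the example name is a suggestion and not an existing helper. The enclosing `describe` blocks start outside each of these hunks.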
@@ -229,12 +255,6 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:access_api) }
end
-
- it 'when `inactive_policy_condition` feature flag is turned off' do
- stub_feature_flags(inactive_policy_condition: false)
-
- is_expected.to be_allowed(:access_api)
- end
end
end
@@ -282,6 +302,14 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:receive_notifications) }
end
+
+ context 'user blocked pending approval' do
+ before do
+ current_user.block_pending_approval
+ end
+
+ it { is_expected.not_to be_allowed(:receive_notifications) }
+ end
end
describe 'git access' do
@@ -321,12 +349,6 @@ RSpec.describe GlobalPolicy do
end
it { is_expected.not_to be_allowed(:access_git) }
-
- it 'when `inactive_policy_condition` feature flag is turned off' do
- stub_feature_flags(inactive_policy_condition: false)
-
- is_expected.to be_allowed(:access_git)
- end
end
context 'when terms are enforced' do
@@ -356,6 +378,14 @@ RSpec.describe GlobalPolicy do
it { is_expected.to be_allowed(:access_git) }
end
+
+ context 'user blocked pending approval' do
+ before do
+ current_user.block_pending_approval
+ end
+
+ it { is_expected.not_to be_allowed(:access_git) }
+ end
end
describe 'read instance metadata' do
@@ -403,12 +433,6 @@ RSpec.describe GlobalPolicy do
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
-
- it 'when `inactive_policy_condition` feature flag is turned off' do
- stub_feature_flags(inactive_policy_condition: false)
-
- is_expected.to be_allowed(:use_slash_commands)
- end
end
context 'when access locked' do
@@ -430,6 +454,14 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
+
+ context 'user blocked pending approval' do
+ before do
+ current_user.block_pending_approval
+ end
+
+ it { is_expected.not_to be_allowed(:use_slash_commands) }
+ end
end
describe 'create_snippet' do
@@ -462,5 +494,13 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:log_in) }
end
+
+ context 'user blocked pending approval' do
+ before do
+ current_user.block_pending_approval
+ end
+
+ it { is_expected.not_to be_allowed(:log_in) }
+ end
end
end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index dbe444acb58..fecf5f3e4f8 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -812,4 +812,74 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
end
end
+
+ describe 'read_package' do
+ context 'admin' do
+ let(:current_user) { admin }
+
+ it { is_expected.to be_allowed(:read_package) }
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:read_package) }
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:read_package) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_allowed(:read_package) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:read_package) }
+ end
+
+ context 'with non member' do
+ let(:current_user) { create(:user) }
+
+ it { is_expected.to be_disallowed(:read_package) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:read_package) }
+ end
+ end
+
+ context 'deploy token access' do
+ let!(:group_deploy_token) do
+ create(:group_deploy_token, group: group, deploy_token: deploy_token)
+ end
+
+ subject { described_class.new(deploy_token, group) }
+
+ context 'a deploy token with read_package_registry scope' do
+ let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true) }
+
+ it { is_expected.to be_allowed(:read_package) }
+ it { is_expected.to be_allowed(:read_group) }
+ it { is_expected.to be_disallowed(:create_package) }
+ end
+
+ context 'a deploy token with write_package_registry scope' do
+ let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) }
+
+ it { is_expected.to be_allowed(:create_package) }
+ it { is_expected.to be_allowed(:read_group) }
+ it { is_expected.to be_disallowed(:destroy_package) }
+ end
+ end
+
+ it_behaves_like 'Self-managed Core resource access tokens'
end
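Review bot: The `'deploy token access'` context has only positive-scope cases, so nothing checks that a deploy token attached to a different group is refused `:read_package` on this one. That is the case a scoping mistake in the policy would hit first. The expected results in the sketch below assume such a token is treated like a non-member, which should be confirmed against the policy. Separately, the `'read_package'` block covers admin, owner, maintainer, reporter, guest, non-member and anonymous but skips developer.

```ruby
  context 'deploy token access' do
    # … unchanged: group_deploy_token, subject, and the two scope contexts …

    context 'a deploy token attached to a different group' do
      let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true) }
      let!(:group_deploy_token) do
        create(:group_deploy_token, group: create(:group), deploy_token: deploy_token)
      end

      it { is_expected.to be_disallowed(:read_package) }
      it { is_expected.to be_disallowed(:create_package) }
    end
  end
```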
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 0c457148b4d..d66ef81efca 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -941,4 +941,6 @@ RSpec.describe ProjectPolicy do
end
end
end
+
+ it_behaves_like 'Self-managed Core resource access tokens'
end
diff --git a/spec/policies/terraform/state_policy_spec.rb b/spec/policies/terraform/state_policy_spec.rb
new file mode 100644
index 00000000000..82152920997
--- /dev/null
+++ b/spec/policies/terraform/state_policy_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Terraform::StatePolicy do
+ let_it_be(:project) { create(:project) }
+ let_it_be(:terraform_state) { create(:terraform_state, project: project)}
+
+ subject { described_class.new(user, terraform_state) }
+
+ describe 'rules' do
+ context 'no access' do
+ let(:user) { create(:user) }
+
+ it { is_expected.to be_disallowed(:read_terraform_state) }
+ it { is_expected.to be_disallowed(:admin_terraform_state) }
+ end
+
+ context 'developer' do
+ let(:user) { create(:user, developer_projects: [project]) }
+
+ it { is_expected.to be_allowed(:read_terraform_state) }
+ it { is_expected.to be_disallowed(:admin_terraform_state) }
+ end
+
+ context 'maintainer' do
+ let(:user) { create(:user, maintainer_projects: [project]) }
+
+ it { is_expected.to be_allowed(:read_terraform_state) }
+ it { is_expected.to be_allowed(:admin_terraform_state) }
+ end
+ end
+end
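Review bot: The `'rules'` block jumps from a user with no project membership straight to developer, so the lower bound of `:read_terraform_state` is not pinned for guest, reporter or anonymous users. Terraform state commonly holds secrets, which makes that read boundary the one most worth testing. A `'reporter'` context using `before { project.add_reporter(user) }`, with whichever of `be_allowed` or `be_disallowed` the policy intends for `:read_terraform_state`, would fix the boundary in place. A `let(:user) { nil }` case would cover anonymous access. As a style nit, `create(:terraform_state, project: project)}` is missing the space before the closing brace.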