author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 10:08:36 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 10:08:36 +0300 |
commit | 48aff82709769b098321c738f3444b9bdaa694c6 (patch) | |
tree | e00c7c43e2d9b603a5a6af576b1685e400410dee /spec/policies | |
parent | 879f5329ee916a948223f8f43d77fba4da6cd028 (diff) |
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/ci/bridge_policy_spec.rb | 39 | ||||
-rw-r--r-- | spec/policies/design_management/design_policy_spec.rb | 36 | ||||
-rw-r--r-- | spec/policies/global_policy_spec.rb | 76 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 70 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/terraform/state_policy_spec.rb | 33 |
6 files changed, 211 insertions, 45 deletions
diff --git a/spec/policies/ci/bridge_policy_spec.rb b/spec/policies/ci/bridge_policy_spec.rb
new file mode 100644
index 00000000000..e598e2f7626
--- /dev/null
+++ b/spec/policies/ci/bridge_policy_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::BridgePolicy do
+ let_it_be(:user, reload: true) { create(:user) }
+ let_it_be(:project, reload: true) { create(:project) }
+ let_it_be(:downstream_project, reload: true) { create(:project, :repository) }
+ let_it_be(:pipeline, reload: true) { create(:ci_empty_pipeline, project: project) }
+ let_it_be(:bridge, reload: true) { create(:ci_bridge, pipeline: pipeline, downstream: downstream_project) }
+
+ let(:policy) do
+ described_class.new(user, bridge)
+ end
+
+ describe '#play_job' do
+ before do
+ fake_access = double('Gitlab::UserAccess')
+ expect(fake_access).to receive(:can_update_branch?).with('master').and_return(can_update_branch)
+ expect(Gitlab::UserAccess).to receive(:new).with(user, container: downstream_project).and_return(fake_access)
+ end
+
+ context 'when user can update the downstream branch' do
+ let(:can_update_branch) { true }
+
+ it 'allows' do
+ expect(policy).to be_allowed :play_job
+ end
+ end
+
+ context 'when user can not update the downstream branch' do
+ let(:can_update_branch) { false }
+
+ it 'does not allow' do
+ expect(policy).not_to be_allowed :play_job
+ end
+ end
+ end
+end
diff --git a/spec/policies/design_management/design_policy_spec.rb b/spec/policies/design_management/design_policy_spec.rb
index 5a74d979ef3..117279d1638 100644
--- a/spec/policies/design_management/design_policy_spec.rb
+++ b/spec/policies/design_management/design_policy_spec.rb
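Review bot: The `before` block in `describe '#play_job'` of `bridge_policy_spec.rb` stubs the authorization collaborator with an unverified `double('Gitlab::UserAccess')`, so these examples would keep passing if `can_update_branch?` were renamed or its signature changed, and the play_job check would no longer be exercised against the real interface. `fake_access = instance_double(Gitlab::UserAccess)` would make RSpec verify the stubbed method. The two `expect(...).to receive` calls in setup also act as hidden assertions; `allow(...)` in `before` plus an explicit expectation in an example would state the intent more clearly. The hard-coded `'master'` presumably depends on the `ci_bridge` factory's default target ref, which is not visible here, and a short comment saying so would help.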
@@ -71,6 +71,11 @@ RSpec.describe DesignManagement::DesignPolicy do end end + shared_examples_for "read-only design abilities" do + it { is_expected.to be_allowed(*guest_design_abilities) } + it { is_expected.to be_disallowed(*developer_design_abilities) } + end + shared_examples_for "design abilities available for members" do context "for owners" do let(:current_user) { owner } @@ -86,8 +91,7 @@ RSpec.describe DesignManagement::DesignPolicy do end context "when admin mode disabled" do - it { is_expected.to be_allowed(*guest_design_abilities) } - it { is_expected.to be_disallowed(*developer_design_abilities) } + it_behaves_like "read-only design abilities" end end @@ -106,16 +110,10 @@ RSpec.describe DesignManagement::DesignPolicy do context "for reporters" do let(:current_user) { reporter } - it { is_expected.to be_allowed(*guest_design_abilities) } - it { is_expected.to be_disallowed(*developer_design_abilities) } + it_behaves_like "read-only design abilities" end end - shared_examples_for "read-only design abilities" do - it { is_expected.to be_allowed(:read_design) } - it { is_expected.to be_disallowed(:create_design, :destroy_design) } - end - context "when DesignManagement is not enabled" do before do enable_design_management(false) @@ -135,15 +133,13 @@ RSpec.describe DesignManagement::DesignPolicy do let_it_be(:project) { create(:project, :private) } let(:current_user) { guest } - it { is_expected.to be_allowed(*guest_design_abilities) } - it { is_expected.to be_disallowed(*developer_design_abilities) } + it_behaves_like "read-only design abilities" end context "for anonymous users in public projects" do let(:current_user) { nil } - it { is_expected.to be_allowed(*guest_design_abilities) } - it { is_expected.to be_disallowed(*developer_design_abilities) } + it_behaves_like "read-only design abilities" end context "when the issue is confidential" do 
@@ -164,20 +160,6 @@ RSpec.describe DesignManagement::DesignPolicy do end end - context "when the issue is locked" do - let_it_be(:issue) { create(:issue, :locked, project: project) } - let(:current_user) { owner } - - it_behaves_like "read-only design abilities" - end - - context "when the issue has moved" do - let_it_be(:issue) { create(:issue, project: project, moved_to: create(:issue)) } - let(:current_user) { owner } - - it_behaves_like "read-only design abilities" - end - context "when the project is archived" do let_it_be(:project) { create(:project, :public, :archived) } let_it_be(:issue) { create(:issue, project: project) } diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index 6cd1c201c62..2f9376f9b0a 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -130,6 +130,24 @@ RSpec.describe GlobalPolicy do end end + describe 'approving users' do + context 'regular user' do + it { is_expected.not_to be_allowed(:approve_user) } + end + + context 'admin' do + let(:current_user) { create(:admin) } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:approve_user) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:approve_user) } + end + end + end + describe 'using project statistics filters' do context 'regular user' do it { is_expected.not_to be_allowed(:use_project_statistics_filters) } @@ -187,6 +205,14 @@ RSpec.describe GlobalPolicy do it { is_expected.not_to be_allowed(:access_api) } end + context 'user blocked pending approval' do + before do + current_user.block_pending_approval + end + + it { is_expected.not_to be_allowed(:access_api) } + end + context 'when terms are enforced' do before do enforce_terms 
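Review bot: The new `describe 'approving users'` block in `global_policy_spec.rb` covers a regular user and an admin with and without admin mode, but it has no anonymous case, and `:approve_user` is a privileged ability where the negative cases matter most. Consider adding `context 'anonymous' do` with `let(:current_user) { nil }` and `it { is_expected.not_to be_allowed(:approve_user) }`, assuming the subject accepts a nil user as it does in the group policy spec of this commit. The block also mixes `not_to be_allowed` and `be_disallowed` for the same kind of assertion; using one form keeps the file consistent.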
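Review bot: The `context 'user blocked pending approval'` added next to the `:access_api` examples is repeated, with only the ability changed, in the later hunks for `:receive_notifications`, `:access_git`, `:use_slash_commands` and `:log_in`. A parameterised shared example would keep the five copies from drifting apart and make it cheap to cover any further ability that a pending-approval account must not hold. The enclosing `describe` blocks start outside these hunks, so the placement below is indicative only.

```ruby
shared_examples 'denied while blocked pending approval' do |ability|
  context 'user blocked pending approval' do
    before do
      current_user.block_pending_approval
    end

    it { is_expected.not_to be_allowed(ability) }
  end
end

# … unchanged: the other contexts of the access_api examples …
it_behaves_like 'denied while blocked pending approval', :access_api
```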
@@ -229,12 +255,6 @@ RSpec.describe GlobalPolicy do it { is_expected.not_to be_allowed(:access_api) } end - - it 'when `inactive_policy_condition` feature flag is turned off' do - stub_feature_flags(inactive_policy_condition: false) - - is_expected.to be_allowed(:access_api) - end end end @@ -282,6 +302,14 @@ RSpec.describe GlobalPolicy do it { is_expected.not_to be_allowed(:receive_notifications) } end + + context 'user blocked pending approval' do + before do + current_user.block_pending_approval + end + + it { is_expected.not_to be_allowed(:receive_notifications) } + end end describe 'git access' do @@ -321,12 +349,6 @@ RSpec.describe GlobalPolicy do end it { is_expected.not_to be_allowed(:access_git) } - - it 'when `inactive_policy_condition` feature flag is turned off' do - stub_feature_flags(inactive_policy_condition: false) - - is_expected.to be_allowed(:access_git) - end end context 'when terms are enforced' do @@ -356,6 +378,14 @@ RSpec.describe GlobalPolicy do it { is_expected.to be_allowed(:access_git) } end + + context 'user blocked pending approval' do + before do + current_user.block_pending_approval + end + + it { is_expected.not_to be_allowed(:access_git) } + end end describe 'read instance metadata' do @@ -403,12 +433,6 @@ RSpec.describe GlobalPolicy do end it { is_expected.not_to be_allowed(:use_slash_commands) } - - it 'when `inactive_policy_condition` feature flag is turned off' do - stub_feature_flags(inactive_policy_condition: false) - - is_expected.to be_allowed(:use_slash_commands) - end end context 'when access locked' do @@ -430,6 +454,14 @@ RSpec.describe GlobalPolicy do it { is_expected.not_to be_allowed(:use_slash_commands) } end + + context 'user blocked pending approval' do + before do + current_user.block_pending_approval + end + + it { is_expected.not_to be_allowed(:use_slash_commands) } + end end describe 'create_snippet' do 
@@ -462,5 +494,13 @@ RSpec.describe GlobalPolicy do it { is_expected.not_to be_allowed(:log_in) } end + + context 'user blocked pending approval' do + before do + current_user.block_pending_approval + end + + it { is_expected.not_to be_allowed(:log_in) } + end end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index dbe444acb58..fecf5f3e4f8 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb 
@@ -812,4 +812,74 @@ RSpec.describe GroupPolicy do it { is_expected.to be_disallowed(:create_jira_connect_subscription) } end end + + describe 'read_package' do + context 'admin' do + let(:current_user) { admin } + + it { is_expected.to be_allowed(:read_package) } + end + + context 'with owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:read_package) } + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:read_package) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:read_package) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:read_package) } + end + + context 'with non member' do + let(:current_user) { create(:user) } + + it { is_expected.to be_disallowed(:read_package) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:read_package) } + end + end + + context 'deploy token access' do + let!(:group_deploy_token) do + create(:group_deploy_token, group: group, deploy_token: deploy_token) + end + + subject { described_class.new(deploy_token, group) } + + context 'a deploy token with read_package_registry scope' do + let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true) } + + it { is_expected.to be_allowed(:read_package) } + it { is_expected.to be_allowed(:read_group) } + it { is_expected.to be_disallowed(:create_package) } + end + + context 'a deploy token with write_package_registry scope' do + let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) } + + it { is_expected.to be_allowed(:create_package) } + it { is_expected.to be_allowed(:read_group) } + it { is_expected.to be_disallowed(:destroy_package) } + end + end + + it_behaves_like 'Self-managed Core resource access tokens' end 
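Review bot: Every example under `context 'deploy token access'` links the token to `group` through `let!(:group_deploy_token)`, so nothing checks that a token with `read_package_registry` or `write_package_registry` scope is refused on a group it is not attached to, which is the boundary that matters for a leaked or mis-scoped token. A context that attaches the token to a different group and expects `:read_package` and `:create_package` to be disallowed would pin that down. The read-scope context could also assert `be_disallowed(:destroy_package)`, and the write-scope context leaves `:read_package` unasserted either way. The policy itself is not part of this diff, so the expected results below should be checked against it.

```ruby
# … unchanged: contexts for the read_package_registry and write_package_registry scopes …

context 'a deploy token attached to a different group' do
  let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true, write_package_registry: true) }
  let!(:group_deploy_token) do
    create(:group_deploy_token, group: create(:group), deploy_token: deploy_token)
  end

  it { is_expected.to be_disallowed(:read_package) }
  it { is_expected.to be_disallowed(:create_package) }
end
```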
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 0c457148b4d..d66ef81efca 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -941,4 +941,6 @@ RSpec.describe ProjectPolicy do end end end + + it_behaves_like 'Self-managed Core resource access tokens' end diff --git a/spec/policies/terraform/state_policy_spec.rb b/spec/policies/terraform/state_policy_spec.rb new file mode 100644 index 00000000000..82152920997 --- /dev/null +++ b/spec/policies/terraform/state_policy_spec.rb @@ -0,0 +1,33 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Terraform::StatePolicy do + let_it_be(:project) { create(:project) } + let_it_be(:terraform_state) { create(:terraform_state, project: project)} + + subject { described_class.new(user, terraform_state) } + + describe 'rules' do + context 'no access' do + let(:user) { create(:user) } + + it { is_expected.to be_disallowed(:read_terraform_state) } + it { is_expected.to be_disallowed(:admin_terraform_state) } + end + + context 'developer' do + let(:user) { create(:user, developer_projects: [project]) } + + it { is_expected.to be_allowed(:read_terraform_state) } + it { is_expected.to be_disallowed(:admin_terraform_state) } + end + + context 'maintainer' do + let(:user) { create(:user, maintainer_projects: [project]) } + + it { is_expected.to be_allowed(:read_terraform_state) } + it { is_expected.to be_allowed(:admin_terraform_state) } + end + end +end |
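Review bot: The `describe 'rules'` block in the new `state_policy_spec.rb` tests a non-member, a developer and a maintainer, but not the roles directly below the lowest allowed one (guest, reporter) nor an anonymous user. Terraform state commonly holds credentials and other secrets, so the lower edge of `:read_terraform_state` deserves an explicit example. A `context 'reporter'` that calls `project.add_reporter(user)` in a `before` block and asserts both abilities would cover it, with the expected outcome taken from the policy, which is not shown here. Minor style: `create(:terraform_state, project: project)}` is missing the space before the closing brace.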