author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-19 12:08:42 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-19 12:08:42 +0300 |
commit | b76ae638462ab0f673e5915986070518dd3f9ad3 (patch) | |
tree | bdab0533383b52873be0ec0eb4d3c66598ff8b91 /spec/policies | |
parent | 434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff) |
Add latest changes from gitlab-org/gitlab@14-2-stable-eev14.2.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 15 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 118 | ||||
-rw-r--r-- | spec/policies/release_policy_spec.rb | 23 |
3 files changed, 70 insertions, 86 deletions
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 8ff936d5a35..d62271eedf6 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -360,6 +360,21 @@ RSpec.describe IssuePolicy do
 expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata)
 end
 end
+
+ context 'with a hidden issue' do
+ let(:user) { create(:user) }
+ let(:banned_user) { create(:user, :banned) }
+ let(:admin) { create(:user, :admin)}
+ let(:hidden_issue) { create(:issue, project: project, author: banned_user) }
+
+ it 'does not allow non-admin user to read the issue' do
+ expect(permissions(user, hidden_issue)).not_to be_allowed(:read_issue)
+ end
+
+ it 'allows admin to read the issue', :enable_admin_mode do
+ expect(permissions(admin, hidden_issue)).to be_allowed(:read_issue)
+ end
+ end
 end
 context 'with external authorization enabled' do
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 051a4420e73..f36b0a62aa3 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -840,6 +840,8 @@ RSpec.describe ProjectPolicy do
 it { is_expected.to be_allowed(:read_package) }
 it { is_expected.to be_allowed(:read_project) }
 it { is_expected.to be_disallowed(:create_package) }
+
+ it_behaves_like 'package access with repository disabled'
 end
 context 'a deploy token with write_package_registry scope' do
@@ -849,6 +851,8 @@ RSpec.describe ProjectPolicy do
 it { is_expected.to be_allowed(:read_package) }
 it { is_expected.to be_allowed(:read_project) }
 it { is_expected.to be_disallowed(:destroy_package) }
+
+ it_behaves_like 'package access with repository disabled'
 end
 end
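Review bot: The negative case `it 'does not allow non-admin user to read the issue'` uses a freshly created `user` with no role on `project`; if `project` is private (its definition is outside this hunk), that user is denied `read_issue` anyway, so the example would keep passing even if the hidden-issue rule were removed. Giving the user a role that would normally grant reading, e.g. `before { project.add_reporter(user) }`, makes the example exercise the rule itself. The surrounding examples use `be_disallowed` (see the context line above), so `expect(permissions(user, hidden_issue)).to be_disallowed(:read_issue)` would match the file's convention. Minor: `create(:user, :admin)}` is missing the space before `}`.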
@@ -1021,18 +1025,7 @@ RSpec.describe ProjectPolicy do
 it { is_expected.to be_allowed(:read_package) }
- context 'when repository is disabled' do
- before do
- project.project_feature.update!(
- # Disable merge_requests and builds as well, since merge_requests and
- # builds cannot have higher visibility than repository.
- merge_requests_access_level: ProjectFeature::DISABLED,
- builds_access_level: ProjectFeature::DISABLED,
- repository_access_level: ProjectFeature::DISABLED)
- end
-
- it { is_expected.to be_disallowed(:read_package) }
- end
+ it_behaves_like 'package access with repository disabled'
 end
 context 'with owner' do
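Review bot: The shared example `'package access with repository disabled'` that replaces the inline context here, and is also referenced by the two hunks at 840 and 851, is not defined in any hunk of this commit, so it must live elsewhere in this file or in a shared_examples file loaded for this spec — worth confirming it is actually loaded, since an undefined shared example only fails when the file is loaded. The removed inline context carried the why-comment explaining that `merge_requests_access_level` and `builds_access_level` are disabled alongside `repository_access_level` because they cannot be more visible than the repository; if the shared example does not carry that comment over, add it there so the extra disabled features are not mistaken for over-setup.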
@@ -1460,66 +1453,65 @@ RSpec.describe ProjectPolicy do
 end
 describe 'when user is authenticated via CI_JOB_TOKEN', :request_store do
- let(:current_user) { developer }
- let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
+ using RSpec::Parameterized::TableSyntax
- before do
- current_user.set_ci_job_token_scope!(job)
- scope_project.update!(ci_job_token_scope_enabled: true)
+ where(:project_visibility, :user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
+ :private | :reporter | false | :same | true | true
+ :private | :reporter | false | :same | false | true
+ :private | :reporter | false | :different | true | false
+ :private | :reporter | false | :different | false | true
+ :private | :guest | false | :same | true | true
+ :private | :guest | false | :same | false | true
+ :private | :guest | false | :different | true | false
+ :private | :guest | false | :different | false | true
+
+ :internal | :reporter | false | :same | true | true
+ :internal | :reporter | true | :same | true | true
+ :internal | :reporter | false | :same | false | true
+ :internal | :reporter | false | :different | true | true
+ :internal | :reporter | true | :different | true | false
+ :internal | :reporter | false | :different | false | true
+ :internal | :guest | false | :same | true | true
+ :internal | :guest | true | :same | true | true
+ :internal | :guest | false | :same | false | true
+ :internal | :guest | false | :different | true | true
+ :internal | :guest | true | :different | true | false
+ :internal | :guest | false | :different | false | true
+
+ :public | :reporter | false | :same | true | true
+ :public | :reporter | false | :same | false | true
+ :public | :reporter | false | :different | true | true
+ :public | :reporter | false | :different | false | true
+ :public | :guest | false | :same | true | true
+ :public | :guest | false | :same | false | true
+ :public | :guest | false | :different | true | true
+ :public | :guest | false | :different | false | true
 end
- context 'when accessing a private project' do
- let(:project) { private_project }
-
- context 'when the job token comes from the same project' do
- let(:scope_project) { project }
-
- it { is_expected.to be_allowed(:developer_access) }
- end
-
- context 'when the job token comes from another project' do
- let(:scope_project) { create(:project, :private) }
-
- before do
- scope_project.add_developer(current_user)
- end
-
- it { is_expected.to be_disallowed(:guest_access) }
-
- context 'when job token scope is disabled' do
- before do
- scope_project.update!(ci_job_token_scope_enabled: false)
- end
+ with_them do
+ let(:current_user) { public_send(user_role) }
+ let(:project) { public_send("#{project_visibility}_project") }
+ let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
- it { is_expected.to be_allowed(:guest_access) }
+ let(:scope_project) do
+ if scope_project_type == :same
+ project
+ else
+ create(:project, :private)
 end
 end
- end
-
- context 'when accessing a public project' do
- let(:project) { public_project }
-
- context 'when the job token comes from the same project' do
- let(:scope_project) { project }
- it { is_expected.to be_allowed(:developer_access) }
+ before do
+ current_user.set_ci_job_token_scope!(job)
+ current_user.external = external_user
+ scope_project.update!(ci_job_token_scope_enabled: token_scope_enabled)
 end
- context 'when the job token comes from another project' do
- let(:scope_project) { create(:project, :private) }
-
- before do
- scope_project.add_developer(current_user)
- end
-
- it { is_expected.to be_disallowed(:public_access) }
-
- context 'when job token scope is disabled' do
- before do
- scope_project.update!(ci_job_token_scope_enabled: false)
- end
-
- it { is_expected.to be_allowed(:public_access) }
+ it "enforces the expected permissions" do
+ if result
+ is_expected.to be_allowed("#{user_role}_access".to_sym)
+ else
+ is_expected.to be_disallowed("#{user_role}_access".to_sym)
 end
 end
 end
diff --git a/spec/policies/release_policy_spec.rb b/spec/policies/release_policy_spec.rb
index 25468ae2ea2..5a34b1f4236 100644
--- a/spec/policies/release_policy_spec.rb
+++ b/spec/policies/release_policy_spec.rb
@@ -17,29 +17,6 @@ RSpec.describe ReleasePolicy, :request_store do
 subject { described_class.new(user, release) }
- context 'when the evalute_protected_tag_for_release_permissions feature flag is disabled' do
- before do
- stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
- end
-
- it 'allows the user to create and update a release' do
- is_expected.to be_allowed(:create_release)
- is_expected.to be_allowed(:update_release)
- end
-
- it 'prevents the user from destroying a release' do
- is_expected.to be_disallowed(:destroy_release)
- end
-
- context 'when the user is maintainer' do
- let(:user) { maintainer }
-
- it 'allows the user to destroy a release' do
- is_expected.to be_allowed(:destroy_release)
- end
- end
- end
-
 context 'when the user has access to the protected tag' do
 let_it_be(:protected_tag) { create(:protected_tag, :developers_can_create, name: release.tag, project: project) } |
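Review bot: In `it "enforces the expected permissions"` the permission name is built twice with `"#{user_role}_access".to_sym`; define it once as `let(:permission) { :"#{user_role}_access" }` and use `permission` in both branches of the `if result` so the example reads as a plain allowed/disallowed check. The table only sets `external_user` to `true` in the `:internal` rows, so the external-user restriction is never exercised for `:private` or `:public` projects — if that is deliberate, a one-line comment above `where(...)` saying so would prevent someone "completing" the table later, otherwise those rows belong in it. `current_user.external = external_user` only changes the in-memory user; that is fine if the policy is evaluated against this same object, but anything that reloads `current_user` before the check would lose the flag — worth confirming. The `reporter`/`guest` helpers resolved by `public_send(user_role)` and the `*_project` lets come from outside this hunk.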