Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/policies
diff options
context:
space:
mode:
authorRobert Speicher <rspeicher@gmail.com>2019-08-30 01:17:37 +0300
committerRobert Speicher <rspeicher@gmail.com>2019-08-30 01:17:37 +0300
commit7698d405506bc10dfd7fb2e6e02b419dd5925725 (patch)
treeb2c188fd3bc588f15d04d8ce6137f9447f7a72c7 /spec/policies
parentfa160c26b14d233eb2e3b861a0742766d1ac734b (diff)
parent090956259c47d839b136f9391c3f74255764da81 (diff)
Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/issue_policy_spec.rb28
-rw-r--r--spec/policies/merge_request_policy_spec.rb89
2 files changed, 117 insertions, 0 deletions
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index b149dbcf871..25267d36ab8 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -172,6 +172,34 @@ describe IssuePolicy do
expect(permissions(assignee, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue)
end
+ context 'when issues are private' do
+ before do
+ project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
+ end
+ let(:issue) { create(:issue, project: project, author: author) }
+ let(:visitor) { create(:user) }
+ let(:admin) { create(:user, :admin) }
+
+ it 'forbids visitors from viewing issues' do
+ expect(permissions(visitor, issue)).to be_disallowed(:read_issue)
+ end
+ it 'forbids visitors from commenting' do
+ expect(permissions(visitor, issue)).to be_disallowed(:create_note)
+ end
+ it 'allows guests to view' do
+ expect(permissions(guest, issue)).to be_allowed(:read_issue)
+ end
+ it 'allows guests to comment' do
+ expect(permissions(guest, issue)).to be_allowed(:create_note)
+ end
+ it 'allows admins to view' do
+ expect(permissions(admin, issue)).to be_allowed(:read_issue)
+ end
+ it 'allows admins to comment' do
+ expect(permissions(admin, issue)).to be_allowed(:create_note)
+ end
+ end
+
context 'with confidential issues' do
let(:confidential_issue) { create(:issue, :confidential, project: project, assignees: [assignee], author: author) }
let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) }
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index 81279225d61..87205f56589 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -6,6 +6,7 @@ describe MergeRequestPolicy do
let(:guest) { create(:user) }
let(:author) { create(:user) }
let(:developer) { create(:user) }
+ let(:non_team_member) { create(:user) }
let(:project) { create(:project, :public) }
def permissions(user, merge_request)
@@ -18,6 +19,78 @@ describe MergeRequestPolicy do
project.add_developer(developer)
end
+ MR_PERMS = %i[create_merge_request_in
+ create_merge_request_from
+ read_merge_request
+ create_note].freeze
+
+ shared_examples_for 'a denied user' do
+ let(:perms) { permissions(subject, merge_request) }
+
+ MR_PERMS.each do |thing|
+ it "cannot #{thing}" do
+ expect(perms).to be_disallowed(thing)
+ end
+ end
+ end
+
+ shared_examples_for 'a user with access' do
+ let(:perms) { permissions(subject, merge_request) }
+
+ MR_PERMS.each do |thing|
+ it "can #{thing}" do
+ expect(perms).to be_allowed(thing)
+ end
+ end
+ end
+
+ context 'when merge requests have been disabled' do
+ let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
+
+ before do
+ project.project_feature.update(merge_requests_access_level: ProjectFeature::DISABLED)
+ end
+
+ describe 'the author' do
+ subject { author }
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'a guest' do
+ subject { guest }
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'a developer' do
+ subject { developer }
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'any other user' do
+ subject { non_team_member }
+ it_behaves_like 'a denied user'
+ end
+ end
+
+ context 'when merge requests are private' do
+ let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
+
+ before do
+ project.update(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ project.project_feature.update(merge_requests_access_level: ProjectFeature::PRIVATE)
+ end
+
+ describe 'a non-team-member' do
+ subject { non_team_member }
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'a developer' do
+ subject { developer }
+ it_behaves_like 'a user with access'
+ end
+ end
+
context 'when merge request is unlocked' do
let(:merge_request) { create(:merge_request, :closed, source_project: project, target_project: project, author: author) }
@@ -48,6 +121,22 @@ describe MergeRequestPolicy do
it 'prevents guests from reopening merge request' do
expect(permissions(guest, merge_request_locked)).to be_disallowed(:reopen_merge_request)
end
+
+ context 'when the user is not a project member' do
+ let(:user) { create(:user) }
+
+ it 'cannot create a note' do
+ expect(permissions(user, merge_request_locked)).to be_disallowed(:create_note)
+ end
+ end
+
+ context 'when the user is project member, with at least guest access' do
+ let(:user) { guest }
+
+ it 'can create a note' do
+ expect(permissions(user, merge_request_locked)).to be_allowed(:create_note)
+ end
+ end
end
context 'with external authorization enabled' do
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-15 02:16:00 +0300