Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-05-15 18:08:04 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-05-15 18:08:04 +0300
commit: c4c1fc5fe7c756fc6f8f79eb1624b1bbe4fe2d69 (patch)
tree: 8c95e39fc4956cdd9178c46ea85cbeeeac3bc360 /spec/policies
parent: 927df95cc4453bdacbc59960df32008b02c4e28a (diff)
17 files changed, 194 insertions, 45 deletions
diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb
index e15221492c3..67f7452528a 100644
--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe BasePolicy, :do_not_mock_admin_mode do
+describe BasePolicy do
   include ExternalAuthorizationServiceHelpers
   include AdminModeHelper
 
diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb
index 20c8a55f437..e48dd751a8f 100644
--- a/spec/policies/blob_policy_spec.rb
+++ b/spec/policies/blob_policy_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe BlobPolicy do
+describe BlobPolicy, :enable_admin_mode do
   include_context 'ProjectPolicyTable context'
   include ProjectHelpers
   using RSpec::Parameterized::TableSyntax
diff --git a/spec/policies/clusters/cluster_policy_spec.rb b/spec/policies/clusters/cluster_policy_spec.rb
index 55c3351a171..26cfc19862a 100644
--- a/spec/policies/clusters/cluster_policy_spec.rb
+++ b/spec/policies/clusters/cluster_policy_spec.rb
@@ -80,8 +80,15 @@ describe Clusters::ClusterPolicy, :models do
       context 'when admin' do
         let(:user) { create(:admin) }
 
-        it { expect(policy).to be_allowed :update_cluster }
-        it { expect(policy).to be_allowed :admin_cluster }
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it { expect(policy).to be_allowed :update_cluster }
+          it { expect(policy).to be_allowed :admin_cluster }
+        end
+
+        context 'when admin mode is disabled' do
+          it { expect(policy).to be_disallowed :update_cluster }
+          it { expect(policy).to be_disallowed :admin_cluster }
+        end
       end
     end
   end
diff --git a/spec/policies/clusters/instance_policy_spec.rb b/spec/policies/clusters/instance_policy_spec.rb
index 2373fef8aa6..dfe480d7fa4 100644
--- a/spec/policies/clusters/instance_policy_spec.rb
+++ b/spec/policies/clusters/instance_policy_spec.rb
@@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do
     context 'when admin' do
       let(:user) { create(:admin) }
 
-      it { expect(policy).to be_allowed :read_cluster }
-      it { expect(policy).to be_allowed :add_cluster }
-      it { expect(policy).to be_allowed :create_cluster }
-      it { expect(policy).to be_allowed :update_cluster }
-      it { expect(policy).to be_allowed :admin_cluster }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { expect(policy).to be_allowed :read_cluster }
+        it { expect(policy).to be_allowed :add_cluster }
+        it { expect(policy).to be_allowed :create_cluster }
+        it { expect(policy).to be_allowed :update_cluster }
+        it { expect(policy).to be_allowed :admin_cluster }
+      end
+
+      context 'when admin mode is disabled' do
+        it { expect(policy).to be_disallowed :read_cluster }
+        it { expect(policy).to be_disallowed :add_cluster }
+        it { expect(policy).to be_disallowed :create_cluster }
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
     end
   end
 end
diff --git a/spec/policies/deploy_key_policy_spec.rb b/spec/policies/deploy_key_policy_spec.rb
index aca93d8fe85..545647e2c67 100644
--- a/spec/policies/deploy_key_policy_spec.rb
+++ b/spec/policies/deploy_key_policy_spec.rb
@@ -42,16 +42,28 @@ describe DeployKeyPolicy do
     context 'when an admin user' do
       let(:current_user) { create(:user, :admin) }
 
-      context ' tries to update private deploy key' do
+      context 'tries to update private deploy key' do
         let(:deploy_key) { create(:deploy_key, public: false) }
 
-        it { is_expected.to be_allowed(:update_deploy_key) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          it { is_expected.to be_allowed(:update_deploy_key) }
+        end
+
+        context 'when admin mode disabled' do
+          it { is_expected.to be_disallowed(:update_deploy_key) }
+        end
       end
 
       context 'when an admin user tries to update public deploy key' do
         let(:deploy_key) { create(:another_deploy_key, public: true) }
 
-        it { is_expected.to be_allowed(:update_deploy_key) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          it { is_expected.to be_allowed(:update_deploy_key) }
+        end
+
+        context 'when admin mode disabled' do
+          it { is_expected.to be_disallowed(:update_deploy_key) }
+        end
       end
     end
   end
diff --git a/spec/policies/design_management/design_policy_spec.rb b/spec/policies/design_management/design_policy_spec.rb
index 154a9f5ad6b..a566aecc4b7 100644
--- a/spec/policies/design_management/design_policy_spec.rb
+++ b/spec/policies/design_management/design_policy_spec.rb
@@ -71,7 +71,14 @@ describe DesignManagement::DesignPolicy do
     context "for admins" do
       let(:current_user) { admin }
 
-      it { is_expected.to be_allowed(*design_abilities) }
+      context 'when admin mode enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(*design_abilities) }
+      end
+
+      context 'when admin mode disabled' do
+        it { is_expected.to be_allowed(*guest_design_abilities) }
+        it { is_expected.to be_disallowed(*developer_design_abilities) }
+      end
     end
 
     context "for maintainers" do
diff --git a/spec/policies/environment_policy_spec.rb b/spec/policies/environment_policy_spec.rb
index a098b52023d..75fca464ec8 100644
--- a/spec/policies/environment_policy_spec.rb
+++ b/spec/policies/environment_policy_spec.rb
@@ -37,7 +37,13 @@ describe EnvironmentPolicy do
         context 'when an admin user' do
           let(:user) { create(:user, :admin) }
 
-          it { expect(policy).to be_allowed :stop_environment }
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it { expect(policy).to be_allowed :stop_environment }
+          end
+
+          context 'when admin mode is disabled' do
+            it { expect(policy).to be_disallowed :stop_environment }
+          end
         end
 
         context 'with protected branch' do
@@ -54,7 +60,13 @@ describe EnvironmentPolicy do
           context 'when an admin user' do
             let(:user) { create(:user, :admin) }
 
-            it { expect(policy).to be_allowed :stop_environment }
+            context 'when admin mode is enabled', :enable_admin_mode do
+              it { expect(policy).to be_allowed :stop_environment }
+            end
+
+            context 'when admin mode is disabled' do
+              it { expect(policy).to be_disallowed :stop_environment }
+            end
           end
         end
       end
@@ -83,7 +95,13 @@ describe EnvironmentPolicy do
         context 'when an admin user' do
           let(:user) { create(:user, :admin) }
 
-          it { expect(policy).to be_allowed :stop_environment }
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it { expect(policy).to be_allowed :stop_environment }
+          end
+
+          context 'when admin mode is disabled' do
+            it { expect(policy).to be_disallowed :stop_environment }
+          end
         end
       end
 
@@ -126,7 +144,13 @@ describe EnvironmentPolicy do
               environment.stop!
             end
 
-            it { expect(policy).to be_allowed :destroy_environment }
+            context 'when admin mode is enabled', :enable_admin_mode do
+              it { expect(policy).to be_allowed :destroy_environment }
+            end
+
+            context 'when admin mode is disabled' do
+              it { expect(policy).to be_disallowed :destroy_environment }
+            end
           end
         end
       end
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index bd0722ce20a..e8ba4eed4ec 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -118,8 +118,15 @@ describe GlobalPolicy do
     context 'admin' do
       let(:current_user) { create(:user, :admin) }
 
-      it { is_expected.to be_allowed(:read_custom_attribute) }
-      it { is_expected.to be_allowed(:update_custom_attribute) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:read_custom_attribute) }
+        it { is_expected.to be_allowed(:update_custom_attribute) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:read_custom_attribute) }
+        it { is_expected.to be_disallowed(:update_custom_attribute) }
+      end
     end
   end
 
@@ -368,7 +375,13 @@ describe GlobalPolicy do
           stub_application_setting(instance_statistics_visibility_private: true)
         end
 
-        it { is_expected.to be_allowed(:read_instance_statistics) }
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it { is_expected.to be_allowed(:read_instance_statistics) }
+        end
+
+        context 'when admin mode is disabled' do
+          it { is_expected.to be_disallowed(:read_instance_statistics) }
+        end
       end
     end
 
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 5a9ca9f7b7e..9faddfd00e5 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -644,7 +644,13 @@ describe GroupPolicy do
     context 'admin' do
       let(:current_user) { admin }
 
-      it { expect_allowed(:update_max_artifacts_size) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { expect_allowed(:update_max_artifacts_size) }
+      end
+
+      context 'when admin mode is enabled' do
+        it { expect_disallowed(:update_max_artifacts_size) }
+      end
     end
 
     %w(guest reporter developer maintainer owner).each do |role|
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 242a002bc23..9d52079e4be 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -206,11 +206,25 @@ describe IssuePolicy do
       it 'allows guests to comment' do
         expect(permissions(guest, issue)).to be_allowed(:create_note)
       end
-      it 'allows admins to view' do
-        expect(permissions(admin, issue)).to be_allowed(:read_issue)
+
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'allows admins to view' do
+          expect(permissions(admin, issue)).to be_allowed(:read_issue)
+        end
+
+        it 'allows admins to comment' do
+          expect(permissions(admin, issue)).to be_allowed(:create_note)
+        end
       end
-      it 'allows admins to comment' do
-        expect(permissions(admin, issue)).to be_allowed(:create_note)
+
+      context 'when admin mode is disabled' do
+        it 'forbids admins to view' do
+          expect(permissions(admin, issue)).to be_disallowed(:read_issue)
+        end
+
+        it 'forbids admins to comment' do
+          expect(permissions(admin, issue)).to be_disallowed(:create_note)
+        end
       end
     end
 
diff --git a/spec/policies/namespace_policy_spec.rb b/spec/policies/namespace_policy_spec.rb
index c0a5119c550..01162dc0fc4 100644
--- a/spec/policies/namespace_policy_spec.rb
+++ b/spec/policies/namespace_policy_spec.rb
@@ -40,6 +40,12 @@ describe NamespacePolicy do
   context 'admin' do
     let(:current_user) { admin }
 
-    it { is_expected.to be_allowed(*owner_permissions) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed(*owner_permissions) }
+    end
+
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_disallowed(*owner_permissions) }
+    end
   end
 end
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index e9dd5ee1c51..1e3bd0d9147 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -295,8 +295,16 @@ describe NotePolicy do
             expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
           end
 
-          it 'allows admins to read all notes and admin them' do
-            expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it 'allows admins to read all notes and admin them' do
+              expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+            end
+          end
+
+          context 'when admin mode is disabled' do
+            it 'does not allow non members to read confidential notes and replies' do
+              expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+            end
           end
 
           it 'allows noteable author to read and resolve all notes' do
diff --git a/spec/policies/personal_snippet_policy_spec.rb b/spec/policies/personal_snippet_policy_spec.rb
index a6b76620c29..5fc48717d86 100644
--- a/spec/policies/personal_snippet_policy_spec.rb
+++ b/spec/policies/personal_snippet_policy_spec.rb
@@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do
     described_class.new(user, snippet)
   end
 
-  shared_examples 'admin access' do
-    context 'admin user' do
+  shared_examples 'admin access with admin mode' do
+    context 'admin user', :enable_admin_mode do
       subject { permissions(admin_user) }
 
       it do
@@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do
       end
     end
 
-    it_behaves_like 'admin access'
+    it_behaves_like 'admin access with admin mode'
   end
 
   context 'internal snippet' do
@@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do
       end
     end
 
-    it_behaves_like 'admin access'
+    it_behaves_like 'admin access with admin mode'
   end
 
   context 'private snippet' do
@@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do
       end
     end
 
-    it_behaves_like 'admin access'
+    it_behaves_like 'admin access with admin mode'
   end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index a1fd0f07895..bbe769c6973 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -275,7 +275,8 @@ describe ProjectPolicy do
   it_behaves_like 'project policies as developer'
   it_behaves_like 'project policies as maintainer'
   it_behaves_like 'project policies as owner'
-  it_behaves_like 'project policies as admin'
+  it_behaves_like 'project policies as admin with admin mode'
+  it_behaves_like 'project policies as admin without admin mode'
 
   context 'when a public project has merge requests allowing access' do
     include ProjectForksHelper
@@ -306,7 +307,7 @@ describe ProjectPolicy do
       expect_allowed(*maintainer_abilities)
     end
 
-    it 'dissallows abilities to a maintainer if the merge request was closed' do
+    it 'disallows abilities to a maintainer if the merge request was closed' do
       target_project.add_developer(user)
       merge_request.close!
 
@@ -350,10 +351,24 @@ describe ProjectPolicy do
         expect(described_class.new(developer, project)).to be_allowed(:read_project)
       end
 
-      it 'does not check the external service for admins and allows access' do
-        expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+      context 'with an admin' do
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it 'does not check the external service and allows access' do
+            expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
 
-        expect(described_class.new(admin, project)).to be_allowed(:read_project)
+            expect(described_class.new(admin, project)).to be_allowed(:read_project)
+          end
+        end
+
+        context 'when admin mode is disabled' do
+          it 'checks the external service and allows access' do
+            external_service_allow_access(admin, project)
+
+            expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?)
+
+            expect(described_class.new(admin, project)).to be_allowed(:read_project)
+          end
+        end
       end
 
       it 'prevents all but seeing a public project in a list when access is denied' do
@@ -416,7 +431,13 @@ describe ProjectPolicy do
     context 'admin' do
       let(:current_user) { admin }
 
-      it { expect_allowed(:update_max_artifacts_size) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { expect_allowed(:update_max_artifacts_size) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { expect_disallowed(:update_max_artifacts_size) }
+      end
     end
 
     %w(guest reporter developer maintainer owner).each do |role|
@@ -448,7 +469,13 @@ describe ProjectPolicy do
     context 'with admin' do
       let(:current_user) { admin }
 
-      it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
     end
 
     context 'with owner' do
diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb
index c5077e119bc..3864666f587 100644
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
@@ -235,9 +235,18 @@ describe ProjectSnippetPolicy do
       let(:snippet_visibility) { :private }
       let(:current_user) { create(:admin) }
 
-      it do
-        expect_allowed(:read_snippet, :create_note)
-        expect_allowed(*author_permissions)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it do
+          expect_allowed(:read_snippet, :create_note)
+          expect_allowed(*author_permissions)
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it do
+          expect_disallowed(:read_snippet, :create_note)
+          expect_disallowed(*author_permissions)
+        end
       end
     end
   end
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 9da9d2ce49b..63c4bd05836 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -26,7 +26,13 @@ describe UserPolicy do
     context "when an admin user tries to destroy a regular user" do
       let(:current_user) { create(:user, :admin) }
 
-      it { is_expected.to be_allowed(ability) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(ability) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(ability) }
+      end
     end
 
     context "when an admin user tries to destroy a ghost user" do
diff --git a/spec/policies/wiki_page_policy_spec.rb b/spec/policies/wiki_page_policy_spec.rb
index e550ccf6d65..0dedccb6e88 100644
--- a/spec/policies/wiki_page_policy_spec.rb
+++ b/spec/policies/wiki_page_policy_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe WikiPagePolicy do
+describe WikiPagePolicy, :enable_admin_mode do
   include_context 'ProjectPolicyTable context'
   include ProjectHelpers
   using RSpec::Parameterized::TableSyntax
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-05-15 18:08:04 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-05-15 18:08:04 +0300
commit	c4c1fc5fe7c756fc6f8f79eb1624b1bbe4fe2d69 (patch)
tree	8c95e39fc4956cdd9178c46ea85cbeeeac3bc360 /spec/policies
parent	927df95cc4453bdacbc59960df32008b02c4e28a (diff)