diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-15 18:08:04 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-15 18:08:04 +0300 |
commit | c4c1fc5fe7c756fc6f8f79eb1624b1bbe4fe2d69 (patch) | |
tree | 8c95e39fc4956cdd9178c46ea85cbeeeac3bc360 /spec/policies | |
parent | 927df95cc4453bdacbc59960df32008b02c4e28a (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/base_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/blob_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/clusters/cluster_policy_spec.rb | 11 | ||||
-rw-r--r-- | spec/policies/clusters/instance_policy_spec.rb | 20 | ||||
-rw-r--r-- | spec/policies/deploy_key_policy_spec.rb | 18 | ||||
-rw-r--r-- | spec/policies/design_management/design_policy_spec.rb | 9 | ||||
-rw-r--r-- | spec/policies/environment_policy_spec.rb | 32 | ||||
-rw-r--r-- | spec/policies/global_policy_spec.rb | 19 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 8 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 22 | ||||
-rw-r--r-- | spec/policies/namespace_policy_spec.rb | 8 | ||||
-rw-r--r-- | spec/policies/note_policy_spec.rb | 12 | ||||
-rw-r--r-- | spec/policies/personal_snippet_policy_spec.rb | 10 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 41 | ||||
-rw-r--r-- | spec/policies/project_snippet_policy_spec.rb | 15 | ||||
-rw-r--r-- | spec/policies/user_policy_spec.rb | 8 | ||||
-rw-r--r-- | spec/policies/wiki_page_policy_spec.rb | 2 |
17 files changed, 194 insertions, 45 deletions
diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb index e15221492c3..67f7452528a 100644 --- a/spec/policies/base_policy_spec.rb +++ b/spec/policies/base_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -describe BasePolicy, :do_not_mock_admin_mode do +describe BasePolicy do include ExternalAuthorizationServiceHelpers include AdminModeHelper diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb index 20c8a55f437..e48dd751a8f 100644 --- a/spec/policies/blob_policy_spec.rb +++ b/spec/policies/blob_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -describe BlobPolicy do +describe BlobPolicy, :enable_admin_mode do include_context 'ProjectPolicyTable context' include ProjectHelpers using RSpec::Parameterized::TableSyntax diff --git a/spec/policies/clusters/cluster_policy_spec.rb b/spec/policies/clusters/cluster_policy_spec.rb index 55c3351a171..26cfc19862a 100644 --- a/spec/policies/clusters/cluster_policy_spec.rb +++ b/spec/policies/clusters/cluster_policy_spec.rb @@ -80,8 +80,15 @@ describe Clusters::ClusterPolicy, :models do context 'when admin' do let(:user) { create(:admin) } - it { expect(policy).to be_allowed :update_cluster } - it { expect(policy).to be_allowed :admin_cluster } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :update_cluster } + it { expect(policy).to be_allowed :admin_cluster } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :update_cluster } + it { expect(policy).to be_disallowed :admin_cluster } + end end end end diff --git a/spec/policies/clusters/instance_policy_spec.rb b/spec/policies/clusters/instance_policy_spec.rb index 2373fef8aa6..dfe480d7fa4 100644 --- a/spec/policies/clusters/instance_policy_spec.rb +++ b/spec/policies/clusters/instance_policy_spec.rb @@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do context 'when admin' do let(:user) { create(:admin) } - it { expect(policy).to be_allowed :read_cluster } - it { expect(policy).to be_allowed :add_cluster } - it { expect(policy).to be_allowed :create_cluster } - it { expect(policy).to be_allowed :update_cluster } - it { expect(policy).to be_allowed :admin_cluster } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :read_cluster } + it { expect(policy).to be_allowed :add_cluster } + it { expect(policy).to be_allowed :create_cluster } + it { expect(policy).to be_allowed :update_cluster } + it { expect(policy).to be_allowed :admin_cluster } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :read_cluster } + it { expect(policy).to be_disallowed :add_cluster } + it { expect(policy).to be_disallowed :create_cluster } + it { expect(policy).to be_disallowed :update_cluster } + it { expect(policy).to be_disallowed :admin_cluster } + end end end end diff --git a/spec/policies/deploy_key_policy_spec.rb b/spec/policies/deploy_key_policy_spec.rb index aca93d8fe85..545647e2c67 100644 --- a/spec/policies/deploy_key_policy_spec.rb +++ b/spec/policies/deploy_key_policy_spec.rb @@ -42,16 +42,28 @@ describe DeployKeyPolicy do context 'when an admin user' do let(:current_user) { create(:user, :admin) } - context ' tries to update private deploy key' do + context 'tries to update private deploy key' do let(:deploy_key) { create(:deploy_key, public: false) } - it { is_expected.to be_allowed(:update_deploy_key) } + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:update_deploy_key) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:update_deploy_key) } + end end context 'when an admin user tries to update public deploy key' do let(:deploy_key) { create(:another_deploy_key, public: true) } - it { is_expected.to be_allowed(:update_deploy_key) } + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:update_deploy_key) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:update_deploy_key) } + end end end end diff --git a/spec/policies/design_management/design_policy_spec.rb b/spec/policies/design_management/design_policy_spec.rb index 154a9f5ad6b..a566aecc4b7 100644 --- a/spec/policies/design_management/design_policy_spec.rb +++ b/spec/policies/design_management/design_policy_spec.rb @@ -71,7 +71,14 @@ describe DesignManagement::DesignPolicy do context "for admins" do let(:current_user) { admin } - it { is_expected.to be_allowed(*design_abilities) } + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(*design_abilities) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_allowed(*guest_design_abilities) } + it { is_expected.to be_disallowed(*developer_design_abilities) } + end end context "for maintainers" do diff --git a/spec/policies/environment_policy_spec.rb b/spec/policies/environment_policy_spec.rb index a098b52023d..75fca464ec8 100644 --- a/spec/policies/environment_policy_spec.rb +++ b/spec/policies/environment_policy_spec.rb @@ -37,7 +37,13 @@ describe EnvironmentPolicy do context 'when an admin user' do let(:user) { create(:user, :admin) } - it { expect(policy).to be_allowed :stop_environment } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :stop_environment } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :stop_environment } + end end context 'with protected branch' do @@ -54,7 +60,13 @@ describe EnvironmentPolicy do context 'when an admin user' do let(:user) { create(:user, :admin) } - it { expect(policy).to be_allowed :stop_environment } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :stop_environment } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :stop_environment } + end end end end @@ -83,7 +95,13 @@ describe EnvironmentPolicy do context 'when an admin user' do let(:user) { create(:user, :admin) } - it { expect(policy).to be_allowed :stop_environment } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :stop_environment } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :stop_environment } + end end end @@ -126,7 +144,13 @@ describe EnvironmentPolicy do environment.stop! end - it { expect(policy).to be_allowed :destroy_environment } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect(policy).to be_allowed :destroy_environment } + end + + context 'when admin mode is disabled' do + it { expect(policy).to be_disallowed :destroy_environment } + end end end end diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index bd0722ce20a..e8ba4eed4ec 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -118,8 +118,15 @@ describe GlobalPolicy do context 'admin' do let(:current_user) { create(:user, :admin) } - it { is_expected.to be_allowed(:read_custom_attribute) } - it { is_expected.to be_allowed(:update_custom_attribute) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_custom_attribute) } + it { is_expected.to be_allowed(:update_custom_attribute) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:read_custom_attribute) } + it { is_expected.to be_disallowed(:update_custom_attribute) } + end end end @@ -368,7 +375,13 @@ describe GlobalPolicy do stub_application_setting(instance_statistics_visibility_private: true) end - it { is_expected.to be_allowed(:read_instance_statistics) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_instance_statistics) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:read_instance_statistics) } + end end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 5a9ca9f7b7e..9faddfd00e5 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -644,7 +644,13 @@ describe GroupPolicy do context 'admin' do let(:current_user) { admin } - it { expect_allowed(:update_max_artifacts_size) } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect_allowed(:update_max_artifacts_size) } + end + + context 'when admin mode is enabled' do + it { expect_disallowed(:update_max_artifacts_size) } + end end %w(guest reporter developer maintainer owner).each do |role| diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index 242a002bc23..9d52079e4be 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -206,11 +206,25 @@ describe IssuePolicy do it 'allows guests to comment' do expect(permissions(guest, issue)).to be_allowed(:create_note) end - it 'allows admins to view' do - expect(permissions(admin, issue)).to be_allowed(:read_issue) + + context 'when admin mode is enabled', :enable_admin_mode do + it 'allows admins to view' do + expect(permissions(admin, issue)).to be_allowed(:read_issue) + end + + it 'allows admins to comment' do + expect(permissions(admin, issue)).to be_allowed(:create_note) + end end - it 'allows admins to comment' do - expect(permissions(admin, issue)).to be_allowed(:create_note) + + context 'when admin mode is disabled' do + it 'forbids admins to view' do + expect(permissions(admin, issue)).to be_disallowed(:read_issue) + end + + it 'forbids admins to comment' do + expect(permissions(admin, issue)).to be_disallowed(:create_note) + end end end diff --git a/spec/policies/namespace_policy_spec.rb b/spec/policies/namespace_policy_spec.rb index c0a5119c550..01162dc0fc4 100644 --- a/spec/policies/namespace_policy_spec.rb +++ b/spec/policies/namespace_policy_spec.rb @@ -40,6 +40,12 @@ describe NamespacePolicy do context 'admin' do let(:current_user) { admin } - it { is_expected.to be_allowed(*owner_permissions) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(*owner_permissions) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(*owner_permissions) } + end end end diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb index e9dd5ee1c51..1e3bd0d9147 100644 --- a/spec/policies/note_policy_spec.rb +++ b/spec/policies/note_policy_spec.rb @@ -295,8 +295,16 @@ describe NotePolicy do expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) end - it 'allows admins to read all notes and admin them' do - expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) + context 'when admin mode is enabled', :enable_admin_mode do + it 'allows admins to read all notes and admin them' do + expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) + end + end + + context 'when admin mode is disabled' do + it 'does not allow non members to read confidential notes and replies' do + expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji) + end end it 'allows noteable author to read and resolve all notes' do diff --git a/spec/policies/personal_snippet_policy_spec.rb b/spec/policies/personal_snippet_policy_spec.rb index a6b76620c29..5fc48717d86 100644 --- a/spec/policies/personal_snippet_policy_spec.rb +++ b/spec/policies/personal_snippet_policy_spec.rb @@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do described_class.new(user, snippet) end - shared_examples 'admin access' do - context 'admin user' do + shared_examples 'admin access with admin mode' do + context 'admin user', :enable_admin_mode do subject { permissions(admin_user) } it do @@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do end end - it_behaves_like 'admin access' + it_behaves_like 'admin access with admin mode' end context 'internal snippet' do @@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do end end - it_behaves_like 'admin access' + it_behaves_like 'admin access with admin mode' end context 'private snippet' do @@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do end end - it_behaves_like 'admin access' + it_behaves_like 'admin access with admin mode' end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index a1fd0f07895..bbe769c6973 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -275,7 +275,8 @@ describe ProjectPolicy do it_behaves_like 'project policies as developer' it_behaves_like 'project policies as maintainer' it_behaves_like 'project policies as owner' - it_behaves_like 'project policies as admin' + it_behaves_like 'project policies as admin with admin mode' + it_behaves_like 'project policies as admin without admin mode' context 'when a public project has merge requests allowing access' do include ProjectForksHelper @@ -306,7 +307,7 @@ describe ProjectPolicy do expect_allowed(*maintainer_abilities) end - it 'dissallows abilities to a maintainer if the merge request was closed' do + it 'disallows abilities to a maintainer if the merge request was closed' do target_project.add_developer(user) merge_request.close! @@ -350,10 +351,24 @@ describe ProjectPolicy do expect(described_class.new(developer, project)).to be_allowed(:read_project) end - it 'does not check the external service for admins and allows access' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) + context 'with an admin' do + context 'when admin mode is enabled', :enable_admin_mode do + it 'does not check the external service and allows access' do + expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - expect(described_class.new(admin, project)).to be_allowed(:read_project) + expect(described_class.new(admin, project)).to be_allowed(:read_project) + end + end + + context 'when admin mode is disabled' do + it 'checks the external service and allows access' do + external_service_allow_access(admin, project) + + expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?) + + expect(described_class.new(admin, project)).to be_allowed(:read_project) + end + end end it 'prevents all but seeing a public project in a list when access is denied' do @@ -416,7 +431,13 @@ describe ProjectPolicy do context 'admin' do let(:current_user) { admin } - it { expect_allowed(:update_max_artifacts_size) } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect_allowed(:update_max_artifacts_size) } + end + + context 'when admin mode is disabled' do + it { expect_disallowed(:update_max_artifacts_size) } + end end %w(guest reporter developer maintainer owner).each do |role| @@ -448,7 +469,13 @@ describe ProjectPolicy do context 'with admin' do let(:current_user) { admin } - it { is_expected.to be_allowed(:read_prometheus_alerts) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_prometheus_alerts) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:read_prometheus_alerts) } + end end context 'with owner' do diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb index c5077e119bc..3864666f587 100644 --- a/spec/policies/project_snippet_policy_spec.rb +++ b/spec/policies/project_snippet_policy_spec.rb @@ -235,9 +235,18 @@ describe ProjectSnippetPolicy do let(:snippet_visibility) { :private } let(:current_user) { create(:admin) } - it do - expect_allowed(:read_snippet, :create_note) - expect_allowed(*author_permissions) + context 'when admin mode is enabled', :enable_admin_mode do + it do + expect_allowed(:read_snippet, :create_note) + expect_allowed(*author_permissions) + end + end + + context 'when admin mode is disabled' do + it do + expect_disallowed(:read_snippet, :create_note) + expect_disallowed(*author_permissions) + end end end end diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb index 9da9d2ce49b..63c4bd05836 100644 --- a/spec/policies/user_policy_spec.rb +++ b/spec/policies/user_policy_spec.rb @@ -26,7 +26,13 @@ describe UserPolicy do context "when an admin user tries to destroy a regular user" do let(:current_user) { create(:user, :admin) } - it { is_expected.to be_allowed(ability) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(ability) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(ability) } + end end context "when an admin user tries to destroy a ghost user" do diff --git a/spec/policies/wiki_page_policy_spec.rb b/spec/policies/wiki_page_policy_spec.rb index e550ccf6d65..0dedccb6e88 100644 --- a/spec/policies/wiki_page_policy_spec.rb +++ b/spec/policies/wiki_page_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -describe WikiPagePolicy do +describe WikiPagePolicy, :enable_admin_mode do include_context 'ProjectPolicyTable context' include ProjectHelpers using RSpec::Parameterized::TableSyntax |