Add latest changes from gitlab-org/security/gitlab@16-2-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-09-28 01:34:09 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-09-28 01:34:09 +0300
commit: 190831bff0c152eac613b89a3188c7901d5a2c01 (patch)
tree: 337348a010b6aecfac381b5d3ece534caac479fc /spec
parent: 7876ab520632ed36f678ccd8a9c16dc569638904 (diff)
4 files changed, 90 insertions, 3 deletions
diff --git a/spec/helpers/projects/ml/experiments_helper_spec.rb b/spec/helpers/projects/ml/experiments_helper_spec.rb
index 021d518a329..569fd0f9ec5 100644
--- a/spec/helpers/projects/ml/experiments_helper_spec.rb
+++ b/spec/helpers/projects/ml/experiments_helper_spec.rb
@@ -36,7 +36,7 @@ RSpec.describe Projects::Ml::ExperimentsHelper, feature_category: :mlops do
   let_it_be(:candidates) { [candidate0, candidate1] }
 
   describe '#candidates_table_items' do
-    subject { Gitlab::Json.parse(helper.candidates_table_items(candidates)) }
+    subject { Gitlab::Json.parse(helper.candidates_table_items(candidates, project.creator)) }
 
     it 'creates the correct model for the table', :aggregate_failures do
       expected_values = [
@@ -72,6 +72,18 @@ RSpec.describe Projects::Ml::ExperimentsHelper, feature_category: :mlops do
         expect(subject[0]['user']).to be_nil
       end
     end
+
+    context 'when user is not allowed to read the project' do
+      before do
+        allow(Ability).to receive(:allowed?)
+                            .with(project.creator, :read_build, build)
+                            .and_return(false)
+      end
+
+      it 'does not include ci info' do
+        expect(subject[0]['ci_job']).to be_nil
+      end
+    end
   end
 
   describe '#unique_logged_names' do
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index 01fd17bfe10..5457fe2abaf 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -1504,6 +1504,45 @@ RSpec.describe Group, feature_category: :groups_and_projects do
     it { expect(subject.parent).to be_kind_of(described_class) }
   end
 
+  describe '#member?' do
+    let_it_be(:group) { create(:group) }
+    let_it_be(:user) { create(:user) }
+
+    before_all do
+      group.add_developer(user)
+    end
+
+    subject { group.member?(user) }
+
+    context 'when user is a developer' do
+      it 'returns true' do
+        expect(group.member?(user)).to be_truthy
+      end
+
+      it 'returns false with maintainer as min_access_level param' do
+        expect(group.member?(user, Gitlab::Access::MAINTAINER)).to be_falsey
+      end
+    end
+
+    context 'in shared group' do
+      let(:shared_group) { create(:group) }
+      let(:member_shared) { create(:user) }
+
+      before do
+        create(:group_group_link, shared_group: group, shared_with_group: shared_group)
+        shared_group.add_developer(member_shared)
+      end
+
+      it 'return true for shared group member' do
+        expect(group.member?(member_shared)).to be_truthy
+      end
+
+      it 'returns false with maintainer as min_access_level param' do
+        expect(group.member?(member_shared, Gitlab::Access::MAINTAINER)).to be_falsey
+      end
+    end
+  end
+
   describe '#max_member_access_for_user' do
     let_it_be(:group_user) { create(:user) }
 
diff --git a/spec/presenters/ml/candidate_details_presenter_spec.rb b/spec/presenters/ml/candidate_details_presenter_spec.rb
index 9d1f6f634e4..0ecf80b683e 100644
--- a/spec/presenters/ml/candidate_details_presenter_spec.rb
+++ b/spec/presenters/ml/candidate_details_presenter_spec.rb
@@ -25,7 +25,9 @@ RSpec.describe ::Ml::CandidateDetailsPresenter, feature_category: :mlops do
     ]
   end
 
-  subject { Gitlab::Json.parse(described_class.new(candidate).present)['candidate'] }
+  let(:include_ci_job) { true }
+
+  subject { Gitlab::Json.parse(described_class.new(candidate, include_ci_job).present)['candidate'] }
 
   before do
     allow(candidate).to receive(:latest_metrics).and_return(metrics)
@@ -68,6 +70,8 @@ RSpec.describe ::Ml::CandidateDetailsPresenter, feature_category: :mlops do
       let_it_be(:pipeline) { build_stubbed(:ci_pipeline, project: project, user: user) }
       let_it_be(:build) { candidate.ci_build = build_stubbed(:ci_build, pipeline: pipeline, user: user) }
 
+      let(:can_read_build) { true }
+
       it 'generates the correct ci' do
         expected_info = {
           'path' => "/#{project.full_path}/-/jobs/#{build.id}",
@@ -109,6 +113,14 @@ RSpec.describe ::Ml::CandidateDetailsPresenter, feature_category: :mlops do
           expect(subject.dig('info', 'ci_job', 'merge_request')).to include(expected_info)
         end
       end
+
+      context 'when ci job is not to be added' do
+        let(:include_ci_job) { false }
+
+        it 'ci_job is nil' do
+          expect(subject.dig('info', 'ci_job')).to be_nil
+        end
+      end
     end
   end
 end
diff --git a/spec/requests/projects/ml/candidates_controller_spec.rb b/spec/requests/projects/ml/candidates_controller_spec.rb
index 4c7491970e1..78f31be26d1 100644
--- a/spec/requests/projects/ml/candidates_controller_spec.rb
+++ b/spec/requests/projects/ml/candidates_controller_spec.rb
@@ -6,7 +6,11 @@ RSpec.describe Projects::Ml::CandidatesController, feature_category: :mlops do
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:user) { project.first_owner }
   let_it_be(:experiment) { create(:ml_experiments, project: project, user: user) }
-  let_it_be(:candidate) { create(:ml_candidates, experiment: experiment, user: user, project: project) }
+  let_it_be(:candidate) do
+    create(:ml_candidates, experiment: experiment, user: user, project: project).tap do |c|
+      c.update!(ci_build: create(:ci_build))
+    end
+  end
 
   let(:ff_value) { true }
   let(:candidate_iid) { candidate.iid }
@@ -47,7 +51,13 @@ RSpec.describe Projects::Ml::CandidatesController, feature_category: :mlops do
   end
 
   describe 'GET show' do
+    let(:can_read_build) { true }
+
     before do
+      allow(Ability).to receive(:allowed?)
+                          .with(user, :read_build, candidate.ci_build)
+                          .and_return(can_read_build)
+
       show_candidate
     end
 
@@ -64,6 +74,20 @@ RSpec.describe Projects::Ml::CandidatesController, feature_category: :mlops do
       expect { show_candidate }.not_to exceed_all_query_limit(control_count)
     end
 
+    context 'when user has permission to read the build' do
+      it 'includes ci build info' do
+        expect(assigns[:include_ci_info]).to eq(true)
+      end
+    end
+
+    context 'when user has no permission to read the build' do
+      let(:can_read_build) { false }
+
+      it 'sets include_ci_job to false' do
+        expect(assigns[:include_ci_info]).to eq(false)
+      end
+    end
+
     it_behaves_like '404 if candidate does not exist'
     it_behaves_like 'requires read_model_experiments'
   end
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-09-28 01:34:09 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-09-28 01:34:09 +0300
commit	190831bff0c152eac613b89a3188c7901d5a2c01 (patch)
tree	337348a010b6aecfac381b5d3ece534caac479fc /spec
parent	7876ab520632ed36f678ccd8a9c16dc569638904 (diff)