Merge branch 'fix-restricted-visibility' into 'master'

Restricted visibility levels - bug fix and new feature

This allows admin users to override restricted visibility settings when creating and updating projects and snippets, and moves the restricted visibility configuration from gitlab.yml to the web UI.  See #1903.

## Move configuration location

I added a new section to the application settings page for restricted visibility levels.  Each level has a checkbox, styled with Bootstrap to look like a toggle button.  A checked box means that the level is restricted.  I added a glowing text shadow and changed the background color for checked buttons because the default styles made it hard to distinguish between checked and unchecked.  This image shows the new section with the "Public" box checked:

![restricted_visibility_settings](https://dev.gitlab.org/Okada/gitlabhq/uploads/629562e4313f89b795e81c3bb0f95893/restricted_visibility_settings.png)

## Allow admins to override

To allow admin users to override the restricted visibility levels, I had to remove the `visibility_level` validation from the `Project` class.  The model doesn't know about the `current_user`, which should determine whether the restrictions can be overridden.  We could use the creator in the validation, but that wouldn't work correctly for projects where a non-admin user is the creator and an admin tries to change the project to a restricted visibility level.

The `Project::UpdateService` and `Project::CreateService` classes already had code to determine whether the current user is allowed to use a given visibility level; now all visibility level validation is done in those classes.  Currently, when a non-admin tries to create or update a project using a restricted level, these classes silently set the visibility level to the global default (create) or the project's existing value (update).  I changed this behavior to be more like an Active Model validation, where using a restricted level causes the entire request to be rejected.

Project and personal snippets didn't have service classes, and restricted visibility levels weren't being enforced in the model or the controllers.  The UI disabled radio buttons for restricted levels, but that wouldn't be difficult to circumvent.  I created the `CreateSnippetService` and `UpdateSnippetService` classes to do the same restricted visibility check that the project classes do.  And since I was dealing with snippet visibility levels, I updated the API endpoints for project snippets to allow users to set and update the visibility level.

## TODO

* [x] Add more tests for restricted visibility functionality

cc @sytse @dzaporozhets

See merge request !1655

6 files changed, 167 insertions, 15 deletions

diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb
index d1027f64d13..b4f0b2c201a 100644
--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -2,17 +2,19 @@
 #
 # Table name: application_settings
 #
-#  id                        :integer          not null, primary key
-#  default_projects_limit    :integer
-#  signup_enabled            :boolean
-#  signin_enabled            :boolean
-#  gravatar_enabled          :boolean
-#  sign_in_text              :text
-#  created_at                :datetime
-#  updated_at                :datetime
-#  home_page_url             :string(255)
-#  default_branch_protection :integer          default(2)
-#  twitter_sharing_enabled   :boolean          default(TRUE)
+#  id                           :integer          not null, primary key
+#  default_projects_limit       :integer
+#  default_branch_protection    :integer
+#  signup_enabled               :boolean
+#  signin_enabled               :boolean
+#  gravatar_enabled             :boolean
+#  sign_in_text                 :text
+#  created_at                   :datetime
+#  updated_at                   :datetime
+#  home_page_url                :string(255)
+#  default_branch_protection    :integer          default(2)
+#  twitter_sharing_enabled      :boolean          default(TRUE)
+#  restricted_visibility_levels :text
 #
 
 require 'spec_helper'
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 0b3a47e3273..f28dfea3ccf 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -3,6 +3,7 @@ require 'spec_helper'
 
 describe API::API, api: true  do
   include ApiHelpers
+  include Gitlab::CurrentSettings
   let(:user) { create(:user) }
   let(:user2) { create(:user) }
   let(:user3) { create(:user) }
@@ -202,6 +203,31 @@ describe API::API, api: true  do
       expect(json_response['public']).to be_falsey
       expect(json_response['visibility_level']).to eq(Gitlab::VisibilityLevel::PRIVATE)
     end
+
+    context 'when a visibility level is restricted' do
+      before do
+        @project = attributes_for(:project, { public: true })
+        allow_any_instance_of(ApplicationSetting).to(
+          receive(:restricted_visibility_levels).and_return([20])
+        )
+      end
+
+      it 'should not allow a non-admin to use a restricted visibility level' do
+        post api('/projects', user), @project
+        expect(response.status).to eq(400)
+        expect(json_response['message']['visibility_level'].first).to(
+          match('restricted by your GitLab administrator')
+        )
+      end
+
+      it 'should allow an admin to override restricted visibility settings' do
+        post api('/projects', admin), @project
+        expect(json_response['public']).to be_truthy
+        expect(json_response['visibility_level']).to(
+          eq(Gitlab::VisibilityLevel::PUBLIC)
+        )
+      end
+    end
   end
 
   describe 'POST /projects/user/:id' do
@@ -399,7 +425,8 @@ describe API::API, api: true  do
   describe 'POST /projects/:id/snippets' do
     it 'should create a new project snippet' do
       post api("/projects/#{project.id}/snippets", user),
-        title: 'api test', file_name: 'sample.rb', code: 'test'
+        title: 'api test', file_name: 'sample.rb', code: 'test',
+        visibility_level: '0'
       expect(response.status).to eq(201)
       expect(json_response['title']).to eq('api test')
     end
diff --git a/spec/services/create_snippet_service_spec.rb b/spec/services/create_snippet_service_spec.rb
new file mode 100644
index 00000000000..08689c15ca8
--- /dev/null
+++ b/spec/services/create_snippet_service_spec.rb
@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe CreateSnippetService do
+  before do
+    @user = create :user
+    @admin = create :user, admin: true
+    @opts = {
+      title: 'Test snippet',
+      file_name: 'snippet.rb',
+      content: 'puts "hello world"',
+      visibility_level: Gitlab::VisibilityLevel::PRIVATE
+    }
+  end
+
+  context 'When public visibility is restricted' do
+    before do
+      allow_any_instance_of(ApplicationSetting).to(
+        receive(:restricted_visibility_levels).and_return(
+          [Gitlab::VisibilityLevel::PUBLIC]
+        )
+      )
+
+      @opts.merge!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+    end
+
+    it 'non-admins should not be able to create a public snippet' do
+      snippet = create_snippet(nil, @user, @opts)
+      expect(snippet.errors.messages).to have_key(:visibility_level)
+      expect(snippet.errors.messages[:visibility_level].first).to(
+        match('Public visibility has been restricted')
+      )
+    end
+
+    it 'admins should be able to create a public snippet' do
+      snippet = create_snippet(nil, @admin, @opts)
+      expect(snippet.errors.any?).to be_falsey
+      expect(snippet.visibility_level).to eq(Gitlab::VisibilityLevel::PUBLIC)
+    end
+  end
+
+  def create_snippet(project, user, opts)
+    CreateSnippetService.new(project, user, opts).execute
+  end
+end
diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb
index 8bb48346202..337dae592dd 100644
--- a/spec/services/projects/create_service_spec.rb
+++ b/spec/services/projects/create_service_spec.rb
@@ -55,6 +55,33 @@ describe Projects::CreateService do
         it { expect(File.exists?(@path)).to be_falsey }
       end
     end
+
+    context 'restricted visibility level' do
+      before do
+        allow_any_instance_of(ApplicationSetting).to(
+          receive(:restricted_visibility_levels).and_return([20])
+        )
+
+        @opts.merge!(
+          visibility_level: Gitlab::VisibilityLevel.options['Public']
+        )
+      end
+
+      it 'should not allow a restricted visibility level for non-admins' do
+        project = create_project(@user, @opts)
+        expect(project).to respond_to(:errors)
+        expect(project.errors.messages).to have_key(:visibility_level)
+        expect(project.errors.messages[:visibility_level].first).to(
+          match('restricted by your GitLab administrator')
+        )
+      end
+
+      it 'should allow a restricted visibility level for admins' do
+        project = create_project(@admin, @opts)
+        expect(project.errors.any?).to be(false)
+        expect(project.saved?).to be(true)
+      end
+    end
   end
 
   def create_project(user, opts)
diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb
index 10dbc548e86..ea5b8813105 100644
--- a/spec/services/projects/update_service_spec.rb
+++ b/spec/services/projects/update_service_spec.rb
@@ -47,9 +47,9 @@ describe Projects::UpdateService do
 
     context 'respect configured visibility restrictions setting' do
       before(:each) do
-        @restrictions = double("restrictions")
-        allow(@restrictions).to receive(:restricted_visibility_levels) { [ "public" ] }
-        Settings.stub_chain(:gitlab).and_return(@restrictions)
+        allow_any_instance_of(ApplicationSetting).to(
+          receive(:restricted_visibility_levels).and_return([20])
+        )
       end
 
       context 'should be private when updated to private' do
diff --git a/spec/services/update_snippet_service_spec.rb b/spec/services/update_snippet_service_spec.rb
new file mode 100644
index 00000000000..841ef9bfed1
--- /dev/null
+++ b/spec/services/update_snippet_service_spec.rb
@@ -0,0 +1,52 @@
+require 'spec_helper'
+
+describe UpdateSnippetService do
+  before do
+    @user = create :user
+    @admin = create :user, admin: true
+    @opts = {
+      title: 'Test snippet',
+      file_name: 'snippet.rb',
+      content: 'puts "hello world"',
+      visibility_level: Gitlab::VisibilityLevel::PRIVATE
+    }
+  end
+
+  context 'When public visibility is restricted' do
+    before do
+      allow_any_instance_of(ApplicationSetting).to(
+        receive(:restricted_visibility_levels).and_return(
+          [Gitlab::VisibilityLevel::PUBLIC]
+        )
+      )
+
+      @snippet = create_snippet(@project, @user, @opts)
+      @opts.merge!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+    end
+
+    it 'non-admins should not be able to update to public visibility' do
+      old_visibility = @snippet.visibility_level
+      update_snippet(@project, @user, @snippet, @opts)
+      expect(@snippet.errors.messages).to have_key(:visibility_level)
+      expect(@snippet.errors.messages[:visibility_level].first).to(
+        match('Public visibility has been restricted')
+      )
+      expect(@snippet.visibility_level).to eq(old_visibility)
+    end
+
+    it 'admins should be able to update to pubic visibility' do
+      old_visibility = @snippet.visibility_level
+      update_snippet(@project, @admin, @snippet, @opts)
+      expect(@snippet.visibility_level).not_to eq(old_visibility)
+      expect(@snippet.visibility_level).to eq(Gitlab::VisibilityLevel::PUBLIC)
+    end
+  end
+
+  def create_snippet(project, user, opts)
+    CreateSnippetService.new(project, user, opts).execute
+  end
+
+  def update_snippet(project = nil, user, snippet, opts)
+    UpdateSnippetService.new(project, user, snippet, opts).execute
+  end
+end