Merge branch 'issue_20078' into 'master'

Test if issue authors can access private projects See merge request !6419
author: Yorick Peterse <yorickpeterse@gmail.com> 2016-09-20 22:37:47 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2016-09-20 22:37:47 +0300
commit: 0c7f38bd5b59458a94a9637e06287c8bbbaec82d (patch)
tree: 6a1e169e0cc960f5d7e16a35c9c2ad7e95f4b2bc /spec
parent: f683349723dd30b7721d283ea20ce9788f2d16b9 (diff)
parent: 98559adf710eb2142ba072f2ac91a1db9d0578cf (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index eda1cafd65e..a7a06744428 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -33,4 +33,17 @@ describe ProjectPolicy, models: true do
   it 'returns increasing permissions for each level' do
     expect(users_permissions).to eq(users_permissions.sort.uniq)
   end
+
+  it 'does not include the read_issue permission when the issue author is not a member of the private project' do
+    project = create(:project, :private)
+    issue   = create(:issue, project: project)
+    user    = issue.author
+
+    expect(project.team.member?(issue.author)).to eq(false)
+
+    expect(BasePolicy.class_for(project).abilities(user, project).can_set).
+      not_to include(:read_issue)
+
+    expect(Ability.allowed?(user, :read_issue, project)).to be_falsy
+  end
 end
author	Yorick Peterse <yorickpeterse@gmail.com>	2016-09-20 22:37:47 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2016-09-20 22:37:47 +0300
commit	0c7f38bd5b59458a94a9637e06287c8bbbaec82d (patch)
tree	6a1e169e0cc960f5d7e16a35c9c2ad7e95f4b2bc /spec
parent	f683349723dd30b7721d283ea20ce9788f2d16b9 (diff)
parent	98559adf710eb2142ba072f2ac91a1db9d0578cf (diff)