
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2021-08-03 15:03:36 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-08-03 15:03:36 +0300
commit8f55c567e2da284ea78fabe1994f234bbd7b6023 (patch)
tree84b709cc9bf53778af3a0e8a40b467fadd91ac2b /spec
parentacd33ab4ff107fc73b9dd310ba65e60bd3119c0b (diff)
Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb24
-rw-r--r--spec/lib/sidebars/projects/menus/analytics_menu_spec.rb16
-rw-r--r--spec/policies/project_policy_spec.rb53
3 files changed, 79 insertions, 14 deletions
diff --git a/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb b/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
index c0367f7d42e..ccc861baae5 100644
--- a/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
+++ b/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
@@ -5,14 +5,24 @@ require 'spec_helper'
RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
include GraphqlHelpers
- let_it_be(:project) { create(:project) }
+ let_it_be(:project) { create(:project, :private) }
+ let_it_be(:guest) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
+
+ let(:current_user) { reporter }
+
+ before_all do
+ project.add_guest(guest)
+ project.add_reporter(reporter)
+ end
specify do
expect(described_class).to have_nullable_graphql_type(::Types::Ci::AnalyticsType)
end
def resolve_statistics(project, args)
- resolve(described_class, obj: project, args: args)
+ ctx = { current_user: current_user }
+ resolve(described_class, obj: project, args: args, ctx: ctx)
end
describe '#resolve' do
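Review bot: The default `let(:current_user) { reporter }` carries the whole positive path of this spec, but nothing on the line says why reporter was chosen. A one-line comment above it, such as `# reporter is the lowest role the policy spec expects to hold :read_ci_cd_analytics`, would tie the fixture to the access boundary asserted in spec/policies/project_policy_spec.rb in the same commit. The `describe '#resolve'` block opened on the last line continues outside this hunk.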
@@ -32,5 +42,15 @@ RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
:pipeline_times_values
)
end
+
+ context 'when the user does not have access to the CI/CD analytics data' do
+ let(:current_user) { guest }
+
+ it 'returns nil' do
+ result = resolve_statistics(project, {})
+
+ expect(result).to be_nil
+ end
+ end
end
end
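Review bot: The new denial context covers only a guest member of the private project; a request with no signed-in user is not exercised anywhere in the visible hunks of this spec. That is the caller an authorization regression would expose first, so a sibling context that sets `current_user` to nil is worth adding next to the guest case. The expected value is presumably also nil, but that should be confirmed against the resolver, which is not shown here. The enclosing `describe '#resolve'` starts outside this hunk.

```ruby
# … unchanged: 'when the user does not have access to the CI/CD analytics data' (guest) …

context 'when there is no current user' do
  let(:current_user) { nil }

  it 'returns nil' do
    result = resolve_statistics(project, {})

    expect(result).to be_nil
  end
end
```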
diff --git a/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb b/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
index ed94b81520e..9d5f029fff5 100644
--- a/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
+++ b/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
@@ -4,15 +4,19 @@ require 'spec_helper'
RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
let_it_be(:project) { create(:project, :repository) }
+ let_it_be(:guest) do
+ create(:user).tap { |u| project.add_guest(u) }
+ end
- let(:user) { project.owner }
- let(:context) { Sidebars::Projects::Context.new(current_user: user, container: project, current_ref: project.repository.root_ref) }
+ let(:owner) { project.owner }
+ let(:current_user) { owner }
+ let(:context) { Sidebars::Projects::Context.new(current_user: current_user, container: project, current_ref: project.repository.root_ref) }
subject { described_class.new(context) }
describe '#render?' do
context 'whe user cannot read analytics' do
- let(:user) { nil }
+ let(:current_user) { nil }
it 'returns false' do
expect(subject.render?).to be false
@@ -79,7 +83,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
end
describe 'when the user does not have access' do
- let(:user) { nil }
+ let(:current_user) { guest }
specify { is_expected.to be_nil }
end
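Review bot: Changing `let(:user) { nil }` to `let(:current_user) { guest }` in this 'when the user does not have access' block swaps one negative case for another instead of adding one, so the signed-out case is no longer asserted for this menu item. Keeping both preserves the earlier coverage: a second block with `let(:current_user) { nil }` and the same `specify { is_expected.to be_nil }` would do. Which menu item this covers cannot be seen from the hunk, because the enclosing describe starts outside it; the two later hunks in this file keep nil and are only renamed.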
@@ -99,7 +103,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
end
describe 'when the user does not have access' do
- let(:user) { nil }
+ let(:current_user) { nil }
specify { is_expected.to be_nil }
end
@@ -111,7 +115,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
specify { is_expected.not_to be_nil }
describe 'when the user does not have access' do
- let(:user) { nil }
+ let(:current_user) { nil }
specify { is_expected.to be_nil }
end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 8f3cac205be..a94c3748e7d 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1130,12 +1130,20 @@ RSpec.describe ProjectPolicy do
let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) }
before do
+ project_with_analytics_disabled.add_guest(guest)
+ project_with_analytics_private.add_guest(guest)
+ project_with_analytics_enabled.add_guest(guest)
+
+ project_with_analytics_disabled.add_reporter(reporter)
+ project_with_analytics_private.add_reporter(reporter)
+ project_with_analytics_enabled.add_reporter(reporter)
+
project_with_analytics_disabled.add_developer(developer)
project_with_analytics_private.add_developer(developer)
project_with_analytics_enabled.add_developer(developer)
end
- context 'when analytics is enabled for the project' do
+ context 'when analytics is disabled for the project' do
let(:project) { project_with_analytics_disabled }
context 'for guest user' do
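Review bot: The six added `add_guest`/`add_reporter` calls sit in a per-example `before` block, so every example in this group now performs nine membership inserts against projects that were created once with `let_it_be`. If `guest`, `reporter` and `developer` are themselves `let_it_be` records (their definitions are outside this hunk), opening the block with `before_all do`, as the resolver spec in this commit does, would set the memberships up once for the group. The group's enclosing describe starts outside the hunk, and the 'for guest user' context on the last line continues past it.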
@@ -1144,6 +1152,16 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
+ it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+ end
+
+ context 'for reporter user' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:read_cycle_analytics) }
+ it { is_expected.to be_disallowed(:read_insights) }
+ it { is_expected.to be_disallowed(:read_repository_graphs) }
+ it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
end
context 'for developer' do
@@ -1152,6 +1170,7 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
+ it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
end
end
@@ -1161,9 +1180,19 @@ RSpec.describe ProjectPolicy do
context 'for guest user' do
let(:current_user) { guest }
- it { is_expected.to be_disallowed(:read_cycle_analytics) }
- it { is_expected.to be_disallowed(:read_insights) }
+ it { is_expected.to be_allowed(:read_cycle_analytics) }
+ it { is_expected.to be_allowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
+ it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+ end
+
+ context 'for reporter user' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_allowed(:read_cycle_analytics) }
+ it { is_expected.to be_allowed(:read_insights) }
+ it { is_expected.to be_allowed(:read_repository_graphs) }
+ it { is_expected.to be_allowed(:read_ci_cd_analytics) }
end
context 'for developer' do
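Review bot: With guest now a project member, the flipped expectations in 'for guest user' (`be_allowed(:read_cycle_analytics)`, `be_allowed(:read_insights)`) replace what apparently served as the non-member check, and no context in the visible hunks asserts that a user without membership is denied on the analytics-private project. A context for such a user would keep that boundary pinned for all four abilities. It may already exist elsewhere in the file, and the expected outcomes below should be confirmed against the policy and the project's visibility, neither of which is shown here. The surrounding context for the private project starts outside this hunk.

```ruby
# … unchanged: 'for guest user' and 'for reporter user' contexts …

context 'for a user without membership' do
  let(:current_user) { create(:user) }

  it { is_expected.to be_disallowed(:read_cycle_analytics) }
  it { is_expected.to be_disallowed(:read_insights) }
  it { is_expected.to be_disallowed(:read_repository_graphs) }
  it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
end
```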
@@ -1172,18 +1201,29 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_cycle_analytics) }
it { is_expected.to be_allowed(:read_insights) }
it { is_expected.to be_allowed(:read_repository_graphs) }
+ it { is_expected.to be_allowed(:read_ci_cd_analytics) }
end
end
context 'when analytics is enabled for the project' do
- let(:project) { project_with_analytics_private }
+ let(:project) { project_with_analytics_enabled }
context 'for guest user' do
let(:current_user) { guest }
- it { is_expected.to be_disallowed(:read_cycle_analytics) }
- it { is_expected.to be_disallowed(:read_insights) }
+ it { is_expected.to be_allowed(:read_cycle_analytics) }
+ it { is_expected.to be_allowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
+ it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+ end
+
+ context 'for reporter user' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_allowed(:read_cycle_analytics) }
+ it { is_expected.to be_allowed(:read_insights) }
+ it { is_expected.to be_allowed(:read_repository_graphs) }
+ it { is_expected.to be_allowed(:read_ci_cd_analytics) }
end
context 'for developer' do
@@ -1192,6 +1232,7 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_cycle_analytics) }
it { is_expected.to be_allowed(:read_insights) }
it { is_expected.to be_allowed(:read_repository_graphs) }
+ it { is_expected.to be_allowed(:read_ci_cd_analytics) }
end
end
end