diff options
-rw-r--r-- | app/models/ability.rb | 2 | ||||
-rw-r--r-- | spec/features/security/group/internal_access_spec.rb | 104 | ||||
-rw-r--r-- | spec/features/security/group/private_access_spec.rb | 104 | ||||
-rw-r--r-- | spec/features/security/group/public_access_spec.rb | 104 | ||||
-rw-r--r-- | spec/features/security/group_access_spec.rb | 40 | ||||
-rw-r--r-- | spec/support/group_access_helper.rb | 17 |
6 files changed, 330 insertions, 41 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb index 1c9b15069aa..fe460ccdaca 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -296,7 +296,7 @@ class Ability def can_read_group?(user, group) is_project_member = ProjectsFinder.new.execute(user, group: group).any? - user.admin? || group.public? || group.internal? || group.users.include?(user) + user.admin? || group.public? || group.internal? || is_project_member || group.users.include?(user) end def namespace_abilities(user, namespace) diff --git a/spec/features/security/group/internal_access_spec.rb b/spec/features/security/group/internal_access_spec.rb new file mode 100644 index 00000000000..69a0fbb4468 --- /dev/null +++ b/spec/features/security/group/internal_access_spec.rb @@ -0,0 +1,104 @@ +require 'rails_helper' + +describe 'Internal group access', feature: true do + include AccessMatchers + include GroupAccessHelper + + + + describe 'GET /groups/:path' do + subject { group_path(group(Gitlab::VisibilityLevel::INTERNAL)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/issues' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/merge_requests' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end + + + describe 'GET /groups/:path/group_members' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/edit' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end +end diff --git a/spec/features/security/group/private_access_spec.rb b/spec/features/security/group/private_access_spec.rb new file mode 100644 index 00000000000..0d01310b449 --- /dev/null +++ b/spec/features/security/group/private_access_spec.rb @@ -0,0 +1,104 @@ +require 'rails_helper' + +describe 'Private group access', feature: true do + include AccessMatchers + include GroupAccessHelper + + + + describe 'GET /groups/:path' do + subject { group_path(group(Gitlab::VisibilityLevel::PRIVATE)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to_not be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/issues' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to_not be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/merge_requests' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to_not be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end + + + describe 'GET /groups/:path/group_members' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to_not be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/edit' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to_not be_allowed_for :user } + it { is_expected.to_not be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to_not be_allowed_for :visitor } + end + end +end diff --git a/spec/features/security/group/public_access_spec.rb b/spec/features/security/group/public_access_spec.rb new file mode 100644 index 00000000000..75d208f2949 --- /dev/null +++ b/spec/features/security/group/public_access_spec.rb @@ -0,0 +1,104 @@ +require 'rails_helper' + +describe 'Public group access', feature: true do + include AccessMatchers + include GroupAccessHelper + + + + describe 'GET /groups/:path' do + subject { group_path(group(Gitlab::VisibilityLevel::PUBLIC)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/issues' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/merge_requests' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to be_allowed_for :visitor } + end + end + + + describe 'GET /groups/:path/group_members' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to be_allowed_for :visitor } + end + end + + describe 'GET /groups/:path/edit' do + subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) } + + context "when user not in group project" do + it { is_expected.to be_allowed_for group_member(:owner) } + it { is_expected.to be_allowed_for group_member(:master) } + it { is_expected.to be_allowed_for group_member(:reporter) } + it { is_expected.to be_allowed_for group_member(:guest) } + it { is_expected.to be_allowed_for :admin } + it { is_expected.to be_allowed_for :user } + it { is_expected.to be_allowed_for :visitor } + end + + context "when user in group project" do + it { is_expected.to be_allowed_for project_group_member(:user) } + it { is_expected.to be_allowed_for :visitor } + end + end +end diff --git a/spec/features/security/group_access_spec.rb b/spec/features/security/group_access_spec.rb index 65f8073c693..0194581dfd1 100644 --- a/spec/features/security/group_access_spec.rb +++ b/spec/features/security/group_access_spec.rb @@ -43,8 +43,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with mixed projects' do @@ -55,8 +53,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with internal projects' do @@ -67,8 +63,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with no projects' do @@ -77,8 +71,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end end @@ -93,8 +85,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with mixed projects' do @@ -105,8 +95,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with internal projects' do @@ -117,8 +105,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_denied_for :visitor } end context 'with no projects' do @@ -127,8 +113,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_denied_for :user } - it { is_expected.to be_denied_for :visitor } end end @@ -143,8 +127,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with mixed projects' do @@ -155,8 +137,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with internal projects' do @@ -167,8 +147,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_denied_for :visitor } end context 'with no projects' do @@ -177,8 +155,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_denied_for :user } - it { is_expected.to be_denied_for :visitor } end end @@ -193,8 +169,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with mixed projects' do @@ -205,8 +179,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_allowed_for :visitor } end context 'with internal projects' do @@ -217,8 +189,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_allowed_for :user } - it { is_expected.to be_denied_for :visitor } end context 'with no projects' do @@ -227,8 +197,6 @@ describe 'Group access', feature: true do it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_denied_for :user } - it { is_expected.to be_denied_for :visitor } end end @@ -243,8 +211,6 @@ describe 'Group access', feature: true do it { is_expected.to be_denied_for group_member(:reporter) } it { is_expected.to be_denied_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_denied_for :user } - it { is_expected.to be_denied_for :visitor } end context 'with mixed projects' do @@ -255,8 +221,6 @@ describe 'Group access', feature: true do it { is_expected.to be_denied_for group_member(:reporter) } it { is_expected.to be_denied_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_denied_for :user } - it { is_expected.to be_denied_for :visitor } end context 'with internal projects' do @@ -267,8 +231,6 @@ describe 'Group access', feature: true do it { is_expected.to be_denied_for group_member(:reporter) } it { is_expected.to be_denied_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_denied_for :user } - it { is_expected.to be_denied_for :visitor } end context 'with no projects' do @@ -277,8 +239,6 @@ describe 'Group access', feature: true do it { is_expected.to be_denied_for group_member(:reporter) } it { is_expected.to be_denied_for group_member(:guest) } it { is_expected.to be_allowed_for :admin } - it { is_expected.to be_denied_for :user } - it { is_expected.to be_denied_for :visitor } end end end diff --git a/spec/support/group_access_helper.rb b/spec/support/group_access_helper.rb new file mode 100644 index 00000000000..a1a8fb2bd72 --- /dev/null +++ b/spec/support/group_access_helper.rb @@ -0,0 +1,17 @@ +module GroupAccessHelper + def group(visibility_level=0) + @group ||= create(:group, visibility_level: visibility_level) + end + + def project_group_member(access_level) + project = create(:project, visibility_level: group.visibility_level, group: group, name: 'B', path: 'B') + + create(:user).tap { |user| project.team.add_user(user, Gitlab::Access::DEVELOPER) } + end + + def group_member(access_level, grp=group()) + level = Object.const_get("Gitlab::Access::#{access_level.upcase}") + + create(:user).tap { |user| grp.add_user(user, level) } + end +end |