Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/policies/group_policy_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies/group_policy_spec.rb')
-rw-r--r--spec/policies/group_policy_spec.rb272
1 files changed, 232 insertions, 40 deletions
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 451db9eaf9c..5e85a6e187b 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -2,9 +2,10 @@
require 'spec_helper'
-RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization do
+RSpec.describe GroupPolicy, feature_category: :system_access do
include AdminModeHelper
include_context 'GroupPolicy context'
+ using RSpec::Parameterized::TableSyntax
context 'public group with no user' do
let(:group) { create(:group, :public, :crm_enabled) }
@@ -668,6 +669,177 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
it { is_expected.to be_allowed(:create_projects) }
end
end
+
+ context 'with visibility levels restricted by the administrator' do
+ let_it_be(:public) { Gitlab::VisibilityLevel::PUBLIC }
+ let_it_be(:internal) { Gitlab::VisibilityLevel::INTERNAL }
+ let_it_be(:private) { Gitlab::VisibilityLevel::PRIVATE }
+ let_it_be(:policy) { :create_projects }
+
+ where(:restricted_visibility_levels, :group_visibility, :can_create_project?) do
+ [] | ref(:public) | true
+ [] | ref(:internal) | true
+ [] | ref(:private) | true
+ [ref(:public)] | ref(:public) | true
+ [ref(:public)] | ref(:internal) | true
+ [ref(:public)] | ref(:private) | true
+ [ref(:internal)] | ref(:public) | true
+ [ref(:internal)] | ref(:internal) | true
+ [ref(:internal)] | ref(:private) | true
+ [ref(:private)] | ref(:public) | true
+ [ref(:private)] | ref(:internal) | true
+ [ref(:private)] | ref(:private) | false
+ [ref(:public), ref(:internal)] | ref(:public) | true
+ [ref(:public), ref(:internal)] | ref(:internal) | true
+ [ref(:public), ref(:internal)] | ref(:private) | true
+ [ref(:public), ref(:private)] | ref(:public) | true
+ [ref(:public), ref(:private)] | ref(:internal) | true
+ [ref(:public), ref(:private)] | ref(:private) | false
+ [ref(:private), ref(:internal)] | ref(:public) | true
+ [ref(:private), ref(:internal)] | ref(:internal) | false
+ [ref(:private), ref(:internal)] | ref(:private) | false
+ [ref(:public), ref(:internal), ref(:private)] | ref(:public) | false
+ [ref(:public), ref(:internal), ref(:private)] | ref(:internal) | false
+ [ref(:public), ref(:internal), ref(:private)] | ref(:private) | false
+ end
+
+ with_them do
+ before do
+ group.update!(visibility_level: group_visibility)
+ stub_application_setting(restricted_visibility_levels: restricted_visibility_levels)
+ end
+
+ context 'with non-admin user' do
+ let(:current_user) { owner }
+
+ it { is_expected.to(can_create_project? ? be_allowed(policy) : be_disallowed(policy)) }
+ end
+
+ context 'with admin user', :enable_admin_mode do
+ let(:current_user) { admin }
+
+ it { is_expected.to be_allowed(policy) }
+ end
+ end
+ end
+ end
+
+ context 'import_projects' do
+ before do
+ group.update!(project_creation_level: project_creation_level)
+ end
+
+ context 'when group has no project creation level set' do
+ let(:project_creation_level) { nil }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to no one' do
+ let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to maintainer only' do
+ let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to developers + maintainer' do
+ let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
end
context 'create_subgroup' do
@@ -735,10 +907,7 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
it_behaves_like 'clusterable policies' do
let(:clusterable) { create(:group, :crm_enabled) }
let(:cluster) do
- create(:cluster,
- :provided_by_gcp,
- :group,
- groups: [clusterable])
+ create(:cluster, :provided_by_gcp, :group, groups: [clusterable])
end
end
@@ -763,7 +932,7 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
end
end
- %w(guest reporter developer maintainer owner).each do |role|
+ %w[guest reporter developer maintainer owner].each do |role|
context role do
let(:current_user) { send(role) }
@@ -931,15 +1100,14 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
end
describe 'observability' do
- using RSpec::Parameterized::TableSyntax
-
- let(:allowed) { be_allowed(:read_observability) }
- let(:disallowed) { be_disallowed(:read_observability) }
+ let(:allowed_admin) { be_allowed(:read_observability) && be_allowed(:admin_observability) }
+ let(:allowed_read) { be_allowed(:read_observability) && be_disallowed(:admin_observability) }
+ let(:disallowed) { be_disallowed(:read_observability) && be_disallowed(:admin_observability) }
# rubocop:disable Layout/LineLength
where(:feature_enabled, :admin_matcher, :owner_matcher, :maintainer_matcher, :developer_matcher, :reporter_matcher, :guest_matcher, :non_member_matcher, :anonymous_matcher) do
false | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed)
- true | ref(:allowed) | ref(:allowed) | ref(:allowed) | ref(:allowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed)
+ true | ref(:allowed_admin) | ref(:allowed_admin) | ref(:allowed_admin) | ref(:allowed_read) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed)
end
# rubocop:enable Layout/LineLength
@@ -1274,7 +1442,7 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
end
end
- describe 'create_group_runners' do
+ describe 'create_runner' do
shared_examples 'disallowed when group runner registration disabled' do
context 'with group runner registration disabled' do
before do
@@ -1285,34 +1453,34 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
context 'with specific group runner registration enabled' do
let(:runner_registration_enabled) { true }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with specific group runner registration disabled' do
let(:runner_registration_enabled) { false }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
end
- context 'create_runner_workflow flag enabled' do
+ context 'create_runner_workflow_for_namespace flag enabled' do
before do
- stub_feature_flags(create_runner_workflow: true)
+ stub_feature_flags(create_runner_workflow_for_namespace: [group])
end
context 'admin' do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
context 'with specific group runner registration disabled' do
before do
group.runner_registration_enabled = false
end
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
end
context 'with group runner registration disabled' do
@@ -1324,26 +1492,26 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
context 'with specific group runner registration enabled' do
let(:runner_registration_enabled) { true }
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
end
context 'with specific group runner registration disabled' do
let(:runner_registration_enabled) { false }
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
end
end
end
context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'with owner' do
let(:current_user) { owner }
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
it_behaves_like 'disallowed when group runner registration disabled'
end
@@ -1351,65 +1519,67 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
context 'with maintainer' do
let(:current_user) { maintainer }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with reporter' do
let(:current_user) { reporter }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with guest' do
let(:current_user) { guest }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with developer' do
let(:current_user) { developer }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with anonymous' do
let(:current_user) { nil }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
- context 'with create_runner_workflow flag disabled' do
+ context 'with create_runner_workflow_for_namespace flag disabled' do
before do
- stub_feature_flags(create_runner_workflow: false)
+ stub_feature_flags(create_runner_workflow_for_namespace: [other_group])
end
+ let_it_be(:other_group) { create(:group) }
+
context 'admin' do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
context 'with specific group runner registration disabled' do
before do
group.runner_registration_enabled = false
end
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
it_behaves_like 'disallowed when group runner registration disabled'
end
context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'with owner' do
let(:current_user) { owner }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
it_behaves_like 'disallowed when group runner registration disabled'
end
@@ -1417,31 +1587,31 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
context 'with maintainer' do
let(:current_user) { maintainer }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with reporter' do
let(:current_user) { reporter }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with guest' do
let(:current_user) { guest }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with developer' do
let(:current_user) { developer }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with anonymous' do
let(:current_user) { nil }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
end
@@ -1543,8 +1713,6 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
describe 'read_usage_quotas policy' do
context 'reading usage quotas' do
- using RSpec::Parameterized::TableSyntax
-
let(:policy) { :read_usage_quotas }
where(:role, :admin_mode, :allowed) do
@@ -1568,4 +1736,28 @@ RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization
end
end
end
+
+ describe 'achievements' do
+ let(:current_user) { owner }
+
+ specify { is_expected.to be_allowed(:read_achievement) }
+ specify { is_expected.to be_allowed(:admin_achievement) }
+ specify { is_expected.to be_allowed(:award_achievement) }
+
+ context 'with feature flag disabled' do
+ before do
+ stub_feature_flags(achievements: false)
+ end
+
+ specify { is_expected.to be_disallowed(:read_achievement) }
+ specify { is_expected.to be_disallowed(:admin_achievement) }
+ specify { is_expected.to be_disallowed(:award_achievement) }
+ end
+
+ context 'when current user can not see the group' do
+ let(:current_user) { non_group_member }
+
+ specify { is_expected.to be_allowed(:read_achievement) }
+ end
+ end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-19 09:58:47 +0300