Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/policies/project_policy_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies/project_policy_spec.rb')
-rw-r--r--spec/policies/project_policy_spec.rb129
1 files changed, 42 insertions, 87 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index fda889ff422..a9a4575d747 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2573,7 +2573,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
RSpec.shared_examples 'CI_JOB_TOKEN enforces the expected permissions' do
with_them do
let(:current_user) { public_send(user_role) }
- let(:project) { public_send("#{project_visibility}_project") }
+ let(:project) { public_project }
let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
let(:scope_project) do
@@ -2607,20 +2607,19 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
end
end
- # Remove project_visibility on FF restrict_ci_job_token_for_public_and_internal_projects cleanup
- where(:project_visibility, :user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
- :public | :reporter | false | :same | true | true
- :public | :reporter | true | :same | true | true
- :public | :reporter | false | :same | false | true
- :public | :reporter | false | :different | true | false
- :public | :reporter | true | :different | true | false
- :public | :reporter | false | :different | false | true
- :public | :guest | false | :same | true | true
- :public | :guest | true | :same | true | true
- :public | :guest | false | :same | false | true
- :public | :guest | false | :different | true | false
- :public | :guest | true | :different | true | false
- :public | :guest | false | :different | false | true
+ where(:user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
+ :reporter | false | :same | true | true
+ :reporter | true | :same | true | true
+ :reporter | false | :same | false | true
+ :reporter | false | :different | true | false
+ :reporter | true | :different | true | false
+ :reporter | false | :different | false | true
+ :guest | false | :same | true | true
+ :guest | true | :same | true | true
+ :guest | false | :same | false | true
+ :guest | false | :different | true | false
+ :guest | true | :different | true | false
+ :guest | false | :different | false | true
end
include_examples "CI_JOB_TOKEN enforces the expected permissions"
@@ -2663,61 +2662,8 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
permissions.each { |p| expect_disallowed(p) }
end
-
- context "with restrict_ci_job_token_for_public_and_internal_projects disabled" do
- before do
- stub_feature_flags(restrict_ci_job_token_for_public_and_internal_projects: false)
- end
-
- it 'allows all permissions for private' do
- project.project_feature.update!("#{feature}_access_level": ProjectFeature::PRIVATE)
-
- permissions.each { |p| expect_allowed(p) }
- end
- end
end
end
-
- context "with FF restrict_ci_job_token_for_public_and_internal_projects disabled" do
- before do
- stub_feature_flags(restrict_ci_job_token_for_public_and_internal_projects: false)
- end
-
- where(:project_visibility, :user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
- :private | :reporter | false | :same | true | true
- :private | :reporter | false | :same | false | true
- :private | :reporter | false | :different | true | false
- :private | :reporter | false | :different | false | true
- :private | :guest | false | :same | true | true
- :private | :guest | false | :same | false | true
- :private | :guest | false | :different | true | false
- :private | :guest | false | :different | false | true
-
- :internal | :reporter | false | :same | true | true
- :internal | :reporter | true | :same | true | true
- :internal | :reporter | false | :same | false | true
- :internal | :reporter | false | :different | true | true
- :internal | :reporter | true | :different | true | false
- :internal | :reporter | false | :different | false | true
- :internal | :guest | false | :same | true | true
- :internal | :guest | true | :same | true | true
- :internal | :guest | false | :same | false | true
- :internal | :guest | false | :different | true | true
- :internal | :guest | true | :different | true | false
- :internal | :guest | false | :different | false | true
-
- :public | :reporter | false | :same | true | true
- :public | :reporter | false | :same | false | true
- :public | :reporter | false | :different | true | true
- :public | :reporter | false | :different | false | true
- :public | :guest | false | :same | true | true
- :public | :guest | false | :same | false | true
- :public | :guest | false | :different | true | true
- :public | :guest | false | :different | false | true
- end
-
- include_examples "CI_JOB_TOKEN enforces the expected permissions"
- end
end
describe 'container_image policies' do
@@ -3321,37 +3267,46 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
end
describe 'read_model_registry' do
- let(:project_with_feature) { project }
- let(:current_user) { owner }
-
- before do
- stub_feature_flags(model_registry: false)
- stub_feature_flags(model_registry: project_with_feature) if project_with_feature
- end
+ using RSpec::Parameterized::TableSyntax
- context 'feature flag is enabled' do
- specify { is_expected.to be_allowed(:read_model_registry) }
+ where(:feature_flag_enabled, :current_user, :access_level, :allowed) do
+ false | ref(:owner) | Featurable::ENABLED | false
+ true | ref(:guest) | Featurable::ENABLED | true
+ true | ref(:guest) | Featurable::PRIVATE | true
+ true | ref(:guest) | Featurable::DISABLED | false
+ true | ref(:non_member) | Featurable::ENABLED | true
+ true | ref(:non_member) | Featurable::PRIVATE | false
+ true | ref(:non_member) | Featurable::DISABLED | false
end
+ with_them do
+ before do
+ stub_feature_flags(model_registry: feature_flag_enabled)
+ project.project_feature.update!(model_registry_access_level: access_level)
+ end
- context 'feature flag is disabled' do
- let(:project_with_feature) { nil }
-
- specify { is_expected.not_to be_allowed(:read_model_registry) }
+ if params[:allowed]
+ it { expect_allowed(:read_model_registry) }
+ else
+ it { expect_disallowed(:read_model_registry) }
+ end
end
end
describe 'write_model_registry' do
using RSpec::Parameterized::TableSyntax
- where(:ff_model_registry_enabled, :current_user, :allowed) do
- true | ref(:reporter) | true
- true | ref(:guest) | false
- false | ref(:owner) | false
+ where(:feature_flag_enabled, :current_user, :access_level, :allowed) do
+ false | ref(:owner) | Featurable::ENABLED | false
+ true | ref(:reporter) | Featurable::ENABLED | true
+ true | ref(:reporter) | Featurable::PRIVATE | true
+ true | ref(:reporter) | Featurable::DISABLED | false
+ true | ref(:guest) | Featurable::ENABLED | false
+ true | ref(:non_member) | Featurable::ENABLED | false
end
with_them do
before do
- stub_feature_flags(model_registry: false)
- stub_feature_flags(model_registry: project) if ff_model_registry_enabled
+ stub_feature_flags(model_registry: feature_flag_enabled)
+ project.project_feature.update!(model_registry_access_level: access_level)
end
if params[:allowed]
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-14 23:30:44 +0300