Diffstat (limited to 'spec/policies/project_policy_spec.rb')
-rw-r--r-- | spec/policies/project_policy_spec.rb | 159 |
1 files changed, 154 insertions, 5 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index b77ccb83509..7b3d1abadc1 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -32,7 +32,7 @@ RSpec.describe ProjectPolicy do end end - it 'does not include the read_issue permission when the issue author is not a member of the private project' do + it 'does not include the read permissions when the issue author is not a member of the private project' do project = create(:project, :private) issue = create(:issue, project: project, author: create(:user)) user = issue.author @@ -40,6 +40,7 @@ RSpec.describe ProjectPolicy do expect(project.team.member?(issue.author)).to be false expect(Ability).not_to be_allowed(user, :read_issue, project) + expect(Ability).not_to be_allowed(user, :read_work_item, project) end it_behaves_like 'model with wiki policies' do @@ -61,7 +62,7 @@ RSpec.describe ProjectPolicy do end it 'does not include the issues permissions' do - expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task + expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task, :read_work_item end it 'disables boards and lists permissions' do @@ -73,7 +74,7 @@ RSpec.describe ProjectPolicy do it 'does not include the issues permissions' do create(:jira_integration, project: project) - expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task + expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident, :create_work_item, :create_task, :read_work_item end end end 
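Review bot: The two `expect_disallowed` lists in the hunks at new lines 62 and 74 are identical and now carry nine permissions on one line, so the next permission added to the issues feature has to be appended in both places or one of the disabled-feature cases silently stops covering it. A shared definition such as `let(:issue_permissions) { %i[read_issue read_issue_iid create_issue update_issue admin_issue create_incident create_work_item create_task read_work_item] }` with `expect_disallowed(*issue_permissions)` in both examples would keep the two negative checks in step. The enclosing contexts start outside these hunks, so where that `let` should live cannot be decided from here.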
@@ -463,6 +464,62 @@ RSpec.describe ProjectPolicy do end end + context 'owner access' do + let!(:owner_user) { create(:user) } + let!(:owner_of_different_thing) { create(:user) } + let(:stranger) { create(:user) } + + context 'personal project' do + let!(:project) { create(:project) } + let!(:project2) { create(:project) } + + before do + project.add_guest(guest) + project.add_reporter(reporter) + project.add_developer(developer) + project.add_maintainer(maintainer) + project2.add_owner(owner_of_different_thing) + end + + it 'allows owner access', :aggregate_failures do + expect(described_class.new(owner_of_different_thing, project)).to be_disallowed(:owner_access) + expect(described_class.new(stranger, project)).to be_disallowed(:owner_access) + expect(described_class.new(guest, project)).to be_disallowed(:owner_access) + expect(described_class.new(reporter, project)).to be_disallowed(:owner_access) + expect(described_class.new(developer, project)).to be_disallowed(:owner_access) + expect(described_class.new(maintainer, project)).to be_disallowed(:owner_access) + expect(described_class.new(project.owner, project)).to be_allowed(:owner_access) + end + end + + context 'group project' do + let(:group) { create(:group) } + let!(:group2) { create(:group) } + let!(:project) { create(:project, group: group) } + + context 'group members' do + before do + group.add_guest(guest) + group.add_reporter(reporter) + group.add_developer(developer) + group.add_maintainer(maintainer) + group.add_owner(owner_user) + group2.add_owner(owner_of_different_thing) + end + + it 'allows owner access', :aggregate_failures do + expect(described_class.new(owner_of_different_thing, project)).to be_disallowed(:owner_access) + expect(described_class.new(stranger, project)).to be_disallowed(:owner_access) + expect(described_class.new(guest, project)).to be_disallowed(:owner_access) + expect(described_class.new(reporter, project)).to be_disallowed(:owner_access) + 
expect(described_class.new(developer, project)).to be_disallowed(:owner_access) + expect(described_class.new(maintainer, project)).to be_disallowed(:owner_access) + expect(described_class.new(owner_user, project)).to be_allowed(:owner_access) + end + end + end + end + context 'reading a project' do it 'allows access when a user has read access to the repo' do expect(described_class.new(owner, project)).to be_allowed(:read_project) @@ -678,14 +735,14 @@ RSpec.describe ProjectPolicy do allow(project).to receive(:service_desk_enabled?).and_return(true) end - it { expect_allowed(:reporter_access, :create_note, :read_issue) } + it { expect_allowed(:reporter_access, :create_note, :read_issue, :read_work_item) } context 'when issues are protected members only' do before do project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE) end - it { expect_allowed(:reporter_access, :create_note, :read_issue) } + it { expect_allowed(:reporter_access, :create_note, :read_issue, :read_work_item) } end end end 
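Review bot: Both examples added under `context 'owner access'` are titled `'allows owner access'`, yet six of the seven expectations in each assert `be_disallowed(:owner_access)`. A title such as `'allows owner access only to the project owner'` for the personal project and `'allows owner access only to owners of the parent group'` for the group project would name the authorization boundary being pinned. `owner_user` is declared with `let!` in the outer context but is referenced only in the group project example, so it is created eagerly and left unused in the personal project case; plain `let(:owner_user)` would do. The group project context covers group members only; whether a direct project-level member of a group project is covered elsewhere cannot be told from this hunk. `guest`, `reporter`, `developer` and `maintainer` are defined outside it.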
@@ -1282,6 +1339,98 @@ RSpec.describe ProjectPolicy do end end + describe 'admin_package' do + context 'with admin' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:admin_package) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:admin_package) } + end + end + + %i[owner maintainer].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_allowed(:admin_package) } + end + end + + %i[developer reporter guest non_member anonymous].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:admin_package) } + end + end + end + + describe 'view_package_registry_project_settings' do + context 'with registry enabled' do + before do + stub_config(registry: { enabled: true }) + end + + context 'with an admin user' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:view_package_registry_project_settings) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end + end + + %i[owner maintainer].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_allowed(:view_package_registry_project_settings) } + end + end + + %i[developer reporter guest non_member anonymous].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end + end + end + + context 'with registry disabled' do + before do + stub_config(registry: { enabled: false }) + end + + context 'with admin user' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to 
be_disallowed(:view_package_registry_project_settings) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end + end + + %i[owner maintainer developer reporter guest non_member anonymous].each do |role| + context "with #{role}" do + let(:current_user) { public_send(role) } + + it { is_expected.to be_disallowed(:view_package_registry_project_settings) } + end + end + end + end + describe 'read_feature_flag' do subject { described_class.new(current_user, project) } |
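Review bot: Neither `describe 'admin_package'` nor `describe 'view_package_registry_project_settings'` declares a `subject`, although every example in them uses `is_expected`. The `describe 'read_feature_flag'` block in the trailing context declares its own, so the new examples depend on a subject defined somewhere outside this hunk. Adding `subject { described_class.new(current_user, project) }` at the top of each new describe block would make explicit which user and project every allowed/disallowed assertion is evaluated for, and keep these permission checks from changing meaning if an outer subject is later edited. A short comment above `stub_config(registry: { enabled: true })` saying why the `registry` setting gates a package-registry settings permission would also help the next reader.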