Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/policies/project_policy_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies/project_policy_spec.rb')
-rw-r--r--spec/policies/project_policy_spec.rb233
1 files changed, 83 insertions, 150 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 9879fc53461..0c457148b4d 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -5,93 +5,10 @@ require 'spec_helper'
RSpec.describe ProjectPolicy do
include ExternalAuthorizationServiceHelpers
include_context 'ProjectPolicy context'
- let_it_be(:other_user) { create(:user) }
- let_it_be(:guest) { create(:user) }
- let_it_be(:reporter) { create(:user) }
- let_it_be(:developer) { create(:user) }
- let_it_be(:maintainer) { create(:user) }
- let_it_be(:owner) { create(:user) }
- let_it_be(:admin) { create(:admin) }
- let(:project) { create(:project, :public, namespace: owner.namespace) }
-
- let(:base_guest_permissions) do
- %i[
- read_project read_board read_list read_wiki read_issue
- read_project_for_iids read_issue_iid read_label
- read_milestone read_snippet read_project_member read_note
- create_project create_issue create_note upload_file create_merge_request_in
- award_emoji read_release read_issue_link
- ]
- end
-
- let(:base_reporter_permissions) do
- %i[
- download_code fork_project create_snippet update_issue
- admin_issue admin_label admin_list read_commit_status read_build
- read_container_image read_pipeline read_environment read_deployment
- read_merge_request download_wiki_code read_sentry_issue read_metrics_dashboard_annotation
- metrics_dashboard read_confidential_issues admin_issue_link
- ]
- end
-
- let(:team_member_reporter_permissions) do
- %i[build_download_code build_read_container_image]
- end
-
- let(:developer_permissions) do
- %i[
- admin_tag admin_milestone admin_merge_request update_merge_request create_commit_status
- update_commit_status create_build update_build create_pipeline
- update_pipeline create_merge_request_from create_wiki push_code
- resolve_note create_container_image update_container_image destroy_container_image daily_statistics
- create_environment update_environment create_deployment update_deployment create_release update_release
- create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation
- read_terraform_state read_pod_logs
- ]
- end
-
- let(:base_maintainer_permissions) do
- %i[
- push_to_delete_protected_branch update_snippet
- admin_snippet admin_project_member admin_note admin_wiki admin_project
- admin_commit_status admin_build admin_container_image
- admin_pipeline admin_environment admin_deployment destroy_release add_cluster
- read_deploy_token create_deploy_token destroy_deploy_token
- admin_terraform_state
- ]
- end
- let(:public_permissions) do
- %i[
- download_code fork_project read_commit_status read_pipeline
- read_container_image build_download_code build_read_container_image
- download_wiki_code read_release
- ]
- end
-
- let(:owner_permissions) do
- %i[
- change_namespace change_visibility_level rename_project remove_project
- archive_project remove_fork_project destroy_merge_request destroy_issue
- set_issue_iid set_issue_created_at set_issue_updated_at set_note_created_at
- ]
- end
+ let(:project) { public_project }
- # Used in EE specs
- let(:additional_guest_permissions) { [] }
- let(:additional_reporter_permissions) { [] }
- let(:additional_maintainer_permissions) { [] }
-
- let(:guest_permissions) { base_guest_permissions + additional_guest_permissions }
- let(:reporter_permissions) { base_reporter_permissions + additional_reporter_permissions }
- let(:maintainer_permissions) { base_maintainer_permissions + additional_maintainer_permissions }
-
- before do
- project.add_guest(guest)
- project.add_maintainer(maintainer)
- project.add_developer(developer)
- project.add_reporter(reporter)
- end
+ subject { described_class.new(current_user, project) }
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
@@ -102,7 +19,7 @@ RSpec.describe ProjectPolicy do
end
context 'with no project feature' do
- subject { described_class.new(owner, project) }
+ let(:current_user) { owner }
before do
project.project_feature.destroy!
@@ -134,7 +51,7 @@ RSpec.describe ProjectPolicy do
end
context 'issues feature' do
- subject { described_class.new(owner, project) }
+ let(:current_user) { owner }
context 'when the feature is disabled' do
before do
@@ -162,7 +79,7 @@ RSpec.describe ProjectPolicy do
end
context 'merge requests feature' do
- subject { described_class.new(owner, project) }
+ let(:current_user) { owner }
it 'disallows all permissions when the feature is disabled' do
project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
@@ -176,9 +93,8 @@ RSpec.describe ProjectPolicy do
end
context 'for a guest in a private project' do
- let(:project) { create(:project, :private) }
-
- subject { described_class.new(guest, project) }
+ let(:current_user) { guest }
+ let(:project) { private_project }
it 'disallows the guest from reading the merge request and merge request iid' do
expect_disallowed(:read_merge_request)
@@ -187,12 +103,10 @@ RSpec.describe ProjectPolicy do
end
context 'pipeline feature' do
- let(:project) { create(:project) }
+ let(:project) { private_project }
describe 'for unconfirmed user' do
- let(:unconfirmed_user) { create(:user, confirmed_at: nil) }
-
- subject { described_class.new(unconfirmed_user, project) }
+ let(:current_user) { create(:user, confirmed_at: nil) }
it 'disallows to modify pipelines' do
expect_disallowed(:create_pipeline)
@@ -202,7 +116,7 @@ RSpec.describe ProjectPolicy do
end
describe 'for confirmed user' do
- subject { described_class.new(developer, project) }
+ let(:current_user) { developer }
it 'allows modify pipelines' do
expect_allowed(:create_pipeline)
@@ -214,7 +128,7 @@ RSpec.describe ProjectPolicy do
context 'builds feature' do
context 'when builds are disabled' do
- subject { described_class.new(owner, project) }
+ let(:current_user) { owner }
before do
project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED)
@@ -234,7 +148,7 @@ RSpec.describe ProjectPolicy do
end
context 'when builds are disabled only for some users' do
- subject { described_class.new(guest, project) }
+ let(:current_user) { guest }
before do
project.project_feature.update!(builds_access_level: ProjectFeature::PRIVATE)
@@ -265,7 +179,7 @@ RSpec.describe ProjectPolicy do
end
context 'when user is a project member' do
- subject { described_class.new(owner, project) }
+ let(:current_user) { owner }
context 'when it is disabled' do
before do
@@ -283,8 +197,8 @@ RSpec.describe ProjectPolicy do
end
end
- context 'when user is some other user' do
- subject { described_class.new(other_user, project) }
+ context 'when user is non-member' do
+ let(:current_user) { non_member }
context 'when access level is private' do
before do
@@ -314,7 +228,7 @@ RSpec.describe ProjectPolicy do
context 'when a public project has merge requests allowing access' do
include ProjectForksHelper
- let(:user) { create(:user) }
+ let(:current_user) { create(:user) }
let(:target_project) { create(:project, :public) }
let(:project) { fork_project(target_project) }
let!(:merge_request) do
@@ -330,20 +244,18 @@ RSpec.describe ProjectPolicy do
%w(create_build create_pipeline)
end
- subject { described_class.new(user, project) }
-
it 'does not allow pushing code' do
expect_disallowed(*maintainer_abilities)
end
it 'allows pushing if the user is a member with push access to the target project' do
- target_project.add_developer(user)
+ target_project.add_developer(current_user)
expect_allowed(*maintainer_abilities)
end
it 'disallows abilities to a maintainer if the merge request was closed' do
- target_project.add_developer(user)
+ target_project.add_developer(current_user)
merge_request.close!
expect_disallowed(*maintainer_abilities)
@@ -351,12 +263,9 @@ RSpec.describe ProjectPolicy do
end
it_behaves_like 'clusterable policies' do
- let(:clusterable) { create(:project, :repository) }
- let(:cluster) do
- create(:cluster,
- :provided_by_gcp,
- :project,
- projects: [clusterable])
+ let_it_be(:clusterable) { create(:project, :repository) }
+ let_it_be(:cluster) do
+ create(:cluster, :provided_by_gcp, :project, projects: [clusterable])
end
end
@@ -427,16 +336,14 @@ RSpec.describe ProjectPolicy do
end
context 'forking a project' do
- subject { described_class.new(current_user, project) }
-
context 'anonymous user' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:fork_project) }
end
context 'project member' do
- let_it_be(:project) { create(:project, :private) }
+ let(:project) { private_project }
context 'guest' do
let(:current_user) { guest }
@@ -455,10 +362,8 @@ RSpec.describe ProjectPolicy do
end
describe 'update_max_artifacts_size' do
- subject { described_class.new(current_user, project) }
-
context 'when no user' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { expect_disallowed(:update_max_artifacts_size) }
end
@@ -487,12 +392,10 @@ RSpec.describe ProjectPolicy do
context 'alert bot' do
let(:current_user) { User.alert_bot }
- subject { described_class.new(current_user, project) }
-
it { is_expected.to be_allowed(:reporter_access) }
context 'within a private project' do
- let(:project) { create(:project, :private) }
+ let(:project) { private_project }
it { is_expected.to be_allowed(:admin_issue) }
end
@@ -501,8 +404,6 @@ RSpec.describe ProjectPolicy do
context 'support bot' do
let(:current_user) { User.support_bot }
- subject { described_class.new(current_user, project) }
-
context 'with service desk disabled' do
it { expect_allowed(:guest_access) }
it { expect_disallowed(:create_note, :read_project) }
@@ -526,8 +427,6 @@ RSpec.describe ProjectPolicy do
end
describe 'read_prometheus_alerts' do
- subject { described_class.new(current_user, project) }
-
context 'with admin' do
let(:current_user) { admin }
@@ -571,17 +470,15 @@ RSpec.describe ProjectPolicy do
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
end
describe 'metrics_dashboard feature' do
- subject { described_class.new(current_user, project) }
-
context 'public project' do
- let(:project) { create(:project, :public) }
+ let(:project) { public_project }
context 'feature private' do
context 'with reporter' do
@@ -601,7 +498,7 @@ RSpec.describe ProjectPolicy do
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
@@ -633,7 +530,7 @@ RSpec.describe ProjectPolicy do
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
@@ -645,7 +542,7 @@ RSpec.describe ProjectPolicy do
end
context 'internal project' do
- let(:project) { create(:project, :internal) }
+ let(:project) { internal_project }
context 'feature private' do
context 'with reporter' do
@@ -665,7 +562,7 @@ RSpec.describe ProjectPolicy do
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard)}
end
@@ -697,7 +594,7 @@ RSpec.describe ProjectPolicy do
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
@@ -705,7 +602,7 @@ RSpec.describe ProjectPolicy do
end
context 'private project' do
- let(:project) { create(:project, :private) }
+ let(:project) { private_project }
context 'feature private' do
context 'with reporter' do
@@ -725,7 +622,7 @@ RSpec.describe ProjectPolicy do
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
@@ -749,7 +646,7 @@ RSpec.describe ProjectPolicy do
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
@@ -774,7 +671,7 @@ RSpec.describe ProjectPolicy do
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
@@ -806,8 +703,6 @@ RSpec.describe ProjectPolicy do
end
describe 'create_web_ide_terminal' do
- subject { described_class.new(current_user, project) }
-
context 'with admin' do
let(:current_user) { admin }
@@ -851,20 +746,20 @@ RSpec.describe ProjectPolicy do
end
context 'with non member' do
- let(:current_user) { create(:user) }
+ let(:current_user) { non_member }
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
end
describe 'read_repository_graphs' do
- subject { described_class.new(guest, project) }
+ let(:current_user) { guest }
before do
allow(subject).to receive(:allowed?).with(:read_repository_graphs).and_call_original
@@ -885,7 +780,7 @@ RSpec.describe ProjectPolicy do
end
describe 'design permissions' do
- subject { described_class.new(guest, project) }
+ let(:current_user) { guest }
let(:design_permissions) do
%i[read_design_activity read_design]
@@ -907,7 +802,7 @@ RSpec.describe ProjectPolicy do
end
describe 'read_build_report_results' do
- subject { described_class.new(guest, project) }
+ let(:current_user) { guest }
before do
allow(subject).to receive(:allowed?).with(:read_build_report_results).and_call_original
@@ -945,8 +840,6 @@ RSpec.describe ProjectPolicy do
end
describe 'read_package' do
- subject { described_class.new(current_user, project) }
-
context 'with admin' do
let(:current_user) { admin }
@@ -997,15 +890,55 @@ RSpec.describe ProjectPolicy do
end
context 'with non member' do
- let(:current_user) { create(:user) }
+ let(:current_user) { non_member }
it { is_expected.to be_allowed(:read_package) }
end
context 'with anonymous' do
- let(:current_user) { nil }
+ let(:current_user) { anonymous }
it { is_expected.to be_allowed(:read_package) }
end
end
+
+ describe 'read_feature_flag' do
+ subject { described_class.new(current_user, project) }
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ context 'when repository is available' do
+ it { is_expected.to be_allowed(:read_feature_flag) }
+ end
+
+ context 'when repository is disabled' do
+ before do
+ project.project_feature.update!(
+ merge_requests_access_level: ProjectFeature::DISABLED,
+ builds_access_level: ProjectFeature::DISABLED,
+ repository_access_level: ProjectFeature::DISABLED
+ )
+ end
+
+ it { is_expected.to be_disallowed(:read_feature_flag) }
+ end
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ context 'when repository is available' do
+ it { is_expected.to be_allowed(:read_feature_flag) }
+ end
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ context 'when repository is available' do
+ it { is_expected.to be_disallowed(:read_feature_flag) }
+ end
+ end
+ end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-13 20:40:32 +0300