Diffstat (limited to 'spec/policies/project_policy_spec.rb')
-rw-r--r-- | spec/policies/project_policy_spec.rb | 158 |
1 files changed, 121 insertions, 37 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index e8fdf9a8e25..fefd9f71408 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -777,13 +777,13 @@ RSpec.describe ProjectPolicy do
 project.add_developer(user)
 end
- it { is_expected.not_to be_allowed(:project_bot_access)}
+ it { is_expected.not_to be_allowed(:project_bot_access) }
 end
 context "when project bot and not part of the project" do
 let(:current_user) { project_bot }
- it { is_expected.not_to be_allowed(:project_bot_access)}
+ it { is_expected.not_to be_allowed(:project_bot_access) }
 end
 context "when project bot and part of the project" do
@@ -793,7 +793,7 @@ RSpec.describe ProjectPolicy do
 project.add_developer(project_bot)
 end
- it { is_expected.to be_allowed(:project_bot_access)}
+ it { is_expected.to be_allowed(:project_bot_access) }
 end
 end
@@ -804,7 +804,7 @@ RSpec.describe ProjectPolicy do
 project.add_maintainer(project_bot)
 end
- it { is_expected.not_to be_allowed(:create_resource_access_tokens)}
+ it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
 end
 end
@@ -946,7 +946,7 @@ RSpec.describe ProjectPolicy do
 context 'with anonymous' do
 let(:current_user) { anonymous }
- it { is_expected.to be_disallowed(:metrics_dashboard)}
+ it { is_expected.to be_disallowed(:metrics_dashboard) }
 end
 end
@@ -1930,14 +1930,10 @@ RSpec.describe ProjectPolicy do describe 'operations feature' do using RSpec::Parameterized::TableSyntax - before do - stub_feature_flags(split_operations_visibility_permissions: false) - end + let(:guest_permissions) { [:read_environment, :read_deployment] } - let(:guest_operations_permissions) { [:read_environment, :read_deployment] } - - let(:developer_operations_permissions) do - guest_operations_permissions + [ + let(:developer_permissions) do + guest_permissions + [ :read_feature_flag, :read_sentry_issue, :read_alert_management_alert, :read_terraform_state, :metrics_dashboard, :read_pod_logs, :read_prometheus, :create_feature_flag, :create_environment, :create_deployment, :update_feature_flag, :update_environment, @@ -1946,13 +1942,17 @@ RSpec.describe ProjectPolicy do ] end - let(:maintainer_operations_permissions) do - developer_operations_permissions + [ + let(:maintainer_permissions) do + developer_permissions + [ :read_cluster, :create_cluster, :update_cluster, :admin_environment, :admin_cluster, :admin_terraform_state, :admin_deployment ] end + before do + stub_feature_flags(split_operations_visibility_permissions: false) + end + where(:project_visibility, :access_level, :role, :allowed) do :public | ProjectFeature::ENABLED | :maintainer | true :public | ProjectFeature::ENABLED | :developer | true 
@@ -2005,33 +2005,22 @@ RSpec.describe ProjectPolicy do expect_disallowed(*permissions_abilities(role)) end end - - def permissions_abilities(role) - case role - when :maintainer - maintainer_operations_permissions - when :developer - developer_operations_permissions - else - guest_operations_permissions - end - end end end describe 'environments feature' do using RSpec::Parameterized::TableSyntax - let(:guest_environments_permissions) { [:read_environment, :read_deployment] } + let(:guest_permissions) { [:read_environment, :read_deployment] } - let(:developer_environments_permissions) do - guest_environments_permissions + [ + let(:developer_permissions) do + guest_permissions + [ :create_environment, :create_deployment, :update_environment, :update_deployment, :destroy_environment ] end - let(:maintainer_environments_permissions) do - developer_environments_permissions + [:admin_environment, :admin_deployment] + let(:maintainer_permissions) do + developer_permissions + [:admin_environment, :admin_deployment] end where(:project_visibility, :access_level, :role, :allowed) do 
@@ -2086,15 +2075,73 @@ RSpec.describe ProjectPolicy do
 expect_disallowed(*permissions_abilities(role))
 end
 end
+ end
+ end
- def permissions_abilities(role)
- case role
- when :maintainer
- maintainer_environments_permissions
- when :developer
- developer_environments_permissions
+ describe 'monitor feature' do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:guest_permissions) { [] }
+
+ let(:developer_permissions) do
+ guest_permissions + [
+ :read_sentry_issue, :read_alert_management_alert, :metrics_dashboard,
+ :update_sentry_issue, :update_alert_management_alert
+ ]
+ end
+
+ let(:maintainer_permissions) { developer_permissions }
+
+ where(:project_visibility, :access_level, :role, :allowed) do
+ :public | ProjectFeature::ENABLED | :maintainer | true
+ :public | ProjectFeature::ENABLED | :developer | true
+ :public | ProjectFeature::ENABLED | :guest | true
+ :public | ProjectFeature::ENABLED | :anonymous | true
+ :public | ProjectFeature::PRIVATE | :maintainer | true
+ :public | ProjectFeature::PRIVATE | :developer | true
+ :public | ProjectFeature::PRIVATE | :guest | true
+ :public | ProjectFeature::PRIVATE | :anonymous | false
+ :public | ProjectFeature::DISABLED | :maintainer | false
+ :public | ProjectFeature::DISABLED | :developer | false
+ :public | ProjectFeature::DISABLED | :guest | false
+ :public | ProjectFeature::DISABLED | :anonymous | false
+ :internal | ProjectFeature::ENABLED | :maintainer | true
+ :internal | ProjectFeature::ENABLED | :developer | true
+ :internal | ProjectFeature::ENABLED | :guest | true
+ :internal | ProjectFeature::ENABLED | :anonymous | false
+ :internal | ProjectFeature::PRIVATE | :maintainer | true
+ :internal | ProjectFeature::PRIVATE | :developer | true
+ :internal | ProjectFeature::PRIVATE | :guest | true
+ :internal | ProjectFeature::PRIVATE | :anonymous | false
+ :internal | ProjectFeature::DISABLED | :maintainer | false
+ :internal | ProjectFeature::DISABLED | :developer | false
+ :internal | ProjectFeature::DISABLED | :guest | false
+ :internal | ProjectFeature::DISABLED | :anonymous | false
+ :private | ProjectFeature::ENABLED | :maintainer | true
+ :private | ProjectFeature::ENABLED | :developer | true
+ :private | ProjectFeature::ENABLED | :guest | false
+ :private | ProjectFeature::ENABLED | :anonymous | false
+ :private | ProjectFeature::PRIVATE | :maintainer | true
+ :private | ProjectFeature::PRIVATE | :developer | true
+ :private | ProjectFeature::PRIVATE | :guest | false
+ :private | ProjectFeature::PRIVATE | :anonymous | false
+ :private | ProjectFeature::DISABLED | :maintainer | false
+ :private | ProjectFeature::DISABLED | :developer | false
+ :private | ProjectFeature::DISABLED | :guest | false
+ :private | ProjectFeature::DISABLED | :anonymous | false
+ end
+
+ with_them do
+ let(:current_user) { user_subject(role) }
+ let(:project) { project_subject(project_visibility) }
+
+ it 'allows/disallows the abilities based on the monitor feature access level' do
+ project.project_feature.update!(monitor_access_level: access_level)
+
+ if allowed
+ expect_allowed(*permissions_abilities(role))
 else
- guest_environments_permissions
+ expect_disallowed(*permissions_abilities(role))
 end
 end
 end
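Review bot: In the new 'monitor feature' block `guest_permissions` is `[]`, so every `:guest` row calls `expect_allowed` or `expect_disallowed` with no abilities and asserts nothing. The `:anonymous` rows are equally empty if the shared `permissions_abilities` helper, which is defined outside this hunk, still sends unknown roles to the guest list as the removed per-block helpers did. In that case half of the 36 rows, including denials such as `:public | ProjectFeature::PRIVATE | :anonymous | false`, pass whatever the policy returns. For an authorization spec the denial side should be pinned: if guests and anonymous users are meant to hold none of these abilities, add `expect_disallowed(*developer_permissions) unless %i[maintainer developer].include?(role)` to the example. The enclosing `RSpec.describe` starts outside the hunk.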
@@ -2682,6 +2729,43 @@ RSpec.describe ProjectPolicy do
 end
 end
+ describe 'read_milestone' do
+ context 'when project is public' do
+ let(:project) { public_project_in_group }
+
+ context 'and issues and merge requests are private' do
+ before do
+ project.project_feature.update!(
+ issues_access_level: ProjectFeature::PRIVATE,
+ merge_requests_access_level: ProjectFeature::PRIVATE
+ )
+ end
+
+ context 'when user is an inherited member from the group' do
+ context 'and user is a guest' do
+ let(:current_user) { inherited_guest }
+
+ it { is_expected.to be_allowed(:read_milestone) }
+ end
+
+ context 'and user is a reporter' do
+ let(:current_user) { inherited_reporter }
+
+ it { is_expected.to be_allowed(:read_milestone) }
+ end
+
+ context 'and user is a developer' do
+ let(:current_user) { inherited_developer }
+
+ it { is_expected.to be_allowed(:read_milestone) }
+ end
+ end
+ end
+ end
+ end
+
+ private
+
 def project_subject(project_type)
 case project_type
 when :public |
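Review bot: The new `read_milestone` examples only assert that access is granted, so nothing in the block pins who is still refused when issues and merge requests are both `ProjectFeature::PRIVATE` on a public project. A policy rule that granted `read_milestone` to every visitor would pass all three examples unchanged. Consider a sibling context with `let(:current_user) { anonymous }` and `it { is_expected.to be_disallowed(:read_milestone) }`, assuming anonymous visitors are meant to be refused in this configuration. The `def project_subject` that follows the added `private` continues past the end of the hunk.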