Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/achievements/user_achievement_policy_spec.rb78
-rw-r--r--spec/policies/ci/build_policy_spec.rb30
-rw-r--r--spec/policies/ci/pipeline_policy_spec.rb18
-rw-r--r--spec/policies/ci/pipeline_schedule_policy_spec.rb12
-rw-r--r--spec/policies/ci/runner_manager_policy_spec.rb (renamed from spec/policies/ci/runner_machine_policy_spec.rb)64
-rw-r--r--spec/policies/environment_policy_spec.rb3
-rw-r--r--spec/policies/global_policy_spec.rb51
-rw-r--r--spec/policies/group_policy_spec.rb169
-rw-r--r--spec/policies/issue_policy_spec.rb4
-rw-r--r--spec/policies/project_policy_spec.rb200
10 files changed, 472 insertions, 157 deletions
diff --git a/spec/policies/achievements/user_achievement_policy_spec.rb b/spec/policies/achievements/user_achievement_policy_spec.rb
new file mode 100644
index 00000000000..47f6188e178
--- /dev/null
+++ b/spec/policies/achievements/user_achievement_policy_spec.rb
@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Achievements::UserAchievementPolicy, feature_category: :user_profile do
+ let(:maintainer) { create(:user) }
+
+ let(:group) { create(:group, :public) }
+
+ let(:current_user) { create(:user) }
+ let(:achievement) { create(:achievement, namespace: group) }
+ let(:achievement_owner) { create(:user) }
+ let(:user_achievement) { create(:user_achievement, achievement: achievement, user: achievement_owner) }
+
+ before do
+ group.add_maintainer(maintainer)
+ end
+
+ subject { described_class.new(current_user, user_achievement) }
+
+ it 'is readable to everyone when user has public profile' do
+ is_expected.to be_allowed(:read_user_achievement)
+ end
+
+ context 'when user has private profile' do
+ before do
+ achievement_owner.update!(private_profile: true)
+ end
+
+ context 'for achievement owner' do
+ let(:current_user) { achievement_owner }
+
+ it 'is visible' do
+ is_expected.to be_allowed(:read_user_achievement)
+ end
+ end
+
+ context 'for group maintainer' do
+ let(:current_user) { maintainer }
+
+ it 'is visible' do
+ is_expected.to be_allowed(:read_user_achievement)
+ end
+ end
+
+ context 'for others' do
+ it 'is hidden' do
+ is_expected.not_to be_allowed(:read_user_achievement)
+ end
+ end
+ end
+
+ context 'when group is private' do
+ let(:group) { create(:group, :private) }
+
+ context 'for achievement owner' do
+ let(:current_user) { achievement_owner }
+
+ it 'is hidden' do
+ is_expected.not_to be_allowed(:read_user_achievement)
+ end
+ end
+
+ context 'for group maintainer' do
+ let(:current_user) { maintainer }
+
+ it 'is visible' do
+ is_expected.to be_allowed(:read_user_achievement)
+ end
+ end
+
+ context 'for others' do
+ it 'is hidden' do
+ is_expected.not_to be_allowed(:read_user_achievement)
+ end
+ end
+ end
+end
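Review bot: The example `'is readable to everyone when user has public profile'` only runs with a signed-in `current_user`, so the unauthenticated path of `:read_user_achievement` is never exercised in this new spec. An authorization spec should pin that case explicitly, for instance a `context 'for anonymous'` with `let(:current_user) { nil }` under the public-profile, private-profile and private-group branches. The expected result is whatever the policy intends, which is not visible on this page. The private-profile and private-group conditions are also tested only separately; one combined case for the achievement owner would document which rule wins.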
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index fee4d76ca8f..77cfcab5c3e 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -121,8 +121,7 @@ RSpec.describe Ci::BuildPolicy do
context 'when no one can push or merge to the branch' do
before do
- create(:protected_branch, :no_one_can_push,
- name: build.ref, project: project)
+ create(:protected_branch, :no_one_can_push, name: build.ref, project: project)
end
it 'does not include ability to update build' do
@@ -132,8 +131,7 @@ RSpec.describe Ci::BuildPolicy do
context 'when developers can push to the branch' do
before do
- create(:protected_branch, :developers_can_merge,
- name: build.ref, project: project)
+ create(:protected_branch, :developers_can_merge, name: build.ref, project: project)
end
it 'includes ability to update build' do
@@ -143,8 +141,7 @@ RSpec.describe Ci::BuildPolicy do
context 'when no one can create the tag' do
before do
- create(:protected_tag, :no_one_can_create,
- name: build.ref, project: project)
+ create(:protected_tag, :no_one_can_create, name: build.ref, project: project)
build.update!(tag: true)
end
@@ -156,8 +153,7 @@ RSpec.describe Ci::BuildPolicy do
context 'when no one can create the tag but it is not a tag' do
before do
- create(:protected_tag, :no_one_can_create,
- name: build.ref, project: project)
+ create(:protected_tag, :no_one_can_create, name: build.ref, project: project)
end
it 'includes ability to update build' do
@@ -181,8 +177,7 @@ RSpec.describe Ci::BuildPolicy do
context 'when the build was created for a protected ref' do
before do
- create(:protected_branch, :developers_can_push,
- name: build.ref, project: project)
+ create(:protected_branch, :developers_can_push, name: build.ref, project: project)
end
it { expect(policy).to be_disallowed :erase_build }
@@ -204,8 +199,7 @@ RSpec.describe Ci::BuildPolicy do
let(:owner) { user }
before do
- create(:protected_branch, :no_one_can_push, :no_one_can_merge,
- name: build.ref, project: project)
+ create(:protected_branch, :no_one_can_push, :no_one_can_merge, name: build.ref, project: project)
end
it { expect(policy).to be_disallowed :erase_build }
@@ -219,8 +213,7 @@ RSpec.describe Ci::BuildPolicy do
context 'when maintainers can push to the branch' do
before do
- create(:protected_branch, :maintainers_can_push,
- name: build.ref, project: project)
+ create(:protected_branch, :maintainers_can_push, name: build.ref, project: project)
end
context 'when the build was created by the maintainer' do
@@ -240,8 +233,7 @@ RSpec.describe Ci::BuildPolicy do
let(:owner) { user }
before do
- create(:protected_branch, :no_one_can_push, :no_one_can_merge,
- name: build.ref, project: project)
+ create(:protected_branch, :no_one_can_push, :no_one_can_merge, name: build.ref, project: project)
end
it { expect(policy).to be_disallowed :erase_build }
@@ -257,8 +249,7 @@ RSpec.describe Ci::BuildPolicy do
context 'when the build was created for a protected branch' do
before do
- create(:protected_branch, :developers_can_push,
- name: build.ref, project: project)
+ create(:protected_branch, :developers_can_push, name: build.ref, project: project)
end
it { expect(policy).to be_allowed :erase_build }
@@ -266,8 +257,7 @@ RSpec.describe Ci::BuildPolicy do
context 'when the build was created for a protected tag' do
before do
- create(:protected_tag, :developers_can_create,
- name: build.ref, project: project)
+ create(:protected_tag, :developers_can_create, name: build.ref, project: project)
end
it { expect(policy).to be_allowed :erase_build }
diff --git a/spec/policies/ci/pipeline_policy_spec.rb b/spec/policies/ci/pipeline_policy_spec.rb
index b68bb966820..8a5b80e3051 100644
--- a/spec/policies/ci/pipeline_policy_spec.rb
+++ b/spec/policies/ci/pipeline_policy_spec.rb
@@ -20,8 +20,7 @@ RSpec.describe Ci::PipelinePolicy, :models do
context 'when no one can push or merge to the branch' do
before do
- create(:protected_branch, :no_one_can_push,
- name: pipeline.ref, project: project)
+ create(:protected_branch, :no_one_can_push, name: pipeline.ref, project: project)
end
it 'does not include ability to update pipeline' do
@@ -31,8 +30,7 @@ RSpec.describe Ci::PipelinePolicy, :models do
context 'when developers can push to the branch' do
before do
- create(:protected_branch, :developers_can_merge,
- name: pipeline.ref, project: project)
+ create(:protected_branch, :developers_can_merge, name: pipeline.ref, project: project)
end
it 'includes ability to update pipeline' do
@@ -42,8 +40,7 @@ RSpec.describe Ci::PipelinePolicy, :models do
context 'when no one can create the tag' do
before do
- create(:protected_tag, :no_one_can_create,
- name: pipeline.ref, project: project)
+ create(:protected_tag, :no_one_can_create, name: pipeline.ref, project: project)
pipeline.update!(tag: true)
end
@@ -55,8 +52,7 @@ RSpec.describe Ci::PipelinePolicy, :models do
context 'when no one can create the tag but it is not a tag' do
before do
- create(:protected_tag, :no_one_can_create,
- name: pipeline.ref, project: project)
+ create(:protected_tag, :no_one_can_create, name: pipeline.ref, project: project)
end
it 'includes ability to update pipeline' do
@@ -119,8 +115,7 @@ RSpec.describe Ci::PipelinePolicy, :models do
before do
project.add_developer(user)
- create(:protected_branch, :developers_can_merge,
- name: pipeline.ref, project: project)
+ create(:protected_branch, :developers_can_merge, name: pipeline.ref, project: project)
end
it 'is enabled' do
@@ -133,8 +128,7 @@ RSpec.describe Ci::PipelinePolicy, :models do
before do
project.add_developer(user)
- create(:protected_branch, :developers_can_merge,
- name: pipeline.ref, project: project)
+ create(:protected_branch, :developers_can_merge, name: pipeline.ref, project: project)
end
it 'is disabled' do
diff --git a/spec/policies/ci/pipeline_schedule_policy_spec.rb b/spec/policies/ci/pipeline_schedule_policy_spec.rb
index 92ad37145c0..7025eda1ba1 100644
--- a/spec/policies/ci/pipeline_schedule_policy_spec.rb
+++ b/spec/policies/ci/pipeline_schedule_policy_spec.rb
@@ -19,8 +19,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do
context 'when no one can push or merge to the branch' do
before do
- create(:protected_branch, :no_one_can_push,
- name: pipeline_schedule.ref, project: project)
+ create(:protected_branch, :no_one_can_push, name: pipeline_schedule.ref, project: project)
end
it 'does not include ability to play pipeline schedule' do
@@ -30,8 +29,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do
context 'when developers can push to the branch' do
before do
- create(:protected_branch, :developers_can_merge,
- name: pipeline_schedule.ref, project: project)
+ create(:protected_branch, :developers_can_merge, name: pipeline_schedule.ref, project: project)
end
it 'includes ability to update pipeline' do
@@ -45,8 +43,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do
before do
pipeline_schedule.update!(ref: tag)
- create(:protected_tag, :no_one_can_create,
- name: pipeline_schedule.ref, project: project)
+ create(:protected_tag, :no_one_can_create, name: pipeline_schedule.ref, project: project)
end
it 'does not include ability to play pipeline schedule' do
@@ -56,8 +53,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do
context 'when no one can create the tag but it is not a tag' do
before do
- create(:protected_tag, :no_one_can_create,
- name: pipeline_schedule.ref, project: project)
+ create(:protected_tag, :no_one_can_create, name: pipeline_schedule.ref, project: project)
end
it 'includes ability to play pipeline schedule' do
diff --git a/spec/policies/ci/runner_machine_policy_spec.rb b/spec/policies/ci/runner_manager_policy_spec.rb
index 8b95f2d7526..d7004033ceb 100644
--- a/spec/policies/ci/runner_machine_policy_spec.rb
+++ b/spec/policies/ci/runner_manager_policy_spec.rb
@@ -2,10 +2,10 @@
require 'spec_helper'
-RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do
+RSpec.describe Ci::RunnerManagerPolicy, feature_category: :runner_fleet do
let_it_be(:owner) { create(:user) }
- describe 'ability :read_runner_machine' do
+ describe 'ability :read_runner_manager' do
let_it_be(:guest) { create(:user) }
let_it_be(:developer) { create(:user) }
let_it_be(:maintainer) { create(:user) }
@@ -14,13 +14,13 @@ RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do
let_it_be_with_reload(:subgroup) { create(:group, name: 'subgroup', path: 'subgroup', parent: group) }
let_it_be_with_reload(:project) { create(:project, group: subgroup) }
- let_it_be(:instance_runner) { create(:ci_runner, :instance, :with_runner_machine) }
- let_it_be(:group_runner) { create(:ci_runner, :group, :with_runner_machine, groups: [group]) }
- let_it_be(:project_runner) { create(:ci_runner, :project, :with_runner_machine, projects: [project]) }
+ let_it_be(:instance_runner) { create(:ci_runner, :instance, :with_runner_manager) }
+ let_it_be(:group_runner) { create(:ci_runner, :group, :with_runner_manager, groups: [group]) }
+ let_it_be(:project_runner) { create(:ci_runner, :project, :with_runner_manager, projects: [project]) }
- let(:runner_machine) { runner.runner_machines.first }
+ let(:runner_manager) { runner.runner_managers.first }
- subject(:policy) { described_class.new(user, runner_machine) }
+ subject(:policy) { described_class.new(user, runner_manager) }
before_all do
group.add_guest(guest)
@@ -29,18 +29,18 @@ RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do
group.add_owner(owner)
end
- shared_examples 'a policy allowing reading instance runner machine depending on runner sharing' do
+ shared_examples 'a policy allowing reading instance runner manager depending on runner sharing' do
context 'with instance runner' do
let(:runner) { instance_runner }
- it { expect_allowed :read_runner_machine }
+ it { expect_allowed :read_runner_manager }
context 'with shared runners disabled on projects' do
before do
project.update!(shared_runners_enabled: false)
end
- it { expect_allowed :read_runner_machine }
+ it { expect_allowed :read_runner_manager }
end
context 'with shared runners disabled for groups and projects' do
@@ -49,32 +49,32 @@ RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do
project.update!(shared_runners_enabled: false)
end
- it { expect_disallowed :read_runner_machine }
+ it { expect_disallowed :read_runner_manager }
end
end
end
- shared_examples 'a policy allowing reading group runner machine depending on runner sharing' do
+ shared_examples 'a policy allowing reading group runner manager depending on runner sharing' do
context 'with group runner' do
let(:runner) { group_runner }
- it { expect_allowed :read_runner_machine }
+ it { expect_allowed :read_runner_manager }
context 'with sharing of group runners disabled' do
before do
project.update!(group_runners_enabled: false)
end
- it { expect_disallowed :read_runner_machine }
+ it { expect_disallowed :read_runner_manager }
end
end
end
- shared_examples 'does not allow reading runners machines on any scope' do
+ shared_examples 'does not allow reading runners managers on any scope' do
context 'with instance runner' do
let(:runner) { instance_runner }
- it { expect_disallowed :read_runner_machine }
+ it { expect_disallowed :read_runner_manager }
context 'with shared runners disabled for groups and projects' do
before do
@@ -82,94 +82,94 @@ RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do
project.update!(shared_runners_enabled: false)
end
- it { expect_disallowed :read_runner_machine }
+ it { expect_disallowed :read_runner_manager }
end
end
context 'with group runner' do
let(:runner) { group_runner }
- it { expect_disallowed :read_runner_machine }
+ it { expect_disallowed :read_runner_manager }
context 'with sharing of group runners disabled' do
before do
project.update!(group_runners_enabled: false)
end
- it { expect_disallowed :read_runner_machine }
+ it { expect_disallowed :read_runner_manager }
end
end
context 'with project runner' do
let(:runner) { project_runner }
- it { expect_disallowed :read_runner_machine }
+ it { expect_disallowed :read_runner_manager }
end
end
context 'without access' do
let_it_be(:user) { create(:user) }
- it_behaves_like 'does not allow reading runners machines on any scope'
+ it_behaves_like 'does not allow reading runners managers on any scope'
end
context 'with guest access' do
let(:user) { guest }
- it_behaves_like 'does not allow reading runners machines on any scope'
+ it_behaves_like 'does not allow reading runners managers on any scope'
end
context 'with developer access' do
let(:user) { developer }
- it_behaves_like 'a policy allowing reading instance runner machine depending on runner sharing'
+ it_behaves_like 'a policy allowing reading instance runner manager depending on runner sharing'
- it_behaves_like 'a policy allowing reading group runner machine depending on runner sharing'
+ it_behaves_like 'a policy allowing reading group runner manager depending on runner sharing'
context 'with project runner' do
let(:runner) { project_runner }
- it { expect_disallowed :read_runner_machine }
+ it { expect_disallowed :read_runner_manager }
end
end
context 'with maintainer access' do
let(:user) { maintainer }
- it_behaves_like 'a policy allowing reading instance runner machine depending on runner sharing'
+ it_behaves_like 'a policy allowing reading instance runner manager depending on runner sharing'
- it_behaves_like 'a policy allowing reading group runner machine depending on runner sharing'
+ it_behaves_like 'a policy allowing reading group runner manager depending on runner sharing'
context 'with project runner' do
let(:runner) { project_runner }
- it { expect_allowed :read_runner_machine }
+ it { expect_allowed :read_runner_manager }
end
end
context 'with owner access' do
let(:user) { owner }
- it_behaves_like 'a policy allowing reading instance runner machine depending on runner sharing'
+ it_behaves_like 'a policy allowing reading instance runner manager depending on runner sharing'
context 'with group runner' do
let(:runner) { group_runner }
- it { expect_allowed :read_runner_machine }
+ it { expect_allowed :read_runner_manager }
context 'with sharing of group runners disabled' do
before do
project.update!(group_runners_enabled: false)
end
- it { expect_allowed :read_runner_machine }
+ it { expect_allowed :read_runner_manager }
end
end
context 'with project runner' do
let(:runner) { project_runner }
- it { expect_allowed :read_runner_machine }
+ it { expect_allowed :read_runner_manager }
end
end
end
diff --git a/spec/policies/environment_policy_spec.rb b/spec/policies/environment_policy_spec.rb
index 701fc7ac9ae..f0957ff5cc9 100644
--- a/spec/policies/environment_policy_spec.rb
+++ b/spec/policies/environment_policy_spec.rb
@@ -50,8 +50,7 @@ RSpec.describe EnvironmentPolicy do
with_them do
before do
project.add_member(user, access_level) unless access_level.nil?
- create(:protected_branch, :no_one_can_push,
- name: 'master', project: project)
+ create(:protected_branch, :no_one_can_push, name: 'master', project: project)
end
it { expect(policy).to be_disallowed :stop_environment }
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 3d6d95bb122..0d91c288bbc 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
let_it_be(:service_account) { create(:user, :service_account) }
let_it_be(:migration_bot) { create(:user, :migration_bot) }
let_it_be(:security_bot) { create(:user, :security_bot) }
+ let_it_be(:llm_bot) { create(:user, :llm_bot) }
let_it_be_with_reload(:current_user) { create(:user) }
let_it_be(:user) { create(:user) }
@@ -238,6 +239,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
it { is_expected.to be_disallowed(:access_api) }
end
+ context 'llm bot' do
+ let(:current_user) { llm_bot }
+
+ it { is_expected.to be_disallowed(:access_api) }
+ end
+
context 'user blocked pending approval' do
before do
current_user.block_pending_approval
@@ -617,6 +624,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
it { is_expected.to be_disallowed(:log_in) }
end
+ context 'llm bot' do
+ let(:current_user) { llm_bot }
+
+ it { is_expected.to be_disallowed(:log_in) }
+ end
+
context 'user blocked pending approval' do
before do
current_user.block_pending_approval
@@ -626,47 +639,53 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
end
end
- describe 'create_instance_runners' do
+ describe 'create_instance_runner' do
context 'admin' do
let(:current_user) { admin_user }
context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:create_instance_runners) }
+ it { is_expected.to be_allowed(:create_instance_runner) }
end
context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
end
context 'with project_bot' do
let(:current_user) { project_bot }
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
context 'with migration_bot' do
let(:current_user) { migration_bot }
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
context 'with security_bot' do
let(:current_user) { security_bot }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
+ end
+
+ context 'with llm_bot' do
+ let(:current_user) { llm_bot }
+
it { is_expected.to be_disallowed(:create_instance_runners) }
end
context 'with regular user' do
let(:current_user) { user }
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
context 'with anonymous' do
let(:current_user) { nil }
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
context 'create_runner_workflow_for_admin flag disabled' do
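Review bot: The new `with llm_bot` context still asserts the old ability name. Its body is the unchanged line `it { is_expected.to be_disallowed(:create_instance_runners) }`, while every other example in this `describe` was switched to `:create_instance_runner`. If the plural ability no longer exists after the rename, a disallowed check on it probably passes whatever the policy grants the bot, so this case would not guard the renamed permission. The line should read `it { is_expected.to be_disallowed(:create_instance_runner) }`. The same leftover is in the `with llm_bot` context of the following hunk (the `create_runner_workflow_for_admin flag disabled` branch).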
@@ -678,42 +697,48 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
let(:current_user) { admin_user }
context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
end
context 'with project_bot' do
let(:current_user) { project_bot }
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
context 'with migration_bot' do
let(:current_user) { migration_bot }
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
context 'with security_bot' do
let(:current_user) { security_bot }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
+ end
+
+ context 'with llm_bot' do
+ let(:current_user) { llm_bot }
+
it { is_expected.to be_disallowed(:create_instance_runners) }
end
context 'with regular user' do
let(:current_user) { user }
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
context 'with anonymous' do
let(:current_user) { nil }
- it { is_expected.to be_disallowed(:create_instance_runners) }
+ it { is_expected.to be_disallowed(:create_instance_runner) }
end
end
end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 003ca2512dc..935b9124534 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -670,6 +670,124 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
end
end
+ context 'import_projects' do
+ before do
+ group.update!(project_creation_level: project_creation_level)
+ end
+
+ context 'when group has no project creation level set' do
+ let(:project_creation_level) { nil }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to no one' do
+ let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to maintainer only' do
+ let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to developers + maintainer' do
+ let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
+ end
+
context 'create_subgroup' do
context 'when group has subgroup creation level set to owner' do
before do
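Review bot: In the `'when group has project creation level set to developers + maintainer'` context the developer example expects `be_disallowed(:import_projects)`, which is surprising next to a creation level that names developers and has no explanation. If import is deliberately stricter than project creation, a comment above that example would stop a later reader from "fixing" it, for example `# import_projects requires Maintainer even when developers may create projects`. The four role blocks are also repeated verbatim under each level; a `where`/`with_them` table, as used in `environment_policy_spec.rb` in this commit, would show the whole role-by-level matrix at a glance. Guest and anonymous users are not covered for the new ability.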
@@ -735,10 +853,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
it_behaves_like 'clusterable policies' do
let(:clusterable) { create(:group, :crm_enabled) }
let(:cluster) do
- create(:cluster,
- :provided_by_gcp,
- :group,
- groups: [clusterable])
+ create(:cluster, :provided_by_gcp, :group, groups: [clusterable])
end
end
@@ -1275,7 +1390,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
end
end
- describe 'create_group_runners' do
+ describe 'create_runner' do
shared_examples 'disallowed when group runner registration disabled' do
context 'with group runner registration disabled' do
before do
@@ -1286,13 +1401,13 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
context 'with specific group runner registration enabled' do
let(:runner_registration_enabled) { true }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with specific group runner registration disabled' do
let(:runner_registration_enabled) { false }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
end
@@ -1306,14 +1421,14 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
context 'with specific group runner registration disabled' do
before do
group.runner_registration_enabled = false
end
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
end
context 'with group runner registration disabled' do
@@ -1325,26 +1440,26 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
context 'with specific group runner registration enabled' do
let(:runner_registration_enabled) { true }
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
end
context 'with specific group runner registration disabled' do
let(:runner_registration_enabled) { false }
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
end
end
end
context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'with owner' do
let(:current_user) { owner }
- it { is_expected.to be_allowed(:create_group_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
it_behaves_like 'disallowed when group runner registration disabled'
end
@@ -1352,31 +1467,31 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
context 'with maintainer' do
let(:current_user) { maintainer }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with reporter' do
let(:current_user) { reporter }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with guest' do
let(:current_user) { guest }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with developer' do
let(:current_user) { developer }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with anonymous' do
let(:current_user) { nil }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
@@ -1391,28 +1506,28 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
context 'with specific group runner registration disabled' do
before do
group.runner_registration_enabled = false
end
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
it_behaves_like 'disallowed when group runner registration disabled'
end
context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'with owner' do
let(:current_user) { owner }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
it_behaves_like 'disallowed when group runner registration disabled'
end
@@ -1420,31 +1535,31 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
context 'with maintainer' do
let(:current_user) { maintainer }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with reporter' do
let(:current_user) { reporter }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with guest' do
let(:current_user) { guest }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with developer' do
let(:current_user) { developer }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with anonymous' do
let(:current_user) { nil }
- it { is_expected.to be_disallowed(:create_group_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 17558787966..1142d6f80fd 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -27,8 +27,8 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
shared_examples 'support bot with service desk enabled' do
before do
- allow(::Gitlab::IncomingEmail).to receive(:enabled?) { true }
- allow(::Gitlab::IncomingEmail).to receive(:supports_wildcard?) { true }
+ allow(::Gitlab::Email::IncomingEmail).to receive(:enabled?) { true }
+ allow(::Gitlab::Email::IncomingEmail).to receive(:supports_wildcard?) { true }
project.update!(service_desk_enabled: true)
end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 50f425f4efe..ae2a11bdbf0 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2810,6 +2810,14 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
it { is_expected.to be_allowed(:register_project_runners) }
end
+
+ context 'with specific project runner registration disabled' do
+ before do
+ project.update!(runner_registration_enabled: false)
+ end
+
+ it { is_expected.to be_allowed(:register_project_runners) }
+ end
end
context 'when admin mode is disabled' do
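Review bot: The added example expects `:register_project_runners` to stay allowed after `project.update!(runner_registration_enabled: false)`, and nothing in the spec says that this bypass of the project-level setting is intentional. The enclosing context starts outside the hunk; judging by the sibling `'when admin mode is disabled'` context that follows, it is presumably the admin-mode-enabled case. A short comment above the new context, such as `# Admins in admin mode are not restricted by the project-level runner_registration_enabled setting`, would keep a later reader from treating the expectation as a mistake. The same applies to the matching admin example added under `describe 'create_runner'` in the `@@ -2872,64 +2888,80 @@` hunk.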
@@ -2829,6 +2837,14 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
it { is_expected.to be_disallowed(:register_project_runners) }
end
+
+ context 'with specific project runner registration disabled' do
+ before do
+ project.update!(runner_registration_enabled: false)
+ end
+
+ it { is_expected.to be_disallowed(:register_project_runners) }
+ end
end
context 'with maintainer' do
@@ -2862,7 +2878,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
end
end
- describe 'create_project_runners' do
+ describe 'create_runner' do
context 'create_runner_workflow_for_namespace flag enabled' do
before do
stub_feature_flags(create_runner_workflow_for_namespace: [project.namespace])
@@ -2872,64 +2888,80 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:create_project_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
context 'with project runner registration disabled' do
before do
stub_application_setting(valid_runner_registrars: ['group'])
end
- it { is_expected.to be_allowed(:create_project_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
+ end
+
+ context 'with specific project runner registration disabled' do
+ before do
+ project.update!(runner_registration_enabled: false)
+ end
+
+ it { is_expected.to be_allowed(:create_runner) }
end
end
context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'with owner' do
let(:current_user) { owner }
- it { is_expected.to be_allowed(:create_project_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
context 'with project runner registration disabled' do
before do
stub_application_setting(valid_runner_registrars: ['group'])
end
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
+ end
+
+ context 'with specific project runner registration disabled' do
+ before do
+ project.update!(runner_registration_enabled: false)
+ end
+
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'with maintainer' do
let(:current_user) { maintainer }
- it { is_expected.to be_allowed(:create_project_runners) }
+ it { is_expected.to be_allowed(:create_runner) }
end
context 'with reporter' do
let(:current_user) { reporter }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with guest' do
let(:current_user) { guest }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with developer' do
let(:current_user) { developer }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with anonymous' do
let(:current_user) { nil }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
@@ -2942,68 +2974,162 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
context 'with project runner registration disabled' do
before do
stub_application_setting(valid_runner_registrars: ['group'])
end
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
+ end
+
+ context 'with specific project runner registration disabled' do
+ before do
+ project.update!(runner_registration_enabled: false)
+ end
+
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'when admin mode is disabled' do
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'with owner' do
let(:current_user) { owner }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
context 'with project runner registration disabled' do
before do
stub_application_setting(valid_runner_registrars: ['group'])
end
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
+ end
+
+ context 'with specific project runner registration disabled' do
+ before do
+ project.update!(runner_registration_enabled: false)
+ end
+
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
context 'with maintainer' do
let(:current_user) { maintainer }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with reporter' do
let(:current_user) { reporter }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with guest' do
let(:current_user) { guest }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with developer' do
let(:current_user) { developer }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
context 'with anonymous' do
let(:current_user) { nil }
- it { is_expected.to be_disallowed(:create_project_runners) }
+ it { is_expected.to be_disallowed(:create_runner) }
end
end
end
+ describe 'admin_project_runners' do
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:create_runner) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:create_runner) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:create_runner) }
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:create_runner) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:create_runner) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:create_runner) }
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:create_runner) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:create_runner) }
+ end
+ end
+
+ describe 'read_project_runners' do
+ subject(:policy) { described_class.new(user, project) }
+
+ context 'with maintainer' do
+ let(:user) { maintainer }
+
+ it { is_expected.to be_allowed(:read_project_runners) }
+ end
+
+ context 'with admin', :enable_admin_mode do
+ let(:user) { admin }
+
+ it { is_expected.to be_allowed(:read_project_runners) }
+ end
+
+ context 'with reporter' do
+ let(:user) { reporter }
+
+ it { is_expected.to be_disallowed(:read_project_runners) }
+ end
+
+ context 'when the user is not part of the project' do
+ let(:user) { non_member }
+
+ it { is_expected.to be_disallowed(:read_project_runners) }
+ end
+ end
+
describe 'update_sentry_issue' do
using RSpec::Parameterized::TableSyntax
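Review bot: The new `describe 'admin_project_runners'` block never checks `:admin_project_runners`; every example in it asserts `:create_runner`, so the ability named in the description gets no coverage from this block. If the block is meant to pin who may administer project runners, each matcher should read like `it { is_expected.to be_allowed(:admin_project_runners) }`; if `:create_runner` really is the subject, the description should say so. The block also does not stub `create_runner_workflow_for_namespace`, unlike the `'create_runner_workflow_for_namespace flag enabled'` context in `describe 'create_runner'`, so its results depend on the flag's default in the test environment. In the new `read_project_runners` block, an admin case without `:enable_admin_mode` would match the admin-mode pairs used elsewhere in this file.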
@@ -3104,26 +3230,6 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
end
end
- describe 'add_catalog_resource' do
- using RSpec::Parameterized::TableSyntax
-
- let(:current_user) { public_send(role) }
-
- where(:role, :allowed) do
- :owner | true
- :maintainer | false
- :developer | false
- :reporter | false
- :guest | false
- end
-
- with_them do
- it do
- expect(subject.can?(:add_catalog_resource)).to be(allowed)
- end
- end
- end
-
describe 'read_code' do
let(:current_user) { create(:user) }
@@ -3145,6 +3251,18 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
end
end
+ describe 'read_namespace_catalog' do
+ let(:current_user) { owner }
+
+ specify { is_expected.to be_disallowed(:read_namespace_catalog) }
+ end
+
+ describe 'add_catalog_resource' do
+ let(:current_user) { owner }
+
+ specify { is_expected.to be_disallowed(:read_namespace_catalog) }
+ end
+
private
def project_subject(project_type)
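Review bot: The re-added `describe 'add_catalog_resource'` block asserts `:read_namespace_catalog`, not `:add_catalog_resource`, so it duplicates the `read_namespace_catalog` example directly above it and leaves the `:add_catalog_resource` ability untested. The role table for that ability is removed in the previous hunk (`@@ -3104,26 +3230,6 @@`), so no visible check of who may add a catalog resource remains. The matcher should presumably read `specify { is_expected.to be_disallowed(:add_catalog_resource) }`, assuming disallowed is the intended result for an owner here. The enclosing `RSpec.describe ProjectPolicy` block starts and ends outside the hunk.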