diff options
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/achievements/user_achievement_policy_spec.rb | 78 | ||||
-rw-r--r-- | spec/policies/ci/build_policy_spec.rb | 30 | ||||
-rw-r--r-- | spec/policies/ci/pipeline_policy_spec.rb | 18 | ||||
-rw-r--r-- | spec/policies/ci/pipeline_schedule_policy_spec.rb | 12 | ||||
-rw-r--r-- | spec/policies/ci/runner_manager_policy_spec.rb (renamed from spec/policies/ci/runner_machine_policy_spec.rb) | 64 | ||||
-rw-r--r-- | spec/policies/environment_policy_spec.rb | 3 | ||||
-rw-r--r-- | spec/policies/global_policy_spec.rb | 51 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 169 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 4 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 200 |
10 files changed, 472 insertions, 157 deletions
diff --git a/spec/policies/achievements/user_achievement_policy_spec.rb b/spec/policies/achievements/user_achievement_policy_spec.rb new file mode 100644 index 00000000000..47f6188e178 --- /dev/null +++ b/spec/policies/achievements/user_achievement_policy_spec.rb @@ -0,0 +1,78 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Achievements::UserAchievementPolicy, feature_category: :user_profile do + let(:maintainer) { create(:user) } + + let(:group) { create(:group, :public) } + + let(:current_user) { create(:user) } + let(:achievement) { create(:achievement, namespace: group) } + let(:achievement_owner) { create(:user) } + let(:user_achievement) { create(:user_achievement, achievement: achievement, user: achievement_owner) } + + before do + group.add_maintainer(maintainer) + end + + subject { described_class.new(current_user, user_achievement) } + + it 'is readable to everyone when user has public profile' do + is_expected.to be_allowed(:read_user_achievement) + end + + context 'when user has private profile' do + before do + achievement_owner.update!(private_profile: true) + end + + context 'for achievement owner' do + let(:current_user) { achievement_owner } + + it 'is visible' do + is_expected.to be_allowed(:read_user_achievement) + end + end + + context 'for group maintainer' do + let(:current_user) { maintainer } + + it 'is visible' do + is_expected.to be_allowed(:read_user_achievement) + end + end + + context 'for others' do + it 'is hidden' do + is_expected.not_to be_allowed(:read_user_achievement) + end + end + end + + context 'when group is private' do + let(:group) { create(:group, :private) } + + context 'for achievement owner' do + let(:current_user) { achievement_owner } + + it 'is hidden' do + is_expected.not_to be_allowed(:read_user_achievement) + end + end + + context 'for group maintainer' do + let(:current_user) { maintainer } + + it 'is visible' do + is_expected.to be_allowed(:read_user_achievement) + end + end + + context 'for others' do + it 'is hidden' do + is_expected.not_to be_allowed(:read_user_achievement) + end + end + end +end diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb index fee4d76ca8f..77cfcab5c3e 100644 --- a/spec/policies/ci/build_policy_spec.rb +++ b/spec/policies/ci/build_policy_spec.rb @@ -121,8 +121,7 @@ RSpec.describe Ci::BuildPolicy do context 'when no one can push or merge to the branch' do before do - create(:protected_branch, :no_one_can_push, - name: build.ref, project: project) + create(:protected_branch, :no_one_can_push, name: build.ref, project: project) end it 'does not include ability to update build' do @@ -132,8 +131,7 @@ RSpec.describe Ci::BuildPolicy do context 'when developers can push to the branch' do before do - create(:protected_branch, :developers_can_merge, - name: build.ref, project: project) + create(:protected_branch, :developers_can_merge, name: build.ref, project: project) end it 'includes ability to update build' do @@ -143,8 +141,7 @@ RSpec.describe Ci::BuildPolicy do context 'when no one can create the tag' do before do - create(:protected_tag, :no_one_can_create, - name: build.ref, project: project) + create(:protected_tag, :no_one_can_create, name: build.ref, project: project) build.update!(tag: true) end @@ -156,8 +153,7 @@ RSpec.describe Ci::BuildPolicy do context 'when no one can create the tag but it is not a tag' do before do - create(:protected_tag, :no_one_can_create, - name: build.ref, project: project) + create(:protected_tag, :no_one_can_create, name: build.ref, project: project) end it 'includes ability to update build' do @@ -181,8 +177,7 @@ RSpec.describe Ci::BuildPolicy do context 'when the build was created for a protected ref' do before do - create(:protected_branch, :developers_can_push, - name: build.ref, project: project) + create(:protected_branch, :developers_can_push, name: build.ref, project: project) end it { expect(policy).to be_disallowed :erase_build } @@ -204,8 +199,7 @@ RSpec.describe Ci::BuildPolicy do let(:owner) { user } before do - create(:protected_branch, :no_one_can_push, :no_one_can_merge, - name: build.ref, project: project) + create(:protected_branch, :no_one_can_push, :no_one_can_merge, name: build.ref, project: project) end it { expect(policy).to be_disallowed :erase_build } @@ -219,8 +213,7 @@ RSpec.describe Ci::BuildPolicy do context 'when maintainers can push to the branch' do before do - create(:protected_branch, :maintainers_can_push, - name: build.ref, project: project) + create(:protected_branch, :maintainers_can_push, name: build.ref, project: project) end context 'when the build was created by the maintainer' do @@ -240,8 +233,7 @@ RSpec.describe Ci::BuildPolicy do let(:owner) { user } before do - create(:protected_branch, :no_one_can_push, :no_one_can_merge, - name: build.ref, project: project) + create(:protected_branch, :no_one_can_push, :no_one_can_merge, name: build.ref, project: project) end it { expect(policy).to be_disallowed :erase_build } @@ -257,8 +249,7 @@ RSpec.describe Ci::BuildPolicy do context 'when the build was created for a protected branch' do before do - create(:protected_branch, :developers_can_push, - name: build.ref, project: project) + create(:protected_branch, :developers_can_push, name: build.ref, project: project) end it { expect(policy).to be_allowed :erase_build } @@ -266,8 +257,7 @@ RSpec.describe Ci::BuildPolicy do context 'when the build was created for a protected tag' do before do - create(:protected_tag, :developers_can_create, - name: build.ref, project: project) + create(:protected_tag, :developers_can_create, name: build.ref, project: project) end it { expect(policy).to be_allowed :erase_build } diff --git a/spec/policies/ci/pipeline_policy_spec.rb b/spec/policies/ci/pipeline_policy_spec.rb index b68bb966820..8a5b80e3051 100644 --- a/spec/policies/ci/pipeline_policy_spec.rb +++ b/spec/policies/ci/pipeline_policy_spec.rb @@ -20,8 +20,7 @@ RSpec.describe Ci::PipelinePolicy, :models do context 'when no one can push or merge to the branch' do before do - create(:protected_branch, :no_one_can_push, - name: pipeline.ref, project: project) + create(:protected_branch, :no_one_can_push, name: pipeline.ref, project: project) end it 'does not include ability to update pipeline' do @@ -31,8 +30,7 @@ RSpec.describe Ci::PipelinePolicy, :models do context 'when developers can push to the branch' do before do - create(:protected_branch, :developers_can_merge, - name: pipeline.ref, project: project) + create(:protected_branch, :developers_can_merge, name: pipeline.ref, project: project) end it 'includes ability to update pipeline' do @@ -42,8 +40,7 @@ RSpec.describe Ci::PipelinePolicy, :models do context 'when no one can create the tag' do before do - create(:protected_tag, :no_one_can_create, - name: pipeline.ref, project: project) + create(:protected_tag, :no_one_can_create, name: pipeline.ref, project: project) pipeline.update!(tag: true) end @@ -55,8 +52,7 @@ RSpec.describe Ci::PipelinePolicy, :models do context 'when no one can create the tag but it is not a tag' do before do - create(:protected_tag, :no_one_can_create, - name: pipeline.ref, project: project) + create(:protected_tag, :no_one_can_create, name: pipeline.ref, project: project) end it 'includes ability to update pipeline' do @@ -119,8 +115,7 @@ RSpec.describe Ci::PipelinePolicy, :models do before do project.add_developer(user) - create(:protected_branch, :developers_can_merge, - name: pipeline.ref, project: project) + create(:protected_branch, :developers_can_merge, name: pipeline.ref, project: project) end it 'is enabled' do @@ -133,8 +128,7 @@ RSpec.describe Ci::PipelinePolicy, :models do before do project.add_developer(user) - create(:protected_branch, :developers_can_merge, - name: pipeline.ref, project: project) + create(:protected_branch, :developers_can_merge, name: pipeline.ref, project: project) end it 'is disabled' do diff --git a/spec/policies/ci/pipeline_schedule_policy_spec.rb b/spec/policies/ci/pipeline_schedule_policy_spec.rb index 92ad37145c0..7025eda1ba1 100644 --- a/spec/policies/ci/pipeline_schedule_policy_spec.rb +++ b/spec/policies/ci/pipeline_schedule_policy_spec.rb @@ -19,8 +19,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do context 'when no one can push or merge to the branch' do before do - create(:protected_branch, :no_one_can_push, - name: pipeline_schedule.ref, project: project) + create(:protected_branch, :no_one_can_push, name: pipeline_schedule.ref, project: project) end it 'does not include ability to play pipeline schedule' do @@ -30,8 +29,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do context 'when developers can push to the branch' do before do - create(:protected_branch, :developers_can_merge, - name: pipeline_schedule.ref, project: project) + create(:protected_branch, :developers_can_merge, name: pipeline_schedule.ref, project: project) end it 'includes ability to update pipeline' do @@ -45,8 +43,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do before do pipeline_schedule.update!(ref: tag) - create(:protected_tag, :no_one_can_create, - name: pipeline_schedule.ref, project: project) + create(:protected_tag, :no_one_can_create, name: pipeline_schedule.ref, project: project) end it 'does not include ability to play pipeline schedule' do @@ -56,8 +53,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do context 'when no one can create the tag but it is not a tag' do before do - create(:protected_tag, :no_one_can_create, - name: pipeline_schedule.ref, project: project) + create(:protected_tag, :no_one_can_create, name: pipeline_schedule.ref, project: project) end it 'includes ability to play pipeline schedule' do diff --git a/spec/policies/ci/runner_machine_policy_spec.rb b/spec/policies/ci/runner_manager_policy_spec.rb index 8b95f2d7526..d7004033ceb 100644 --- a/spec/policies/ci/runner_machine_policy_spec.rb +++ b/spec/policies/ci/runner_manager_policy_spec.rb @@ -2,10 +2,10 @@ require 'spec_helper' -RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do +RSpec.describe Ci::RunnerManagerPolicy, feature_category: :runner_fleet do let_it_be(:owner) { create(:user) } - describe 'ability :read_runner_machine' do + describe 'ability :read_runner_manager' do let_it_be(:guest) { create(:user) } let_it_be(:developer) { create(:user) } let_it_be(:maintainer) { create(:user) } @@ -14,13 +14,13 @@ RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do let_it_be_with_reload(:subgroup) { create(:group, name: 'subgroup', path: 'subgroup', parent: group) } let_it_be_with_reload(:project) { create(:project, group: subgroup) } - let_it_be(:instance_runner) { create(:ci_runner, :instance, :with_runner_machine) } - let_it_be(:group_runner) { create(:ci_runner, :group, :with_runner_machine, groups: [group]) } - let_it_be(:project_runner) { create(:ci_runner, :project, :with_runner_machine, projects: [project]) } + let_it_be(:instance_runner) { create(:ci_runner, :instance, :with_runner_manager) } + let_it_be(:group_runner) { create(:ci_runner, :group, :with_runner_manager, groups: [group]) } + let_it_be(:project_runner) { create(:ci_runner, :project, :with_runner_manager, projects: [project]) } - let(:runner_machine) { runner.runner_machines.first } + let(:runner_manager) { runner.runner_managers.first } - subject(:policy) { described_class.new(user, runner_machine) } + subject(:policy) { described_class.new(user, runner_manager) } before_all do group.add_guest(guest) @@ -29,18 +29,18 @@ RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do group.add_owner(owner) end - shared_examples 'a policy allowing reading instance runner machine depending on runner sharing' do + shared_examples 'a policy allowing reading instance runner manager depending on runner sharing' do context 'with instance runner' do let(:runner) { instance_runner } - it { expect_allowed :read_runner_machine } + it { expect_allowed :read_runner_manager } context 'with shared runners disabled on projects' do before do project.update!(shared_runners_enabled: false) end - it { expect_allowed :read_runner_machine } + it { expect_allowed :read_runner_manager } end context 'with shared runners disabled for groups and projects' do @@ -49,32 +49,32 @@ RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do project.update!(shared_runners_enabled: false) end - it { expect_disallowed :read_runner_machine } + it { expect_disallowed :read_runner_manager } end end end - shared_examples 'a policy allowing reading group runner machine depending on runner sharing' do + shared_examples 'a policy allowing reading group runner manager depending on runner sharing' do context 'with group runner' do let(:runner) { group_runner } - it { expect_allowed :read_runner_machine } + it { expect_allowed :read_runner_manager } context 'with sharing of group runners disabled' do before do project.update!(group_runners_enabled: false) end - it { expect_disallowed :read_runner_machine } + it { expect_disallowed :read_runner_manager } end end end - shared_examples 'does not allow reading runners machines on any scope' do + shared_examples 'does not allow reading runners managers on any scope' do context 'with instance runner' do let(:runner) { instance_runner } - it { expect_disallowed :read_runner_machine } + it { expect_disallowed :read_runner_manager } context 'with shared runners disabled for groups and projects' do before do @@ -82,94 +82,94 @@ RSpec.describe Ci::RunnerMachinePolicy, feature_category: :runner_fleet do project.update!(shared_runners_enabled: false) end - it { expect_disallowed :read_runner_machine } + it { expect_disallowed :read_runner_manager } end end context 'with group runner' do let(:runner) { group_runner } - it { expect_disallowed :read_runner_machine } + it { expect_disallowed :read_runner_manager } context 'with sharing of group runners disabled' do before do project.update!(group_runners_enabled: false) end - it { expect_disallowed :read_runner_machine } + it { expect_disallowed :read_runner_manager } end end context 'with project runner' do let(:runner) { project_runner } - it { expect_disallowed :read_runner_machine } + it { expect_disallowed :read_runner_manager } end end context 'without access' do let_it_be(:user) { create(:user) } - it_behaves_like 'does not allow reading runners machines on any scope' + it_behaves_like 'does not allow reading runners managers on any scope' end context 'with guest access' do let(:user) { guest } - it_behaves_like 'does not allow reading runners machines on any scope' + it_behaves_like 'does not allow reading runners managers on any scope' end context 'with developer access' do let(:user) { developer } - it_behaves_like 'a policy allowing reading instance runner machine depending on runner sharing' + it_behaves_like 'a policy allowing reading instance runner manager depending on runner sharing' - it_behaves_like 'a policy allowing reading group runner machine depending on runner sharing' + it_behaves_like 'a policy allowing reading group runner manager depending on runner sharing' context 'with project runner' do let(:runner) { project_runner } - it { expect_disallowed :read_runner_machine } + it { expect_disallowed :read_runner_manager } end end context 'with maintainer access' do let(:user) { maintainer } - it_behaves_like 'a policy allowing reading instance runner machine depending on runner sharing' + it_behaves_like 'a policy allowing reading instance runner manager depending on runner sharing' - it_behaves_like 'a policy allowing reading group runner machine depending on runner sharing' + it_behaves_like 'a policy allowing reading group runner manager depending on runner sharing' context 'with project runner' do let(:runner) { project_runner } - it { expect_allowed :read_runner_machine } + it { expect_allowed :read_runner_manager } end end context 'with owner access' do let(:user) { owner } - it_behaves_like 'a policy allowing reading instance runner machine depending on runner sharing' + it_behaves_like 'a policy allowing reading instance runner manager depending on runner sharing' context 'with group runner' do let(:runner) { group_runner } - it { expect_allowed :read_runner_machine } + it { expect_allowed :read_runner_manager } context 'with sharing of group runners disabled' do before do project.update!(group_runners_enabled: false) end - it { expect_allowed :read_runner_machine } + it { expect_allowed :read_runner_manager } end end context 'with project runner' do let(:runner) { project_runner } - it { expect_allowed :read_runner_machine } + it { expect_allowed :read_runner_manager } end end end diff --git a/spec/policies/environment_policy_spec.rb b/spec/policies/environment_policy_spec.rb index 701fc7ac9ae..f0957ff5cc9 100644 --- a/spec/policies/environment_policy_spec.rb +++ b/spec/policies/environment_policy_spec.rb @@ -50,8 +50,7 @@ RSpec.describe EnvironmentPolicy do with_them do before do project.add_member(user, access_level) unless access_level.nil? - create(:protected_branch, :no_one_can_push, - name: 'master', project: project) + create(:protected_branch, :no_one_can_push, name: 'master', project: project) end it { expect(policy).to be_disallowed :stop_environment } diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index 3d6d95bb122..0d91c288bbc 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -10,6 +10,7 @@ RSpec.describe GlobalPolicy, feature_category: :shared do let_it_be(:service_account) { create(:user, :service_account) } let_it_be(:migration_bot) { create(:user, :migration_bot) } let_it_be(:security_bot) { create(:user, :security_bot) } + let_it_be(:llm_bot) { create(:user, :llm_bot) } let_it_be_with_reload(:current_user) { create(:user) } let_it_be(:user) { create(:user) } @@ -238,6 +239,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do it { is_expected.to be_disallowed(:access_api) } end + context 'llm bot' do + let(:current_user) { llm_bot } + + it { is_expected.to be_disallowed(:access_api) } + end + context 'user blocked pending approval' do before do current_user.block_pending_approval @@ -617,6 +624,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do it { is_expected.to be_disallowed(:log_in) } end + context 'llm bot' do + let(:current_user) { llm_bot } + + it { is_expected.to be_disallowed(:log_in) } + end + context 'user blocked pending approval' do before do current_user.block_pending_approval @@ -626,47 +639,53 @@ RSpec.describe GlobalPolicy, feature_category: :shared do end end - describe 'create_instance_runners' do + describe 'create_instance_runner' do context 'admin' do let(:current_user) { admin_user } context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:create_instance_runners) } + it { is_expected.to be_allowed(:create_instance_runner) } end context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end end context 'with project_bot' do let(:current_user) { project_bot } - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end context 'with migration_bot' do let(:current_user) { migration_bot } - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end context 'with security_bot' do let(:current_user) { security_bot } + it { is_expected.to be_disallowed(:create_instance_runner) } + end + + context 'with llm_bot' do + let(:current_user) { llm_bot } + it { is_expected.to be_disallowed(:create_instance_runners) } end context 'with regular user' do let(:current_user) { user } - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end context 'with anonymous' do let(:current_user) { nil } - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end context 'create_runner_workflow_for_admin flag disabled' do @@ -678,42 +697,48 @@ RSpec.describe GlobalPolicy, feature_category: :shared do let(:current_user) { admin_user } context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end end context 'with project_bot' do let(:current_user) { project_bot } - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end context 'with migration_bot' do let(:current_user) { migration_bot } - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end context 'with security_bot' do let(:current_user) { security_bot } + it { is_expected.to be_disallowed(:create_instance_runner) } + end + + context 'with llm_bot' do + let(:current_user) { llm_bot } + it { is_expected.to be_disallowed(:create_instance_runners) } end context 'with regular user' do let(:current_user) { user } - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end context 'with anonymous' do let(:current_user) { nil } - it { is_expected.to be_disallowed(:create_instance_runners) } + it { is_expected.to be_disallowed(:create_instance_runner) } end end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 003ca2512dc..935b9124534 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -670,6 +670,124 @@ RSpec.describe GroupPolicy, feature_category: :system_access do end end + context 'import_projects' do + before do + group.update!(project_creation_level: project_creation_level) + end + + context 'when group has no project creation level set' do + let(:project_creation_level) { nil } + + context 'reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:import_projects) } + end + + context 'owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:import_projects) } + end + end + + context 'when group has project creation level set to no one' do + let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS } + + context 'reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'owner' do + let(:current_user) { owner } + + it { is_expected.to be_disallowed(:import_projects) } + end + end + + context 'when group has project creation level set to maintainer only' do + let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS } + + context 'reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:import_projects) } + end + + context 'owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:import_projects) } + end + end + + context 'when group has project creation level set to developers + maintainer' do + let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS } + + context 'reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:import_projects) } + end + + context 'maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:import_projects) } + end + + context 'owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:import_projects) } + end + end + end + context 'create_subgroup' do context 'when group has subgroup creation level set to owner' do before do @@ -735,10 +853,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do it_behaves_like 'clusterable policies' do let(:clusterable) { create(:group, :crm_enabled) } let(:cluster) do - create(:cluster, - :provided_by_gcp, - :group, - groups: [clusterable]) + create(:cluster, :provided_by_gcp, :group, groups: [clusterable]) end end @@ -1275,7 +1390,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do end end - describe 'create_group_runners' do + describe 'create_runner' do shared_examples 'disallowed when group runner registration disabled' do context 'with group runner registration disabled' do before do @@ -1286,13 +1401,13 @@ RSpec.describe GroupPolicy, feature_category: :system_access do context 'with specific group runner registration enabled' do let(:runner_registration_enabled) { true } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with specific group runner registration disabled' do let(:runner_registration_enabled) { false } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end end @@ -1306,14 +1421,14 @@ RSpec.describe GroupPolicy, feature_category: :system_access do let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:create_group_runners) } + it { is_expected.to be_allowed(:create_runner) } context 'with specific group runner registration disabled' do before do group.runner_registration_enabled = false end - it { is_expected.to be_allowed(:create_group_runners) } + it { is_expected.to be_allowed(:create_runner) } end context 'with group runner registration disabled' do @@ -1325,26 +1440,26 @@ RSpec.describe GroupPolicy, feature_category: :system_access do context 'with specific group runner registration enabled' do let(:runner_registration_enabled) { true } - it { is_expected.to be_allowed(:create_group_runners) } + it { is_expected.to be_allowed(:create_runner) } end context 'with specific group runner registration disabled' do let(:runner_registration_enabled) { false } - it { is_expected.to be_allowed(:create_group_runners) } + it { is_expected.to be_allowed(:create_runner) } end end end context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end context 'with owner' do let(:current_user) { owner } - it { is_expected.to be_allowed(:create_group_runners) } + it { is_expected.to be_allowed(:create_runner) } it_behaves_like 'disallowed when group runner registration disabled' end @@ -1352,31 +1467,31 @@ RSpec.describe GroupPolicy, feature_category: :system_access do context 'with maintainer' do let(:current_user) { maintainer } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with reporter' do let(:current_user) { reporter } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with guest' do let(:current_user) { guest } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with developer' do let(:current_user) { developer } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with anonymous' do let(:current_user) { nil } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end @@ -1391,28 +1506,28 @@ RSpec.describe GroupPolicy, feature_category: :system_access do let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } context 'with specific group runner registration disabled' do before do group.runner_registration_enabled = false end - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end it_behaves_like 'disallowed when group runner registration disabled' end context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end context 'with owner' do let(:current_user) { owner } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } it_behaves_like 'disallowed when group runner registration disabled' end @@ -1420,31 +1535,31 @@ RSpec.describe GroupPolicy, feature_category: :system_access do context 'with maintainer' do let(:current_user) { maintainer } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with reporter' do let(:current_user) { reporter } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with guest' do let(:current_user) { guest } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with developer' do let(:current_user) { developer } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with anonymous' do let(:current_user) { nil } - it { is_expected.to be_disallowed(:create_group_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index 17558787966..1142d6f80fd 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -27,8 +27,8 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do shared_examples 'support bot with service desk enabled' do before do - allow(::Gitlab::IncomingEmail).to receive(:enabled?) { true } - allow(::Gitlab::IncomingEmail).to receive(:supports_wildcard?) { true } + allow(::Gitlab::Email::IncomingEmail).to receive(:enabled?) { true } + allow(::Gitlab::Email::IncomingEmail).to receive(:supports_wildcard?) { true } project.update!(service_desk_enabled: true) end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 50f425f4efe..ae2a11bdbf0 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -2810,6 +2810,14 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do it { is_expected.to be_allowed(:register_project_runners) } end + + context 'with specific project runner registration disabled' do + before do + project.update!(runner_registration_enabled: false) + end + + it { is_expected.to be_allowed(:register_project_runners) } + end end context 'when admin mode is disabled' do @@ -2829,6 +2837,14 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do it { is_expected.to be_disallowed(:register_project_runners) } end + + context 'with specific project runner registration disabled' do + before do + project.update!(runner_registration_enabled: false) + end + + it { is_expected.to be_disallowed(:register_project_runners) } + end end context 'with maintainer' do @@ -2862,7 +2878,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do end end - describe 'create_project_runners' do + describe 'create_runner' do context 'create_runner_workflow_for_namespace flag enabled' do before do stub_feature_flags(create_runner_workflow_for_namespace: [project.namespace]) @@ -2872,64 +2888,80 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:create_project_runners) } + it { is_expected.to be_allowed(:create_runner) } context 'with project runner registration disabled' do before do stub_application_setting(valid_runner_registrars: ['group']) end - it { is_expected.to be_allowed(:create_project_runners) } + it { is_expected.to be_allowed(:create_runner) } + end + + context 'with specific project runner registration disabled' do + before do + project.update!(runner_registration_enabled: false) + end + + it { is_expected.to be_allowed(:create_runner) } end end context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end context 'with owner' do let(:current_user) { owner } - it { is_expected.to be_allowed(:create_project_runners) } + it { is_expected.to be_allowed(:create_runner) } context 'with project runner registration disabled' do before do stub_application_setting(valid_runner_registrars: ['group']) end - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } + end + + context 'with specific project runner registration disabled' do + before do + project.update!(runner_registration_enabled: false) + end + + it { is_expected.to be_disallowed(:create_runner) } end end context 'with maintainer' do let(:current_user) { maintainer } - it { is_expected.to be_allowed(:create_project_runners) } + it { is_expected.to be_allowed(:create_runner) } end context 'with reporter' do let(:current_user) { reporter } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with guest' do let(:current_user) { guest } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with developer' do let(:current_user) { developer } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with anonymous' do let(:current_user) { nil } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end @@ -2942,68 +2974,162 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } context 'with project runner registration disabled' do before do stub_application_setting(valid_runner_registrars: ['group']) end - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } + end + + context 'with specific project runner registration disabled' do + before do + project.update!(runner_registration_enabled: false) + end + + it { is_expected.to be_disallowed(:create_runner) } end end context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end context 'with owner' do let(:current_user) { owner } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } context 'with project runner registration disabled' do before do stub_application_setting(valid_runner_registrars: ['group']) end - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } + end + + context 'with specific project runner registration disabled' do + before do + project.update!(runner_registration_enabled: false) + end + + it { is_expected.to be_disallowed(:create_runner) } end end context 'with maintainer' do let(:current_user) { maintainer } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with reporter' do let(:current_user) { reporter } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with guest' do let(:current_user) { guest } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with developer' do let(:current_user) { developer } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end context 'with anonymous' do let(:current_user) { nil } - it { is_expected.to be_disallowed(:create_project_runners) } + it { is_expected.to be_disallowed(:create_runner) } end end end + describe 'admin_project_runners' do + context 'admin' do + let(:current_user) { admin } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:create_runner) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:create_runner) } + end + end + + context 'with owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:create_runner) } + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:create_runner) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:create_runner) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:create_runner) } + end + + context 'with developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:create_runner) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_runner) } + end + end + + describe 'read_project_runners' do + subject(:policy) { described_class.new(user, project) } + + context 'with maintainer' do + let(:user) { maintainer } + + it { is_expected.to be_allowed(:read_project_runners) } + end + + context 'with admin', :enable_admin_mode do + let(:user) { admin } + + it { is_expected.to be_allowed(:read_project_runners) } + end + + context 'with reporter' do + let(:user) { reporter } + + it { is_expected.to be_disallowed(:read_project_runners) } + end + + context 'when the user is not part of the project' do + let(:user) { non_member } + + it { is_expected.to be_disallowed(:read_project_runners) } + end + end + describe 'update_sentry_issue' do using RSpec::Parameterized::TableSyntax @@ -3104,26 +3230,6 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do end end - describe 'add_catalog_resource' do - using RSpec::Parameterized::TableSyntax - - let(:current_user) { public_send(role) } - - where(:role, :allowed) do - :owner | true - :maintainer | false - :developer | false - :reporter | false - :guest | false - end - - with_them do - it do - expect(subject.can?(:add_catalog_resource)).to be(allowed) - end - end - end - describe 'read_code' do let(:current_user) { create(:user) } @@ -3145,6 +3251,18 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do end end + describe 'read_namespace_catalog' do + let(:current_user) { owner } + + specify { is_expected.to be_disallowed(:read_namespace_catalog) } + end + + describe 'add_catalog_resource' do + let(:current_user) { owner } + + specify { is_expected.to be_disallowed(:read_namespace_catalog) } + end + private def project_subject(project_type) |