diff options
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/global_policy_spec.rb | 30 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 20 | ||||
-rw-r--r-- | spec/policies/issue_policy_spec.rb | 123 | ||||
-rw-r--r-- | spec/policies/merge_request_policy_spec.rb | 5 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 244 |
5 files changed, 338 insertions, 84 deletions
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index bbbc5d08c07..9e995366c17 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -565,4 +565,34 @@ RSpec.describe GlobalPolicy do it { is_expected.not_to be_allowed(:log_in) } end end + + describe 'update_runners_registration_token' do + context 'when anonymous' do + let(:current_user) { nil } + + it { is_expected.not_to be_allowed(:update_runners_registration_token) } + end + + context 'regular user' do + it { is_expected.not_to be_allowed(:update_runners_registration_token) } + end + + context 'when external' do + let(:current_user) { build(:user, :external) } + + it { is_expected.not_to be_allowed(:update_runners_registration_token) } + end + + context 'admin' do + let(:current_user) { create(:admin) } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:update_runners_registration_token) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:update_runners_registration_token) } + end + end + end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index f5e389ff338..9fac5521aa6 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -924,53 +924,53 @@ RSpec.describe GroupPolicy do end end - context 'timelogs' do - context 'with admin' do + describe 'update_runners_registration_token' do + context 'admin' do let(:current_user) { admin } context 'when admin mode is enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:read_group_timelogs) } + it { is_expected.to be_allowed(:update_runners_registration_token) } end context 'when admin mode is disabled' do - it { is_expected.to be_disallowed(:read_group_timelogs) } + it { is_expected.to be_disallowed(:update_runners_registration_token) } end end context 'with owner' do let(:current_user) { owner } - it { is_expected.to be_allowed(:read_group_timelogs) } + it { is_expected.to be_allowed(:update_runners_registration_token) } end context 'with maintainer' do let(:current_user) { maintainer } - it { is_expected.to be_allowed(:read_group_timelogs) } + it { is_expected.to be_allowed(:update_runners_registration_token) } end context 'with reporter' do let(:current_user) { reporter } - it { is_expected.to be_allowed(:read_group_timelogs) } + it { is_expected.to be_disallowed(:update_runners_registration_token) } end context 'with guest' do let(:current_user) { guest } - it { is_expected.to be_disallowed(:read_group_timelogs) } + it { is_expected.to be_disallowed(:update_runners_registration_token) } end context 'with non member' do let(:current_user) { create(:user) } - it { is_expected.to be_disallowed(:read_group_timelogs) } + it { is_expected.to be_disallowed(:update_runners_registration_token) } end context 'with anonymous' do let(:current_user) { nil } - it { is_expected.to be_disallowed(:read_group_timelogs) } + it { is_expected.to be_disallowed(:update_runners_registration_token) } end end end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index 76788ae2cb7..bc09191f6ec 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -21,6 +21,7 @@ RSpec.describe IssuePolicy do let(:project) { create(:project, :private) } let(:issue) { create(:issue, project: project, assignees: [assignee], author: author) } let(:issue_no_assignee) { create(:issue, project: project) } + let(:new_issue) { build(:issue, project: project, assignees: [assignee], author: author) } before do project.add_guest(guest) @@ -34,42 +35,51 @@ RSpec.describe IssuePolicy do end it 'does not allow non-members to read issues' do - expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata) end it 'allows guests to read issues' do expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue) + expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue) + expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + + expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end it 'allows reporters to read, update, and admin issues' do - expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end it 'allows reporters from group links to read, update, and admin issues' do - expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end it 'allows issue authors to read and update their issues' do expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(author, issue)).to be_disallowed(:admin_issue) + expect(permissions(author, issue)).to be_disallowed(:admin_issue, :set_issue_metadata) expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue) + expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + + expect(permissions(author, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end it 'allows issue assignees to read and update their issues' do expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(assignee, issue)).to be_disallowed(:admin_issue) + expect(permissions(assignee, issue)).to be_disallowed(:admin_issue, :set_issue_metadata) expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue) + expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata) + + expect(permissions(assignee, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end context 'with confidential issues' do @@ -78,48 +88,49 @@ RSpec.describe IssuePolicy do it 'does not allow non-members to read confidential issues' do expect(permissions(non_member, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'does not allow guests to read confidential issues' do expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'allows reporters to read, update, and admin confidential issues' do - expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'allows reporters from group links to read, update, and admin confidential issues' do - expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'allows issue authors to read and update their confidential issues' do expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue) + expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata) expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:admin_issue, :set_issue_metadata) end it 'does not allow issue author to read or update confidential issue moved to an private project' do confidential_issue.project = create(:project, :private) - expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue) + expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata) end it 'allows issue assignees to read and update their confidential issues' do expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue) + expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata) - expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'does not allow issue assignees to read or update confidential issue moved to an private project' do confidential_issue.project = create(:project, :private) - expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue) + expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata) end end end @@ -129,6 +140,7 @@ RSpec.describe IssuePolicy do let(:issue) { create(:issue, project: project, assignees: [assignee], author: author) } let(:issue_no_assignee) { create(:issue, project: project) } let(:issue_locked) { create(:issue, :locked, project: project, author: author, assignees: [assignee]) } + let(:new_issue) { build(:issue, project: project) } before do project.add_guest(guest) @@ -139,56 +151,65 @@ RSpec.describe IssuePolicy do create(:project_group_link, group: group, project: project) end - it 'does not allow guest to create todos' do + it 'does not allow anonymous user to create todos' do expect(permissions(nil, issue)).to be_allowed(:read_issue) - expect(permissions(nil, issue)).to be_disallowed(:create_todo) + expect(permissions(nil, issue)).to be_disallowed(:create_todo, :update_subscription, :set_issue_metadata) + expect(permissions(nil, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata) end it 'allows guests to read issues' do - expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid, :create_todo) - expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue) + expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid, :create_todo, :update_subscription) + expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue) + expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) expect(permissions(guest, issue_locked)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(guest, issue_locked)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue) + expect(permissions(guest, issue_locked)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + + expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end it 'allows reporters to read, update, reopen, and admin issues' do - expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue) - expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue) - expect(permissions(reporter, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(reporter, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) expect(permissions(reporter, issue_locked)).to be_disallowed(:reopen_issue) + expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end it 'allows reporters from group links to read, update, reopen and admin issues' do - expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue) - expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue) - expect(permissions(reporter_from_group_link, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) + expect(permissions(reporter_from_group_link, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) expect(permissions(reporter_from_group_link, issue_locked)).to be_disallowed(:reopen_issue) + expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end it 'allows issue authors to read, reopen and update their issues' do expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :reopen_issue) - expect(permissions(author, issue)).to be_disallowed(:admin_issue) + expect(permissions(author, issue)).to be_disallowed(:admin_issue, :set_issue_metadata) expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue) + expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) expect(permissions(author, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(author, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue) + expect(permissions(author, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue, :set_issue_metadata) + + expect(permissions(author, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end it 'allows issue assignees to read, reopen and update their issues' do expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :reopen_issue) - expect(permissions(assignee, issue)).to be_disallowed(:admin_issue) + expect(permissions(assignee, issue)).to be_disallowed(:admin_issue, :set_issue_metadata) expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) - expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue) + expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata) expect(permissions(assignee, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(assignee, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue) + expect(permissions(assignee, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue, :set_issue_metadata) + + expect(permissions(author, new_issue)).to be_allowed(:create_issue, :set_issue_metadata) end context 'when issues are private' do @@ -205,12 +226,18 @@ RSpec.describe IssuePolicy do it 'forbids visitors from commenting' do expect(permissions(visitor, issue)).to be_disallowed(:create_note) end + it 'forbids visitors from subscribing' do + expect(permissions(visitor, issue)).to be_disallowed(:update_subscription) + end it 'allows guests to view' do expect(permissions(guest, issue)).to be_allowed(:read_issue) end it 'allows guests to comment' do expect(permissions(guest, issue)).to be_allowed(:create_note) end + it 'allows guests to subscribe' do + expect(permissions(guest, issue)).to be_allowed(:update_subscription) + end context 'when admin mode is enabled', :enable_admin_mode do it 'allows admins to view' do @@ -239,31 +266,31 @@ RSpec.describe IssuePolicy do it 'does not allow guests to read confidential issues' do expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'allows reporters to read, update, and admin confidential issues' do expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'allows reporter from group links to read, update, and admin confidential issues' do expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) - expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'allows issue authors to read and update their confidential issues' do expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue) + expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata) - expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end it 'allows issue assignees to read and update their confidential issues' do expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) - expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue) + expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata) - expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) + expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata) end end end diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 744822f58d1..b94df4d4374 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -26,7 +26,8 @@ RSpec.describe MergeRequestPolicy do read_merge_request create_todo approve_merge_request - create_note].freeze + create_note + update_subscription].freeze shared_examples_for 'a denied user' do let(:perms) { permissions(subject, merge_request) } @@ -55,7 +56,7 @@ RSpec.describe MergeRequestPolicy do subject { permissions(nil, merge_request) } it do - is_expected.to be_disallowed(:create_todo) + is_expected.to be_disallowed(:create_todo, :update_subscription) end end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 46da42a4787..d0fe0cca8a1 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -1386,53 +1386,249 @@ RSpec.describe ProjectPolicy do end end - context 'timelogs' do - context 'with admin' do - let(:current_user) { admin } + describe 'when user is authenticated via CI_JOB_TOKEN', :request_store do + let(:current_user) { developer } + let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) } - context 'when admin mode enabled', :enable_admin_mode do - it { is_expected.to be_allowed(:read_group_timelogs) } + before do + current_user.set_ci_job_token_scope!(job) + end + + context 'when accessing a private project' do + let(:project) { private_project } + + context 'when the job token comes from the same project' do + let(:scope_project) { project } + + it { is_expected.to be_allowed(:developer_access) } end - context 'when admin mode disabled' do - it { is_expected.to be_disallowed(:read_group_timelogs) } + context 'when the job token comes from another project' do + let(:scope_project) { create(:project, :private) } + + before do + scope_project.add_developer(current_user) + end + + it { is_expected.to be_disallowed(:guest_access) } end end - context 'with owner' do - let(:current_user) { owner } + context 'when accessing a public project' do + let(:project) { public_project } - it { is_expected.to be_allowed(:read_group_timelogs) } + context 'when the job token comes from the same project' do + let(:scope_project) { project } + + it { is_expected.to be_allowed(:developer_access) } + end + + context 'when the job token comes from another project' do + let(:scope_project) { create(:project, :private) } + + before do + scope_project.add_developer(current_user) + end + + it { is_expected.to be_disallowed(:public_access) } + end end + end - context 'with maintainer' do - let(:current_user) { maintainer } + describe 'container_image policies' do + using RSpec::Parameterized::TableSyntax - it { is_expected.to be_allowed(:read_group_timelogs) } + let(:guest_operations_permissions) { [:read_container_image] } + + let(:developer_operations_permissions) do + guest_operations_permissions + [ + :create_container_image, :update_container_image, :destroy_container_image + ] end - context 'with reporter' do - let(:current_user) { reporter } + let(:maintainer_operations_permissions) do + developer_operations_permissions + [ + :admin_container_image + ] + end - it { is_expected.to be_allowed(:read_group_timelogs) } + where(:project_visibility, :access_level, :role, :allowed) do + :public | ProjectFeature::ENABLED | :maintainer | true + :public | ProjectFeature::ENABLED | :developer | true + :public | ProjectFeature::ENABLED | :reporter | true + :public | ProjectFeature::ENABLED | :guest | true + :public | ProjectFeature::ENABLED | :anonymous | true + :public | ProjectFeature::PRIVATE | :maintainer | true + :public | ProjectFeature::PRIVATE | :developer | true + :public | ProjectFeature::PRIVATE | :reporter | true + :public | ProjectFeature::PRIVATE | :guest | false + :public | ProjectFeature::PRIVATE | :anonymous | false + :public | ProjectFeature::DISABLED | :maintainer | false + :public | ProjectFeature::DISABLED | :developer | false + :public | ProjectFeature::DISABLED | :reporter | false + :public | ProjectFeature::DISABLED | :guest | false + :public | ProjectFeature::DISABLED | :anonymous | false + :internal | ProjectFeature::ENABLED | :maintainer | true + :internal | ProjectFeature::ENABLED | :developer | true + :internal | ProjectFeature::ENABLED | :reporter | true + :internal | ProjectFeature::ENABLED | :guest | true + :internal | ProjectFeature::ENABLED | :anonymous | false + :internal | ProjectFeature::PRIVATE | :maintainer | true + :internal | ProjectFeature::PRIVATE | :developer | true + :internal | ProjectFeature::PRIVATE | :reporter | true + :internal | ProjectFeature::PRIVATE | :guest | false + :internal | ProjectFeature::PRIVATE | :anonymous | false + :internal | ProjectFeature::DISABLED | :maintainer | false + :internal | ProjectFeature::DISABLED | :developer | false + :internal | ProjectFeature::DISABLED | :reporter | false + :internal | ProjectFeature::DISABLED | :guest | false + :internal | ProjectFeature::DISABLED | :anonymous | false + :private | ProjectFeature::ENABLED | :maintainer | true + :private | ProjectFeature::ENABLED | :developer | true + :private | ProjectFeature::ENABLED | :reporter | true + :private | ProjectFeature::ENABLED | :guest | false + :private | ProjectFeature::ENABLED | :anonymous | false + :private | ProjectFeature::PRIVATE | :maintainer | true + :private | ProjectFeature::PRIVATE | :developer | true + :private | ProjectFeature::PRIVATE | :reporter | true + :private | ProjectFeature::PRIVATE | :guest | false + :private | ProjectFeature::PRIVATE | :anonymous | false + :private | ProjectFeature::DISABLED | :maintainer | false + :private | ProjectFeature::DISABLED | :developer | false + :private | ProjectFeature::DISABLED | :reporter | false + :private | ProjectFeature::DISABLED | :guest | false + :private | ProjectFeature::DISABLED | :anonymous | false end - context 'with guest' do - let(:current_user) { guest } + with_them do + let(:current_user) { send(role) } + let(:project) { send("#{project_visibility}_project") } + + it 'allows/disallows the abilities based on the container_registry feature access level' do + project.project_feature.update!(container_registry_access_level: access_level) + + if allowed + expect_allowed(*permissions_abilities(role)) + else + expect_disallowed(*permissions_abilities(role)) + end + end - it { is_expected.to be_disallowed(:read_group_timelogs) } + def permissions_abilities(role) + case role + when :maintainer + maintainer_operations_permissions + when :developer + developer_operations_permissions + when :reporter, :guest, :anonymous + guest_operations_permissions + else + raise "Unknown role #{role}" + end + end end - context 'with non member' do - let(:current_user) { non_member } + context 'with read_container_registry_access_level disabled' do + before do + stub_feature_flags(read_container_registry_access_level: false) + end + + where(:project_visibility, :container_registry_enabled, :role, :allowed) do + :public | true | :maintainer | true + :public | true | :developer | true + :public | true | :reporter | true + :public | true | :guest | true + :public | true | :anonymous | true + :public | false | :maintainer | false + :public | false | :developer | false + :public | false | :reporter | false + :public | false | :guest | false + :public | false | :anonymous | false + :internal | true | :maintainer | true + :internal | true | :developer | true + :internal | true | :reporter | true + :internal | true | :guest | true + :internal | true | :anonymous | false + :internal | false | :maintainer | false + :internal | false | :developer | false + :internal | false | :reporter | false + :internal | false | :guest | false + :internal | false | :anonymous | false + :private | true | :maintainer | true + :private | true | :developer | true + :private | true | :reporter | true + :private | true | :guest | false + :private | true | :anonymous | false + :private | false | :maintainer | false + :private | false | :developer | false + :private | false | :reporter | false + :private | false | :guest | false + :private | false | :anonymous | false + end + + with_them do + let(:current_user) { send(role) } + let(:project) { send("#{project_visibility}_project") } + + it 'allows/disallows the abilities based on container_registry_enabled' do + project.update_column(:container_registry_enabled, container_registry_enabled) + + if allowed + expect_allowed(*permissions_abilities(role)) + else + expect_disallowed(*permissions_abilities(role)) + end + end - it { is_expected.to be_disallowed(:read_group_timelogs) } + def permissions_abilities(role) + case role + when :maintainer + maintainer_operations_permissions + when :developer + developer_operations_permissions + when :reporter, :guest, :anonymous + guest_operations_permissions + else + raise "Unknown role #{role}" + end + end + end end + end - context 'with anonymous' do + describe 'update_runners_registration_token' do + context 'when anonymous' do let(:current_user) { anonymous } - it { is_expected.to be_disallowed(:read_group_timelogs) } + it { is_expected.not_to be_allowed(:update_runners_registration_token) } + end + + context 'admin' do + let(:current_user) { create(:admin) } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:update_runners_registration_token) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:update_runners_registration_token) } + end + end + + %w(guest reporter developer).each do |role| + context role do + let(:current_user) { send(role) } + + it { is_expected.to be_disallowed(:update_runners_registration_token) } + end + end + + %w(maintainer owner).each do |role| + context role do + let(:current_user) { send(role) } + + it { is_expected.to be_allowed(:update_runners_registration_token) } + end end end end |