Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/concerns/archived_abilities_spec.rb2
-rw-r--r--spec/policies/global_policy_spec.rb106
-rw-r--r--spec/policies/group_policy_spec.rb21
-rw-r--r--spec/policies/issue_policy_spec.rb124
-rw-r--r--spec/policies/merge_request_policy_spec.rb30
-rw-r--r--spec/policies/note_policy_spec.rb36
-rw-r--r--spec/policies/project_group_link_policy_spec.rb56
-rw-r--r--spec/policies/project_policy_spec.rb2
-rw-r--r--spec/policies/resource_label_event_policy_spec.rb2
-rw-r--r--spec/policies/resource_milestone_event_policy_spec.rb73
-rw-r--r--spec/policies/resource_state_event_policy_spec.rb39
-rw-r--r--spec/policies/todo_policy_spec.rb2
-rw-r--r--spec/policies/user_policy_spec.rb26
-rw-r--r--spec/policies/work_item_policy_spec.rb2
14 files changed, 374 insertions, 147 deletions
diff --git a/spec/policies/concerns/archived_abilities_spec.rb b/spec/policies/concerns/archived_abilities_spec.rb
index 8e3fd8a209f..d4d0498b0a3 100644
--- a/spec/policies/concerns/archived_abilities_spec.rb
+++ b/spec/policies/concerns/archived_abilities_spec.rb
@@ -14,7 +14,7 @@ RSpec.describe ArchivedAbilities, feature_category: :projects do
end
describe '.archived_abilities' do
- it 'returns an array of abilites to be prevented when archived' do
+ it 'returns an array of abilities to be prevented when archived' do
expect(TestClass.archived_abilities).to include(*described_class::ARCHIVED_ABILITIES)
end
end
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 4a8855f1da7..1538f8a70c8 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -2,15 +2,15 @@
require 'spec_helper'
-RSpec.describe GlobalPolicy do
+RSpec.describe GlobalPolicy, feature_category: :security_policies do
include TermsHelper
+ let_it_be(:admin_user) { create(:admin) }
let_it_be(:project_bot) { create(:user, :project_bot) }
let_it_be(:migration_bot) { create(:user, :migration_bot) }
let_it_be(:security_bot) { create(:user, :security_bot) }
-
- let(:current_user) { create(:user) }
- let(:user) { create(:user) }
+ let_it_be_with_reload(:current_user) { create(:user) }
+ let_it_be(:user) { create(:user) }
subject { described_class.new(current_user, [user]) }
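Review bot: The new `let_it_be(:admin_user)` is a single record shared by every example that does `let(:current_user) { admin_user }`, but unlike `current_user` it is not declared `_with_reload`, and the admin contexts later in this file run the terms examples (`accept_terms(current_user)` in the 'access allowed when terms accepted' shared example, reused by the admin `access_api` context). If `accept_terms` writes acceptance state onto the user object — I cannot see TermsHelper from here — the in-memory admin record keeps that state after the per-example rollback, so the `be_disallowed(ability)` example could pass or fail depending on ordering. Declaring it as `let_it_be_with_reload(:admin_user) { create(:admin) }` gives it the same reset semantics as `current_user` at no real cost. The `RSpec.describe` block this hunk belongs to continues past the end of the hunk.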
@@ -27,7 +27,7 @@ RSpec.describe GlobalPolicy do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
- it { is_expected.not_to be_allowed(:read_users_list) }
+ it { is_expected.to be_disallowed(:read_users_list) }
end
context "when the public level is not restricted" do
@@ -40,7 +40,7 @@ RSpec.describe GlobalPolicy do
end
context "for an admin" do
- let_it_be(:current_user) { create(:admin) }
+ let(:current_user) { admin_user }
context "when the public level is restricted" do
before do
@@ -93,7 +93,7 @@ RSpec.describe GlobalPolicy do
context 'when user does not have the ability to create group' do
let(:current_user) { create(:user, can_create_group: false) }
- it { is_expected.not_to be_allowed(:create_group) }
+ it { is_expected.to be_disallowed(:create_group) }
end
end
@@ -107,18 +107,18 @@ RSpec.describe GlobalPolicy do
context 'when user does not have the ability to create group' do
let(:current_user) { create(:user, can_create_group: false) }
- it { is_expected.not_to be_allowed(:create_group_with_default_branch_protection) }
+ it { is_expected.to be_disallowed(:create_group_with_default_branch_protection) }
end
end
describe 'custom attributes' do
context 'regular user' do
- it { is_expected.not_to be_allowed(:read_custom_attribute) }
- it { is_expected.not_to be_allowed(:update_custom_attribute) }
+ it { is_expected.to be_disallowed(:read_custom_attribute) }
+ it { is_expected.to be_disallowed(:update_custom_attribute) }
end
context 'admin' do
- let_it_be(:current_user) { create(:user, :admin) }
+ let(:current_user) { admin_user }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_custom_attribute) }
@@ -134,11 +134,11 @@ RSpec.describe GlobalPolicy do
describe 'approving users' do
context 'regular user' do
- it { is_expected.not_to be_allowed(:approve_user) }
+ it { is_expected.to be_disallowed(:approve_user) }
end
context 'admin' do
- let_it_be(:current_user) { create(:admin) }
+ let(:current_user) { admin_user }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:approve_user) }
@@ -152,11 +152,11 @@ RSpec.describe GlobalPolicy do
describe 'rejecting users' do
context 'regular user' do
- it { is_expected.not_to be_allowed(:reject_user) }
+ it { is_expected.to be_disallowed(:reject_user) }
end
context 'admin' do
- let_it_be(:current_user) { create(:admin) }
+ let(:current_user) { admin_user }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:reject_user) }
@@ -170,11 +170,11 @@ RSpec.describe GlobalPolicy do
describe 'using project statistics filters' do
context 'regular user' do
- it { is_expected.not_to be_allowed(:use_project_statistics_filters) }
+ it { is_expected.to be_disallowed(:use_project_statistics_filters) }
end
context 'admin' do
- let_it_be(:current_user) { create(:user, :admin) }
+ let(:current_user) { admin_user }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:use_project_statistics_filters) }
@@ -187,7 +187,7 @@ RSpec.describe GlobalPolicy do
end
shared_examples 'access allowed when terms accepted' do |ability|
- it { is_expected.not_to be_allowed(ability) }
+ it { is_expected.to be_disallowed(ability) }
it "allows #{ability} when the user accepted the terms" do
accept_terms(current_user)
@@ -202,7 +202,7 @@ RSpec.describe GlobalPolicy do
end
context 'admin' do
- let(:current_user) { create(:admin) }
+ let(:current_user) { admin_user }
it { is_expected.to be_allowed(:access_api) }
end
@@ -222,13 +222,13 @@ RSpec.describe GlobalPolicy do
context 'migration bot' do
let(:current_user) { migration_bot }
- it { is_expected.not_to be_allowed(:access_api) }
+ it { is_expected.to be_disallowed(:access_api) }
end
context 'security bot' do
let(:current_user) { security_bot }
- it { is_expected.not_to be_allowed(:access_api) }
+ it { is_expected.to be_disallowed(:access_api) }
end
context 'user blocked pending approval' do
@@ -236,7 +236,7 @@ RSpec.describe GlobalPolicy do
current_user.block_pending_approval
end
- it { is_expected.not_to be_allowed(:access_api) }
+ it { is_expected.to be_disallowed(:access_api) }
end
context 'with a deactivated user' do
@@ -244,7 +244,7 @@ RSpec.describe GlobalPolicy do
current_user.deactivate!
end
- it { is_expected.not_to be_allowed(:access_api) }
+ it { is_expected.to be_disallowed(:access_api) }
end
context 'user with expired password' do
@@ -252,7 +252,7 @@ RSpec.describe GlobalPolicy do
current_user.update!(password_expires_at: 2.minutes.ago)
end
- it { is_expected.not_to be_allowed(:access_api) }
+ it { is_expected.to be_disallowed(:access_api) }
context 'when user is using ldap' do
let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }
@@ -271,7 +271,7 @@ RSpec.describe GlobalPolicy do
end
context 'admin' do
- let(:current_user) { create(:admin) }
+ let(:current_user) { admin_user }
it_behaves_like 'access allowed when terms accepted', :access_api
end
@@ -301,7 +301,7 @@ RSpec.describe GlobalPolicy do
allow(User).to receive(:allow_unconfirmed_access_for).and_return(2.days)
end
- it { is_expected.not_to be_allowed(:access_api) }
+ it { is_expected.to be_disallowed(:access_api) }
end
end
end
@@ -312,7 +312,7 @@ RSpec.describe GlobalPolicy do
end
describe 'admin' do
- let(:current_user) { create(:admin) }
+ let(:current_user) { admin_user }
it { is_expected.to be_allowed(:receive_notifications) }
end
@@ -320,7 +320,7 @@ RSpec.describe GlobalPolicy do
describe 'anonymous' do
let(:current_user) { nil }
- it { is_expected.not_to be_allowed(:receive_notifications) }
+ it { is_expected.to be_disallowed(:receive_notifications) }
end
describe 'blocked user' do
@@ -328,7 +328,7 @@ RSpec.describe GlobalPolicy do
current_user.block
end
- it { is_expected.not_to be_allowed(:receive_notifications) }
+ it { is_expected.to be_disallowed(:receive_notifications) }
end
describe 'deactivated user' do
@@ -336,19 +336,19 @@ RSpec.describe GlobalPolicy do
current_user.deactivate
end
- it { is_expected.not_to be_allowed(:receive_notifications) }
+ it { is_expected.to be_disallowed(:receive_notifications) }
end
context 'project bot' do
let(:current_user) { project_bot }
- it { is_expected.not_to be_allowed(:receive_notifications) }
+ it { is_expected.to be_disallowed(:receive_notifications) }
end
context 'migration bot' do
let(:current_user) { migration_bot }
- it { is_expected.not_to be_allowed(:receive_notifications) }
+ it { is_expected.to be_disallowed(:receive_notifications) }
end
context 'user blocked pending approval' do
@@ -356,7 +356,7 @@ RSpec.describe GlobalPolicy do
current_user.block_pending_approval
end
- it { is_expected.not_to be_allowed(:receive_notifications) }
+ it { is_expected.to be_disallowed(:receive_notifications) }
end
end
@@ -366,7 +366,7 @@ RSpec.describe GlobalPolicy do
end
describe 'admin' do
- let(:current_user) { create(:admin) }
+ let(:current_user) { admin_user }
it { is_expected.to be_allowed(:access_git) }
end
@@ -394,7 +394,7 @@ RSpec.describe GlobalPolicy do
current_user.deactivate
end
- it { is_expected.not_to be_allowed(:access_git) }
+ it { is_expected.to be_disallowed(:access_git) }
end
describe 'inactive user' do
@@ -402,7 +402,7 @@ RSpec.describe GlobalPolicy do
current_user.update!(confirmed_at: nil)
end
- it { is_expected.not_to be_allowed(:access_git) }
+ it { is_expected.to be_disallowed(:access_git) }
end
context 'when terms are enforced' do
@@ -438,7 +438,7 @@ RSpec.describe GlobalPolicy do
current_user.block_pending_approval
end
- it { is_expected.not_to be_allowed(:access_git) }
+ it { is_expected.to be_disallowed(:access_git) }
end
context 'user with expired password' do
@@ -446,7 +446,7 @@ RSpec.describe GlobalPolicy do
current_user.update!(password_expires_at: 2.minutes.ago)
end
- it { is_expected.not_to be_allowed(:access_git) }
+ it { is_expected.to be_disallowed(:access_git) }
context 'when user is using ldap' do
let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }
@@ -464,7 +464,7 @@ RSpec.describe GlobalPolicy do
context 'anonymous' do
let(:current_user) { nil }
- it { is_expected.not_to be_allowed(:read_instance_metadata) }
+ it { is_expected.to be_disallowed(:read_instance_metadata) }
end
end
@@ -476,7 +476,7 @@ RSpec.describe GlobalPolicy do
context 'when internal' do
let(:current_user) { User.ghost }
- it { is_expected.not_to be_allowed(:use_slash_commands) }
+ it { is_expected.to be_disallowed(:use_slash_commands) }
end
context 'when blocked' do
@@ -484,7 +484,7 @@ RSpec.describe GlobalPolicy do
current_user.block
end
- it { is_expected.not_to be_allowed(:use_slash_commands) }
+ it { is_expected.to be_disallowed(:use_slash_commands) }
end
context 'when deactivated' do
@@ -492,7 +492,7 @@ RSpec.describe GlobalPolicy do
current_user.deactivate
end
- it { is_expected.not_to be_allowed(:use_slash_commands) }
+ it { is_expected.to be_disallowed(:use_slash_commands) }
end
describe 'inactive user' do
@@ -500,7 +500,7 @@ RSpec.describe GlobalPolicy do
current_user.update!(confirmed_at: nil)
end
- it { is_expected.not_to be_allowed(:use_slash_commands) }
+ it { is_expected.to be_disallowed(:use_slash_commands) }
end
context 'when access locked' do
@@ -508,7 +508,7 @@ RSpec.describe GlobalPolicy do
current_user.lock_access!
end
- it { is_expected.not_to be_allowed(:use_slash_commands) }
+ it { is_expected.to be_disallowed(:use_slash_commands) }
end
context 'project bot' do
@@ -520,7 +520,7 @@ RSpec.describe GlobalPolicy do
context 'migration bot' do
let(:current_user) { migration_bot }
- it { is_expected.not_to be_allowed(:use_slash_commands) }
+ it { is_expected.to be_disallowed(:use_slash_commands) }
end
context 'user blocked pending approval' do
@@ -528,7 +528,7 @@ RSpec.describe GlobalPolicy do
current_user.block_pending_approval
end
- it { is_expected.not_to be_allowed(:use_slash_commands) }
+ it { is_expected.to be_disallowed(:use_slash_commands) }
end
context 'user with expired password' do
@@ -536,7 +536,7 @@ RSpec.describe GlobalPolicy do
current_user.update!(password_expires_at: 2.minutes.ago)
end
- it { is_expected.not_to be_allowed(:use_slash_commands) }
+ it { is_expected.to be_disallowed(:use_slash_commands) }
context 'when user is using ldap' do
let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }
@@ -550,7 +550,7 @@ RSpec.describe GlobalPolicy do
context 'when anonymous' do
let(:current_user) { nil }
- it { is_expected.not_to be_allowed(:create_snippet) }
+ it { is_expected.to be_disallowed(:create_snippet) }
end
context 'regular user' do
@@ -560,7 +560,7 @@ RSpec.describe GlobalPolicy do
context 'when external' do
let(:current_user) { build(:user, :external) }
- it { is_expected.not_to be_allowed(:create_snippet) }
+ it { is_expected.to be_disallowed(:create_snippet) }
end
end
@@ -568,19 +568,19 @@ RSpec.describe GlobalPolicy do
context 'project bot' do
let(:current_user) { project_bot }
- it { is_expected.not_to be_allowed(:log_in) }
+ it { is_expected.to be_disallowed(:log_in) }
end
context 'migration bot' do
let(:current_user) { migration_bot }
- it { is_expected.not_to be_allowed(:log_in) }
+ it { is_expected.to be_disallowed(:log_in) }
end
context 'security bot' do
let(:current_user) { security_bot }
- it { is_expected.not_to be_allowed(:log_in) }
+ it { is_expected.to be_disallowed(:log_in) }
end
context 'user blocked pending approval' do
@@ -588,7 +588,7 @@ RSpec.describe GlobalPolicy do
current_user.block_pending_approval
end
- it { is_expected.not_to be_allowed(:log_in) }
+ it { is_expected.to be_disallowed(:log_in) }
end
end
end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 65abb43b6c4..2d4c86845c9 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -157,7 +157,7 @@ RSpec.describe GroupPolicy do
let(:current_user) { maintainer }
context 'with subgroup_creation level set to maintainer' do
- before_all do
+ before do
group.update!(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
end
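Review bot: Switching these `before_all` blocks to `before` stops the DB change from leaking across contexts, but `group.update!(subgroup_creation_level: ...)` still mutates the shared `group` instance in memory, and the transaction rollback after each example does not undo that; the `group` definition is outside this hunk, so whether it is a plain `let_it_be` is something to confirm. If it is, a context that does not set the level itself will see whichever value the previous example left behind, and the later hunk in this file already adopts the fix for the support-bot context (`let_it_be_with_refind(:group)`); the top-level `group` should use `let_it_be_with_refind` or `let_it_be_with_reload` for the same reason. The same applies to the other `before_all` → `before` hunks in this file (project_creation_level, subgroup_creation_level, crm_settings).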
@@ -550,7 +550,7 @@ RSpec.describe GroupPolicy do
context 'create_projects' do
context 'when group has no project creation level set' do
- before_all do
+ before do
group.update!(project_creation_level: nil)
end
@@ -580,7 +580,7 @@ RSpec.describe GroupPolicy do
end
context 'when group has project creation level set to no one' do
- before_all do
+ before do
group.update!(project_creation_level: ::Gitlab::Access::NO_ONE_PROJECT_ACCESS)
end
@@ -610,7 +610,7 @@ RSpec.describe GroupPolicy do
end
context 'when group has project creation level set to maintainer only' do
- before_all do
+ before do
group.update!(project_creation_level: ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS)
end
@@ -640,7 +640,7 @@ RSpec.describe GroupPolicy do
end
context 'when group has project creation level set to developers + maintainer' do
- before_all do
+ before do
group.update!(project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
end
@@ -672,7 +672,7 @@ RSpec.describe GroupPolicy do
context 'create_subgroup' do
context 'when group has subgroup creation level set to owner' do
- before_all do
+ before do
group.update!(subgroup_creation_level: ::Gitlab::Access::OWNER_SUBGROUP_ACCESS)
end
@@ -702,7 +702,7 @@ RSpec.describe GroupPolicy do
end
context 'when group has subgroup creation level set to maintainer' do
- before_all do
+ before do
group.update!(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
end
@@ -1073,7 +1073,7 @@ RSpec.describe GroupPolicy do
it_behaves_like 'Self-managed Core resource access tokens'
context 'support bot' do
- let_it_be(:group) { create(:group, :private, :crm_enabled) }
+ let_it_be_with_refind(:group) { create(:group, :private, :crm_enabled) }
let_it_be(:current_user) { User.support_bot }
before do
@@ -1351,9 +1351,8 @@ RSpec.describe GroupPolicy do
context 'when crm_enabled is false' do
let(:current_user) { owner }
- before_all do
- group.crm_settings.enabled = false
- group.crm_settings.save!
+ before do
+ group.crm_settings.update!(enabled: false)
end
it { is_expected.to be_disallowed(:read_crm_contact) }
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 905ef591b53..0040d9dff7e 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -87,49 +87,49 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
end
it 'allows guests to read issues' do
- expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid)
- expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_confidential)
+ expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid, :admin_issue_relation)
+ expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_internal)
- expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
+ expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :admin_issue_relation)
expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
end
it 'allows reporters to read, update, admin and create confidential notes' do
- expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_confidential)
+ expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :mark_note_as_internal, :admin_issue_relation)
end
it 'allows reporters from group links to read, update, and admin issues' do
- expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(reporter_from_group_link, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(reporter_from_group_link, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows issue authors to read and update their issues' do
- expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
+ expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue_relation)
expect(permissions(author, issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
+ expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :admin_issue_relation)
expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(author, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(author, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows issue assignees to read and update their issues' do
- expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
+ expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue_relation)
expect(permissions(assignee, issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(assignee, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(assignee, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'does not allow non-members to read, update or create issues' do
- expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
end
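Review bot: The first example in this hunk now asserts that guests are allowed `:admin_issue_relation` while still being titled 'allows guests to read issues'; granting relation management to the lowest member role is a deliberate authorization decision and the description should say so, e.g. `it 'allows guests to read issues and manage issue relations' do`. The negative coverage for the new ability is also thinner than the positive: `new_issue` is asserted allowed `:admin_issue_relation` for reporters, authors and assignees, but the guest (`expect(permissions(guest, new_issue))`) and non-member (last line of the hunk) `new_issue` assertions were not extended, so a regression granting relation admin to outsiders on unsaved issues would go unnoticed; add `:admin_issue_relation` to the non-member `be_disallowed` list and to whichever list is intended for guests. The assignee lines left untouched (`permissions(assignee, issue_no_assignee)` here and `permissions(assignee, confidential_issue)` in the next hunk) have the same gap.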
@@ -142,50 +142,50 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) }
it 'does not allow non-members to read confidential issues' do
- expect(permissions(non_member, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
- expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(non_member, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :admin_issue_relation)
+ expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'does not allow guests to read confidential issues' do
- expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
- expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :admin_issue_relation)
+ expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows reporters to read, update, and admin confidential issues' do
- expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows reporters from group links to read, update, and admin confidential issues' do
- expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows issue authors to read and update their confidential issues' do
- expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
+ expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue_relation)
expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+ expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :admin_issue_relation)
expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
end
it 'does not allow issue author to read or update confidential issue moved to an private project' do
confidential_issue.project = create(:project, :private)
- expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows issue assignees to read and update their confidential issues' do
expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'does not allow issue assignees to read or update confidential issue moved to an private project' do
confidential_issue.project = create(:project, :private)
- expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
end
end
@@ -210,61 +210,61 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
it 'does not allow anonymous user to create todos' do
expect(permissions(nil, issue)).to be_allowed(:read_issue)
- expect(permissions(nil, issue)).to be_disallowed(:create_todo, :update_subscription, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(nil, issue)).to be_disallowed(:create_todo, :update_subscription, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
expect(permissions(nil, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
end
it 'allows guests to read issues' do
- expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid, :create_todo, :update_subscription)
+ expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid, :create_todo, :update_subscription, :admin_issue_relation)
expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
+ expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :admin_issue_relation)
expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(guest, issue_locked)).to be_allowed(:read_issue, :read_issue_iid)
+ expect(permissions(guest, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :admin_issue_relation)
expect(permissions(guest, issue_locked)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(guest, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows reporters to read, update, reopen, and admin issues' do
- expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(reporter, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(reporter, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
expect(permissions(reporter, issue_locked)).to be_disallowed(:reopen_issue)
- expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows reporters from group links to read, update, reopen and admin issues' do
- expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:reopen_issue)
- expect(permissions(reporter_from_group_link, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter_from_group_link, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
expect(permissions(reporter_from_group_link, issue_locked)).to be_disallowed(:reopen_issue)
- expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(reporter, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it 'allows issue authors to read, reopen and update their issues' do
- expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :reopen_issue)
+ expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :reopen_issue, :admin_issue_relation)
expect(permissions(author, issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
+ expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :admin_issue_relation)
expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(author, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
+ expect(permissions(author, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue_relation)
expect(permissions(author, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(author, new_issue)).to be_allowed(:create_issue)
+ expect(permissions(author, new_issue)).to be_allowed(:create_issue, :admin_issue_relation)
expect(permissions(author, new_issue)).to be_disallowed(:set_issue_metadata)
end
it 'allows issue assignees to read, reopen and update their issues' do
- expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :reopen_issue)
+ expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :reopen_issue, :admin_issue_relation)
expect(permissions(assignee, issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
+ expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :admin_issue_relation)
expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(assignee, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
+ expect(permissions(assignee, issue_locked)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue_relation)
expect(permissions(assignee, issue_locked)).to be_disallowed(:admin_issue, :reopen_issue, :set_issue_metadata, :set_confidentiality)
end
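Review bot: The new assertion inside the 'allows reporters from group links' example still exercises `reporter` rather than `reporter_from_group_link` for `new_issue`, so the `:admin_issue_relation` grant for a group-link reporter on a new issue is never actually checked; change it to `expect(permissions(reporter_from_group_link, new_issue)).to be_allowed(:create_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)`. The guest assertions now also grant `:admin_issue_relation` on `issue_locked` while `:update_issue` stays denied, which is a deliberate-looking widening of what a guest can change on a locked issue; a one-line comment such as `# relation admin is intentionally independent of update_issue, so guests keep it on locked issues` would stop a future reader from treating it as a regression. The enclosing describe block starts outside this hunk.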
@@ -335,6 +335,10 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
expect(permissions(guest, issue)).to be_allowed(:update_subscription)
end
+ it 'allows guests to admin relation' do
+ expect(permissions(guest, issue)).to be_allowed(:admin_issue_relation)
+ end
+
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows admins to view' do
expect(permissions(admin, issue)).to be_allowed(:read_issue)
@@ -356,9 +360,9 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
end
it 'does not allow non-members to update or create issues' do
- expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
- expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
+ expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality, :admin_issue_relation)
end
it_behaves_like 'alert bot'
@@ -376,24 +380,24 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
end
it 'allows reporters to read, update, and admin confidential issues' do
- expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+ expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :admin_issue_relation)
expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
end
it 'allows reporter from group links to read, update, and admin confidential issues' do
- expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+ expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :admin_issue_relation)
expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
end
it 'allows issue authors to read and update their confidential issues' do
- expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
+ expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue_relation)
expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
end
it 'allows issue assignees to read and update their confidential issues' do
- expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
+ expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue_relation)
expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue, :set_issue_metadata, :set_confidentiality)
expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
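Review bot: The disallowed lists for `confidential_issue_no_assignee` in the author and assignee examples here are not extended with `:admin_issue_relation`, while the equivalent assertions in the earlier confidential-issue hunk (the lines that became `be_disallowed(... :set_confidentiality, :admin_issue_relation)`) are; as written, a regression that lets an author or assignee administer relations on a confidential issue they are not a participant of would pass this context. Append `:admin_issue_relation` to both `be_disallowed` calls on `confidential_issue_no_assignee`. The reporter and group-link reporter examples likewise only add the ability for `confidential_issue` and not for `confidential_issue_no_assignee`, so the allowed side is asymmetric in the same way. The enclosing context block starts and ends outside this hunk.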
@@ -432,8 +436,8 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
it 'does not allow accessing notes' do
# if notes widget is disabled not even maintainer can access notes
- expect(permissions(maintainer, task)).to be_disallowed(:create_note, :read_note, :mark_note_as_confidential, :read_internal_note)
- expect(permissions(admin, task)).to be_disallowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential, :set_note_created_at)
+ expect(permissions(maintainer, task)).to be_disallowed(:create_note, :read_note, :mark_note_as_internal, :read_internal_note)
+ expect(permissions(admin, task)).to be_disallowed(:create_note, :read_note, :read_internal_note, :mark_note_as_internal, :set_note_created_at)
end
end
@@ -441,10 +445,10 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
it 'allows accessing notes' do
# with notes widget enabled, even guests can access notes
expect(permissions(guest, issue)).to be_allowed(:create_note, :read_note)
- expect(permissions(guest, issue)).to be_disallowed(:read_internal_note, :mark_note_as_confidential, :set_note_created_at)
- expect(permissions(reporter, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential)
- expect(permissions(maintainer, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential)
- expect(permissions(owner, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_confidential, :set_note_created_at)
+ expect(permissions(guest, issue)).to be_disallowed(:read_internal_note, :mark_note_as_internal, :set_note_created_at)
+ expect(permissions(reporter, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_internal)
+ expect(permissions(maintainer, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_internal)
+ expect(permissions(owner, issue)).to be_allowed(:create_note, :read_note, :read_internal_note, :mark_note_as_internal, :set_note_created_at)
end
end
end
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index 741a0db3009..c21e1244402 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -461,4 +461,34 @@ RSpec.describe MergeRequestPolicy do
end
end
end
+
+ context 'when the author of the merge request is banned', feature_category: :insider_threat do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:admin) { create(:user, :admin) }
+ let_it_be(:author) { create(:user, :banned) }
+ let_it_be(:project) { create(:project, :public) }
+ let_it_be(:hidden_merge_request) { create(:merge_request, source_project: project, author: author) }
+
+ it 'does not allow non-admin user to read the merge_request' do
+ expect(permissions(user, hidden_merge_request)).not_to be_allowed(:read_merge_request)
+ end
+
+ it 'allows admin to read the merge_request', :enable_admin_mode do
+ expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request)
+ end
+
+ context 'when the `hide_merge_requests_from_banned_users` feature flag is disabled' do
+ before do
+ stub_feature_flags(hide_merge_requests_from_banned_users: false)
+ end
+
+ it 'allows non-admin users to read the merge_request' do
+ expect(permissions(user, hidden_merge_request)).to be_allowed(:read_merge_request)
+ end
+
+ it 'allows admin users to read the merge_request', :enable_admin_mode do
+ expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request)
+ end
+ end
+ end
end
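Review bot: The first example uses `not_to be_allowed(:read_merge_request)` while every other assertion in this file uses `be_disallowed`, which yields a clearer failure message listing the abilities that were unexpectedly granted; change it to `expect(permissions(user, hidden_merge_request)).to be_disallowed(:read_merge_request)`. The feature-flag-off context asserts that a banned author's merge request on a public project becomes readable to a regular user again, which is the rollback behaviour rather than the intended end state; a comment on that context, e.g. `# With the flag off, MRs from banned users are visible again (legacy behaviour).`, would make that explicit. No example covers the banned author themselves or an anonymous (`nil`) user, who on a public project are presumably the readers the hiding is most concerned with; consider adding both if the policy is meant to cover them.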
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index dcfc398806a..f4abe3a223c 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -311,7 +311,7 @@ RSpec.describe NotePolicy, feature_category: :team_planning do
end
end
- context 'with confidential notes' do
+ context 'with internal notes' do
def permissions(user, note)
described_class.new(user, note)
end
@@ -332,54 +332,54 @@ RSpec.describe NotePolicy, feature_category: :team_planning do
project.add_guest(guest)
end
- shared_examples_for 'confidential notes permissions' do
- it 'does not allow non members to read confidential notes and replies' do
- expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
+ shared_examples_for 'internal notes permissions' do
+ it 'does not allow non members to read internal notes and replies' do
+ expect(permissions(non_member, internal_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_internal)
end
- it 'does not allow guests to read confidential notes and replies' do
- expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :read_internal_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
+ it 'does not allow guests to read internal notes and replies' do
+ expect(permissions(guest, internal_note)).to be_disallowed(:read_note, :read_internal_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_internal)
end
it 'allows reporter to read all notes but not resolve and admin them' do
- expect(permissions(reporter, confidential_note)).to be_allowed(:read_note, :award_emoji, :mark_note_as_confidential)
- expect(permissions(reporter, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
+ expect(permissions(reporter, internal_note)).to be_allowed(:read_note, :award_emoji, :mark_note_as_internal)
+ expect(permissions(reporter, internal_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
end
it 'allows developer to read and resolve all notes' do
- expect(permissions(developer, confidential_note)).to be_allowed(:read_note, :award_emoji, :resolve_note, :mark_note_as_confidential)
- expect(permissions(developer, confidential_note)).to be_disallowed(:admin_note, :reposition_note)
+ expect(permissions(developer, internal_note)).to be_allowed(:read_note, :award_emoji, :resolve_note, :mark_note_as_internal)
+ expect(permissions(developer, internal_note)).to be_disallowed(:admin_note, :reposition_note)
end
it 'allows maintainers to read all notes and admin them' do
- expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
+ expect(permissions(maintainer, internal_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_internal)
end
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows admins to read all notes and admin them' do
- expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
+ expect(permissions(admin, internal_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_internal)
end
end
context 'when admin mode is disabled' do
- it 'does not allow non members to read confidential notes and replies' do
- expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
+ it 'does not allow non members to read internal notes and replies' do
+ expect(permissions(admin, internal_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_internal)
end
end
it 'disallows noteable author to read and resolve all notes' do
- expect(permissions(author, confidential_note)).to be_disallowed(:read_note, :resolve_note, :award_emoji, :mark_note_as_confidential, :admin_note, :reposition_note)
+ expect(permissions(author, internal_note)).to be_disallowed(:read_note, :resolve_note, :award_emoji, :mark_note_as_internal, :admin_note, :reposition_note)
end
end
context 'for issues' do
let(:issue) { create(:issue, project: project, author: author, assignees: [assignee]) }
- let(:confidential_note) { create(:note, :confidential, project: project, noteable: issue) }
+ let(:internal_note) { create(:note, :confidential, project: project, noteable: issue) }
- it_behaves_like 'confidential notes permissions'
+ it_behaves_like 'internal notes permissions'
it 'disallows noteable assignees to read all notes' do
- expect(permissions(assignee, confidential_note)).to be_disallowed(:read_note, :award_emoji, :mark_note_as_confidential, :admin_note, :reposition_note, :resolve_note)
+ expect(permissions(assignee, internal_note)).to be_disallowed(:read_note, :award_emoji, :mark_note_as_internal, :admin_note, :reposition_note, :resolve_note)
end
end
end
diff --git a/spec/policies/project_group_link_policy_spec.rb b/spec/policies/project_group_link_policy_spec.rb
new file mode 100644
index 00000000000..7c8a4619e47
--- /dev/null
+++ b/spec/policies/project_group_link_policy_spec.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ProjectGroupLinkPolicy, feature_category: :authentication_and_authorization do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:group) { create(:group, :private) }
+ let_it_be(:group2) { create(:group, :private) }
+ let_it_be(:project) { create(:project, :private, group: group) }
+
+ let(:project_group_link) do
+ create(:project_group_link, project: project, group: group2, group_access: Gitlab::Access::DEVELOPER)
+ end
+
+ subject(:policy) { described_class.new(user, project_group_link) }
+
+ context 'when the user is a group owner' do
+ before do
+ project_group_link.group.add_owner(user)
+ end
+
+ context 'when user is not project maintainer' do
+ it 'can admin group_project_link' do
+ expect(policy).to be_allowed(:admin_project_group_link)
+ end
+ end
+
+ context 'when user is a project maintainer' do
+ before do
+ project_group_link.project.add_maintainer(user)
+ end
+
+ it 'can admin group_project_link' do
+ expect(policy).to be_allowed(:admin_project_group_link)
+ end
+ end
+ end
+
+ context 'when user is not a group owner' do
+ context 'when user is a project maintainer' do
+ it 'can admin group_project_link' do
+ project_group_link.project.add_maintainer(user)
+
+ expect(policy).to be_allowed(:admin_project_group_link)
+ end
+ end
+
+ context 'when user is not a project maintainer' do
+ it 'cannot admin group_project_link' do
+ project_group_link.project.add_developer(user)
+
+ expect(policy).to be_disallowed(:admin_project_group_link)
+ end
+ end
+ end
+end
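Review bot: There is no negative example for a user who holds no membership in the project or in the linked group, and for a private project linked to a private group that is the case that most directly proves `:admin_project_group_link` is not leaking; add a context such as `context 'when user is neither a group owner nor a project member' do it { expect(policy).to be_disallowed(:admin_project_group_link) } end`. The example descriptions say "group_project_link" while the ability asserted is `:admin_project_group_link`, so a failing example name will not match the ability in the policy; rename them to "can admin project_group_link" / "cannot admin project_group_link". Only the owner of the linked group (`group2`) is exercised; if the owner of the project's own group (`group`) is meant to be covered by the maintainer path, a short comment on the `when user is a project maintainer` context saying so would help.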
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index e370f536519..a98f091b9fc 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe ProjectPolicy do
+RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorization do
include ExternalAuthorizationServiceHelpers
include AdminModeHelper
include_context 'ProjectPolicy context'
diff --git a/spec/policies/resource_label_event_policy_spec.rb b/spec/policies/resource_label_event_policy_spec.rb
index eff2b0e1af5..66a249c38d9 100644
--- a/spec/policies/resource_label_event_policy_spec.rb
+++ b/spec/policies/resource_label_event_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe ResourceLabelEventPolicy do
+RSpec.describe ResourceLabelEventPolicy, feature_category: :team_planning do
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project, :private) }
let_it_be(:issue) { create(:issue, project: project) }
diff --git a/spec/policies/resource_milestone_event_policy_spec.rb b/spec/policies/resource_milestone_event_policy_spec.rb
new file mode 100644
index 00000000000..22d1f837ae3
--- /dev/null
+++ b/spec/policies/resource_milestone_event_policy_spec.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ResourceMilestoneEventPolicy, feature_category: :team_planning do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project) { create(:project, :private) }
+ let_it_be(:issue) { create(:issue, project: project) }
+ let_it_be(:private_project) { create(:project, :private) }
+
+ describe '#read_resource_milestone_event' do
+ context 'with non-member user' do
+ it 'does not allow to read event' do
+ event = build_event(project)
+
+ expect(permissions(user, event)).to be_disallowed(:read_milestone, :read_resource_milestone_event, :read_note)
+ end
+ end
+
+ context 'with member user' do
+ before do
+ project.add_guest(user)
+ end
+
+ it 'allows to read event for accessible milestone' do
+ event = build_event(project)
+
+ expect(permissions(user, event)).to be_allowed(:read_milestone, :read_resource_milestone_event, :read_note)
+ end
+
+ it 'does not allow to read event for not accessible milestone' do
+ event = build_event(private_project)
+
+ expect(permissions(user, event)).to be_disallowed(:read_milestone, :read_resource_milestone_event, :read_note)
+ end
+ end
+ end
+
+ describe '#read_milestone' do
+ before do
+ project.add_guest(user)
+ end
+
+ it 'allows to read deleted milestone' do
+ event = build(:resource_milestone_event, issue: issue, milestone: nil)
+
+ expect(permissions(user, event)).to be_allowed(:read_milestone, :read_resource_milestone_event, :read_note)
+ end
+
+ it 'allows to read accessible milestone' do
+ event = build_event(project)
+
+ expect(permissions(user, event)).to be_allowed(:read_milestone, :read_resource_milestone_event, :read_note)
+ end
+
+ it 'does not allow to read not accessible milestone' do
+ event = build_event(private_project)
+
+ expect(permissions(user, event)).to be_disallowed(:read_milestone, :read_resource_milestone_event, :read_note)
+ end
+ end
+
+ def build_event(project)
+ milestone = create(:milestone, project: project)
+
+ build(:resource_milestone_event, issue: issue, milestone: milestone)
+ end
+
+ def permissions(user, issue)
+ described_class.new(user, issue)
+ end
+end
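Review bot: The `permissions` helper names its second parameter `issue` but every caller passes a resource milestone event, and `let_it_be(:group)` is never used in the file; change the helper to `def permissions(user, event)` with `described_class.new(user, event)` and drop the unused `group`. The "not accessible milestone" examples rely on `private_project` being a separate private project the guest has no membership in, which is the core access-control boundary here; a one-line comment on `private_project`, such as `# user is never added to this project, so its milestones must stay unreadable`, documents that intent. The `#read_resource_milestone_event` and `#read_milestone` describes assert the same three abilities with the same fixtures, so one of the two member-user blocks looks redundant.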
diff --git a/spec/policies/resource_state_event_policy_spec.rb b/spec/policies/resource_state_event_policy_spec.rb
new file mode 100644
index 00000000000..30f52f45c37
--- /dev/null
+++ b/spec/policies/resource_state_event_policy_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ResourceStateEventPolicy, feature_category: :team_planning do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:project) { create(:project, :private) }
+ let_it_be(:issue) { create(:issue, project: project) }
+
+ describe '#read_resource_state_event' do
+ context 'with non-member user' do
+ it 'does not allow to read event' do
+ event = build_event(project)
+
+ expect(permissions(user, event)).to be_disallowed(:read_resource_state_event, :read_note)
+ end
+ end
+
+ context 'with member user' do
+ before do
+ project.add_guest(user)
+ end
+
+ it 'allows to read event for a state change' do
+ event = build_event(project)
+
+ expect(permissions(user, event)).to be_allowed(:read_resource_state_event, :read_note)
+ end
+ end
+ end
+
+ def build_event(label_project)
+ build(:resource_state_event, issue: issue, state: 2)
+ end
+
+ def permissions(user, issue)
+ described_class.new(user, issue)
+ end
+end
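Review bot: `build_event(label_project)` never uses its parameter (it looks copied from a label-event spec) and builds the event with the bare literal `state: 2`; drop the parameter and call sites to `build_event`, and if the model's state enum has a name for `2` pass that symbol instead so the example reads as a state change rather than a magic number. As with the milestone spec, `def permissions(user, issue)` is misnamed since it receives an event; rename it to `def permissions(user, event)`. Unlike the milestone spec there is no example for an event whose issue lives in a project the user cannot access, so the negative path is only covered for a non-member of the same project.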
diff --git a/spec/policies/todo_policy_spec.rb b/spec/policies/todo_policy_spec.rb
index 34ba7bf9276..fa62f53c628 100644
--- a/spec/policies/todo_policy_spec.rb
+++ b/spec/policies/todo_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe TodoPolicy do
+RSpec.describe TodoPolicy, feature_category: :project_management do
using RSpec::Parameterized::TableSyntax
let_it_be(:project) { create(:project) }
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index d02a94b810e..94b7e295167 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -246,4 +246,30 @@ RSpec.describe UserPolicy do
end
end
end
+
+ describe ':read_user_email_address' do
+ context 'when user is admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:read_user_email_address) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.not_to be_allowed(:read_user_email_address) }
+ end
+ end
+
+ context 'when user is not an admin' do
+ context 'requesting their own' do
+ subject { described_class.new(current_user, current_user) }
+
+ it { is_expected.to be_allowed(:read_user_email_address) }
+ end
+
+ context "requesting a different user's" do
+ it { is_expected.not_to be_allowed(:read_user_email_address) }
+ end
+ end
+ end
end
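Review bot: The "requesting a different user's" context has no `subject` or `current_user` of its own, so it depends on definitions outside this hunk; the example only proves the denial if the outer subject really pairs `current_user` with a different user, which is worth a comment like `# relies on the file-level subject pairing current_user with another user`. The admin contexts likewise inherit that outer subject, so the case of an admin without admin mode reading their own address is not covered, even though the non-admin "requesting their own" example shows self-access is meant to be allowed; consider adding `subject { described_class.new(current_user, current_user) }` under the admin-mode-disabled context with `is_expected.to be_allowed(:read_user_email_address)` if that is the intended behaviour. The surrounding describe block for UserPolicy starts outside this hunk.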
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index ed76ec1eccf..3d282271d60 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe WorkItemPolicy do
let_it_be(:reporter) { create(:user).tap { |user| project.add_reporter(user) } }
let_it_be(:group_reporter) { create(:user).tap { |user| group.add_reporter(user) } }
let_it_be(:non_member_user) { create(:user) }
- let_it_be(:work_item) { create(:work_item, project: project) }
+ let_it_be_with_reload(:work_item) { create(:work_item, project: project) }
let_it_be(:authored_work_item) { create(:work_item, project: project, author: guest_author) }
let_it_be(:public_work_item) { create(:work_item, project: public_project) }