Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/achievements/user_achievement_policy_spec.rb23
-rw-r--r--spec/policies/group_policy_spec.rb69
-rw-r--r--spec/policies/namespaces/user_namespace_policy_spec.rb2
-rw-r--r--spec/policies/personal_snippet_policy_spec.rb51
-rw-r--r--spec/policies/project_member_policy_spec.rb6
-rw-r--r--spec/policies/project_policy_spec.rb1
-rw-r--r--spec/policies/project_snippet_policy_spec.rb56
-rw-r--r--spec/policies/work_item_policy_spec.rb88
8 files changed, 223 insertions, 73 deletions
diff --git a/spec/policies/achievements/user_achievement_policy_spec.rb b/spec/policies/achievements/user_achievement_policy_spec.rb
index c3148e882fa..a53912d67a1 100644
--- a/spec/policies/achievements/user_achievement_policy_spec.rb
+++ b/spec/policies/achievements/user_achievement_policy_spec.rb
@@ -75,4 +75,27 @@ RSpec.describe Achievements::UserAchievementPolicy, feature_category: :user_prof
end
end
end
+
+ context 'when current_user and achievement owner are different' do
+ it { is_expected.to be_disallowed(:update_owned_user_achievement) }
+ it { is_expected.to be_disallowed(:update_user_achievement) }
+ end
+
+ context 'when current_user and achievement owner are the same' do
+ let(:current_user) { achievement_owner }
+
+ it { is_expected.to be_allowed(:update_owned_user_achievement) }
+ it { is_expected.to be_allowed(:update_user_achievement) }
+ end
+
+ context 'when the achievements feature flag is disabled' do
+ let(:current_user) { achievement_owner }
+
+ before do
+ stub_feature_flags(achievements: false)
+ end
+
+ it { is_expected.to be_disallowed(:read_user_achievement) }
+ it { is_expected.to be_disallowed(:update_user_achievement) }
+ end
end
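Review bot: The flag-disabled context asserts only :read_user_achievement and :update_user_achievement, so :update_owned_user_achievement is never checked under the disabled flag even though current_user is the owner there and the preceding context shows the owner normally holds it; add `it { is_expected.to be_disallowed(:update_owned_user_achievement) }` so a flag regression on the owner-scoped ability is caught. The 'owner are different' context sets no current_user and relies on whatever let the enclosing describe defines above the hunk; an explicit `let(:current_user) { ... }` or a one-line comment naming that default would make the denial self-explanatory. The enclosing describe starts outside the hunk.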
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 4d72de27046..cb7884b141e 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -19,6 +19,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
expect_disallowed(:read_namespace)
+ expect_disallowed(:read_namespace_via_membership)
end
end
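Review bot: :read_namespace_via_membership is asserted only as disallowed here and in the second hunk of this file, so nothing in this spec shows that a member is actually granted it; unless the ability is appended to one of the permission lists outside these hunks, add a positive assertion such as `expect_allowed(:read_namespace_via_membership)` in a member context (guest would be the most informative) so an over-restrictive policy is caught as well as an over-permissive one. The observability block removed in the third hunk is history and is not re-reviewed.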
@@ -34,6 +35,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
expect_disallowed(:read_namespace)
+ expect_disallowed(:read_namespace_via_membership)
end
end
@@ -1099,73 +1101,6 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
end
end
- describe 'observability' do
- let(:allowed_admin) { be_allowed(:read_observability) && be_allowed(:admin_observability) }
- let(:allowed_read) { be_allowed(:read_observability) && be_disallowed(:admin_observability) }
- let(:disallowed) { be_disallowed(:read_observability) && be_disallowed(:admin_observability) }
-
- # rubocop:disable Layout/LineLength
- where(:feature_enabled, :admin_matcher, :owner_matcher, :maintainer_matcher, :developer_matcher, :reporter_matcher, :guest_matcher, :non_member_matcher, :anonymous_matcher) do
- false | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed)
- true | ref(:allowed_admin) | ref(:allowed_admin) | ref(:allowed_admin) | ref(:allowed_read) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed)
- end
- # rubocop:enable Layout/LineLength
-
- with_them do
- before do
- stub_feature_flags(observability_group_tab: feature_enabled)
- end
-
- context 'admin', :enable_admin_mode do
- let(:current_user) { admin }
-
- it { is_expected.to admin_matcher }
- end
-
- context 'owner' do
- let(:current_user) { owner }
-
- it { is_expected.to owner_matcher }
- end
-
- context 'maintainer' do
- let(:current_user) { maintainer }
-
- it { is_expected.to maintainer_matcher }
- end
-
- context 'developer' do
- let(:current_user) { developer }
-
- it { is_expected.to developer_matcher }
- end
-
- context 'reporter' do
- let(:current_user) { reporter }
-
- it { is_expected.to reporter_matcher }
- end
-
- context 'with guest' do
- let(:current_user) { guest }
-
- it { is_expected.to guest_matcher }
- end
-
- context 'with non member' do
- let(:current_user) { create(:user) }
-
- it { is_expected.to non_member_matcher }
- end
-
- context 'with anonymous' do
- let(:current_user) { nil }
-
- it { is_expected.to anonymous_matcher }
- end
- end
- end
-
describe 'dependency proxy' do
RSpec.shared_examples 'disabling admin_package feature flag' do
before do
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index 41555ca4150..b4fbc7e0417 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy, feature_category: :groups_and_pr
let_it_be(:admin) { create(:admin) }
let_it_be(:namespace) { create(:user_namespace, owner: owner) }
- let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :read_billing, :edit_billing, :import_projects] }
+ let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_namespace_via_membership, :read_statistics, :transfer_projects, :admin_package, :read_billing, :edit_billing, :import_projects] }
subject { described_class.new(current_user, namespace) }
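Review bot: The rewritten owner_permissions array is one very long line and this change makes it longer, so the next permission added or removed will again be a single-line diff in which the actual change is hard to see; consider `let(:owner_permissions) do` with the symbols laid out a few per line. Whether Layout/LineLength is enforced on this file is not visible from the hunk, so this is a readability point only.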
diff --git a/spec/policies/personal_snippet_policy_spec.rb b/spec/policies/personal_snippet_policy_spec.rb
index d546805ce01..3efa96cffe9 100644
--- a/spec/policies/personal_snippet_policy_spec.rb
+++ b/spec/policies/personal_snippet_policy_spec.rb
@@ -170,4 +170,55 @@ RSpec.describe PersonalSnippetPolicy do
it_behaves_like 'admin access with admin mode'
end
+
+ context 'when the author of the snippet is banned', feature_category: :insider_threat do
+ let(:banned_user) { build(:user, :banned) }
+ let(:snippet) { build(:personal_snippet, :public, author: banned_user) }
+
+ context 'no user' do
+ subject { permissions(nil) }
+
+ it do
+ is_expected.to be_disallowed(:read_snippet)
+ is_expected.to be_disallowed(:create_note)
+ is_expected.to be_disallowed(:award_emoji)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
+
+ context 'regular user' do
+ subject { permissions(regular_user) }
+
+ it do
+ is_expected.to be_disallowed(:read_snippet)
+ is_expected.to be_disallowed(:read_note)
+ is_expected.to be_disallowed(:create_note)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
+
+ context 'external user' do
+ subject { permissions(external_user) }
+
+ it do
+ is_expected.to be_disallowed(:read_snippet)
+ is_expected.to be_disallowed(:read_note)
+ is_expected.to be_disallowed(:create_note)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
+
+ context 'snippet author' do
+ subject { permissions(snippet.author) }
+
+ it do
+ is_expected.to be_disallowed(:read_snippet)
+ is_expected.to be_disallowed(:read_note)
+ is_expected.to be_disallowed(:create_note)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
+
+ it_behaves_like 'admin access with admin mode'
+ end
end
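Review bot: The 'no user' context asserts :award_emoji but not :read_note, while the three user contexts assert :read_note but not :award_emoji, so the anonymous and authenticated denials for a banned author's snippet are not checked against the same set; add `is_expected.to be_disallowed(:read_note)` to 'no user' and `is_expected.to be_disallowed(:award_emoji)` to the other three. The 'snippet author' context is the banned user themselves, which deserves a one-line comment such as `# a ban overrides authorship: the author loses access to their own snippet` since that is the non-obvious decision the block encodes. `it_behaves_like 'admin access with admin mode'` is defined outside the hunk; if it asserts allowed, a comment stating that admin mode is the intended carve-out would keep it from reading as an oversight.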
diff --git a/spec/policies/project_member_policy_spec.rb b/spec/policies/project_member_policy_spec.rb
index d7c155b39f5..8e7f2658e3f 100644
--- a/spec/policies/project_member_policy_spec.rb
+++ b/spec/policies/project_member_policy_spec.rb
@@ -2,9 +2,9 @@
require 'spec_helper'
-RSpec.describe ProjectMemberPolicy do
- let(:project) { create(:project) }
- let(:maintainer) { create(:user) }
+RSpec.describe ProjectMemberPolicy, feature_category: :groups_and_projects do
+ let_it_be(:project) { create(:project) }
+ let_it_be(:maintainer) { create(:user) }
let(:member) { create(:project_member, project: project, user: member_user) }
let(:current_user) { maintainer }
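Review bot: `maintainer` is now a `let_it_be` user, but nothing in this hunk grants it a role on `project`, so the grant must live in code outside the hunk; if that is a per-example `before`, the membership is rebuilt for every example while the user itself is shared, and it may be simpler to build it once with `let_it_be(:maintainer) { create(:user).tap { |u| project.add_maintainer(u) } }` so the fixture matches its name. The `member` let remains per-example, which is correct because `member_user` varies by context. The describe body continues beyond the hunk.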
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index e7c2dcc4158..3de006d8c9b 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -288,7 +288,6 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule_variables, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
- :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
]
diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb
index c6d8ef05cfd..b02fc53db21 100644
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe ProjectSnippetPolicy do
let_it_be(:group) { create(:group, :public) }
let_it_be(:regular_user) { create(:user) }
let_it_be(:external_user) { create(:user, :external) }
+ let_it_be(:admin_user) { create(:user, :admin) }
let_it_be(:author) { create(:user) }
let_it_be(:author_permissions) do
[
@@ -296,7 +297,7 @@ RSpec.describe ProjectSnippetPolicy do
context 'admin user' do
let(:snippet_visibility) { :private }
- let(:current_user) { create(:admin) }
+ let(:current_user) { admin_user }
context 'when admin mode is enabled', :enable_admin_mode do
it do
@@ -327,4 +328,57 @@ RSpec.describe ProjectSnippetPolicy do
it_behaves_like 'regular user member permissions'
end
end
+
+ context 'when the author of the snippet is banned', feature_category: :insider_threat do
+ let(:banned_user) { build(:user, :banned) }
+ let(:project) { build(:project, :public, group: group) }
+ let(:snippet) { build(:project_snippet, :public, project: project, author: banned_user) }
+
+ context 'no user' do
+ let(:current_user) { nil }
+
+ it do
+ expect_disallowed(:read_snippet)
+ expect_disallowed(:read_note)
+ expect_disallowed(:create_note)
+ expect_disallowed(*author_permissions)
+ end
+ end
+
+ context 'regular user' do
+ let(:current_user) { regular_user }
+ let(:membership_target) { project }
+
+ it do
+ expect_disallowed(:read_snippet)
+ expect_disallowed(:read_note)
+ expect_disallowed(:create_note)
+ expect_disallowed(*author_permissions)
+ end
+ end
+
+ context 'external user' do
+ let(:current_user) { external_user }
+ let(:membership_target) { project }
+
+ it do
+ expect_disallowed(:read_snippet)
+ expect_disallowed(:read_note)
+ expect_disallowed(:create_note)
+ expect_disallowed(*author_permissions)
+ end
+ end
+
+ context 'admin user', :enable_admin_mode do
+ let(:current_user) { admin_user }
+ let(:membership_target) { project }
+
+ it do
+ expect_allowed(:read_snippet)
+ expect_allowed(:read_note)
+ expect_allowed(:create_note)
+ expect_allowed(*author_permissions)
+ end
+ end
+ end
end
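Review bot: Unlike the matching block added to personal_snippet_policy_spec.rb in this same diff, this banned-author section has no context for the banned author acting as current_user, so the policy's treatment of a banned user's own project snippet is untested here; add a 'snippet author' context with `let(:current_user) { banned_user }` asserting the same four disallowed abilities. The admin-mode context asserts allowed on a banned author's snippet, which reads as intended but deserves a one-line comment saying admin mode is the deliberate carve-out. 'no user' omits the `let(:membership_target)` the other contexts set; that is presumably harmless for nil but worth confirming against the helper defined outside the hunk.
```ruby
    context 'snippet author' do
      let(:current_user) { banned_user }

      it do
        expect_disallowed(:read_snippet)
        expect_disallowed(:read_note)
        expect_disallowed(:create_note)
        expect_disallowed(*author_permissions)
      end
    end
```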
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index bd8f5604eba..568c375ce56 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
@@ -221,4 +221,92 @@ RSpec.describe WorkItemPolicy, feature_category: :team_planning do
it { is_expected.to be_allowed(:admin_work_item_link) }
end
end
+
+ describe 'create_note' do
+ context 'when work item is associated with a project' do
+ context 'when project is public' do
+ let(:work_item_subject) { public_work_item }
+
+ context 'when user is not a member of the project' do
+ let(:current_user) { non_member_user }
+
+ it { is_expected.to be_allowed(:create_note) }
+ end
+
+ context 'when user is a member of the project' do
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_allowed(:create_note) }
+
+ context 'when work_item is confidential' do
+ let(:work_item_subject) { create(:work_item, :confidential, project: project) }
+
+ it { is_expected.not_to be_allowed(:create_note) }
+ end
+ end
+ end
+ end
+
+ context 'when work item is associated with a group' do
+ context 'when group is public' do
+ let_it_be(:public_group) { create(:group, :public) }
+ let_it_be(:public_group_work_item) { create(:work_item, :group_level, namespace: public_group) }
+ let_it_be(:public_group_member) { create(:user).tap { |u| public_group.add_reporter(u) } }
+ let(:work_item_subject) { public_group_work_item }
+
+ let_it_be(:public_group_confidential_work_item) do
+ create(:work_item, :group_level, :confidential, namespace: public_group)
+ end
+
+ context 'when user is not a member of the group' do
+ let(:current_user) { non_member_user }
+
+ it { is_expected.to be_allowed(:create_note) }
+
+ context 'when work_item is confidential' do
+ let(:work_item_subject) { public_group_confidential_work_item }
+
+ it { is_expected.not_to be_allowed(:create_note) }
+ end
+ end
+
+ context 'when user is a member of the group' do
+ let(:current_user) { public_group_member }
+
+ it { is_expected.to be_allowed(:create_note) }
+
+ context 'when work_item is confidential' do
+ let(:work_item_subject) { public_group_confidential_work_item }
+
+ it { is_expected.to be_allowed(:create_note) }
+ end
+ end
+ end
+
+ context 'when group is not public' do
+ let_it_be(:private_group) { create(:group, :private) }
+ let_it_be(:private_group_work_item) { create(:work_item, :group_level, namespace: private_group) }
+ let_it_be(:private_group_reporter) { create(:user).tap { |u| private_group.add_reporter(u) } }
+ let(:work_item_subject) { private_group_work_item }
+
+ context 'when user is not a member of the group' do
+ let(:current_user) { non_member_user }
+
+ it { is_expected.not_to be_allowed(:create_note) }
+ end
+
+ context 'when user is a member of the group' do
+ let(:current_user) { private_group_reporter }
+
+ it { is_expected.to be_allowed(:create_note) }
+
+ context 'when work_item is confidential' do
+ let(:work_item_subject) { create(:work_item, :group_level, :confidential, namespace: private_group) }
+
+ it { is_expected.to be_allowed(:create_note) }
+ end
+ end
+ end
+ end
+ end
end
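Review bot: The project branch of 'create_note' covers only a public project and tests the confidential case only for the member, whereas the group branch covers public and private namespaces and the non-member confidential case, so a non-member commenting on a confidential item in a public project is never asserted denied; add a confidential sub-context under 'when user is not a member of the project'. A 'when project is not public' context mirroring 'when group is not public' would complete the matrix. Style: the other policy specs in this diff express denials with `be_disallowed`, while these examples use `is_expected.not_to be_allowed(:create_note)`; one form throughout the file reads better. The enclosing describe continues outside the hunk.
```ruby
        context 'when user is not a member of the project' do
          # … unchanged: non_member_user let and allowed example …

          context 'when work_item is confidential' do
            let(:work_item_subject) { create(:work_item, :confidential, project: project) }

            it { is_expected.to be_disallowed(:create_note) }
          end
        end
```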