Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/achievements/user_achievement_policy_spec.rb | 23 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 69 | ||||
-rw-r--r-- | spec/policies/namespaces/user_namespace_policy_spec.rb | 2 | ||||
-rw-r--r-- | spec/policies/personal_snippet_policy_spec.rb | 51 | ||||
-rw-r--r-- | spec/policies/project_member_policy_spec.rb | 6 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 1 | ||||
-rw-r--r-- | spec/policies/project_snippet_policy_spec.rb | 56 | ||||
-rw-r--r-- | spec/policies/work_item_policy_spec.rb | 88 |
8 files changed, 223 insertions, 73 deletions
diff --git a/spec/policies/achievements/user_achievement_policy_spec.rb b/spec/policies/achievements/user_achievement_policy_spec.rb index c3148e882fa..a53912d67a1 100644 --- a/spec/policies/achievements/user_achievement_policy_spec.rb +++ b/spec/policies/achievements/user_achievement_policy_spec.rb @@ -75,4 +75,27 @@ RSpec.describe Achievements::UserAchievementPolicy, feature_category: :user_prof end end end + + context 'when current_user and achievement owner are different' do + it { is_expected.to be_disallowed(:update_owned_user_achievement) } + it { is_expected.to be_disallowed(:update_user_achievement) } + end + + context 'when current_user and achievement owner are the same' do + let(:current_user) { achievement_owner } + + it { is_expected.to be_allowed(:update_owned_user_achievement) } + it { is_expected.to be_allowed(:update_user_achievement) } + end + + context 'when the achievements feature flag is disabled' do + let(:current_user) { achievement_owner } + + before do + stub_feature_flags(achievements: false) + end + + it { is_expected.to be_disallowed(:read_user_achievement) } + it { is_expected.to be_disallowed(:update_user_achievement) } + end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 4d72de27046..cb7884b141e 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -19,6 +19,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do expect_disallowed(*maintainer_permissions) expect_disallowed(*owner_permissions) expect_disallowed(:read_namespace) + expect_disallowed(:read_namespace_via_membership) end end @@ -34,6 +35,7 @@ RSpec.describe GroupPolicy, feature_category: :system_access do expect_disallowed(*maintainer_permissions) expect_disallowed(*owner_permissions) expect_disallowed(:read_namespace) + expect_disallowed(:read_namespace_via_membership) end end 
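Review bot: The 'when the achievements feature flag is disabled' context asserts `read_user_achievement` and `update_user_achievement` but not `update_owned_user_achievement`, which both sibling contexts above it cover; since `current_user` is the owner here, the owned ability is the one most likely to keep passing if the flag were only wired into the generic update rule. Adding `it { is_expected.to be_disallowed(:update_owned_user_achievement) }` to that context closes the gap. The `describe` enclosing these contexts starts outside the hunk, so what `current_user` defaults to in the first context is not visible here.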
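Review bot: `read_namespace_via_membership` is only asserted as disallowed in the two contexts touched by this hunk (the user_namespace_policy hunk in the next file adds it to the owner list, which is the only positive case in the diff), and the context descriptions are outside the hunk, so which roles these two contexts represent cannot be confirmed here. If no other context in group_policy_spec asserts `expect_allowed(:read_namespace_via_membership)` for a member, that case should be added next to the existing `:read_namespace` expectation so the new ability's allow path is pinned and not just its deny path.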
@@ -1099,73 +1101,6 @@ RSpec.describe GroupPolicy, feature_category: :system_access do end end - describe 'observability' do - let(:allowed_admin) { be_allowed(:read_observability) && be_allowed(:admin_observability) } - let(:allowed_read) { be_allowed(:read_observability) && be_disallowed(:admin_observability) } - let(:disallowed) { be_disallowed(:read_observability) && be_disallowed(:admin_observability) } - - # rubocop:disable Layout/LineLength - where(:feature_enabled, :admin_matcher, :owner_matcher, :maintainer_matcher, :developer_matcher, :reporter_matcher, :guest_matcher, :non_member_matcher, :anonymous_matcher) do - false | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) - true | ref(:allowed_admin) | ref(:allowed_admin) | ref(:allowed_admin) | ref(:allowed_read) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) - end - # rubocop:enable Layout/LineLength - - with_them do - before do - stub_feature_flags(observability_group_tab: feature_enabled) - end - - context 'admin', :enable_admin_mode do - let(:current_user) { admin } - - it { is_expected.to admin_matcher } - end - - context 'owner' do - let(:current_user) { owner } - - it { is_expected.to owner_matcher } - end - - context 'maintainer' do - let(:current_user) { maintainer } - - it { is_expected.to maintainer_matcher } - end - - context 'developer' do - let(:current_user) { developer } - - it { is_expected.to developer_matcher } - end - - context 'reporter' do - let(:current_user) { reporter } - - it { is_expected.to reporter_matcher } - end - - context 'with guest' do - let(:current_user) { guest } - - it { is_expected.to guest_matcher } - end - - context 'with non member' do - let(:current_user) { create(:user) } - - it { is_expected.to non_member_matcher } - end - - context 'with anonymous' do - let(:current_user) { nil } - - it { is_expected.to anonymous_matcher } - end - 
end - end - describe 'dependency proxy' do RSpec.shared_examples 'disabling admin_package feature flag' do before do diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb index 41555ca4150..b4fbc7e0417 100644 --- a/spec/policies/namespaces/user_namespace_policy_spec.rb +++ b/spec/policies/namespaces/user_namespace_policy_spec.rb @@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy, feature_category: :groups_and_pr let_it_be(:admin) { create(:admin) } let_it_be(:namespace) { create(:user_namespace, owner: owner) } - let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :read_billing, :edit_billing, :import_projects] } + let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_namespace_via_membership, :read_statistics, :transfer_projects, :admin_package, :read_billing, :edit_billing, :import_projects] } subject { described_class.new(current_user, namespace) } diff --git a/spec/policies/personal_snippet_policy_spec.rb b/spec/policies/personal_snippet_policy_spec.rb index d546805ce01..3efa96cffe9 100644 --- a/spec/policies/personal_snippet_policy_spec.rb +++ b/spec/policies/personal_snippet_policy_spec.rb 
@@ -170,4 +170,55 @@ RSpec.describe PersonalSnippetPolicy do it_behaves_like 'admin access with admin mode' end + + context 'when the author of the snippet is banned', feature_category: :insider_threat do + let(:banned_user) { build(:user, :banned) } + let(:snippet) { build(:personal_snippet, :public, author: banned_user) } + + context 'no user' do + subject { permissions(nil) } + + it do + is_expected.to be_disallowed(:read_snippet) + is_expected.to be_disallowed(:create_note) + is_expected.to be_disallowed(:award_emoji) + is_expected.to be_disallowed(*author_permissions) + end + end + + context 'regular user' do + subject { permissions(regular_user) } + + it do + is_expected.to be_disallowed(:read_snippet) + is_expected.to be_disallowed(:read_note) + is_expected.to be_disallowed(:create_note) + is_expected.to be_disallowed(*author_permissions) + end + end + + context 'external user' do + subject { permissions(external_user) } + + it do + is_expected.to be_disallowed(:read_snippet) + is_expected.to be_disallowed(:read_note) + is_expected.to be_disallowed(:create_note) + is_expected.to be_disallowed(*author_permissions) + end + end + + context 'snippet author' do + subject { permissions(snippet.author) } + + it do + is_expected.to be_disallowed(:read_snippet) + is_expected.to be_disallowed(:read_note) + is_expected.to be_disallowed(:create_note) + is_expected.to be_disallowed(*author_permissions) + end + end + + it_behaves_like 'admin access with admin mode' + end end diff --git a/spec/policies/project_member_policy_spec.rb b/spec/policies/project_member_policy_spec.rb index d7c155b39f5..8e7f2658e3f 100644 --- a/spec/policies/project_member_policy_spec.rb +++ b/spec/policies/project_member_policy_spec.rb 
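Review bot: The 'no user' context asserts `:award_emoji` where its three sibling contexts in the same banned-author block assert `:read_note`, so the anonymous case is the only one that leaves `read_note` unchecked against a banned author's public snippet. Unless the divergence is deliberate, add `is_expected.to be_disallowed(:read_note)` to the 'no user' `it` block (keeping `:award_emoji` there if it is wanted) so the four contexts pin the same set of abilities. `author_permissions`, `regular_user`, `external_user` and the `permissions` helper are defined outside the hunk.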
@@ -2,9 +2,9 @@ require 'spec_helper' -RSpec.describe ProjectMemberPolicy do - let(:project) { create(:project) } - let(:maintainer) { create(:user) } +RSpec.describe ProjectMemberPolicy, feature_category: :groups_and_projects do + let_it_be(:project) { create(:project) } + let_it_be(:maintainer) { create(:user) } let(:member) { create(:project_member, project: project, user: member_user) } let(:current_user) { maintainer } diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index e7c2dcc4158..3de006d8c9b 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -288,7 +288,6 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do :create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_pipeline_schedule, :read_pipeline_schedule_variables, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment ] diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb index c6d8ef05cfd..b02fc53db21 100644 --- a/spec/policies/project_snippet_policy_spec.rb +++ b/spec/policies/project_snippet_policy_spec.rb @@ -7,6 +7,7 @@ RSpec.describe ProjectSnippetPolicy do let_it_be(:group) { create(:group, :public) } let_it_be(:regular_user) { create(:user) } let_it_be(:external_user) { create(:user, :external) } + let_it_be(:admin_user) { create(:user, :admin) } let_it_be(:author) { create(:user) } let_it_be(:author_permissions) do [ 
@@ -296,7 +297,7 @@ RSpec.describe ProjectSnippetPolicy do context 'admin user' do let(:snippet_visibility) { :private } - let(:current_user) { create(:admin) } + let(:current_user) { admin_user } context 'when admin mode is enabled', :enable_admin_mode do it do @@ -327,4 +328,57 @@ RSpec.describe ProjectSnippetPolicy do it_behaves_like 'regular user member permissions' end end + + context 'when the author of the snippet is banned', feature_category: :insider_threat do + let(:banned_user) { build(:user, :banned) } + let(:project) { build(:project, :public, group: group) } + let(:snippet) { build(:project_snippet, :public, project: project, author: banned_user) } + + context 'no user' do + let(:current_user) { nil } + + it do + expect_disallowed(:read_snippet) + expect_disallowed(:read_note) + expect_disallowed(:create_note) + expect_disallowed(*author_permissions) + end + end + + context 'regular user' do + let(:current_user) { regular_user } + let(:membership_target) { project } + + it do + expect_disallowed(:read_snippet) + expect_disallowed(:read_note) + expect_disallowed(:create_note) + expect_disallowed(*author_permissions) + end + end + + context 'external user' do + let(:current_user) { external_user } + let(:membership_target) { project } + + it do + expect_disallowed(:read_snippet) + expect_disallowed(:read_note) + expect_disallowed(:create_note) + expect_disallowed(*author_permissions) + end + end + + context 'admin user', :enable_admin_mode do + let(:current_user) { admin_user } + let(:membership_target) { project } + + it do + expect_allowed(:read_snippet) + expect_allowed(:read_note) + expect_allowed(:create_note) + expect_allowed(*author_permissions) + end + end + end end diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb index bd8f5604eba..568c375ce56 100644 --- a/spec/policies/work_item_policy_spec.rb +++ b/spec/policies/work_item_policy_spec.rb 
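Review bot: The banned-author block's 'admin user' context is only exercised with `:enable_admin_mode`, so nothing asserts what an admin without admin mode gets on a banned author's snippet, whereas the pre-existing 'admin user' context visible in the first hunk splits on 'when admin mode is enabled'. A sibling context without the tag would mirror that structure; the expected result is presumably the regular-user outcome (disallowed) — confirm against the policy before adopting the assertions below. I also can't see from the hunk whether `let(:membership_target) { project }` alone confers a membership level, so the regular/external contexts may depend on a shared `let` defined outside the hunk.
```ruby
    context 'admin user without admin mode' do
      let(:current_user) { admin_user }
      let(:membership_target) { project }

      it do
        expect_disallowed(:read_snippet)
        expect_disallowed(:read_note)
        expect_disallowed(:create_note)
      end
    end
```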
@@ -221,4 +221,92 @@ RSpec.describe WorkItemPolicy, feature_category: :team_planning do it { is_expected.to be_allowed(:admin_work_item_link) } end end + + describe 'create_note' do + context 'when work item is associated with a project' do + context 'when project is public' do + let(:work_item_subject) { public_work_item } + + context 'when user is not a member of the project' do + let(:current_user) { non_member_user } + + it { is_expected.to be_allowed(:create_note) } + end + + context 'when user is a member of the project' do + let(:current_user) { guest_author } + + it { is_expected.to be_allowed(:create_note) } + + context 'when work_item is confidential' do + let(:work_item_subject) { create(:work_item, :confidential, project: project) } + + it { is_expected.not_to be_allowed(:create_note) } + end + end + end + end + + context 'when work item is associated with a group' do + context 'when group is public' do + let_it_be(:public_group) { create(:group, :public) } + let_it_be(:public_group_work_item) { create(:work_item, :group_level, namespace: public_group) } + let_it_be(:public_group_member) { create(:user).tap { |u| public_group.add_reporter(u) } } + let(:work_item_subject) { public_group_work_item } + + let_it_be(:public_group_confidential_work_item) do + create(:work_item, :group_level, :confidential, namespace: public_group) + end + + context 'when user is not a member of the group' do + let(:current_user) { non_member_user } + + it { is_expected.to be_allowed(:create_note) } + + context 'when work_item is confidential' do + let(:work_item_subject) { public_group_confidential_work_item } + + it { is_expected.not_to be_allowed(:create_note) } + end + end + + context 'when user is a member of the group' do + let(:current_user) { public_group_member } + + it { is_expected.to be_allowed(:create_note) } + + context 'when work_item is confidential' do + let(:work_item_subject) { public_group_confidential_work_item } + + it { is_expected.to 
be_allowed(:create_note) } + end + end + end + + context 'when group is not public' do + let_it_be(:private_group) { create(:group, :private) } + let_it_be(:private_group_work_item) { create(:work_item, :group_level, namespace: private_group) } + let_it_be(:private_group_reporter) { create(:user).tap { |u| private_group.add_reporter(u) } } + let(:work_item_subject) { private_group_work_item } + + context 'when user is not a member of the group' do + let(:current_user) { non_member_user } + + it { is_expected.not_to be_allowed(:create_note) } + end + + context 'when user is a member of the group' do + let(:current_user) { private_group_reporter } + + it { is_expected.to be_allowed(:create_note) } + + context 'when work_item is confidential' do + let(:work_item_subject) { create(:work_item, :group_level, :confidential, namespace: private_group) } + + it { is_expected.to be_allowed(:create_note) } + end + end + end + end + end end |
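Review bot: In the 'when project is public' branch the confidential case is only tested for the project member (`guest_author`), while the public-group branch tests confidential for both the non-member and the member; the non-member-on-confidential-project-work-item case, the one that guards against outsiders commenting on confidential items, is missing here. Under 'when user is not a member of the project' add `context 'when work_item is confidential' do`, `let(:work_item_subject) { create(:work_item, :confidential, project: project) }` and `it { is_expected.not_to be_allowed(:create_note) }`. The member-confidential case asserts `not_to be_allowed` for a guest while the group member contexts assert allowed for a reporter; if that reflects a guest-versus-reporter distinction, a one-line comment on the project context saying so would make the asymmetry intentional rather than surprising. `public_work_item`, `guest_author`, `non_member_user` and `project` are defined outside the hunk.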