diff options
Diffstat (limited to 'spec/policies')
-rw-r--r-- | spec/policies/group_policy_spec.rb | 33 | ||||
-rw-r--r-- | spec/policies/namespaces/project_namespace_policy_spec.rb | 3 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 84 |
3 files changed, 99 insertions, 21 deletions
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 201ccf0fc14..fc4fbace790 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -11,8 +11,8 @@ RSpec.describe GroupPolicy do it do expect_allowed(:read_group) - expect_allowed(:read_organization) - expect_allowed(:read_contact) + expect_allowed(:read_crm_organization) + expect_allowed(:read_crm_contact) expect_allowed(:read_counts) expect_allowed(*read_group_permissions) expect_disallowed(:upload_file) @@ -33,8 +33,8 @@ RSpec.describe GroupPolicy do end it { expect_disallowed(:read_group) } - it { expect_disallowed(:read_organization) } - it { expect_disallowed(:read_contact) } + it { expect_disallowed(:read_crm_organization) } + it { expect_disallowed(:read_crm_contact) } it { expect_disallowed(:read_counts) } it { expect_disallowed(*read_group_permissions) } end @@ -48,8 +48,8 @@ RSpec.describe GroupPolicy do end it { expect_disallowed(:read_group) } - it { expect_disallowed(:read_organization) } - it { expect_disallowed(:read_contact) } + it { expect_disallowed(:read_crm_organization) } + it { expect_disallowed(:read_crm_contact) } it { expect_disallowed(:read_counts) } it { expect_disallowed(*read_group_permissions) } end @@ -933,8 +933,8 @@ RSpec.describe GroupPolicy do it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_group) } - it { is_expected.to be_allowed(:read_organization) } - it { is_expected.to be_allowed(:read_contact) } + it { is_expected.to be_allowed(:read_crm_organization) } + it { is_expected.to be_allowed(:read_crm_contact) } it { is_expected.to be_disallowed(:create_package) } end @@ -944,8 +944,8 @@ RSpec.describe GroupPolicy do it { is_expected.to be_allowed(:create_package) } it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_group) } - it { is_expected.to be_allowed(:read_organization) } - it { is_expected.to be_allowed(:read_contact) } + it { is_expected.to be_allowed(:read_crm_organization) } + it { is_expected.to be_allowed(:read_crm_contact) } it { is_expected.to be_disallowed(:destroy_package) } end @@ -1032,4 +1032,17 @@ RSpec.describe GroupPolicy do it { is_expected.to be_disallowed(:update_runners_registration_token) } end end + + context 'with customer_relations feature flag disabled' do + let(:current_user) { owner } + + before do + stub_feature_flags(customer_relations: false) + end + + it { is_expected.to be_disallowed(:read_crm_contact) } + it { is_expected.to be_disallowed(:read_crm_organization) } + it { is_expected.to be_disallowed(:admin_crm_contact) } + it { is_expected.to be_disallowed(:admin_crm_organization) } + end end diff --git a/spec/policies/namespaces/project_namespace_policy_spec.rb b/spec/policies/namespaces/project_namespace_policy_spec.rb index 22f3ccec1f8..5bb38deb498 100644 --- a/spec/policies/namespaces/project_namespace_policy_spec.rb +++ b/spec/policies/namespaces/project_namespace_policy_spec.rb @@ -4,7 +4,8 @@ require 'spec_helper' RSpec.describe NamespacePolicy do let_it_be(:parent) { create(:namespace) } - let_it_be(:namespace) { create(:project_namespace, parent: parent) } + let_it_be(:project) { create(:project, namespace: parent) } + let_it_be(:namespace) { project.project_namespace } let(:permissions) do [:owner_access, :create_projects, :admin_namespace, :read_namespace, diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index f36b0a62aa3..2953c198af6 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -104,29 +104,71 @@ RSpec.describe ProjectPolicy do end context 'pipeline feature' do - let(:project) { private_project } + let(:project) { private_project } + let(:current_user) { developer } + let(:pipeline) { create(:ci_pipeline, project: project) } - before do - private_project.add_developer(current_user) + describe 'for confirmed user' do + it 'allows modify pipelines' do + expect_allowed(:create_pipeline) + expect_allowed(:update_pipeline) + expect_allowed(:create_pipeline_schedule) + end end describe 'for unconfirmed user' do - let(:current_user) { create(:user, confirmed_at: nil) } + let(:current_user) { project.owner.tap { |u| u.update!(confirmed_at: nil) } } it 'disallows to modify pipelines' do expect_disallowed(:create_pipeline) expect_disallowed(:update_pipeline) + expect_disallowed(:destroy_pipeline) expect_disallowed(:create_pipeline_schedule) end end - describe 'for confirmed user' do - let(:current_user) { developer } + describe 'destroy permission' do + describe 'for developers' do + it 'prevents :destroy_pipeline' do + expect(current_user.can?(:destroy_pipeline, pipeline)).to be_falsey + end + end - it 'allows modify pipelines' do - expect_allowed(:create_pipeline) - expect_allowed(:update_pipeline) - expect_allowed(:create_pipeline_schedule) + describe 'for maintainers' do + let(:current_user) { maintainer } + + it 'prevents :destroy_pipeline' do + project.add_maintainer(maintainer) + expect(current_user.can?(:destroy_pipeline, pipeline)).to be_falsey + end + end + + describe 'for project owner' do + let(:current_user) { project.owner } + + it 'allows :destroy_pipeline' do + expect(current_user.can?(:destroy_pipeline, pipeline)).to be_truthy + end + + context 'on archived projects' do + before do + project.update!(archived: true) + end + + it 'prevents :destroy_pipeline' do + expect(current_user.can?(:destroy_pipeline, pipeline)).to be_falsey + end + end + + context 'on archived pending_delete projects' do + before do + project.update!(archived: true, pending_delete: true) + end + + it 'allows :destroy_pipeline' do + expect(current_user.can?(:destroy_pipeline, pipeline)).to be_truthy + end + end end end end @@ -955,6 +997,28 @@ RSpec.describe ProjectPolicy do end end + context 'infrastructure google cloud feature' do + %w(guest reporter developer).each do |role| + context role do + let(:current_user) { send(role) } + + it 'disallows managing google cloud' do + expect_disallowed(:admin_project_google_cloud) + end + end + end + + %w(maintainer owner).each do |role| + context role do + let(:current_user) { send(role) } + + it 'allows managing google cloud' do + expect_allowed(:admin_project_google_cloud) + end + end + end + end + describe 'design permissions' do include DesignManagementTestHelpers |