Diffstat (limited to 'spec')
| -rw-r--r-- | spec/models/application_setting_spec.rb | 24 | ||||
| -rw-r--r-- | spec/requests/api/projects_spec.rb | 29 | ||||
| -rw-r--r-- | spec/services/create_snippet_service_spec.rb | 44 | ||||
| -rw-r--r-- | spec/services/projects/create_service_spec.rb | 27 | ||||
| -rw-r--r-- | spec/services/projects/update_service_spec.rb | 6 | ||||
| -rw-r--r-- | spec/services/update_snippet_service_spec.rb | 52 |
6 files changed, 167 insertions, 15 deletions
diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb index d1027f64d13..b4f0b2c201a 100644 --- a/spec/models/application_setting_spec.rb +++ b/spec/models/application_setting_spec.rb @@ -2,17 +2,19 @@ # # Table name: application_settings # -# id :integer not null, primary key -# default_projects_limit :integer -# signup_enabled :boolean -# signin_enabled :boolean -# gravatar_enabled :boolean -# sign_in_text :text -# created_at :datetime -# updated_at :datetime -# home_page_url :string(255) -# default_branch_protection :integer default(2) -# twitter_sharing_enabled :boolean default(TRUE) +# id :integer not null, primary key +# default_projects_limit :integer +# default_branch_protection :integer +# signup_enabled :boolean +# signin_enabled :boolean +# gravatar_enabled :boolean +# sign_in_text :text +# created_at :datetime +# updated_at :datetime +# home_page_url :string(255) +# default_branch_protection :integer default(2) +# twitter_sharing_enabled :boolean default(TRUE) +# restricted_visibility_levels :text # require 'spec_helper' diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index 0b3a47e3273..f28dfea3ccf 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -3,6 +3,7 @@ require 'spec_helper' describe API::API, api: true do include ApiHelpers + include Gitlab::CurrentSettings let(:user) { create(:user) } let(:user2) { create(:user) } let(:user3) { create(:user) } 
@@ -202,6 +203,31 @@ describe API::API, api: true do expect(json_response['public']).to be_falsey expect(json_response['visibility_level']).to eq(Gitlab::VisibilityLevel::PRIVATE) end + + context 'when a visibility level is restricted' do + before do + @project = attributes_for(:project, { public: true }) + allow_any_instance_of(ApplicationSetting).to( + receive(:restricted_visibility_levels).and_return([20]) + ) + end + + it 'should not allow a non-admin to use a restricted visibility level' do + post api('/projects', user), @project + expect(response.status).to eq(400) + expect(json_response['message']['visibility_level'].first).to( + match('restricted by your GitLab administrator') + ) + end + + it 'should allow an admin to override restricted visibility settings' do + post api('/projects', admin), @project + expect(json_response['public']).to be_truthy + expect(json_response['visibility_level']).to( + eq(Gitlab::VisibilityLevel::PUBLIC) + ) + end + end end describe 'POST /projects/user/:id' do @@ -399,7 +425,8 @@ describe API::API, api: true do describe 'POST /projects/:id/snippets' do it 'should create a new project snippet' do post api("/projects/#{project.id}/snippets", user), - title: 'api test', file_name: 'sample.rb', code: 'test' + title: 'api test', file_name: 'sample.rb', code: 'test', + visibility_level: '0' expect(response.status).to eq(201) expect(json_response['title']).to eq('api test') end diff --git a/spec/services/create_snippet_service_spec.rb b/spec/services/create_snippet_service_spec.rb new file mode 100644 index 00000000000..08689c15ca8 --- /dev/null +++ b/spec/services/create_snippet_service_spec.rb 
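Review bot: The `before` block of the new 'when a visibility level is restricted' context stubs the restriction as `and_return([20])`, while the assertion further down names the same level as `Gitlab::VisibilityLevel::PUBLIC`. If the numeric value ever drifts, the stub would restrict nothing and the admin example would pass without exercising the override, so I would write `receive(:restricted_visibility_levels).and_return([Gitlab::VisibilityLevel::PUBLIC])`, as the two new snippet service specs do. The same literal appears in the hunks for spec/services/projects/create_service_spec.rb and spec/services/projects/update_service_spec.rb. The admin example also never checks the response code; adding `expect(response.status).to eq(201)` (presumably the code, as for the snippet POST later in this file) would pin that the request succeeded rather than only that the JSON carries the expected fields.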
@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe CreateSnippetService do
+ before do
+ @user = create :user
+ @admin = create :user, admin: true
+ @opts = {
+ title: 'Test snippet',
+ file_name: 'snippet.rb',
+ content: 'puts "hello world"',
+ visibility_level: Gitlab::VisibilityLevel::PRIVATE
+ }
+ end
+
+ context 'When public visibility is restricted' do
+ before do
+ allow_any_instance_of(ApplicationSetting).to(
+ receive(:restricted_visibility_levels).and_return(
+ [Gitlab::VisibilityLevel::PUBLIC]
+ )
+ )
+
+ @opts.merge!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ end
+
+ it 'non-admins should not be able to create a public snippet' do
+ snippet = create_snippet(nil, @user, @opts)
+ expect(snippet.errors.messages).to have_key(:visibility_level)
+ expect(snippet.errors.messages[:visibility_level].first).to(
+ match('Public visibility has been restricted')
+ )
+ end
+
+ it 'admins should be able to create a public snippet' do
+ snippet = create_snippet(nil, @admin, @opts)
+ expect(snippet.errors.any?).to be_falsey
+ expect(snippet.visibility_level).to eq(Gitlab::VisibilityLevel::PUBLIC)
+ end
+ end
+
+ def create_snippet(project, user, opts)
+ CreateSnippetService.new(project, user, opts).execute
+ end
+end
diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb
index 8bb48346202..337dae592dd 100644
--- a/spec/services/projects/create_service_spec.rb
+++ b/spec/services/projects/create_service_spec.rb
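Review bot: The non-admin example in spec/services/create_snippet_service_spec.rb checks only the validation message, so it would still pass if the service recorded the error but stored the public snippet anyway. For an access-control rule the test should also pin that nothing was saved, e.g. `expect(snippet).not_to be_persisted` after the `create_snippet(nil, @user, @opts)` call. The admin example could assert `expect(snippet).to be_persisted` for symmetry, since `errors.any?` being falsey does not by itself show the record was written.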
@@ -55,6 +55,33 @@ describe Projects::CreateService do it { expect(File.exists?(@path)).to be_falsey } end end + + context 'restricted visibility level' do + before do + allow_any_instance_of(ApplicationSetting).to( + receive(:restricted_visibility_levels).and_return([20]) + ) + + @opts.merge!( + visibility_level: Gitlab::VisibilityLevel.options['Public'] + ) + end + + it 'should not allow a restricted visibility level for non-admins' do + project = create_project(@user, @opts) + expect(project).to respond_to(:errors) + expect(project.errors.messages).to have_key(:visibility_level) + expect(project.errors.messages[:visibility_level].first).to( + match('restricted by your GitLab administrator') + ) + end + + it 'should allow a restricted visibility level for admins' do + project = create_project(@admin, @opts) + expect(project.errors.any?).to be(false) + expect(project.saved?).to be(true) + end + end end def create_project(user, opts) diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb index 10dbc548e86..ea5b8813105 100644 --- a/spec/services/projects/update_service_spec.rb +++ b/spec/services/projects/update_service_spec.rb @@ -47,9 +47,9 @@ describe Projects::UpdateService do context 'respect configured visibility restrictions setting' do before(:each) do - @restrictions = double("restrictions") - allow(@restrictions).to receive(:restricted_visibility_levels) { [ "public" ] } - Settings.stub_chain(:gitlab).and_return(@restrictions) + allow_any_instance_of(ApplicationSetting).to( + receive(:restricted_visibility_levels).and_return([20]) + ) end context 'should be private when updated to private' do diff --git a/spec/services/update_snippet_service_spec.rb b/spec/services/update_snippet_service_spec.rb new file mode 100644 index 00000000000..841ef9bfed1 --- /dev/null +++ b/spec/services/update_snippet_service_spec.rb 
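Review bot: In 'should not allow a restricted visibility level for non-admins', nothing asserts that the project was not saved, and `expect(project).to respond_to(:errors)` adds little on top of the `errors.messages` checks that follow it. The admin example already uses `project.saved?`, so the denial path can mirror it with `expect(project.saved?).to be(false)`; otherwise a service that sets the error but still creates the project would pass this test. The enclosing `describe` block and the `@user`/`@admin`/`@opts` setup lie outside the hunk, so this assumes they behave as their names suggest.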
@@ -0,0 +1,52 @@
+require 'spec_helper'
+
+describe UpdateSnippetService do
+ before do
+ @user = create :user
+ @admin = create :user, admin: true
+ @opts = {
+ title: 'Test snippet',
+ file_name: 'snippet.rb',
+ content: 'puts "hello world"',
+ visibility_level: Gitlab::VisibilityLevel::PRIVATE
+ }
+ end
+
+ context 'When public visibility is restricted' do
+ before do
+ allow_any_instance_of(ApplicationSetting).to(
+ receive(:restricted_visibility_levels).and_return(
+ [Gitlab::VisibilityLevel::PUBLIC]
+ )
+ )
+
+ @snippet = create_snippet(@project, @user, @opts)
+ @opts.merge!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ end
+
+ it 'non-admins should not be able to update to public visibility' do
+ old_visibility = @snippet.visibility_level
+ update_snippet(@project, @user, @snippet, @opts)
+ expect(@snippet.errors.messages).to have_key(:visibility_level)
+ expect(@snippet.errors.messages[:visibility_level].first).to(
+ match('Public visibility has been restricted')
+ )
+ expect(@snippet.visibility_level).to eq(old_visibility)
+ end
+
+ it 'admins should be able to update to pubic visibility' do
+ old_visibility = @snippet.visibility_level
+ update_snippet(@project, @admin, @snippet, @opts)
+ expect(@snippet.visibility_level).not_to eq(old_visibility)
+ expect(@snippet.visibility_level).to eq(Gitlab::VisibilityLevel::PUBLIC)
+ end
+ end
+
+ def create_snippet(project, user, opts)
+ CreateSnippetService.new(project, user, opts).execute
+ end
+
+ def update_snippet(project = nil, user, snippet, opts)
+ UpdateSnippetService.new(project, user, snippet, opts).execute
+ end
+end |
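Review bot: Both examples in spec/services/update_snippet_service_spec.rb assert on the in-memory `@snippet`, so the non-admin case does not show that the stored record kept its old visibility. `expect(@snippet.reload.visibility_level).to eq(old_visibility)` would check what was actually persisted after the rejected update. `@project` is never assigned anywhere in this new file, so every call passes `nil`; passing `nil` explicitly, as the create spec does, and dropping the leading optional parameter in `def update_snippet(project = nil, user, snippet, opts)` would make that visible. The description 'admins should be able to update to pubic visibility' also has a typo for 'public'.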
