From 7e9c479f7de77702622631cff2628a9c8dcbc627 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 19 Nov 2020 08:27:35 +0000 Subject: Add latest changes from gitlab-org/gitlab@13-6-stable-ee --- .../http_integration_policy_spec.rb | 23 ++++ spec/policies/base_policy_spec.rb | 74 ++++++------- spec/policies/blob_policy_spec.rb | 5 +- spec/policies/group_member_policy_spec.rb | 1 + spec/policies/group_policy_spec.rb | 20 ++++ spec/policies/instance_metadata_policy_spec.rb | 19 ++++ spec/policies/issue_policy_spec.rb | 7 +- spec/policies/merge_request_policy_spec.rb | 13 +++ spec/policies/note_policy_spec.rb | 117 +++++++++++++-------- spec/policies/project_policy_spec.rb | 1 + spec/policies/service_policy_spec.rb | 26 +++++ .../terraform/state_version_policy_spec.rb | 33 ++++++ spec/policies/user_policy_spec.rb | 58 ++++++++++ spec/policies/wiki_page_policy_spec.rb | 5 +- 14 files changed, 315 insertions(+), 87 deletions(-) create mode 100644 spec/policies/alert_management/http_integration_policy_spec.rb create mode 100644 spec/policies/instance_metadata_policy_spec.rb create mode 100644 spec/policies/service_policy_spec.rb create mode 100644 spec/policies/terraform/state_version_policy_spec.rb (limited to 'spec/policies') diff --git a/spec/policies/alert_management/http_integration_policy_spec.rb b/spec/policies/alert_management/http_integration_policy_spec.rb new file mode 100644 index 00000000000..8e8348ad7f5 --- /dev/null +++ b/spec/policies/alert_management/http_integration_policy_spec.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe AlertManagement::HttpIntegrationPolicy, :models do + let(:integration) { create(:alert_management_http_integration) } + let(:project) { integration.project } + let(:user) { create(:user) } + + subject(:policy) { described_class.new(user, integration) } + + describe 'rules' do + it { is_expected.to be_disallowed :admin_operations } + + context 'when maintainer' do + before do + project.add_maintainer(user) + end + + it { is_expected.to be_allowed :admin_operations } + end + end +end diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb index 103f2e9bc39..226660dc955 100644 --- a/spec/policies/base_policy_spec.rb +++ b/spec/policies/base_policy_spec.rb @@ -22,6 +22,34 @@ RSpec.describe BasePolicy do end end + shared_examples 'admin only access' do |policy| + let(:current_user) { build_stubbed(:user) } + + subject { described_class.new(current_user, nil) } + + it { is_expected.not_to be_allowed(policy) } + + context 'for admins' do + let(:current_user) { build_stubbed(:admin) } + + it 'allowed when in admin mode' do + enable_admin_mode!(current_user) + + is_expected.to be_allowed(policy) + end + + it 'prevented when not in admin mode' do + is_expected.not_to be_allowed(policy) + end + end + + context 'for anonymous' do + let(:current_user) { nil } + + it { is_expected.not_to be_allowed(policy) } + end + end + describe 'read cross project' do let(:current_user) { build_stubbed(:user) } let(:user) { build_stubbed(:user) } @@ -41,51 +69,15 @@ RSpec.describe BasePolicy do enable_external_authorization_service_check end - it { is_expected.not_to be_allowed(:read_cross_project) } - - context 'for admins' do - let(:current_user) { build_stubbed(:admin) } - - subject { described_class.new(current_user, nil) } - - it 'allowed when in admin mode' do - enable_admin_mode!(current_user) - - is_expected.to be_allowed(:read_cross_project) - end - - it 'prevented when not in admin mode' do - is_expected.not_to be_allowed(:read_cross_project) - end - end - - context 'for anonymous' do - let(:current_user) { nil } - - it { is_expected.not_to be_allowed(:read_cross_project) } - end + it_behaves_like 'admin only access', :read_cross_project end end describe 'full private access' do - let(:current_user) { build_stubbed(:user) } - - subject { described_class.new(current_user, nil) } - - it { is_expected.not_to be_allowed(:read_all_resources) } - - context 'for admins' do - let(:current_user) { build_stubbed(:admin) } - - it 'allowed when in admin mode' do - enable_admin_mode!(current_user) - - is_expected.to be_allowed(:read_all_resources) - end + it_behaves_like 'admin only access', :read_all_resources + end - it 'prevented when not in admin mode' do - is_expected.not_to be_allowed(:read_all_resources) - end - end + describe 'change_repository_storage' do + it_behaves_like 'admin only access', :change_repository_storage end end diff --git a/spec/policies/blob_policy_spec.rb b/spec/policies/blob_policy_spec.rb index fc46b25f25c..daabcd844af 100644 --- a/spec/policies/blob_policy_spec.rb +++ b/spec/policies/blob_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe BlobPolicy, :enable_admin_mode do +RSpec.describe BlobPolicy do include_context 'ProjectPolicyTable context' include ProjectHelpers using RSpec::Parameterized::TableSyntax @@ -13,12 +13,13 @@ RSpec.describe BlobPolicy, :enable_admin_mode do subject(:policy) { described_class.new(user, blob) } - where(:project_level, :feature_access_level, :membership, :expected_count) do + where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do permission_table_for_guest_feature_access_and_non_private_project_only end with_them do it "grants permission" do + enable_admin_mode!(user) if admin_mode update_feature_access_level(project, feature_access_level) if expected_count == 1 diff --git a/spec/policies/group_member_policy_spec.rb b/spec/policies/group_member_policy_spec.rb index 4215fa09301..9e58ea81ef3 100644 --- a/spec/policies/group_member_policy_spec.rb +++ b/spec/policies/group_member_policy_spec.rb @@ -42,6 +42,7 @@ RSpec.describe GroupMemberPolicy do it do expect_disallowed(:destroy_group_member) expect_disallowed(:update_group_member) + expect_allowed(:read_group) end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index fecf5f3e4f8..7cded27e449 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -876,10 +876,30 @@ RSpec.describe GroupPolicy do let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) } it { is_expected.to be_allowed(:create_package) } + it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_group) } it { is_expected.to be_disallowed(:destroy_package) } end end it_behaves_like 'Self-managed Core resource access tokens' + + context 'support bot' do + let_it_be(:group) { create(:group, :private) } + let_it_be(:current_user) { User.support_bot } + + before do + allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(true) + end + + it { expect_disallowed(:read_label) } + + context 'when group hierarchy has a project with service desk enabled' do + let_it_be(:subgroup) { create(:group, :private, parent: group)} + let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) } + + it { expect_allowed(:read_label) } + it { expect(described_class.new(current_user, subgroup)).to be_allowed(:read_label) } + end + end end diff --git a/spec/policies/instance_metadata_policy_spec.rb b/spec/policies/instance_metadata_policy_spec.rb new file mode 100644 index 00000000000..2c8e18483e6 --- /dev/null +++ b/spec/policies/instance_metadata_policy_spec.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe InstanceMetadataPolicy do + subject { described_class.new(user, InstanceMetadata.new) } + + context 'for any logged-in user' do + let(:user) { create(:user) } + + specify { expect_allowed(:read_instance_metadata) } + end + + context 'for anonymous users' do + let(:user) { nil } + + specify { expect_disallowed(:read_instance_metadata) } + end +end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index e352b990159..76788ae2cb7 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -139,8 +139,13 @@ RSpec.describe IssuePolicy do create(:project_group_link, group: group, project: project) end + it 'does not allow guest to create todos' do + expect(permissions(nil, issue)).to be_allowed(:read_issue) + expect(permissions(nil, issue)).to be_disallowed(:create_todo) + end + it 'allows guests to read issues' do - expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid) + expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid, :create_todo) expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue, :reopen_issue) expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid) diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 3a46d5b9226..744822f58d1 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -24,6 +24,7 @@ RSpec.describe MergeRequestPolicy do mr_perms = %i[create_merge_request_in create_merge_request_from read_merge_request + create_todo approve_merge_request create_note].freeze @@ -47,6 +48,18 @@ RSpec.describe MergeRequestPolicy do end end + context 'when merge request is public' do + context 'and user is anonymous' do + let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) } + + subject { permissions(nil, merge_request) } + + it do + is_expected.to be_disallowed(:create_todo) + end + end + end + context 'when merge requests have been disabled' do let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) } diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb index a4cc3a1e9af..f6cd84f29ae 100644 --- a/spec/policies/note_policy_spec.rb +++ b/spec/policies/note_policy_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' RSpec.describe NotePolicy do - describe '#rules' do + describe '#rules', :aggregate_failures do let(:user) { create(:user) } let(:project) { create(:project, :public) } let(:issue) { create(:issue, project: project) } @@ -11,14 +11,15 @@ RSpec.describe NotePolicy do let(:policy) { described_class.new(user, note) } let(:note) { create(:note, noteable: noteable, author: user, project: project) } + shared_examples_for 'user cannot read or act on the note' do + specify do + expect(policy).to be_disallowed(:admin_note, :reposition_note, :resolve_note, :read_note, :award_emoji) + end + end + shared_examples_for 'a discussion with a private noteable' do context 'when the note author can no longer see the noteable' do - it 'can not edit nor read the note' do - expect(policy).to be_disallowed(:admin_note) - expect(policy).to be_disallowed(:resolve_note) - expect(policy).to be_disallowed(:read_note) - expect(policy).to be_disallowed(:award_emoji) - end + it_behaves_like 'user cannot read or act on the note' end context 'when the note author can still see the noteable' do @@ -28,6 +29,7 @@ RSpec.describe NotePolicy do it 'can edit the note' do expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:reposition_note) expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:read_note) expect(policy).to be_allowed(:award_emoji) @@ -35,6 +37,13 @@ RSpec.describe NotePolicy do end end + shared_examples_for 'a note on a public noteable' do + it 'can only read and award emoji on the note' do + expect(policy).to be_allowed(:read_note, :award_emoji) + expect(policy).to be_disallowed(:reposition_note, :admin_note, :resolve_note) + end + end + context 'when the noteable is a deleted commit' do let(:commit) { nil } let(:note) { create(:note_on_commit, commit_id: '12345678', author: user, project: project) } @@ -42,6 +51,7 @@ RSpec.describe NotePolicy do it 'allows to read' do expect(policy).to be_allowed(:read_note) expect(policy).to be_disallowed(:admin_note) + expect(policy).to be_disallowed(:reposition_note) expect(policy).to be_disallowed(:resolve_note) expect(policy).to be_disallowed(:award_emoji) end @@ -66,31 +76,60 @@ RSpec.describe NotePolicy do end end + context 'when the noteable is a Design' do + include DesignManagementTestHelpers + + let(:note) { create(:note, noteable: noteable, project: project) } + let(:noteable) { create(:design, issue: issue) } + + before do + enable_design_management + end + + it 'can read, award emoji and reposition the note' do + expect(policy).to be_allowed(:reposition_note, :read_note, :award_emoji) + expect(policy).to be_disallowed(:admin_note, :resolve_note) + end + + context 'when project is private' do + let(:project) { create(:project, :private) } + + it_behaves_like 'user cannot read or act on the note' + end + end + context 'when the noteable is a personal snippet' do let(:noteable) { create(:personal_snippet, :public) } - let(:note) { create(:note, noteable: noteable, author: user) } + let(:note) { create(:note, noteable: noteable) } - it 'can edit note' do - expect(policy).to be_allowed(:admin_note) - expect(policy).to be_allowed(:resolve_note) - expect(policy).to be_allowed(:read_note) - end + it_behaves_like 'a note on a public noteable' + + context 'when user is the author of the personal snippet' do + let(:note) { create(:note, noteable: noteable, author: user) } - context 'when it is private' do - let(:noteable) { create(:personal_snippet, :private) } + it 'can edit note' do + expect(policy).to be_allowed(:read_note, :award_emoji, :admin_note, :reposition_note, :resolve_note) + end + + context 'when it is private' do + let(:noteable) { create(:personal_snippet, :private) } - it 'can not edit nor read the note' do - expect(policy).to be_disallowed(:admin_note) - expect(policy).to be_disallowed(:resolve_note) - expect(policy).to be_disallowed(:read_note) + it_behaves_like 'user cannot read or act on the note' end end end context 'when the project is public' do + context 'when user is not the author of the note' do + let(:note) { create(:note, noteable: noteable, project: project) } + + it_behaves_like 'a note on a public noteable' + end + context 'when the note author is not a project member' do it 'can edit a note' do expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:reposition_note) expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:read_note) end @@ -101,6 +140,7 @@ RSpec.describe NotePolicy do it 'can edit note' do expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:reposition_note) expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:read_note) end @@ -132,6 +172,7 @@ RSpec.describe NotePolicy do it 'can edit a note' do expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:reposition_note) expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:read_note) end @@ -140,6 +181,7 @@ RSpec.describe NotePolicy do context 'when the note author is not a project member' do it 'can not edit a note' do expect(policy).to be_disallowed(:admin_note) + expect(policy).to be_disallowed(:reposition_note) expect(policy).to be_disallowed(:resolve_note) end @@ -154,6 +196,7 @@ RSpec.describe NotePolicy do it 'allows the author to manage the discussion' do expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:reposition_note) expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:read_note) expect(policy).to be_allowed(:award_emoji) @@ -180,21 +223,13 @@ RSpec.describe NotePolicy do shared_examples_for 'user can act on the note' do it 'allows the user to read the note' do - expect(policy).not_to be_allowed(:admin_note) + expect(policy).to be_disallowed(:admin_note) + expect(policy).to be_disallowed(:reposition_note) expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:award_emoji) end end - shared_examples_for 'user cannot read or act on the note' do - it 'allows user to read the note' do - expect(policy).not_to be_allowed(:admin_note) - expect(policy).not_to be_allowed(:resolve_note) - expect(policy).not_to be_allowed(:read_note) - expect(policy).not_to be_allowed(:award_emoji) - end - end - context 'when noteable is a public issue' do let(:note) { create(:note, system: true, noteable: noteable, author: user, project: project) } @@ -274,42 +309,42 @@ RSpec.describe NotePolicy do shared_examples_for 'confidential notes permissions' do it 'does not allow non members to read confidential notes and replies' do - expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji) + expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) end it 'does not allow guests to read confidential notes and replies' do - expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji) + expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) end it 'allows reporter to read all notes but not resolve and admin them' do expect(permissions(reporter, confidential_note)).to be_allowed(:read_note, :award_emoji) - expect(permissions(reporter, confidential_note)).to be_disallowed(:admin_note, :resolve_note) + expect(permissions(reporter, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note) end it 'allows developer to read and resolve all notes' do expect(permissions(developer, confidential_note)).to be_allowed(:read_note, :award_emoji, :resolve_note) - expect(permissions(developer, confidential_note)).to be_disallowed(:admin_note) + expect(permissions(developer, confidential_note)).to be_disallowed(:admin_note, :reposition_note) end it 'allows maintainers to read all notes and admin them' do - expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) + expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) end context 'when admin mode is enabled', :enable_admin_mode do it 'allows admins to read all notes and admin them' do - expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) + expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) end end context 'when admin mode is disabled' do it 'does not allow non members to read confidential notes and replies' do - expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji) + expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) end end it 'allows noteable author to read and resolve all notes' do expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji) - expect(permissions(author, confidential_note)).to be_disallowed(:admin_note) + expect(permissions(author, confidential_note)).to be_disallowed(:admin_note, :reposition_note) end end @@ -321,7 +356,7 @@ RSpec.describe NotePolicy do it 'allows noteable assignees to read all notes' do expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji) - expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :resolve_note) + expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note) end end @@ -333,7 +368,7 @@ RSpec.describe NotePolicy do it 'allows noteable assignees to read all notes' do expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji) - expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :resolve_note) + expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note) end end @@ -350,11 +385,11 @@ RSpec.describe NotePolicy do it 'allows snippet author to read and resolve all notes' do expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji) - expect(permissions(author, confidential_note)).to be_disallowed(:admin_note) + expect(permissions(author, confidential_note)).to be_disallowed(:admin_note, :reposition_note) end it 'does not allow maintainers to read confidential notes and replies' do - expect(permissions(maintainer, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji) + expect(permissions(maintainer, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji) end end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index b28fb9a0255..6c281030618 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -697,6 +697,7 @@ RSpec.describe ProjectPolicy do let(:deploy_token) { create(:deploy_token, write_package_registry: true) } it { is_expected.to be_allowed(:create_package) } + it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_project) } it { is_expected.to be_disallowed(:destroy_package) } end diff --git a/spec/policies/service_policy_spec.rb b/spec/policies/service_policy_spec.rb new file mode 100644 index 00000000000..5d2c9c1f6c3 --- /dev/null +++ b/spec/policies/service_policy_spec.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe ServicePolicy, :models do + let_it_be(:user) { create(:user) } + let(:project) { integration.project } + + subject(:policy) { Ability.policy_for(user, integration) } + + context 'when the integration is a prometheus_service' do + let(:integration) { create(:prometheus_service) } + + describe 'rules' do + it { is_expected.to be_disallowed :admin_project } + + context 'when maintainer' do + before do + project.add_maintainer(user) + end + + it { is_expected.to be_allowed :admin_project } + end + end + end +end diff --git a/spec/policies/terraform/state_version_policy_spec.rb b/spec/policies/terraform/state_version_policy_spec.rb new file mode 100644 index 00000000000..6614e073332 --- /dev/null +++ b/spec/policies/terraform/state_version_policy_spec.rb @@ -0,0 +1,33 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Terraform::StateVersionPolicy do + let_it_be(:project) { create(:project) } + let_it_be(:terraform_state) { create(:terraform_state, :with_version, project: project)} + + subject { described_class.new(user, terraform_state.latest_version) } + + describe 'rules' do + context 'no access' do + let(:user) { create(:user) } + + it { is_expected.to be_disallowed(:read_terraform_state) } + it { is_expected.to be_disallowed(:admin_terraform_state) } + end + + context 'developer' do + let(:user) { create(:user, developer_projects: [project]) } + + it { is_expected.to be_allowed(:read_terraform_state) } + it { is_expected.to be_disallowed(:admin_terraform_state) } + end + + context 'maintainer' do + let(:user) { create(:user, maintainer_projects: [project]) } + + it { is_expected.to be_allowed(:read_terraform_state) } + it { is_expected.to be_allowed(:admin_terraform_state) } + end + end +end diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb index 38641558b6b..17ac7d0e44d 100644 --- a/spec/policies/user_policy_spec.rb +++ b/spec/policies/user_policy_spec.rb @@ -40,6 +40,46 @@ RSpec.describe UserPolicy do end end + describe "creating a different user's Personal Access Tokens" do + context 'when current_user is admin' do + let(:current_user) { create(:user, :admin) } + + context 'when admin mode is enabled and current_user is not blocked', :enable_admin_mode do + it { is_expected.to be_allowed(:create_user_personal_access_token) } + end + + context 'when admin mode is enabled and current_user is blocked', :enable_admin_mode do + let(:current_user) { create(:admin, :blocked) } + + it { is_expected.not_to be_allowed(:create_user_personal_access_token) } + end + + context 'when admin mode is disabled' do + it { is_expected.not_to be_allowed(:create_user_personal_access_token) } + end + end + + context 'when current_user is not an admin' do + context 'creating their own personal access tokens' do + subject { described_class.new(current_user, current_user) } + + context 'when current_user is not blocked' do + it { is_expected.to be_allowed(:create_user_personal_access_token) } + end + + context 'when current_user is blocked' do + let(:current_user) { create(:user, :blocked) } + + it { is_expected.not_to be_allowed(:create_user_personal_access_token) } + end + end + + context "creating a different user's personal access tokens" do + it { is_expected.not_to be_allowed(:create_user_personal_access_token) } + end + end + end + shared_examples 'changing a user' do |ability| context "when a regular user tries to destroy another regular user" do it { is_expected.not_to be_allowed(ability) } @@ -102,4 +142,22 @@ RSpec.describe UserPolicy do end end end + + describe "reading a user's group count" do + context "when current_user is an admin", :enable_admin_mode do + let(:current_user) { create(:user, :admin) } + + it { is_expected.to be_allowed(:read_group_count) } + end + + context "for self users" do + let(:user) { current_user } + + it { is_expected.to be_allowed(:read_group_count) } + end + + context "when accessing a different user's group count" do + it { is_expected.not_to be_allowed(:read_group_count) } + end + end end diff --git a/spec/policies/wiki_page_policy_spec.rb b/spec/policies/wiki_page_policy_spec.rb index 093db9f8374..a2fa7f29135 100644 --- a/spec/policies/wiki_page_policy_spec.rb +++ b/spec/policies/wiki_page_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe WikiPagePolicy, :enable_admin_mode do +RSpec.describe WikiPagePolicy do include_context 'ProjectPolicyTable context' include ProjectHelpers using RSpec::Parameterized::TableSyntax @@ -13,12 +13,13 @@ RSpec.describe WikiPagePolicy, :enable_admin_mode do subject(:policy) { described_class.new(user, wiki_page) } - where(:project_level, :feature_access_level, :membership, :expected_count) do + where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do permission_table_for_guest_feature_access end with_them do it "grants permission" do + enable_admin_mode!(user) if admin_mode update_feature_access_level(project, feature_access_level) if expected_count == 1 -- cgit v1.2.3