blob: 0e9200f1fd9346218b29aca712dbbcc881b2c91c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
# frozen_string_literal: true
RSpec.shared_examples 'protected ref access' do |association|
include ExternalAuthorizationServiceHelpers
let_it_be(:project) { create(:project) }
let_it_be(:protected_ref) { create(association, project: project) } # rubocop:disable Rails/SaveBang
describe 'validations' do
subject { build(described_class.model_name.singular) }
context 'when role?' do
it { is_expected.to validate_inclusion_of(:access_level).in_array(described_class.allowed_access_levels) }
it { is_expected.to validate_presence_of(:access_level) }
it do
is_expected.to validate_uniqueness_of(:access_level)
.scoped_to("#{described_class.module_parent.model_name.singular}_id")
end
end
context 'when not role?' do
before do
allow(subject).to receive(:role?).and_return(false)
end
it { is_expected.not_to validate_presence_of(:access_level) }
it { is_expected.not_to validate_inclusion_of(:access_level).in_array(described_class.allowed_access_levels) }
it do
is_expected.not_to validate_uniqueness_of(:access_level)
.scoped_to("#{described_class.module_parent.model_name.singular}_id")
end
end
end
describe '::human_access_levels' do
subject { described_class.human_access_levels }
let(:levels) do
{
Gitlab::Access::DEVELOPER => "Developers + Maintainers",
Gitlab::Access::MAINTAINER => "Maintainers",
Gitlab::Access::ADMIN => 'Instance admins',
Gitlab::Access::NO_ACCESS => "No one"
}.slice(*described_class.allowed_access_levels)
end
it { is_expected.to eq(levels) }
end
describe '#check_access' do
let_it_be(:current_user) { create(:user) }
let(:access_level) { ::Gitlab::Access::DEVELOPER }
before_all do
project.add_developer(current_user)
end
subject do
described_class.new(
association => protected_ref,
access_level: access_level
)
end
context 'when current_user is nil' do
it { expect(subject.check_access(nil)).to eq(false) }
end
context 'when access_level is NO_ACCESS' do
let(:access_level) { ::Gitlab::Access::NO_ACCESS }
it { expect(subject.check_access(current_user)).to eq(false) }
end
context 'when instance admin access is configured' do
let(:access_level) { Gitlab::Access::ADMIN }
context 'when current_user is a maintainer' do
it { expect(subject.check_access(current_user)).to eq(false) }
end
context 'when current_user is admin' do
before do
allow(current_user).to receive(:admin?).and_return(true)
end
it { expect(subject.check_access(current_user)).to eq(true) }
end
end
context 'when current_user can push_code to project' do
context 'and member access is high enough' do
it { expect(subject.check_access(current_user)).to eq(true) }
context 'when external authorization denies access' do
before do
external_service_deny_access(current_user, project)
end
it { expect(subject.check_access(current_user)).to be_falsey }
end
end
context 'and member access is too low' do
let(:access_level) { ::Gitlab::Access::MAINTAINER }
it { expect(subject.check_access(current_user)).to eq(false) }
end
end
context 'when current_user cannot push_code to project' do
before do
allow(current_user).to receive(:can?).with(:push_code, project).and_return(false)
end
it { expect(subject.check_access(current_user)).to eq(false) }
end
end
end
|