kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/spec/policies/project_policy_spec.rb

1407 lines
43 KiB
Ruby
Raw Normal View History

Add latest changes from gitlab-org/gitlab@master
2019-10-25 00:06:14 +00:00
# frozen_string_literal: true
add project_policy_spec to replace .project_abilities spec
2016-08-23 23:19:36 +00:00
require 'spec_helper'
Add latest changes from gitlab-org/gitlab@master
2020-06-24 06:09:01 +00:00
RSpec.describe ProjectPolicy do
Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE
2019-04-09 15:38:58 +00:00
include ExternalAuthorizationServiceHelpers
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
include_context 'ProjectPolicy context'
Add latest changes from gitlab-org/gitlab@master
2020-09-09 21:08:33 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:project) { public_project }
subject { described_class.new(current_user, project) }
Test if issue authors can access private projects
2016-09-19 20:21:58 +00:00
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
end
def expect_disallowed(*permissions)
permissions.each { |p| is_expected.not_to be_allowed(p) }
end
Guard against deleted project feature entry In https://gitlab.com/gitlab-org/gitlab-ce/issues/66482, we see that a project's `project_feature` association may be lazily loaded and hence return `nil` if the entry is deleted if the `Project` is already loaded in memory. To ensure we don't fail hard when this happens, assume all features are disabled. We can fix this issue by eager loading the `project_feature` in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/32169, but we shouldn't have to depend on that. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/66482
2019-08-25 14:20:17 +00:00
context 'with no project feature' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { owner }
Guard against deleted project feature entry In https://gitlab.com/gitlab-org/gitlab-ce/issues/66482, we see that a project's `project_feature` association may be lazily loaded and hence return `nil` if the entry is deleted if the `Project` is already loaded in memory. To ensure we don't fail hard when this happens, assume all features are disabled. We can fix this issue by eager loading the `project_feature` in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/32169, but we shouldn't have to depend on that. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/66482
2019-08-25 14:20:17 +00:00
before do
Add latest changes from gitlab-org/gitlab@master
2020-07-29 12:09:45 +00:00
project.project_feature.destroy!
Guard against deleted project feature entry In https://gitlab.com/gitlab-org/gitlab-ce/issues/66482, we see that a project's `project_feature` association may be lazily loaded and hence return `nil` if the entry is deleted if the `Project` is already loaded in memory. To ensure we don't fail hard when this happens, assume all features are disabled. We can fix this issue by eager loading the `project_feature` in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/32169, but we shouldn't have to depend on that. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/66482
2019-08-25 14:20:17 +00:00
project.reload
end
it 'returns false' do
is_expected.to be_disallowed(:read_build)
end
end
Test if issue authors can access private projects
2016-09-19 20:21:58 +00:00
it 'does not include the read_issue permission when the issue author is not a member of the private project' do
Change all `:empty_project` to `:project`
2017-08-02 19:55:11 +00:00
project = create(:project, :private)
Make user/author use project.creator in most factories Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-08-04 17:14:04 +00:00
issue = create(:issue, project: project, author: create(:user))
Test if issue authors can access private projects
2016-09-19 20:21:58 +00:00
user = issue.author
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect(project.team.member?(issue.author)).to be false
Test if issue authors can access private projects
2016-09-19 20:21:58 +00:00
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect(Ability).not_to be_allowed(user, :read_issue, project)
Test if issue authors can access private projects
2016-09-19 20:21:58 +00:00
end
Improve project policy spec
2016-09-21 05:09:31 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-04-13 15:09:20 +00:00
it_behaves_like 'model with wiki policies' do
let(:container) { project }
Add latest changes from gitlab-org/gitlab@master
2020-05-06 15:09:42 +00:00
let_it_be(:user) { owner }
Fixed bug when external wiki is enabled When the external wiki is enabled, the internal wiki link is replaced by the external wiki url. But the internal wiki is still accessible. In this change the external wiki will have its own tab in the sidebar and only if the services are disabled the tab (and access rights) will not be displayed.
2019-01-09 15:05:52 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-04-13 15:09:20 +00:00
def set_access_level(access_level)
project.project_feature.update_attribute(:wiki_access_level, access_level)
Allowing all users to view history This removes the create_wiki permission check from the history controller, allowing show and history to have the same level of permissions. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/29528
2019-07-23 22:40:23 +00:00
end
Improve ProjectPolicy spec to check permissions when wiki is disabled
2016-11-29 19:30:14 +00:00
end
Associate Issues tab only with internal issues tracker
2017-06-13 08:25:25 +00:00
context 'issues feature' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { owner }
Associate Issues tab only with internal issues tracker
2017-06-13 08:25:25 +00:00
context 'when the feature is disabled' do
Disable board policies when issues are disabled Board list policies are also included
2019-02-11 10:51:53 +00:00
before do
Associate Issues tab only with internal issues tracker
2017-06-13 08:25:25 +00:00
project.issues_enabled = false
project.save!
Disable board policies when issues are disabled Board list policies are also included
2019-02-11 10:51:53 +00:00
end
Associate Issues tab only with internal issues tracker
2017-06-13 08:25:25 +00:00
Disable board policies when issues are disabled Board list policies are also included
2019-02-11 10:51:53 +00:00
it 'does not include the issues permissions' do
Fix N+1 in MergeRequestParser read_project can be prevented by a very expensive condition, which we want to avoid, while still not writing manual SQL queries. read_project_for_iids is used by read_issue_iid and read_merge_request_iid to satisfy both of those constraints, and allow the declarative policy runner to use its normal caching strategy.
2018-04-02 15:14:20 +00:00
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
Associate Issues tab only with internal issues tracker
2017-06-13 08:25:25 +00:00
end
Disable board policies when issues are disabled Board list policies are also included
2019-02-11 10:51:53 +00:00
it 'disables boards and lists permissions' do
Add latest changes from gitlab-org/gitlab@master
2021-03-03 00:10:50 +00:00
expect_disallowed :read_issue_board, :create_board, :update_board
expect_disallowed :read_issue_board_list, :create_list, :update_list, :admin_issue_board_list
Disable board policies when issues are disabled Board list policies are also included
2019-02-11 10:51:53 +00:00
end
Associate Issues tab only with internal issues tracker
2017-06-13 08:25:25 +00:00
Disable board policies when issues are disabled Board list policies are also included
2019-02-11 10:51:53 +00:00
context 'when external tracker configured' do
it 'does not include the issues permissions' do
create(:jira_service, project: project)
Associate Issues tab only with internal issues tracker
2017-06-13 08:25:25 +00:00
Disable board policies when issues are disabled Board list policies are also included
2019-02-11 10:51:53 +00:00
expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue
end
Associate Issues tab only with internal issues tracker
2017-06-13 08:25:25 +00:00
end
end
end
Prevent new merge requests for archived projects This prevents creating merge requests targeting archived projects. This could happen when a project was already forked, but then the source was archived.
2018-04-06 10:47:52 +00:00
context 'merge requests feature' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { owner }
Prevent new merge requests for archived projects This prevents creating merge requests targeting archived projects. This could happen when a project was already forked, but then the source was archived.
2018-04-06 10:47:52 +00:00
it 'disallows all permissions when the feature is disabled' do
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
Prevent new merge requests for archived projects This prevents creating merge requests targeting archived projects. This could happen when a project was already forked, but then the source was archived.
2018-04-06 10:47:52 +00:00
Rename `create_merge_request` permissions So we can distinguish between the permissions on the source and the target project. - `create_merge_request_from` indicates a user can create a merge request with the project as a source_project - `create_merge_request_in` indicates a user can create a merge request with the project as a target_project
2018-04-06 12:18:58 +00:00
mr_permissions = [:create_merge_request_from, :read_merge_request,
Prevent new merge requests for archived projects This prevents creating merge requests targeting archived projects. This could happen when a project was already forked, but then the source was archived.
2018-04-06 10:47:52 +00:00
:update_merge_request, :admin_merge_request,
Rename `create_merge_request` permissions So we can distinguish between the permissions on the source and the target project. - `create_merge_request_from` indicates a user can create a merge request with the project as a source_project - `create_merge_request_in` indicates a user can create a merge request with the project as a target_project
2018-04-06 12:18:58 +00:00
:create_merge_request_in]
Prevent new merge requests for archived projects This prevents creating merge requests targeting archived projects. This could happen when a project was already forked, but then the source was archived.
2018-04-06 10:47:52 +00:00
expect_disallowed(*mr_permissions)
end
end
Don't process MR refs for guests in the notes
2019-01-09 19:24:05 +00:00
context 'for a guest in a private project' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { guest }
let(:project) { private_project }
Don't process MR refs for guests in the notes
2019-01-09 19:24:05 +00:00
it 'disallows the guest from reading the merge request and merge request iid' do
expect_disallowed(:read_merge_request)
expect_disallowed(:read_merge_request_iid)
end
end
Add latest changes from gitlab-org/gitlab@master
2019-11-08 00:05:58 +00:00
context 'pipeline feature' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:project) { private_project }
Add latest changes from gitlab-org/gitlab@master
2019-11-08 00:05:58 +00:00
Add latest changes from gitlab-org/gitlab@master
2021-03-01 15:10:53 +00:00
before do
private_project.add_developer(current_user)
end
Add latest changes from gitlab-org/gitlab@master
2019-11-08 00:05:58 +00:00
describe 'for unconfirmed user' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { create(:user, confirmed_at: nil) }
Add latest changes from gitlab-org/gitlab@master
2019-11-08 00:05:58 +00:00
it 'disallows to modify pipelines' do
expect_disallowed(:create_pipeline)
expect_disallowed(:update_pipeline)
expect_disallowed(:create_pipeline_schedule)
end
end
describe 'for confirmed user' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { developer }
Add latest changes from gitlab-org/gitlab@master
2019-11-08 00:05:58 +00:00
it 'allows modify pipelines' do
expect_allowed(:create_pipeline)
expect_allowed(:update_pipeline)
expect_allowed(:create_pipeline_schedule)
end
end
end
Operations and Kubernetes items are now omitted in the sidebar when repository or builds are disabled
2018-06-14 10:34:09 +00:00
context 'builds feature' do
[master] Pipelines section is available to unauthorized users
2019-01-28 12:12:30 +00:00
context 'when builds are disabled' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { owner }
Operations and Kubernetes items are now omitted in the sidebar when repository or builds are disabled
2018-06-14 10:34:09 +00:00
[master] Pipelines section is available to unauthorized users
2019-01-28 12:12:30 +00:00
before do
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED)
[master] Pipelines section is available to unauthorized users
2019-01-28 12:12:30 +00:00
end
Operations and Kubernetes items are now omitted in the sidebar when repository or builds are disabled
2018-06-14 10:34:09 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-05-21 18:08:27 +00:00
it 'disallows all permissions except pipeline when the feature is disabled' do
builds_permissions = [
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
Add latest changes from gitlab-org/gitlab@master
2020-11-02 21:09:10 +00:00
:create_pipeline_schedule, :read_pipeline_schedule_variables, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
Add latest changes from gitlab-org/gitlab@master
2020-05-21 18:08:27 +00:00
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
]
Add latest changes from gitlab-org/gitlab@master
2020-05-15 21:08:21 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-05-21 18:08:27 +00:00
expect_disallowed(*builds_permissions)
[master] Pipelines section is available to unauthorized users
2019-01-28 12:12:30 +00:00
end
end
context 'when builds are disabled only for some users' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { guest }
[master] Pipelines section is available to unauthorized users
2019-01-28 12:12:30 +00:00
before do
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
project.project_feature.update!(builds_access_level: ProjectFeature::PRIVATE)
[master] Pipelines section is available to unauthorized users
2019-01-28 12:12:30 +00:00
end
Operations and Kubernetes items are now omitted in the sidebar when repository or builds are disabled
2018-06-14 10:34:09 +00:00
[master] Pipelines section is available to unauthorized users
2019-01-28 12:12:30 +00:00
it 'disallows pipeline and commit_status permissions' do
builds_permissions = [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_commit_status, :update_commit_status, :admin_commit_status, :destroy_commit_status
]
expect_disallowed(*builds_permissions)
end
Operations and Kubernetes items are now omitted in the sidebar when repository or builds are disabled
2018-06-14 10:34:09 +00:00
end
end
context 'repository feature' do
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
let(:repository_permissions) do
[
Add latest changes from gitlab-org/gitlab@master
2020-05-21 18:08:27 +00:00
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
:destroy_release, :download_code, :build_download_code
Add latest changes from gitlab-org/gitlab@master
2020-05-21 18:08:27 +00:00
]
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
end
context 'when user is a project member' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { owner }
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
context 'when it is disabled' do
before do
project.project_feature.update!(
repository_access_level: ProjectFeature::DISABLED,
merge_requests_access_level: ProjectFeature::DISABLED,
builds_access_level: ProjectFeature::DISABLED,
forking_access_level: ProjectFeature::DISABLED
)
end
Add latest changes from gitlab-org/gitlab@master
2020-05-21 18:08:27 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
it 'disallows all permissions' do
expect_disallowed(*repository_permissions)
end
end
end
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
context 'when user is non-member' do
let(:current_user) { non_member }
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
context 'when access level is private' do
before do
project.project_feature.update!(
repository_access_level: ProjectFeature::PRIVATE,
merge_requests_access_level: ProjectFeature::PRIVATE,
builds_access_level: ProjectFeature::PRIVATE,
forking_access_level: ProjectFeature::PRIVATE
)
end
it 'disallows all permissions' do
expect_disallowed(*repository_permissions)
end
end
Operations and Kubernetes items are now omitted in the sidebar when repository or builds are disabled
2018-06-14 10:34:09 +00:00
end
end
Refactor spec/policies/project_policy_spec.rb to minimize the diff with EE Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-09-22 07:13:31 +00:00
it_behaves_like 'project policies as anonymous'
it_behaves_like 'project policies as guest'
it_behaves_like 'project policies as reporter'
it_behaves_like 'project policies as developer'
Resolve "Rename the `Master` role to `Maintainer`" Backend
2018-07-11 14:36:08 +00:00
it_behaves_like 'project policies as maintainer'
Refactor spec/policies/project_policy_spec.rb to minimize the diff with EE Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-09-22 07:13:31 +00:00
it_behaves_like 'project policies as owner'
Add latest changes from gitlab-org/gitlab@master
2020-05-15 15:08:04 +00:00
it_behaves_like 'project policies as admin with admin mode'
it_behaves_like 'project policies as admin without admin mode'
Allow abilities on forks while MR is open When an MR is created using `allow_maintainer_to_push`, we enable some abilities while the MR is open. This should allow every user with developer abilities on the target project, to push to the source project.
2018-02-26 12:32:42 +00:00
context 'when a public project has merge requests allowing access' do
include ProjectForksHelper
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { create(:user) }
Allow abilities on forks while MR is open When an MR is created using `allow_maintainer_to_push`, we enable some abilities while the MR is open. This should allow every user with developer abilities on the target project, to push to the source project.
2018-02-26 12:32:42 +00:00
let(:target_project) { create(:project, :public) }
let(:project) { fork_project(target_project) }
let!(:merge_request) do
create(
:merge_request,
target_project: target_project,
source_project: project,
Rephrase "maintainer" to more precise "members who can merge to the target branch" "Maintainer" will be freed to be used for #42751
2018-05-23 01:54:57 +00:00
allow_collaboration: true
Allow abilities on forks while MR is open When an MR is created using `allow_maintainer_to_push`, we enable some abilities while the MR is open. This should allow every user with developer abilities on the target project, to push to the source project.
2018-02-26 12:32:42 +00:00
)
end
Add latest changes from gitlab-org/gitlab@master
2020-08-11 03:11:00 +00:00
Allow abilities on forks while MR is open When an MR is created using `allow_maintainer_to_push`, we enable some abilities while the MR is open. This should allow every user with developer abilities on the target project, to push to the source project.
2018-02-26 12:32:42 +00:00
let(:maintainer_abilities) do
Enable update_(build|pipeline) for maintainers
2018-05-15 08:18:22 +00:00
%w(create_build create_pipeline)
Allow abilities on forks while MR is open When an MR is created using `allow_maintainer_to_push`, we enable some abilities while the MR is open. This should allow every user with developer abilities on the target project, to push to the source project.
2018-02-26 12:32:42 +00:00
end
it 'does not allow pushing code' do
expect_disallowed(*maintainer_abilities)
end
it 'allows pushing if the user is a member with push access to the target project' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
target_project.add_developer(current_user)
Allow abilities on forks while MR is open When an MR is created using `allow_maintainer_to_push`, we enable some abilities while the MR is open. This should allow every user with developer abilities on the target project, to push to the source project.
2018-02-26 12:32:42 +00:00
expect_allowed(*maintainer_abilities)
end
Add latest changes from gitlab-org/gitlab@master
2020-05-15 15:08:04 +00:00
it 'disallows abilities to a maintainer if the merge request was closed' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
target_project.add_developer(current_user)
Allow abilities on forks while MR is open When an MR is created using `allow_maintainer_to_push`, we enable some abilities while the MR is open. This should allow every user with developer abilities on the target project, to push to the source project.
2018-02-26 12:32:42 +00:00
merge_request.close!
expect_disallowed(*maintainer_abilities)
end
end
Allow users to add cluster with ancestors Include a new policy in Clusterables (projects and groups), which checks if another cluster can be added clusterable_has_cluster? and multiple_clusters_available private methods will be overriden in EE Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/34758
2018-12-04 21:38:15 +00:00
it_behaves_like 'clusterable policies' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let_it_be(:clusterable) { create(:project, :repository) }
let_it_be(:cluster) do
create(:cluster, :provided_by_gcp, :project, projects: [clusterable])
Allow users to add cluster with ancestors Include a new policy in Clusterables (projects and groups), which checks if another cluster can be added clusterable_has_cluster? and multiple_clusters_available private methods will be overriden in EE Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/34758
2018-12-04 21:38:15 +00:00
end
end
Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE
2019-04-09 15:38:58 +00:00
context 'reading a project' do
it 'allows access when a user has read access to the repo' do
expect(described_class.new(owner, project)).to be_allowed(:read_project)
expect(described_class.new(developer, project)).to be_allowed(:read_project)
expect(described_class.new(admin, project)).to be_allowed(:read_project)
end
it 'never checks the external service' do
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
expect(described_class.new(owner, project)).to be_allowed(:read_project)
end
context 'with an external authorization service' do
before do
enable_external_authorization_service_check
end
it 'allows access when the external service allows it' do
external_service_allow_access(owner, project)
external_service_allow_access(developer, project)
expect(described_class.new(owner, project)).to be_allowed(:read_project)
expect(described_class.new(developer, project)).to be_allowed(:read_project)
end
Add latest changes from gitlab-org/gitlab@master
2020-05-15 15:08:04 +00:00
context 'with an admin' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'does not check the external service and allows access' do
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE
2019-04-09 15:38:58 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-05-15 15:08:04 +00:00
expect(described_class.new(admin, project)).to be_allowed(:read_project)
end
end
context 'when admin mode is disabled' do
it 'checks the external service and allows access' do
external_service_allow_access(admin, project)
expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?)
expect(described_class.new(admin, project)).to be_allowed(:read_project)
end
end
Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE
2019-04-09 15:38:58 +00:00
end
it 'prevents all but seeing a public project in a list when access is denied' do
[developer, owner, build(:user), nil].each do |user|
external_service_deny_access(user, project)
policy = described_class.new(user, project)
expect(policy).not_to be_allowed(:read_project)
expect(policy).not_to be_allowed(:owner_access)
expect(policy).not_to be_allowed(:change_namespace)
end
end
it 'passes the full path to external authorization for logging purposes' do
expect(::Gitlab::ExternalAuthorization)
.to receive(:access_allowed?).with(owner, 'default_label', project.full_path).and_call_original
described_class.new(owner, project).allowed?(:read_project)
end
end
end
Add latest changes from gitlab-org/gitlab@master
2019-10-14 15:06:07 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-01-20 15:09:18 +00:00
context 'forking a project' do
context 'anonymous user' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-01-20 15:09:18 +00:00
it { is_expected.to be_disallowed(:fork_project) }
end
context 'project member' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:project) { private_project }
Add latest changes from gitlab-org/gitlab@master
2020-01-20 15:09:18 +00:00
context 'guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:fork_project) }
end
%w(reporter developer maintainer).each do |role|
context role do
let(:current_user) { send(role) }
it { is_expected.to be_allowed(:fork_project) }
end
end
end
end
Add latest changes from gitlab-org/gitlab@master
2019-10-14 15:06:07 +00:00
describe 'update_max_artifacts_size' do
context 'when no user' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2019-10-14 15:06:07 +00:00
it { expect_disallowed(:update_max_artifacts_size) }
end
context 'admin' do
let(:current_user) { admin }
Add latest changes from gitlab-org/gitlab@master
2020-05-15 15:08:04 +00:00
context 'when admin mode is enabled', :enable_admin_mode do
it { expect_allowed(:update_max_artifacts_size) }
end
context 'when admin mode is disabled' do
it { expect_disallowed(:update_max_artifacts_size) }
end
Add latest changes from gitlab-org/gitlab@master
2019-10-14 15:06:07 +00:00
end
%w(guest reporter developer maintainer owner).each do |role|
context role do
let(:current_user) { send(role) }
it { expect_disallowed(:update_max_artifacts_size) }
end
end
end
Add latest changes from gitlab-org/gitlab@master
2020-02-06 12:10:29 +00:00
context 'alert bot' do
let(:current_user) { User.alert_bot }
it { is_expected.to be_allowed(:reporter_access) }
context 'within a private project' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:project) { private_project }
Add latest changes from gitlab-org/gitlab@master
2020-02-06 12:10:29 +00:00
it { is_expected.to be_allowed(:admin_issue) }
end
end
Add latest changes from gitlab-org/gitlab@master
2020-03-25 09:08:11 +00:00
Add latest changes from gitlab-org/gitlab@master
2021-01-14 12:10:54 +00:00
describe 'set_pipeline_variables' do
context 'when user is developer' do
let(:current_user) { developer }
context 'when project allows user defined variables' do
before do
project.update!(restrict_user_defined_variables: false)
end
it { is_expected.to be_allowed(:set_pipeline_variables) }
end
context 'when project restricts use of user defined variables' do
before do
project.update!(restrict_user_defined_variables: true)
end
it { is_expected.not_to be_allowed(:set_pipeline_variables) }
end
end
context 'when user is maintainer' do
let(:current_user) { maintainer }
context 'when project allows user defined variables' do
before do
project.update!(restrict_user_defined_variables: false)
end
it { is_expected.to be_allowed(:set_pipeline_variables) }
end
context 'when project restricts use of user defined variables' do
before do
project.update!(restrict_user_defined_variables: true)
end
it { is_expected.to be_allowed(:set_pipeline_variables) }
end
end
end
Add latest changes from gitlab-org/gitlab@master
2020-06-22 15:09:27 +00:00
context 'support bot' do
let(:current_user) { User.support_bot }
context 'with service desk disabled' do
it { expect_allowed(:guest_access) }
it { expect_disallowed(:create_note, :read_project) }
end
context 'with service desk enabled' do
before do
allow(project).to receive(:service_desk_enabled?).and_return(true)
end
it { expect_allowed(:reporter_access, :create_note, :read_issue) }
context 'when issues are protected members only' do
before do
project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
end
it { expect_allowed(:reporter_access, :create_note, :read_issue) }
end
end
end
Add latest changes from gitlab-org/gitlab@master
2021-01-29 21:09:34 +00:00
context "project bots" do
let(:project_bot) { create(:user, :project_bot) }
let(:user) { create(:user) }
context "project_bot_access" do
context "when regular user and part of the project" do
let(:current_user) { user }
before do
project.add_developer(user)
end
it { is_expected.not_to be_allowed(:project_bot_access)}
end
context "when project bot and not part of the project" do
let(:current_user) { project_bot }
it { is_expected.not_to be_allowed(:project_bot_access)}
end
context "when project bot and part of the project" do
let(:current_user) { project_bot }
before do
project.add_developer(project_bot)
end
it { is_expected.to be_allowed(:project_bot_access)}
end
end
context 'with resource access tokens' do
let(:current_user) { project_bot }
before do
project.add_maintainer(project_bot)
end
Add latest changes from gitlab-org/gitlab@master
2021-03-26 21:09:22 +00:00
it { is_expected.not_to be_allowed(:create_resource_access_tokens)}
Add latest changes from gitlab-org/gitlab@master
2021-01-29 21:09:34 +00:00
end
end
Add latest changes from gitlab-org/gitlab@master
2020-03-25 09:08:11 +00:00
describe 'read_prometheus_alerts' do
context 'with admin' do
let(:current_user) { admin }
Add latest changes from gitlab-org/gitlab@master
2020-05-15 15:08:04 +00:00
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_prometheus_alerts) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
Add latest changes from gitlab-org/gitlab@master
2020-03-25 09:08:11 +00:00
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:read_prometheus_alerts) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:read_prometheus_alerts) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-03-25 09:08:11 +00:00
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
end
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
describe 'metrics_dashboard feature' do
context 'public project' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:project) { public_project }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
context 'feature private' do
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-11 18:09:55 +00:00
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
end
context 'feature enabled' do
before do
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-11 18:09:55 +00:00
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-11 18:09:55 +00:00
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-15 21:08:21 +00:00
it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
end
end
context 'internal project' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:project) { internal_project }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
context 'feature private' do
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-11 18:09:55 +00:00
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
it { is_expected.to be_disallowed(:metrics_dashboard)}
end
end
context 'feature enabled' do
before do
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-11 18:09:55 +00:00
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-11 18:09:55 +00:00
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
end
end
context 'private project' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:project) { private_project }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
context 'feature private' do
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-11 18:09:55 +00:00
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
end
context 'feature enabled' do
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:metrics_dashboard) }
it { is_expected.to be_allowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
Add latest changes from gitlab-org/gitlab@master
2020-05-11 18:09:55 +00:00
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
end
end
context 'feature disabled' do
before do
Add latest changes from gitlab-org/gitlab@master
2020-06-03 18:08:28 +00:00
project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::DISABLED)
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-04-30 09:09:39 +00:00
it { is_expected.to be_disallowed(:metrics_dashboard) }
end
end
end
Add latest changes from gitlab-org/gitlab@master
2020-05-13 09:08:37 +00:00
context 'deploy token access' do
let!(:project_deploy_token) do
create(:project_deploy_token, project: project, deploy_token: deploy_token)
end
subject { described_class.new(deploy_token, project) }
context 'a deploy token with read_package_registry scope' do
let(:deploy_token) { create(:deploy_token, read_package_registry: true) }
it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_disallowed(:create_package) }
end
context 'a deploy token with write_package_registry scope' do
let(:deploy_token) { create(:deploy_token, write_package_registry: true) }
it { is_expected.to be_allowed(:create_package) }
Add latest changes from gitlab-org/gitlab@master
2020-11-16 21:09:02 +00:00
it { is_expected.to be_allowed(:read_package) }
Add latest changes from gitlab-org/gitlab@master
2020-05-13 09:08:37 +00:00
it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_disallowed(:destroy_package) }
end
end
Add latest changes from gitlab-org/gitlab@master
2020-05-25 15:07:58 +00:00
describe 'create_web_ide_terminal' do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_web_ide_terminal) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:create_web_ide_terminal) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:create_web_ide_terminal) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
context 'with non member' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { non_member }
Add latest changes from gitlab-org/gitlab@master
2020-05-25 15:07:58 +00:00
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-05-25 15:07:58 +00:00
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
end
Add latest changes from gitlab-org/gitlab@master
2020-06-05 15:08:23 +00:00
describe 'read_repository_graphs' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { guest }
Add latest changes from gitlab-org/gitlab@master
2020-06-05 15:08:23 +00:00
before do
allow(subject).to receive(:allowed?).with(:read_repository_graphs).and_call_original
allow(subject).to receive(:allowed?).with(:download_code).and_return(can_download_code)
end
context 'when user can download_code' do
let(:can_download_code) { true }
it { is_expected.to be_allowed(:read_repository_graphs) }
end
context 'when user cannot download_code' do
let(:can_download_code) { false }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
end
Add latest changes from gitlab-org/gitlab@master
2021-02-04 21:09:06 +00:00
context 'security configuration feature' do
%w(guest reporter).each do |role|
context role do
let(:current_user) { send(role) }
it 'prevents reading security configuration' do
expect_disallowed(:read_security_configuration)
end
end
end
%w(developer maintainer owner).each do |role|
context role do
let(:current_user) { send(role) }
it 'allows reading security configuration' do
expect_allowed(:read_security_configuration)
end
end
end
end
Add latest changes from gitlab-org/gitlab@master
2020-06-19 18:08:39 +00:00
describe 'design permissions' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { guest }
Add latest changes from gitlab-org/gitlab@master
2020-06-19 18:08:39 +00:00
let(:design_permissions) do
%i[read_design_activity read_design]
end
context 'when design management is not available' do
it { is_expected.not_to be_allowed(*design_permissions) }
end
context 'when design management is available' do
include DesignManagementTestHelpers
before do
enable_design_management
end
it { is_expected.to be_allowed(*design_permissions) }
end
end
Add latest changes from gitlab-org/gitlab@master
2020-06-05 15:08:23 +00:00
describe 'read_build_report_results' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { guest }
Add latest changes from gitlab-org/gitlab@master
2020-06-05 15:08:23 +00:00
before do
allow(subject).to receive(:allowed?).with(:read_build_report_results).and_call_original
allow(subject).to receive(:allowed?).with(:read_build).and_return(can_read_build)
allow(subject).to receive(:allowed?).with(:read_pipeline).and_return(can_read_pipeline)
end
context 'when user can read_build and read_pipeline' do
let(:can_read_build) { true }
let(:can_read_pipeline) { true }
it { is_expected.to be_allowed(:read_build_report_results) }
end
context 'when user can read_build but cannot read_pipeline' do
let(:can_read_build) { true }
let(:can_read_pipeline) { false }
it { is_expected.to be_disallowed(:read_build_report_results) }
end
context 'when user cannot read_build but can read_pipeline' do
let(:can_read_build) { false }
let(:can_read_pipeline) { true }
it { is_expected.to be_disallowed(:read_build_report_results) }
end
context 'when user cannot read_build and cannot read_pipeline' do
let(:can_read_build) { false }
let(:can_read_pipeline) { false }
it { is_expected.to be_disallowed(:read_build_report_results) }
end
end
Add latest changes from gitlab-org/gitlab@master
2020-07-13 06:09:23 +00:00
describe 'read_package' do
context 'with admin' do
let(:current_user) { admin }
it { is_expected.to be_allowed(:read_package) }
context 'when repository is disabled' do
before do
Add latest changes from gitlab-org/gitlab@master
2020-07-29 12:09:45 +00:00
project.project_feature.update!(
# Disable merge_requests and builds as well, since merge_requests and
# builds cannot have higher visibility than repository.
merge_requests_access_level: ProjectFeature::DISABLED,
builds_access_level: ProjectFeature::DISABLED,
repository_access_level: ProjectFeature::DISABLED)
Add latest changes from gitlab-org/gitlab@master
2020-07-13 06:09:23 +00:00
end
it { is_expected.to be_disallowed(:read_package) }
end
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:read_package) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:read_package) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_package) }
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:read_package) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_allowed(:read_package) }
end
context 'with non member' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { non_member }
Add latest changes from gitlab-org/gitlab@master
2020-07-13 06:09:23 +00:00
it { is_expected.to be_allowed(:read_package) }
end
context 'with anonymous' do
Add latest changes from gitlab-org/gitlab@master
2020-09-15 21:09:35 +00:00
let(:current_user) { anonymous }
Add latest changes from gitlab-org/gitlab@master
2020-07-13 06:09:23 +00:00
it { is_expected.to be_allowed(:read_package) }
end
end
Add latest changes from gitlab-org/gitlab@master
2020-09-17 06:09:32 +00:00
describe 'read_feature_flag' do
subject { described_class.new(current_user, project) }
context 'with maintainer' do
let(:current_user) { maintainer }
context 'when repository is available' do
it { is_expected.to be_allowed(:read_feature_flag) }
end
context 'when repository is disabled' do
before do
project.project_feature.update!(
merge_requests_access_level: ProjectFeature::DISABLED,
builds_access_level: ProjectFeature::DISABLED,
repository_access_level: ProjectFeature::DISABLED
)
end
it { is_expected.to be_disallowed(:read_feature_flag) }
end
end
context 'with developer' do
let(:current_user) { developer }
context 'when repository is available' do
it { is_expected.to be_allowed(:read_feature_flag) }
end
end
context 'with reporter' do
let(:current_user) { reporter }
context 'when repository is available' do
it { is_expected.to be_disallowed(:read_feature_flag) }
end
end
end
Add latest changes from gitlab-org/gitlab@master
2020-09-30 18:09:52 +00:00
Add latest changes from gitlab-org/gitlab@master
2020-12-16 21:09:57 +00:00
describe 'read_analytics' do
context 'anonymous user' do
let(:current_user) { anonymous }
it { is_expected.to be_allowed(:read_analytics) }
end
Add latest changes from gitlab-org/gitlab@master
2021-02-11 15:09:11 +00:00
context 'with various analytics features' do
let_it_be(:project_with_analytics_disabled) { create(:project, :analytics_disabled) }
let_it_be(:project_with_analytics_private) { create(:project, :analytics_private) }
let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) }
before do
project_with_analytics_disabled.add_developer(developer)
project_with_analytics_private.add_developer(developer)
project_with_analytics_enabled.add_developer(developer)
end
context 'when analytics is enabled for the project' do
let(:project) { project_with_analytics_disabled }
context 'for guest user' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
context 'for developer' do
let(:current_user) { developer }
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
end
context 'when analytics is private for the project' do
let(:project) { project_with_analytics_private }
context 'for guest user' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
context 'for developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_cycle_analytics) }
it { is_expected.to be_allowed(:read_insights) }
it { is_expected.to be_allowed(:read_repository_graphs) }
end
end
context 'when analytics is enabled for the project' do
let(:project) { project_with_analytics_private }
context 'for guest user' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
context 'for developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_cycle_analytics) }
it { is_expected.to be_allowed(:read_insights) }
it { is_expected.to be_allowed(:read_repository_graphs) }
end
end
end
Add latest changes from gitlab-org/gitlab@master
2020-12-16 21:09:57 +00:00
context 'project member' do
let(:project) { private_project }
%w(guest reporter developer maintainer).each do |role|
context role do
let(:current_user) { send(role) }
it { is_expected.to be_allowed(:read_analytics) }
context "without access to Analytics" do
before do
project.project_feature.update!(analytics_access_level: ProjectFeature::DISABLED)
end
it { is_expected.to be_disallowed(:read_analytics) }
end
end
end
end
end
Add latest changes from gitlab-org/gitlab@master
2020-09-30 18:09:52 +00:00
it_behaves_like 'Self-managed Core resource access tokens'
Add latest changes from gitlab-org/gitlab@master
2020-11-27 12:09:14 +00:00
describe 'operations feature' do
using RSpec::Parameterized::TableSyntax
let(:guest_operations_permissions) { [:read_environment, :read_deployment] }
let(:developer_operations_permissions) do
guest_operations_permissions + [
:read_feature_flag, :read_sentry_issue, :read_alert_management_alert, :read_terraform_state,
:metrics_dashboard, :read_pod_logs, :read_prometheus, :create_feature_flag,
:create_environment, :create_deployment, :update_feature_flag, :update_environment,
:update_sentry_issue, :update_alert_management_alert, :update_deployment,
:destroy_feature_flag, :destroy_environment, :admin_feature_flag
]
end
let(:maintainer_operations_permissions) do
developer_operations_permissions + [
:read_cluster, :create_cluster, :update_cluster, :admin_environment,
:admin_cluster, :admin_terraform_state, :admin_deployment
]
end
where(:project_visibility, :access_level, :role, :allowed) do
:public | ProjectFeature::ENABLED | :maintainer | true
:public | ProjectFeature::ENABLED | :developer | true
:public | ProjectFeature::ENABLED | :guest | true
:public | ProjectFeature::ENABLED | :anonymous | true
:public | ProjectFeature::PRIVATE | :maintainer | true
:public | ProjectFeature::PRIVATE | :developer | true
:public | ProjectFeature::PRIVATE | :guest | true
:public | ProjectFeature::PRIVATE | :anonymous | false
:public | ProjectFeature::DISABLED | :maintainer | false
:public | ProjectFeature::DISABLED | :developer | false
:public | ProjectFeature::DISABLED | :guest | false
:public | ProjectFeature::DISABLED | :anonymous | false
:internal | ProjectFeature::ENABLED | :maintainer | true
:internal | ProjectFeature::ENABLED | :developer | true
:internal | ProjectFeature::ENABLED | :guest | true
:internal | ProjectFeature::ENABLED | :anonymous | false
:internal | ProjectFeature::PRIVATE | :maintainer | true
:internal | ProjectFeature::PRIVATE | :developer | true
:internal | ProjectFeature::PRIVATE | :guest | true
:internal | ProjectFeature::PRIVATE | :anonymous | false
:internal | ProjectFeature::DISABLED | :maintainer | false
:internal | ProjectFeature::DISABLED | :developer | false
:internal | ProjectFeature::DISABLED | :guest | false
:internal | ProjectFeature::DISABLED | :anonymous | false
:private | ProjectFeature::ENABLED | :maintainer | true
:private | ProjectFeature::ENABLED | :developer | true
:private | ProjectFeature::ENABLED | :guest | false
:private | ProjectFeature::ENABLED | :anonymous | false
:private | ProjectFeature::PRIVATE | :maintainer | true
:private | ProjectFeature::PRIVATE | :developer | true
:private | ProjectFeature::PRIVATE | :guest | false
:private | ProjectFeature::PRIVATE | :anonymous | false
:private | ProjectFeature::DISABLED | :maintainer | false
:private | ProjectFeature::DISABLED | :developer | false
:private | ProjectFeature::DISABLED | :guest | false
:private | ProjectFeature::DISABLED | :anonymous | false
end
with_them do
let(:current_user) { user_subject(role) }
let(:project) { project_subject(project_visibility) }
it 'allows/disallows the abilities based on the operation feature access level' do
project.project_feature.update!(operations_access_level: access_level)
if allowed
expect_allowed(*permissions_abilities(role))
else
expect_disallowed(*permissions_abilities(role))
end
end
def project_subject(project_type)
case project_type
when :public
public_project
when :internal
internal_project
else
private_project
end
end
def user_subject(role)
case role
when :maintainer
maintainer
when :developer
developer
when :guest
guest
when :anonymous
anonymous
end
end
def permissions_abilities(role)
case role
when :maintainer
maintainer_operations_permissions
when :developer
developer_operations_permissions
else
guest_operations_permissions
end
end
end
end
Add latest changes from gitlab-org/gitlab@master
2021-02-18 18:10:41 +00:00
describe 'access_security_and_compliance' do
context 'when the "Security & Compliance" is enabled' do
before do
project.project_feature.update!(security_and_compliance_access_level: Featurable::PRIVATE)
end
%w[owner maintainer developer].each do |role|
context "when the role is #{role}" do
let(:current_user) { public_send(role) }
it { is_expected.to be_allowed(:access_security_and_compliance) }
end
end
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:access_security_and_compliance) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
end
%w[reporter guest].each do |role|
context "when the role is #{role}" do
let(:current_user) { public_send(role) }
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
end
context 'with non member' do
let(:current_user) { non_member }
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
context 'with anonymous' do
let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
end
context 'when the "Security & Compliance" is not enabled' do
before do
project.project_feature.update!(security_and_compliance_access_level: Featurable::DISABLED)
end
%w[owner maintainer developer reporter guest].each do |role|
context "when the role is #{role}" do
let(:current_user) { public_send(role) }
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
end
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
end
context 'with non member' do
let(:current_user) { non_member }
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
context 'with anonymous' do
let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:access_security_and_compliance) }
end
end
end
Add latest changes from gitlab-org/gitlab@master
2021-03-23 03:09:04 +00:00
context 'timelogs' do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_group_timelogs) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:read_group_timelogs) }
end
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:read_group_timelogs) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:read_group_timelogs) }
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:read_group_timelogs) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_group_timelogs) }
end
context 'with non member' do
let(:current_user) { non_member }
it { is_expected.to be_disallowed(:read_group_timelogs) }
end
context 'with anonymous' do
let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:read_group_timelogs) }
end
end
add project_policy_spec to replace .project_abilities spec
2016-08-23 23:19:36 +00:00
end