gitlab-org--gitlab-foss/spec/policies/ci/build_policy_spec.rb

require 'spec_helper'

describe Ci::BuildPolicy, :models do
  let(:user) { create(:user) }
  let(:build) { create(:ci_build, pipeline: pipeline) }
  let(:pipeline) { create(:ci_empty_pipeline, project: project) }

  let(:policy) do
    described_class.new(user, build)
  end

  shared_context 'public pipelines disabled' do
    before do
      project.update_attribute(:public_builds, false)
    end
  end

  describe '#rules' do
    context 'when user does not have access to the project' do
      let(:project) { create(:empty_project, :private) }

      context 'when public builds are enabled' do
        it 'does not include ability to read build' do
          expect(policy).not_to be_allowed :read_build
        end
      end

      context 'when public builds are disabled' do
        include_context 'public pipelines disabled'

        it 'does not include ability to read build' do
          expect(policy).not_to be_allowed :read_build
        end
      end
    end

    context 'when anonymous user has access to the project' do
      let(:project) { create(:empty_project, :public) }

      context 'when public builds are enabled' do
        it 'includes ability to read build' do
          expect(policy).to be_allowed :read_build
        end
      end

      context 'when public builds are disabled' do
        include_context 'public pipelines disabled'

        it 'does not include ability to read build' do
          expect(policy).not_to be_allowed :read_build
        end
      end
    end

    context 'when team member has access to the project' do
      let(:project) { create(:empty_project, :public) }

      context 'team member is a guest' do
        before do
          project.team << [user, :guest]
        end

        context 'when public builds are enabled' do
          it 'includes ability to read build' do
            expect(policy).to be_allowed :read_build
          end
        end

        context 'when public builds are disabled' do
          include_context 'public pipelines disabled'

          it 'does not include ability to read build' do
            expect(policy).not_to be_allowed :read_build
          end
        end
      end

      context 'team member is a reporter' do
        before do
          project.team << [user, :reporter]
        end

        context 'when public builds are enabled' do
          it 'includes ability to read build' do
            expect(policy).to be_allowed :read_build
          end
        end

        context 'when public builds are disabled' do
          include_context 'public pipelines disabled'

          it 'does not include ability to read build' do
            expect(policy).to be_allowed :read_build
          end
        end
      end
    end

    describe 'rules for protected branch' do
      let(:project) { create(:project) }

      before do
        project.add_developer(user)

        create(:protected_branch, branch_policy,
               name: build.ref, project: project)
      end

      context 'when no one can push or merge to the branch' do
        let(:branch_policy) { :no_one_can_push }

        it 'does not include ability to update build' do
          expect(policy).to be_disallowed :update_build
        end
      end

      context 'when developers can push to the branch' do
        let(:branch_policy) { :developers_can_merge }

        it 'includes ability to update build' do
          expect(policy).to be_allowed :update_build
        end
      end
    end
  end
end
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`require 'spec_helper'`

			`describe Ci::BuildPolicy, :models do`
			`let(:user) { create(:user) }`
			`let(:build) { create(:ci_build, pipeline: pipeline) }`
			`let(:pipeline) { create(:ci_empty_pipeline, project: project) }`

update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`let(:policy) do`
			`described_class.new(user, build)`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`

			`shared_context 'public pipelines disabled' do`
Correct RSpec/SingleLineHook cop offenses 2017-06-14 14:18:56 -04:00			`before do`
			`project.update_attribute(:public_builds, false)`
			`end`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`

			`describe '#rules' do`
			`context 'when user does not have access to the project' do`
			`let(:project) { create(:empty_project, :private) }`

			`context 'when public builds are enabled' do`
			`it 'does not include ability to read build' do`
update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`expect(policy).not_to be_allowed :read_build`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`

			`context 'when public builds are disabled' do`
			`include_context 'public pipelines disabled'`

			`it 'does not include ability to read build' do`
update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`expect(policy).not_to be_allowed :read_build`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`
			`end`

			`context 'when anonymous user has access to the project' do`
			`let(:project) { create(:empty_project, :public) }`

			`context 'when public builds are enabled' do`
			`it 'includes ability to read build' do`
update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`expect(policy).to be_allowed :read_build`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`

			`context 'when public builds are disabled' do`
			`include_context 'public pipelines disabled'`

			`it 'does not include ability to read build' do`
update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`expect(policy).not_to be_allowed :read_build`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`
			`end`

			`context 'when team member has access to the project' do`
			`let(:project) { create(:empty_project, :public) }`

			`context 'team member is a guest' do`
Correct RSpec/SingleLineHook cop offenses 2017-06-14 14:18:56 -04:00			`before do`
			`project.team << [user, :guest]`
			`end`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00
			`context 'when public builds are enabled' do`
			`it 'includes ability to read build' do`
update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`expect(policy).to be_allowed :read_build`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`

			`context 'when public builds are disabled' do`
			`include_context 'public pipelines disabled'`

			`it 'does not include ability to read build' do`
update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`expect(policy).not_to be_allowed :read_build`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`
			`end`

			`context 'team member is a reporter' do`
Correct RSpec/SingleLineHook cop offenses 2017-06-14 14:18:56 -04:00			`before do`
			`project.team << [user, :reporter]`
			`end`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00
			`context 'when public builds are enabled' do`
			`it 'includes ability to read build' do`
update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`expect(policy).to be_allowed :read_build`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`

			`context 'when public builds are disabled' do`
			`include_context 'public pipelines disabled'`

			`it 'does not include ability to read build' do`
update the specs to not require a set to be returned 2017-04-06 17:09:58 -04:00			`expect(policy).to be_allowed :read_build`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`
			`end`
			`end`
Implement new rule for manual actions in policies 2017-04-12 05:26:18 -04:00
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00			`describe 'rules for protected branch' do`
Implement new rule for manual actions in policies 2017-04-12 05:26:18 -04:00			`let(:project) { create(:project) }`

			`before do`
			`project.add_developer(user)`

Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00			`create(:protected_branch, branch_policy,`
			`name: build.ref, project: project)`
			`end`
Implement new rule for manual actions in policies 2017-04-12 05:26:18 -04:00
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00			`context 'when no one can push or merge to the branch' do`
			`let(:branch_policy) { :no_one_can_push }`
Implement new rule for manual actions in policies 2017-04-12 05:26:18 -04:00
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00			`it 'does not include ability to update build' do`
Fix bad conflict resolution 2017-07-03 17:20:44 -04:00			`expect(policy).to be_disallowed :update_build`
Implement new rule for manual actions in policies 2017-04-12 05:26:18 -04:00			`end`
			`end`

Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00			`context 'when developers can push to the branch' do`
			`let(:branch_policy) { :developers_can_merge }`
Implement new rule for manual actions in policies 2017-04-12 05:26:18 -04:00
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00			`it 'includes ability to update build' do`
Fix bad conflict resolution 2017-07-03 17:20:44 -04:00			`expect(policy).to be_allowed :update_build`
Implement new rule for manual actions in policies 2017-04-12 05:26:18 -04:00			`end`
			`end`
			`end`
Fix build access policies when pipelines are public 2017-01-23 08:49:13 -05:00			`end`
			`end`