kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/spec/policies/project_snippet_policy_spec.rb

158 lines
3.7 KiB
Ruby
Raw Normal View History

More backport
2017-02-06 23:19:37 +00:00
require 'spec_helper'
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4' [Port for security-10-4]: Makes SnippetFinder ensure feature visibility
2018-01-18 16:07:06 +00:00
# Snippet visibility scenarios are included in more details in spec/support/snippet_visibility.rb
Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-10 14:24:02 +00:00
describe ProjectSnippetPolicy do
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
let(:regular_user) { create(:user) }
let(:external_user) { create(:user, :external) }
Change all `:empty_project` to `:project`
2017-08-02 19:55:11 +00:00
let(:project) { create(:project, :public) }
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:snippet) { create(:project_snippet, snippet_visibility, project: project) }
More backport
2017-02-06 23:19:37 +00:00
let(:author_permissions) do
[
:update_project_snippet,
:admin_project_snippet
]
end
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
subject { described_class.new(current_user, snippet) }
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
context 'public snippet' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:snippet_visibility) { :public }
More backport
2017-02-06 23:19:37 +00:00
context 'no user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:current_user) { nil }
More backport
2017-02-06 23:19:37 +00:00
it do
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_allowed(:read_project_snippet)
expect_disallowed(*author_permissions)
More backport
2017-02-06 23:19:37 +00:00
end
end
context 'regular user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:current_user) { regular_user }
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
it do
Prevent comments by email when issue is locked This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
2019-01-15 18:53:24 +00:00
expect_allowed(:read_project_snippet, :create_note)
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_disallowed(*author_permissions)
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
end
end
context 'external user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:current_user) { external_user }
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
More backport
2017-02-06 23:19:37 +00:00
it do
Prevent comments by email when issue is locked This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
2019-01-15 18:53:24 +00:00
expect_allowed(:read_project_snippet, :create_note)
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_disallowed(*author_permissions)
More backport
2017-02-06 23:19:37 +00:00
end
end
end
context 'internal snippet' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:snippet_visibility) { :internal }
More backport
2017-02-06 23:19:37 +00:00
context 'no user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:current_user) { nil }
More backport
2017-02-06 23:19:37 +00:00
it do
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_disallowed(:read_project_snippet)
expect_disallowed(*author_permissions)
More backport
2017-02-06 23:19:37 +00:00
end
end
context 'regular user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:current_user) { regular_user }
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
it do
Prevent comments by email when issue is locked This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
2019-01-15 18:53:24 +00:00
expect_allowed(:read_project_snippet, :create_note)
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_disallowed(*author_permissions)
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
end
end
context 'external user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:current_user) { external_user }
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
it do
Prevent comments by email when issue is locked This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
2019-01-15 18:53:24 +00:00
expect_disallowed(:read_project_snippet, :create_note)
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_disallowed(*author_permissions)
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
end
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
context 'project team member' do
before do
project.add_developer(external_user)
end
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
it do
expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions)
end
More backport
2017-02-06 23:19:37 +00:00
end
end
end
context 'private snippet' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:snippet_visibility) { :private }
More backport
2017-02-06 23:19:37 +00:00
context 'no user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:current_user) { nil }
More backport
2017-02-06 23:19:37 +00:00
it do
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_disallowed(:read_project_snippet)
expect_disallowed(*author_permissions)
More backport
2017-02-06 23:19:37 +00:00
end
end
context 'regular user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:current_user) { regular_user }
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
More backport
2017-02-06 23:19:37 +00:00
it do
Prevent comments by email when issue is locked This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
2019-01-15 18:53:24 +00:00
expect_disallowed(:read_project_snippet, :create_note)
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_disallowed(*author_permissions)
More backport
2017-02-06 23:19:37 +00:00
end
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
context 'snippet author' do
let(:snippet) { create(:project_snippet, :private, author: regular_user, project: project) }
More backport
2017-02-06 23:19:37 +00:00
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
it do
expect_allowed(:read_project_snippet, :create_note)
expect_allowed(*author_permissions)
end
More backport
2017-02-06 23:19:37 +00:00
end
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
context 'project team member normal user' do
before do
project.add_developer(regular_user)
end
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
it do
expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions)
end
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
end
end
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
context 'external user' do
context 'project team member' do
let(:current_user) { external_user }
Merge branch 'snippets-finder-visibility' into 'security' Refactor snippets finder & dont return internal snippets for external users See merge request !2094
2017-04-28 22:06:27 +00:00
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
before do
project.add_developer(external_user)
end
More backport
2017-02-06 23:19:37 +00:00
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
it do
expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions)
end
More backport
2017-02-06 23:19:37 +00:00
end
end
context 'admin user' do
[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-03-26 11:31:47 +00:00
let(:snippet_visibility) { :private }
let(:current_user) { create(:admin) }
More backport
2017-02-06 23:19:37 +00:00
it do
Prevent comments by email when issue is locked This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
2019-01-15 18:53:24 +00:00
expect_allowed(:read_project_snippet, :create_note)
update the specs to not require a set to be returned
2017-04-06 21:09:58 +00:00
expect_allowed(*author_permissions)
More backport
2017-02-06 23:19:37 +00:00
end
end
end
end