gitlab-org--gitlab-foss/spec/features/security/project/private_access_spec.rb

require 'spec_helper'

describe "Private Project Access", feature: true  do
  let(:project) { create(:project) }

  let(:master)   { create(:user) }
  let(:guest)    { create(:user) }
  let(:reporter) { create(:user) }

  before do
    # full access
    project.team << [master, :master]

    # readonly
    project.team << [reporter, :reporter]
  end

  describe "Project should be private" do
    subject { project }

    describe '#private?' do
      subject { super().private? }
      it { is_expected.to be_truthy }
    end
  end

  describe "GET /:project_path" do
    subject { project_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/tree/master" do
    subject { project_tree_path(project, project.repository.root_ref) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/commits/master" do
    subject { project_commits_path(project, project.repository.root_ref, limit: 1) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/commit/:sha" do
    subject { project_commit_path(project, project.repository.commit) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/compare" do
    subject { project_compare_index_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/team" do
    subject { project_team_index_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_denied_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/blob" do
    before do
      commit = project.repository.commit
      path = '.gitignore'
      @blob_path = project_blob_path(project, File.join(commit.id, path))
    end

    it { expect(@blob_path).to be_allowed_for master }
    it { expect(@blob_path).to be_allowed_for reporter }
    it { expect(@blob_path).to be_allowed_for :admin }
    it { expect(@blob_path).to be_denied_for guest }
    it { expect(@blob_path).to be_denied_for :user }
    it { expect(@blob_path).to be_denied_for :visitor }
  end

  describe "GET /:project_path/edit" do
    subject { edit_project_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_denied_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/deploy_keys" do
    subject { project_deploy_keys_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_denied_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/issues" do
    subject { project_issues_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/snippets" do
    subject { project_snippets_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/merge_requests" do
    subject { project_merge_requests_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/branches" do
    subject { project_branches_path(project) }

    before do
      # Speed increase
      allow_any_instance_of(Project).to receive(:branches).and_return([])
    end

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/tags" do
    subject { project_tags_path(project) }

    before do
      # Speed increase
      allow_any_instance_of(Project).to receive(:tags).and_return([])
    end

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_allowed_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/hooks" do
    subject { project_hooks_path(project) }

    it { is_expected.to be_allowed_for master }
    it { is_expected.to be_denied_for reporter }
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end
end
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`require 'spec_helper'`

Split feature tests out to different build job 2014-04-12 08:56:37 +00:00			`describe "Private Project Access", feature: true do`
Make changes to tests * project_with_code -> project * project -> ermpty_project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-01-22 19:03:52 +00:00			`let(:project) { create(:project) }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00
			`let(:master) { create(:user) }`
			`let(:guest) { create(:user) }`
			`let(:reporter) { create(:user) }`

			`before do`
			`# full access`
			`project.team << [master, :master]`

			`# readonly`
			`project.team << [reporter, :reporter]`
			`end`

Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 15:13:21 +00:00			`describe "Project should be private" do`
			`subject { project }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`describe '#private?' do`
			`subject { super().private? }`
			`it { is_expected.to be_truthy }`
			`end`
Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 15:13:21 +00:00			`end`

Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`describe "GET /:project_path" do`
			`subject { project_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/tree/master" do`
			`subject { project_tree_path(project, project.repository.root_ref) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/commits/master" do`
			`subject { project_commits_path(project, project.repository.root_ref, limit: 1) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/commit/:sha" do`
			`subject { project_commit_path(project, project.repository.commit) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/compare" do`
			`subject { project_compare_index_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/team" do`
			`subject { project_team_index_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_denied_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/blob" do`
			`before do`
			`commit = project.repository.commit`
Fix security tests Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-25 13:10:03 +00:00			`path = '.gitignore'`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`@blob_path = project_blob_path(project, File.join(commit.id, path))`
			`end`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { expect(@blob_path).to be_allowed_for master }`
			`it { expect(@blob_path).to be_allowed_for reporter }`
			`it { expect(@blob_path).to be_allowed_for :admin }`
			`it { expect(@blob_path).to be_denied_for guest }`
			`it { expect(@blob_path).to be_denied_for :user }`
			`it { expect(@blob_path).to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/edit" do`
			`subject { edit_project_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_denied_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/deploy_keys" do`
			`subject { project_deploy_keys_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_denied_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/issues" do`
			`subject { project_issues_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/snippets" do`
			`subject { project_snippets_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/merge_requests" do`
			`subject { project_merge_requests_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/branches" do`
			`subject { project_branches_path(project) }`

			`before do`
			`# Speed increase`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`allow_any_instance_of(Project).to receive(:branches).and_return([])`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/tags" do`
			`subject { project_tags_path(project) }`

			`before do`
			`# Speed increase`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`allow_any_instance_of(Project).to receive(:tags).and_return([])`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_allowed_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`

			`describe "GET /:project_path/hooks" do`
			`subject { project_hooks_path(project) }`

Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 18:17:35 +00:00			`it { is_expected.to be_allowed_for master }`
			`it { is_expected.to be_denied_for reporter }`
			`it { is_expected.to be_allowed_for :admin }`
			`it { is_expected.to be_denied_for guest }`
			`it { is_expected.to be_denied_for :user }`
			`it { is_expected.to be_denied_for :visitor }`
Public/Private projects security specs 2013-09-25 11:04:01 +00:00			`end`
			`end`