gitlab-org--gitlab-foss/spec/policies/global_policy_spec.rb

require 'spec_helper'

describe GlobalPolicy do
  include TermsHelper

  let(:current_user) { create(:user) }
  let(:user) { create(:user) }

  subject { described_class.new(current_user, [user]) }

  describe "reading the list of users" do
    context "for a logged in user" do
      it { is_expected.to be_allowed(:read_users_list) }
    end

    context "for an anonymous user" do
      let(:current_user) { nil }

      context "when the public level is restricted" do
        before do
          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
        end

        it { is_expected.not_to be_allowed(:read_users_list) }
      end

      context "when the public level is not restricted" do
        before do
          stub_application_setting(restricted_visibility_levels: [])
        end

        it { is_expected.to be_allowed(:read_users_list) }
      end
    end

    context "for an admin" do
      let(:current_user) { create(:admin) }

      context "when the public level is restricted" do
        before do
          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
        end

        it { is_expected.to be_allowed(:read_users_list) }
      end

      context "when the public level is not restricted" do
        before do
          stub_application_setting(restricted_visibility_levels: [])
        end

        it { is_expected.to be_allowed(:read_users_list) }
      end
    end
  end

  describe "create fork" do
    context "when user has not exceeded project limit" do
      it { is_expected.to be_allowed(:create_fork) }
    end

    context "when user has exceeded project limit" do
      let(:current_user) { create(:user, projects_limit: 0) }

      it { is_expected.not_to be_allowed(:create_fork) }
    end

    context "when user is a maintainer in a group" do
      let(:group) { create(:group) }
      let(:current_user) { create(:user, projects_limit: 0) }

      before do
        group.add_maintainer(current_user)
      end

      it { is_expected.to be_allowed(:create_fork) }
    end
  end

  describe 'custom attributes' do
    context 'regular user' do
      it { is_expected.not_to be_allowed(:read_custom_attribute) }
      it { is_expected.not_to be_allowed(:update_custom_attribute) }
    end

    context 'admin' do
      let(:current_user) { create(:user, :admin) }

      it { is_expected.to be_allowed(:read_custom_attribute) }
      it { is_expected.to be_allowed(:update_custom_attribute) }
    end
  end

  shared_examples 'access allowed when terms accepted' do |ability|
    it { is_expected.not_to be_allowed(ability) }

    it "allows #{ability} when the user accepted the terms" do
      accept_terms(current_user)

      is_expected.to be_allowed(ability)
    end
  end

  describe 'API access' do
    context 'regular user' do
      it { is_expected.to be_allowed(:access_api) }
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      it { is_expected.to be_allowed(:access_api) }
    end

    context 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_allowed(:access_api) }
    end

    context 'when terms are enforced' do
      before do
        enforce_terms
      end

      context 'regular user' do
        it_behaves_like 'access allowed when terms accepted', :access_api
      end

      context 'admin' do
        let(:current_user) { create(:admin) }

        it_behaves_like 'access allowed when terms accepted', :access_api
      end

      context 'anonymous' do
        let(:current_user) { nil }

        it { is_expected.to be_allowed(:access_api) }
      end
    end
  end

  describe 'git access' do
    describe 'regular user' do
      it { is_expected.to be_allowed(:access_git) }
    end

    describe 'admin' do
      let(:current_user) { create(:admin) }

      it { is_expected.to be_allowed(:access_git) }
    end

    describe 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_allowed(:access_git) }
    end

    context 'when terms are enforced' do
      before do
        enforce_terms
      end

      context 'regular user' do
        it_behaves_like 'access allowed when terms accepted', :access_git
      end

      context 'admin' do
        let(:current_user) { create(:admin) }

        it_behaves_like 'access allowed when terms accepted', :access_git
      end

      context 'anonymous' do
        let(:current_user) { nil }

        it { is_expected.to be_allowed(:access_git) }
      end
    end
  end

  describe 'read instance statistics' do
    context 'regular user' do
      it { is_expected.to be_allowed(:read_instance_statistics) }

      context 'when instance statistics are set to private' do
        before do
          stub_application_setting(instance_statistics_visibility_private: true)
        end

        it { is_expected.not_to be_allowed(:read_instance_statistics) }
      end
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      it { is_expected.to be_allowed(:read_instance_statistics) }

      context 'when instance statistics are set to private' do
        before do
          stub_application_setting(instance_statistics_visibility_private: true)
        end

        it { is_expected.to be_allowed(:read_instance_statistics) }
      end
    end

    context 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.not_to be_allowed(:read_instance_statistics) }
    end
  end
end
Implement review comments for !12445 from @jneen. - Fix duplicate `prevent` declaration - Add spec for `GlobalPolicy` 2017-07-03 01:14:00 -04:00			`require 'spec_helper'`

Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-07-10 10:24:02 -04:00			`describe GlobalPolicy do`
Enforces terms in the web application This enforces the terms in the web application. These cases are specced: - Logging in: When terms are enforced, and a user logs in that has not accepted the terms, they are presented with the screen. They get directed to their customized root path afterwards. - Signing up: After signing up, the first screen the user is presented with the screen to accept the terms. After they accept they are directed to the dashboard. - While a session is active: - For a GET: The user will be directed to the terms page first, after they accept the terms, they will be directed to the page they were going to - For any other request: They are directed to the terms, after they accept the terms, they are directed back to the page they came from to retry the request. Any information entered would be persisted in localstorage and available on the page. 2018-04-27 10:50:33 -04:00			`include TermsHelper`

Implement review comments for !12445 from @jneen. - Fix duplicate `prevent` declaration - Add spec for `GlobalPolicy` 2017-07-03 01:14:00 -04:00			`let(:current_user) { create(:user) }`
			`let(:user) { create(:user) }`

Use described_class when possible Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-07-25 13:09:00 -04:00			`subject { described_class.new(current_user, [user]) }`
Implement review comments for !12445 from @jneen. - Fix duplicate `prevent` declaration - Add spec for `GlobalPolicy` 2017-07-03 01:14:00 -04:00
			`describe "reading the list of users" do`
			`context "for a logged in user" do`
			`it { is_expected.to be_allowed(:read_users_list) }`
			`end`

			`context "for an anonymous user" do`
			`let(:current_user) { nil }`

			`context "when the public level is restricted" do`
			`before do`
			`stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])`
			`end`

			`it { is_expected.not_to be_allowed(:read_users_list) }`
			`end`

			`context "when the public level is not restricted" do`
			`before do`
			`stub_application_setting(restricted_visibility_levels: [])`
			`end`

			`it { is_expected.to be_allowed(:read_users_list) }`
			`end`
			`end`
Allow admin to read_users_list even if it's restricted 2017-07-25 04:44:02 -04:00
			`context "for an admin" do`
			`let(:current_user) { create(:admin) }`

			`context "when the public level is restricted" do`
			`before do`
			`stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])`
			`end`

			`it { is_expected.to be_allowed(:read_users_list) }`
			`end`

			`context "when the public level is not restricted" do`
			`before do`
			`stub_application_setting(restricted_visibility_levels: [])`
			`end`

			`it { is_expected.to be_allowed(:read_users_list) }`
			`end`
			`end`
Implement review comments for !12445 from @jneen. - Fix duplicate `prevent` declaration - Add spec for `GlobalPolicy` 2017-07-03 01:14:00 -04:00			`end`
Support custom attributes on users 2017-09-28 12:49:42 -04:00
moved fork checks into policies 2017-09-29 07:14:39 -04:00			`describe "create fork" do`
			`context "when user has not exceeded project limit" do`
			`it { is_expected.to be_allowed(:create_fork) }`
			`end`

			`context "when user has exceeded project limit" do`
			`let(:current_user) { create(:user, projects_limit: 0) }`

			`it { is_expected.not_to be_allowed(:create_fork) }`
			`end`

Resolve "Rename the `Master` role to `Maintainer`" Backend 2018-07-11 10:36:08 -04:00			`context "when user is a maintainer in a group" do`
moved fork checks into policies 2017-09-29 07:14:39 -04:00			`let(:group) { create(:group) }`
			`let(:current_user) { create(:user, projects_limit: 0) }`

			`before do`
Resolve "Rename the `Master` role to `Maintainer`" Backend 2018-07-11 10:36:08 -04:00			`group.add_maintainer(current_user)`
moved fork checks into policies 2017-09-29 07:14:39 -04:00			`end`

			`it { is_expected.to be_allowed(:create_fork) }`
			`end`
			`end`

Support custom attributes on users 2017-09-28 12:49:42 -04:00			`describe 'custom attributes' do`
			`context 'regular user' do`
			`it { is_expected.not_to be_allowed(:read_custom_attribute) }`
			`it { is_expected.not_to be_allowed(:update_custom_attribute) }`
			`end`

			`context 'admin' do`
			`let(:current_user) { create(:user, :admin) }`

			`it { is_expected.to be_allowed(:read_custom_attribute) }`
			`it { is_expected.to be_allowed(:update_custom_attribute) }`
			`end`
			`end`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`shared_examples 'access allowed when terms accepted' do \|ability\|`
			`it { is_expected.not_to be_allowed(ability) }`

			`it "allows #{ability} when the user accepted the terms" do`
			`accept_terms(current_user)`

			`is_expected.to be_allowed(ability)`
			`end`
			`end`

Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`describe 'API access' do`
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`context 'regular user' do`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`it { is_expected.to be_allowed(:access_api) }`
			`end`

Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`context 'admin' do`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`let(:current_user) { create(:admin) }`

			`it { is_expected.to be_allowed(:access_api) }`
			`end`

Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`context 'anonymous' do`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`let(:current_user) { nil }`

Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`it { is_expected.to be_allowed(:access_api) }`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`end`

			`context 'when terms are enforced' do`
			`before do`
			`enforce_terms`
			`end`

Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`context 'regular user' do`
			`it_behaves_like 'access allowed when terms accepted', :access_api`
			`end`

			`context 'admin' do`
			`let(:current_user) { create(:admin) }`

			`it_behaves_like 'access allowed when terms accepted', :access_api`
			`end`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`context 'anonymous' do`
			`let(:current_user) { nil }`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`it { is_expected.to be_allowed(:access_api) }`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`end`
			`end`
			`end`

			`describe 'git access' do`
			`describe 'regular user' do`
			`it { is_expected.to be_allowed(:access_git) }`
			`end`

			`describe 'admin' do`
			`let(:current_user) { create(:admin) }`

			`it { is_expected.to be_allowed(:access_git) }`
			`end`

			`describe 'anonymous' do`
			`let(:current_user) { nil }`

Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`it { is_expected.to be_allowed(:access_git) }`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`end`

			`context 'when terms are enforced' do`
			`before do`
			`enforce_terms`
			`end`

Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`context 'regular user' do`
			`it_behaves_like 'access allowed when terms accepted', :access_git`
			`end`

			`context 'admin' do`
			`let(:current_user) { create(:admin) }`

			`it_behaves_like 'access allowed when terms accepted', :access_git`
			`end`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`context 'anonymous' do`
			`let(:current_user) { nil }`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`it { is_expected.to be_allowed(:access_git) }`
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`end`
			`end`
			`end`
Spec instance statistics 2018-07-25 11:36:08 -04:00
			`describe 'read instance statistics' do`
			`context 'regular user' do`
Revert "Merge branch 'bvl-instance-stats-default' into 'master'" This reverts merge request !21044 2018-08-06 11:44:23 -04:00			`it { is_expected.to be_allowed(:read_instance_statistics) }`
Spec instance statistics 2018-07-25 11:36:08 -04:00
			`context 'when instance statistics are set to private' do`
			`before do`
			`stub_application_setting(instance_statistics_visibility_private: true)`
			`end`

			`it { is_expected.not_to be_allowed(:read_instance_statistics) }`
			`end`
			`end`

			`context 'admin' do`
			`let(:current_user) { create(:admin) }`

Revert "Merge branch 'bvl-instance-stats-default' into 'master'" This reverts merge request !21044 2018-08-06 11:44:23 -04:00			`it { is_expected.to be_allowed(:read_instance_statistics) }`
Spec instance statistics 2018-07-25 11:36:08 -04:00
			`context 'when instance statistics are set to private' do`
			`before do`
			`stub_application_setting(instance_statistics_visibility_private: true)`
			`end`

			`it { is_expected.to be_allowed(:read_instance_statistics) }`
			`end`
			`end`

			`context 'anonymous' do`
			`let(:current_user) { nil }`

			`it { is_expected.not_to be_allowed(:read_instance_statistics) }`
			`end`
			`end`
Implement review comments for !12445 from @jneen. - Fix duplicate `prevent` declaration - Add spec for `GlobalPolicy` 2017-07-03 01:14:00 -04:00			`end`