gitlab-org--gitlab-foss/spec/policies/project_policy_spec.rb

require 'spec_helper'

describe ProjectPolicy, models: true do
  let(:guest) { create(:user) }
  let(:reporter) { create(:user) }
  let(:dev) { create(:user) }
  let(:master) { create(:user) }
  let(:owner) { create(:user) }
  let(:project) { create(:empty_project, :public, namespace: owner.namespace) }

  let(:guest_permissions) do
    [
      :read_project, :read_board, :read_list, :read_wiki, :read_issue, :read_label,
      :read_milestone, :read_project_snippet, :read_project_member,
      :read_note, :create_project, :create_issue, :create_note,
      :upload_file
    ]
  end

  let(:reporter_permissions) do
    [
      :download_code, :fork_project, :create_project_snippet, :update_issue,
      :admin_issue, :admin_label, :admin_list, :read_commit_status, :read_build,
      :read_container_image, :read_pipeline, :read_environment, :read_deployment,
      :read_merge_request
    ]
  end

  let(:team_member_reporter_permissions) do
    [
      :build_download_code, :build_read_container_image
    ]
  end

  let(:developer_permissions) do
    [
      :admin_merge_request, :update_merge_request, :create_commit_status,
      :update_commit_status, :create_build, :update_build, :create_pipeline,
      :update_pipeline, :create_merge_request, :create_wiki, :push_code,
      :resolve_note, :create_container_image, :update_container_image,
      :create_environment, :create_deployment
    ]
  end

  let(:master_permissions) do
    [
      :push_code_to_protected_branches, :update_project_snippet, :update_environment,
      :update_deployment, :admin_milestone, :admin_project_snippet,
      :admin_project_member, :admin_note, :admin_wiki, :admin_project,
      :admin_commit_status, :admin_build, :admin_container_image,
      :admin_pipeline, :admin_environment, :admin_deployment
    ]
  end

  let(:public_permissions) do
    [
      :download_code, :fork_project, :read_commit_status, :read_pipeline,
      :read_container_image, :build_download_code, :build_read_container_image
    ]
  end

  let(:owner_permissions) do
    [
      :change_namespace, :change_visibility_level, :rename_project, :remove_project,
      :archive_project, :remove_fork_project, :destroy_merge_request, :destroy_issue
    ]
  end

  before do
    project.team << [guest, :guest]
    project.team << [master, :master]
    project.team << [dev, :developer]
    project.team << [reporter, :reporter]
  end

  it 'does not include the read_issue permission when the issue author is not a member of the private project' do
    project = create(:project, :private)
    issue   = create(:issue, project: project)
    user    = issue.author

    expect(project.team.member?(issue.author)).to eq(false)

    expect(BasePolicy.class_for(project).abilities(user, project).can_set).
      not_to include(:read_issue)

    expect(Ability.allowed?(user, :read_issue, project)).to be_falsy
  end

  context 'abilities for non-public projects' do
    let(:project) { create(:empty_project, namespace: owner.namespace) }

    subject { described_class.abilities(current_user, project).to_set }

    context 'with no user' do
      let(:current_user) { nil }

      it { is_expected.to be_empty }
    end

    context 'guests' do
      let(:current_user) { guest }

      it do
        is_expected.to include(*guest_permissions)
        is_expected.not_to include(*reporter_permissions)
        is_expected.not_to include(*team_member_reporter_permissions)
        is_expected.not_to include(*developer_permissions)
        is_expected.not_to include(*master_permissions)
        is_expected.not_to include(*owner_permissions)
      end
    end

    context 'reporter' do
      let(:current_user) { reporter }

      it do
        is_expected.to include(*guest_permissions)
        is_expected.to include(*reporter_permissions)
        is_expected.to include(*team_member_reporter_permissions)
        is_expected.not_to include(*developer_permissions)
        is_expected.not_to include(*master_permissions)
        is_expected.not_to include(*owner_permissions)
      end
    end

    context 'developer' do
      let(:current_user) { dev }

      it do
        is_expected.to include(*guest_permissions)
        is_expected.to include(*reporter_permissions)
        is_expected.to include(*team_member_reporter_permissions)
        is_expected.to include(*developer_permissions)
        is_expected.not_to include(*master_permissions)
        is_expected.not_to include(*owner_permissions)
      end
    end

    context 'master' do
      let(:current_user) { master }

      it do
        is_expected.to include(*guest_permissions)
        is_expected.to include(*reporter_permissions)
        is_expected.to include(*team_member_reporter_permissions)
        is_expected.to include(*developer_permissions)
        is_expected.to include(*master_permissions)
        is_expected.not_to include(*owner_permissions)
      end
    end

    context 'owner' do
      let(:current_user) { owner }

      it do
        is_expected.to include(*guest_permissions)
        is_expected.to include(*reporter_permissions)
        is_expected.not_to include(*team_member_reporter_permissions)
        is_expected.to include(*developer_permissions)
        is_expected.to include(*master_permissions)
        is_expected.to include(*owner_permissions)
      end
    end
  end
end
add project_policy_spec to replace .project_abilities spec 2016-08-23 23:19:36 +00:00			`require 'spec_helper'`

			`describe ProjectPolicy, models: true do`
			`let(:guest) { create(:user) }`
			`let(:reporter) { create(:user) }`
			`let(:dev) { create(:user) }`
			`let(:master) { create(:user) }`
			`let(:owner) { create(:user) }`
Improve project policy spec 2016-09-21 05:09:31 +00:00			`let(:project) { create(:empty_project, :public, namespace: owner.namespace) }`
add project_policy_spec to replace .project_abilities spec 2016-08-23 23:19:36 +00:00
Improve project policy spec 2016-09-21 05:09:31 +00:00			`let(:guest_permissions) do`
			`[`
			`:read_project, :read_board, :read_list, :read_wiki, :read_issue, :read_label,`
			`:read_milestone, :read_project_snippet, :read_project_member,`
Make guests unable to view MRs 2016-10-04 12:52:08 +00:00			`:read_note, :create_project, :create_issue, :create_note,`
Improve project policy spec 2016-09-21 05:09:31 +00:00			`:upload_file`
			`]`
add project_policy_spec to replace .project_abilities spec 2016-08-23 23:19:36 +00:00			`end`

Improve project policy spec 2016-09-21 05:09:31 +00:00			`let(:reporter_permissions) do`
			`[`
			`:download_code, :fork_project, :create_project_snippet, :update_issue,`
			`:admin_issue, :admin_label, :admin_list, :read_commit_status, :read_build,`
Make guests unable to view MRs 2016-10-04 12:52:08 +00:00			`:read_container_image, :read_pipeline, :read_environment, :read_deployment,`
			`:read_merge_request`
Improve project policy spec 2016-09-21 05:09:31 +00:00			`]`
			`end`

			`let(:team_member_reporter_permissions) do`
			`[`
			`:build_download_code, :build_read_container_image`
			`]`
			`end`

			`let(:developer_permissions) do`
			`[`
			`:admin_merge_request, :update_merge_request, :create_commit_status,`
			`:update_commit_status, :create_build, :update_build, :create_pipeline,`
			`:update_pipeline, :create_merge_request, :create_wiki, :push_code,`
			`:resolve_note, :create_container_image, :update_container_image,`
			`:create_environment, :create_deployment`
			`]`
			`end`

			`let(:master_permissions) do`
			`[`
			`:push_code_to_protected_branches, :update_project_snippet, :update_environment,`
			`:update_deployment, :admin_milestone, :admin_project_snippet,`
			`:admin_project_member, :admin_note, :admin_wiki, :admin_project,`
			`:admin_commit_status, :admin_build, :admin_container_image,`
			`:admin_pipeline, :admin_environment, :admin_deployment`
			`]`
			`end`

			`let(:public_permissions) do`
			`[`
			`:download_code, :fork_project, :read_commit_status, :read_pipeline,`
			`:read_container_image, :build_download_code, :build_read_container_image`
			`]`
			`end`

			`let(:owner_permissions) do`
			`[`
			`:change_namespace, :change_visibility_level, :rename_project, :remove_project,`
			`:archive_project, :remove_fork_project, :destroy_merge_request, :destroy_issue`
			`]`
add project_policy_spec to replace .project_abilities spec 2016-08-23 23:19:36 +00:00			`end`

			`before do`
			`project.team << [guest, :guest]`
			`project.team << [master, :master]`
			`project.team << [dev, :developer]`
			`project.team << [reporter, :reporter]`
			`end`
Test if issue authors can access private projects 2016-09-19 20:21:58 +00:00
			`it 'does not include the read_issue permission when the issue author is not a member of the private project' do`
			`project = create(:project, :private)`
			`issue = create(:issue, project: project)`
			`user = issue.author`

			`expect(project.team.member?(issue.author)).to eq(false)`

			`expect(BasePolicy.class_for(project).abilities(user, project).can_set).`
			`not_to include(:read_issue)`

			`expect(Ability.allowed?(user, :read_issue, project)).to be_falsy`
			`end`
Improve project policy spec 2016-09-21 05:09:31 +00:00
			`context 'abilities for non-public projects' do`
			`let(:project) { create(:empty_project, namespace: owner.namespace) }`

			`subject { described_class.abilities(current_user, project).to_set }`

			`context 'with no user' do`
			`let(:current_user) { nil }`

			`it { is_expected.to be_empty }`
			`end`

			`context 'guests' do`
			`let(:current_user) { guest }`

			`it do`
			`is_expected.to include(*guest_permissions)`
			`is_expected.not_to include(*reporter_permissions)`
			`is_expected.not_to include(*team_member_reporter_permissions)`
			`is_expected.not_to include(*developer_permissions)`
			`is_expected.not_to include(*master_permissions)`
			`is_expected.not_to include(*owner_permissions)`
			`end`
			`end`

			`context 'reporter' do`
			`let(:current_user) { reporter }`

			`it do`
			`is_expected.to include(*guest_permissions)`
			`is_expected.to include(*reporter_permissions)`
			`is_expected.to include(*team_member_reporter_permissions)`
			`is_expected.not_to include(*developer_permissions)`
			`is_expected.not_to include(*master_permissions)`
			`is_expected.not_to include(*owner_permissions)`
			`end`
			`end`

			`context 'developer' do`
			`let(:current_user) { dev }`

			`it do`
			`is_expected.to include(*guest_permissions)`
			`is_expected.to include(*reporter_permissions)`
			`is_expected.to include(*team_member_reporter_permissions)`
			`is_expected.to include(*developer_permissions)`
			`is_expected.not_to include(*master_permissions)`
			`is_expected.not_to include(*owner_permissions)`
			`end`
			`end`

			`context 'master' do`
			`let(:current_user) { master }`

			`it do`
			`is_expected.to include(*guest_permissions)`
			`is_expected.to include(*reporter_permissions)`
			`is_expected.to include(*team_member_reporter_permissions)`
			`is_expected.to include(*developer_permissions)`
			`is_expected.to include(*master_permissions)`
			`is_expected.not_to include(*owner_permissions)`
			`end`
			`end`

			`context 'owner' do`
			`let(:current_user) { owner }`

			`it do`
			`is_expected.to include(*guest_permissions)`
			`is_expected.to include(*reporter_permissions)`
			`is_expected.not_to include(*team_member_reporter_permissions)`
			`is_expected.to include(*developer_permissions)`
			`is_expected.to include(*master_permissions)`
			`is_expected.to include(*owner_permissions)`
			`end`
			`end`
			`end`
add project_policy_spec to replace .project_abilities spec 2016-08-23 23:19:36 +00:00			`end`