Commit graph

21 commits

Author SHA1 Message Date
Robert Speicher
90e802cd96 Use :empty_project where possible in policy specs 2017-03-27 18:45:36 -04:00
http://jneen.net/
275a46c523 spec the new behavior of .class_for
and more robustly spec the ancestor behavior
2017-03-09 11:49:53 -08:00
Kamil Trzciński
32dee03b2f Improve pipeline triggers UI 2017-03-07 13:02:56 +00:00
Timothy Andrew
6fdb17cbbe
Don't allow deleting a ghost user.
- Add a `destroy_user` ability. This didn't exist before, and was implicit in
  other abilities (only admins could access the admin area, so only they could
  destroy all users; a user can only access their own account page, and so can
  destroy only themselves).

- Grant this ability to admins, and when the current user is trying to destroy
  themselves. Disallow destroying ghost users in all cases.

- Modify the `Users::DestroyService` to check this ability. Also check it in
  views to decide whether or not to show the "Delete User" button.

- Add a short summary of the Ghost User to the bio.
2017-02-24 16:50:20 +05:30
Douwe Maan
46dff6910d More backport 2017-02-06 17:19:37 -06:00
Grzegorz Bizon
5e3f8db707 Fix build access policies when pipelines are public 2017-01-23 14:49:13 +01:00
Rémy Coutable
061bb6eb6e More improvements to presenters
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-01-18 16:38:35 +01:00
Rémy Coutable
fd72c0f4c7 Handle presenters in BasePolicy
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-01-18 16:38:34 +01:00
Dmitriy Zaporozhets
7b4b3d5f26 Include group parents into read access for project and group
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2016-12-26 10:57:11 +02:00
Dmitriy Zaporozhets
b6a1c0bf9b
Add missing group policy spec
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2016-12-15 21:30:35 +02:00
Z.J. van de Weg
1096040024 Update effected tests 2016-12-04 17:32:33 +01:00
Z.J. van de Weg
617f43c74b Guests can read builds if those are public
Fixes #18448
2016-12-04 15:48:50 +01:00
Douglas Barbosa Alexandre
42c332689d Improve ProjectPolicy spec to check permissions when wiki is disabled 2016-11-30 16:02:25 -02:00
Yorick Peterse
3c957c0066
Added tests for IssuePolicy 2016-11-07 12:49:24 +01:00
Kamil Trzcinski
517dd4a3f3 Allow owners to fetch source code in CI builds
Due to different way of handling owners of a project, they were not allowed to fetch CI sources for project.
2016-11-01 09:37:20 +01:00
Sean McGivern
af6cf695c4 Add specs for a user from a group link 2016-10-28 15:11:32 +01:00
Sean McGivern
db9979bcad Fix project member access for group links
`ProjectTeam#find_member` doesn't take group links into account. It was
used in two places:

1. An admin view - it can stay here.
2. `ProjectTeam#member?`, which is often used to decide if a user has
   access to view something.

This second part broke confidential issues viewing. `IssuesFinder` ends
up delegating to `Project#authorized_for_user?`, which does consider
group links, so users with access to the project via a group link could
see confidential issues on the index page. However, `IssuesPolicy` used
`ProjectTeam#member?`, so the same user couldn't view the issue when
going to it directly.
2016-10-28 09:20:55 +01:00
Valery Sizov
b4004488f7 Make guests unable to view MRs 2016-10-11 16:51:26 +03:00
Alejandro Rodríguez
1d35c5b3ae Improve project policy spec 2016-10-06 18:54:28 -03:00
Felipe Artur
98559adf71 Test if issue authors can access private projects 2016-09-20 14:57:23 -03:00
http://jneen.net/
29b1623a36 add project_policy_spec to replace .project_abilities spec 2016-08-30 11:35:06 -07:00