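require 'spec_helper'

# Authorization coverage for the project pages: each example requests a
# route as a given principal and asserts whether it is allowed or denied.
#
# Access matrix set up in the "Project" before block:
#   @u1 -> member with Project::PROJECT_RWA (full access)
#   @u2 -> member with Project::PROJECT_N   (no access)
#   @u3 -> member with Project::PROJECT_R   (read-only)
#   :admin, :user, :visitor -> non-member principals; how these symbols are
#     resolved lives in the be_allowed_for / be_denied_for matchers
#     (spec_helper, not visible here).
#
# The examples below assert that every project-scoped page is reachable by
# @u1 and @u3 and denied to @u2, :admin, :user and :visitor. Pages that
# modify the project (edit, deploy_keys) additionally deny the read-only
# member @u3.
describe "Projects" do
  describe "GET /projects" do
    it { projects_path.should be_allowed_for :admin }
    it { projects_path.should be_allowed_for :user }
    it { projects_path.should be_denied_for :visitor }
  end

  describe "GET /projects/new" do
    # Request the /projects/new route itself; the earlier version of these
    # examples hit projects_path and merely duplicated "GET /projects",
    # leaving the new-project page without authorization coverage.
    it { new_project_path.should be_allowed_for :admin }
    it { new_project_path.should be_allowed_for :user }
    it { new_project_path.should be_denied_for :visitor }
  end

  describe "Project" do
    before do
      @project = Factory :project
      @u1 = Factory :user
      @u2 = Factory :user
      @u3 = Factory :user
      # full access
      @project.users_projects.create(:user => @u1, :project_access => Project::PROJECT_RWA)
      # no access
      @project.users_projects.create(:user => @u2, :project_access => Project::PROJECT_N)
      # readonly
      @project.users_projects.create(:user => @u3, :project_access => Project::PROJECT_R)
    end

    describe "GET /project_code" do
      it { project_path(@project).should be_allowed_for @u1 }
      it { project_path(@project).should be_allowed_for @u3 }
      it { project_path(@project).should be_denied_for :admin }
      it { project_path(@project).should be_denied_for @u2 }
      it { project_path(@project).should be_denied_for :user }
      it { project_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/master/tree" do
      it { tree_project_ref_path(@project, @project.root_ref).should be_allowed_for @u1 }
      it { tree_project_ref_path(@project, @project.root_ref).should be_allowed_for @u3 }
      it { tree_project_ref_path(@project, @project.root_ref).should be_denied_for :admin }
      it { tree_project_ref_path(@project, @project.root_ref).should be_denied_for @u2 }
      it { tree_project_ref_path(@project, @project.root_ref).should be_denied_for :user }
      it { tree_project_ref_path(@project, @project.root_ref).should be_denied_for :visitor }
    end

    describe "GET /project_code/commits" do
      it { project_commits_path(@project).should be_allowed_for @u1 }
      it { project_commits_path(@project).should be_allowed_for @u3 }
      it { project_commits_path(@project).should be_denied_for :admin }
      it { project_commits_path(@project).should be_denied_for @u2 }
      it { project_commits_path(@project).should be_denied_for :user }
      it { project_commits_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/commit" do
      it { project_commit_path(@project, @project.commit.id).should be_allowed_for @u1 }
      it { project_commit_path(@project, @project.commit.id).should be_allowed_for @u3 }
      it { project_commit_path(@project, @project.commit.id).should be_denied_for :admin }
      it { project_commit_path(@project, @project.commit.id).should be_denied_for @u2 }
      it { project_commit_path(@project, @project.commit.id).should be_denied_for :user }
      it { project_commit_path(@project, @project.commit.id).should be_denied_for :visitor }
    end

    describe "GET /project_code/team" do
      it { team_project_path(@project).should be_allowed_for @u1 }
      it { team_project_path(@project).should be_allowed_for @u3 }
      it { team_project_path(@project).should be_denied_for :admin }
      it { team_project_path(@project).should be_denied_for @u2 }
      it { team_project_path(@project).should be_denied_for :user }
      it { team_project_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/wall" do
      it { wall_project_path(@project).should be_allowed_for @u1 }
      it { wall_project_path(@project).should be_allowed_for @u3 }
      it { wall_project_path(@project).should be_denied_for :admin }
      it { wall_project_path(@project).should be_denied_for @u2 }
      it { wall_project_path(@project).should be_denied_for :user }
      it { wall_project_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/blob" do
      before do
        # Pick the first blob in the head commit's tree so the blob route
        # points at a file that really exists in the fixture repository.
        @commit = @project.commit
        @path = @commit.tree.contents.select { |i| i.is_a?(Grit::Blob) }.first.name
        @blob_path = blob_project_ref_path(@project, @commit.id, :path => @path)
      end

      it { @blob_path.should be_allowed_for @u1 }
      it { @blob_path.should be_allowed_for @u3 }
      it { @blob_path.should be_denied_for :admin }
      it { @blob_path.should be_denied_for @u2 }
      it { @blob_path.should be_denied_for :user }
      it { @blob_path.should be_denied_for :visitor }
    end

    # Project settings: only the full-access member (@u1) may reach this page;
    # the read-only member (@u3) is denied as well.
    describe "GET /project_code/edit" do
      it { edit_project_path(@project).should be_allowed_for @u1 }
      it { edit_project_path(@project).should be_denied_for @u3 }
      it { edit_project_path(@project).should be_denied_for :admin }
      it { edit_project_path(@project).should be_denied_for @u2 }
      it { edit_project_path(@project).should be_denied_for :user }
      it { edit_project_path(@project).should be_denied_for :visitor }
    end

    # Deploy keys grant repository access; like edit, this page is restricted
    # to the full-access member and denied to the read-only member.
    describe "GET /project_code/deploy_keys" do
      it { project_deploy_keys_path(@project).should be_allowed_for @u1 }
      it { project_deploy_keys_path(@project).should be_denied_for @u3 }
      it { project_deploy_keys_path(@project).should be_denied_for :admin }
      it { project_deploy_keys_path(@project).should be_denied_for @u2 }
      it { project_deploy_keys_path(@project).should be_denied_for :user }
      it { project_deploy_keys_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/issues" do
      it { project_issues_path(@project).should be_allowed_for @u1 }
      it { project_issues_path(@project).should be_allowed_for @u3 }
      it { project_issues_path(@project).should be_denied_for :admin }
      it { project_issues_path(@project).should be_denied_for @u2 }
      it { project_issues_path(@project).should be_denied_for :user }
      it { project_issues_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/snippets" do
      it { project_snippets_path(@project).should be_allowed_for @u1 }
      it { project_snippets_path(@project).should be_allowed_for @u3 }
      it { project_snippets_path(@project).should be_denied_for :admin }
      it { project_snippets_path(@project).should be_denied_for @u2 }
      it { project_snippets_path(@project).should be_denied_for :user }
      it { project_snippets_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/merge_requests" do
      it { project_merge_requests_path(@project).should be_allowed_for @u1 }
      it { project_merge_requests_path(@project).should be_allowed_for @u3 }
      it { project_merge_requests_path(@project).should be_denied_for :admin }
      it { project_merge_requests_path(@project).should be_denied_for @u2 }
      it { project_merge_requests_path(@project).should be_denied_for :user }
      it { project_merge_requests_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/repository" do
      it { project_repository_path(@project).should be_allowed_for @u1 }
      it { project_repository_path(@project).should be_allowed_for @u3 }
      it { project_repository_path(@project).should be_denied_for :admin }
      it { project_repository_path(@project).should be_denied_for @u2 }
      it { project_repository_path(@project).should be_denied_for :user }
      it { project_repository_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/repository/branches" do
      it { branches_project_repository_path(@project).should be_allowed_for @u1 }
      it { branches_project_repository_path(@project).should be_allowed_for @u3 }
      it { branches_project_repository_path(@project).should be_denied_for :admin }
      it { branches_project_repository_path(@project).should be_denied_for @u2 }
      it { branches_project_repository_path(@project).should be_denied_for :user }
      it { branches_project_repository_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/repository/tags" do
      it { tags_project_repository_path(@project).should be_allowed_for @u1 }
      it { tags_project_repository_path(@project).should be_allowed_for @u3 }
      it { tags_project_repository_path(@project).should be_denied_for :admin }
      it { tags_project_repository_path(@project).should be_denied_for @u2 }
      it { tags_project_repository_path(@project).should be_denied_for :user }
      it { tags_project_repository_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/hooks" do
      it { project_hooks_path(@project).should be_allowed_for @u1 }
      it { project_hooks_path(@project).should be_allowed_for @u3 }
      it { project_hooks_path(@project).should be_denied_for :admin }
      it { project_hooks_path(@project).should be_denied_for @u2 }
      it { project_hooks_path(@project).should be_denied_for :user }
      it { project_hooks_path(@project).should be_denied_for :visitor }
    end

    describe "GET /project_code/files" do
      it { files_project_path(@project).should be_allowed_for @u1 }
      it { files_project_path(@project).should be_allowed_for @u3 }
      it { files_project_path(@project).should be_denied_for :admin }
      it { files_project_path(@project).should be_denied_for @u2 }
      it { files_project_path(@project).should be_denied_for :user }
      it { files_project_path(@project).should be_denied_for :visitor }
    end
  end
end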