Commit
97f966c4
authored
Nov 23, 2017
by
Tomasz Maczukin
Introduce :read_namespace access policy for namespace and group
parent
dfbfd3c7
Showing
4 changed files
with
52 additions
and
11 deletions
+52
-11
app/policies/group_policy.rb
app/policies/group_policy.rb
+2
-0
app/policies/namespace_policy.rb
app/policies/namespace_policy.rb
+1
-0
lib/api/helpers.rb
lib/api/helpers.rb
+1
-1
spec/requests/api/namespaces_spec.rb
spec/requests/api/namespaces_spec.rb
+48
-10
app/policies/group_policy.rb
...
@@ -34,6 +34,8 @@ class GroupPolicy < BasePolicy
...
@@ -34,6 +34,8 @@ class GroupPolicy < BasePolicy
rule
{
admin
}
.
enable
:read_group
rule
{
admin
}
.
enable
:read_group
rule
{
has_projects
}
.
enable
:read_group
rule
{
has_projects
}
.
enable
:read_group
rule
{
has_access
}.
enable
:read_namespace
rule
{
developer
}.
enable
:admin_milestones
rule
{
developer
}.
enable
:admin_milestones
rule
{
reporter
}.
enable
:admin_label
rule
{
reporter
}.
enable
:admin_label
...
...
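Review bot: The new `rule { has_access }.enable :read_namespace` carries no comment explaining why it keys on `has_access` alone, while `:read_group` just above is also enabled for `admin` and `has_projects`. The `has_access` condition is defined outside this hunk, so it is not visible here whether it covers every membership level, including the lowest one, or whether administrators satisfy it. Both matter, because this ability now gates `find_namespace!` in lib/api/helpers.rb. Once the intent is confirmed I would add a comment such as `# :read_namespace gates the API namespace lookup; granted to group members, deliberately not to has_projects`. If administrators are not covered by `has_access`, also add an explicit `rule { admin }.enable :read_namespace`.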
app/policies/namespace_policy.rb
...
@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
...
@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
rule
{
owner
|
admin
}.
policy
do
rule
{
owner
|
admin
}.
policy
do
enable
:create_projects
enable
:create_projects
enable
:admin_namespace
enable
:admin_namespace
enable
:read_namespace
end
end
rule
{
personal_project
&
~
can_create_personal_project
}.
prevent
:create_projects
rule
{
personal_project
&
~
can_create_personal_project
}.
prevent
:create_projects
...
...
lib/api/helpers.rb
...
@@ -127,7 +127,7 @@ module API
...
@@ -127,7 +127,7 @@ module API
def
find_namespace!
(
id
)
def
find_namespace!
(
id
)
namespace
=
find_namespace
(
id
)
namespace
=
find_namespace
(
id
)
if
can?
(
current_user
,
:
admin
_namespace
,
namespace
)
if
can?
(
current_user
,
:
read
_namespace
,
namespace
)
namespace
namespace
else
else
not_found!
(
'Namespace'
)
not_found!
(
'Namespace'
)
...
...
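Review bot: `find_namespace!` is a shared API helper, so relaxing its check from `:admin_namespace` to `:read_namespace` lowers the bar for every endpoint that calls it, not only `GET /namespaces/:id`. The callers are outside this hunk; if any of them modifies the namespace while relying on this helper as its only authorization step, it would now accept users who can merely read it. I would keep the read check here and document it with `# Authorizes read access only; callers that modify the namespace must check :admin_namespace themselves`, with such callers adding `authorize! :admin_namespace, namespace`. Answering a denied lookup with `not_found!('Namespace')` is worth keeping, since it does not confirm that the namespace exists. The method body ends outside the hunk.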
spec/requests/api/namespaces_spec.rb
...
@@ -94,6 +94,7 @@ describe API::Namespaces do
...
@@ -94,6 +94,7 @@ describe API::Namespaces do
describe
'GET /namespaces/:id'
do
describe
'GET /namespaces/:id'
do
let
(
:owned_group
)
{
group1
}
let
(
:owned_group
)
{
group1
}
let
(
:user2
)
{
create
(
:user
)
}
shared_examples
'can access namespace'
do
shared_examples
'can access namespace'
do
it
'returns namespace details'
do
it
'returns namespace details'
do
...
@@ -116,16 +117,34 @@ describe API::Namespaces do
...
@@ -116,16 +117,34 @@ describe API::Namespaces do
context
'when namespace exists'
do
context
'when namespace exists'
do
context
'when requested by ID'
do
context
'when requested by ID'
do
context
'when requesting group'
do
let
(
:namespace_id
)
{
owned_group
.
id
}
let
(
:namespace_id
)
{
owned_group
.
id
}
it_behaves_like
'can access namespace'
it_behaves_like
'can access namespace'
end
end
context
'when requesting personal namespace'
do
let
(
:namespace_id
)
{
request_actor
.
namespace
.
id
}
let
(
:requested_namespace
)
{
request_actor
.
namespace
}
it_behaves_like
'can access namespace'
end
end
context
'when requested by path'
do
context
'when requested by path'
do
context
'when requesting group'
do
let
(
:namespace_id
)
{
owned_group
.
path
}
let
(
:namespace_id
)
{
owned_group
.
path
}
it_behaves_like
'can access namespace'
it_behaves_like
'can access namespace'
end
end
context
'when requesting personal namespace'
do
let
(
:namespace_id
)
{
request_actor
.
namespace
.
path
}
let
(
:requested_namespace
)
{
request_actor
.
namespace
}
it_behaves_like
'can access namespace'
end
end
end
end
context
"when namespace doesn't exist"
do
context
"when namespace doesn't exist"
do
...
@@ -149,6 +168,7 @@ describe API::Namespaces do
...
@@ -149,6 +168,7 @@ describe API::Namespaces do
let
(
:request_actor
)
{
user
}
let
(
:request_actor
)
{
user
}
context
'when requested namespace is not owned by user'
do
context
'when requested namespace is not owned by user'
do
context
'when requesting group'
do
it
'returns not-found'
do
it
'returns not-found'
do
get
api
(
"/namespaces/
#{
group2
.
id
}
"
,
request_actor
)
get
api
(
"/namespaces/
#{
group2
.
id
}
"
,
request_actor
)
...
@@ -156,6 +176,15 @@ describe API::Namespaces do
...
@@ -156,6 +176,15 @@ describe API::Namespaces do
end
end
end
end
context
'when requesting personal namespace'
do
it
'returns not-found'
do
get
api
(
"/namespaces/
#{
user2
.
namespace
.
id
}
"
,
request_actor
)
expect
(
response
).
to
have_gitlab_http_status
(
404
)
end
end
end
context
'when requested namespace is owned by user'
do
context
'when requested namespace is owned by user'
do
it_behaves_like
'namespace reader'
it_behaves_like
'namespace reader'
end
end
...
@@ -165,12 +194,21 @@ describe API::Namespaces do
...
@@ -165,12 +194,21 @@ describe API::Namespaces do
let
(
:request_actor
)
{
admin
}
let
(
:request_actor
)
{
admin
}
context
'when requested namespace is not owned by user'
do
context
'when requested namespace is not owned by user'
do
context
'when requesting group'
do
let
(
:namespace_id
)
{
group2
.
id
}
let
(
:namespace_id
)
{
group2
.
id
}
let
(
:requested_namespace
)
{
group2
}
let
(
:requested_namespace
)
{
group2
}
it_behaves_like
'can access namespace'
it_behaves_like
'can access namespace'
end
end
context
'when requesting personal namespace'
do
let
(
:namespace_id
)
{
user2
.
namespace
.
id
}
let
(
:requested_namespace
)
{
user2
.
namespace
}
it_behaves_like
'can access namespace'
end
end
context
'when requested namespace is owned by user'
do
context
'when requested namespace is owned by user'
do
it_behaves_like
'namespace reader'
it_behaves_like
'namespace reader'
end
end
...
...
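Review bot: The examples exercise only the namespace owner and an administrator, but the GroupPolicy change in this commit grants `:read_namespace` through `has_access`. The users newly admitted by `GET /namespaces/:id` are therefore group members who are not owners, and they have no example here. The new 'when requesting personal namespace' not-found case also requests by ID only, so a by-path lookup of another user's namespace is not pinned; a twin using `get api("/namespaces/#{user2.namespace.path}", request_actor)` would close that gap. I would also add a context with a non-owner member of `group1` that fixes the intended status, as sketched below. The enclosing `describe` block starts and ends outside the hunks shown.

```ruby
# … unchanged: 'when requested namespace is not owned by user' contexts …

context 'when user is a non-owner member of the group' do
  let(:member) { create(:user) }

  before do
    group1.add_guest(member)
  end

  it 'pins the response for a guest member' do
    get api("/namespaces/#{group1.id}", member)

    # 200 is expected only if has_access covers guests; confirm against GroupPolicy
    expect(response).to have_gitlab_http_status(200)
  end
end
```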