Merge branch 'epic/public_projects' of /home/git/repositories/gitlab/gitlabhq

CHANGELOG

+v 6.2.0
+  - Public projects are visible from the outside
+
 v 6.1.0
   - Project specific IDs for issues, mr, milestones
     Above items will get a new id and for example all bookmarked issue urls will change.

VERSION

-6.1.0
+6.2.0.pre

app/assets/stylesheets/common.scss

@@ -382,3 +382,8 @@ table {
   width: 50px;
   min-height: 100px;
 }
+
+.navbar-gitlab .navbar-inner .nav > li .btn-sign-in {
+  @extend .btn-new;
+  padding: 5px 15px;
+}

app/assets/stylesheets/sections/login.scss

 /* Login Page */
 body.login-page{
-  background: #474D57;
-  .container .content { padding-top: 4%; }
+  .container > .content {
+    padding-top: 20px;
+  }
 }
 
 .login-box{

app/assets/stylesheets/sections/projects.scss

@@ -79,21 +79,6 @@ ul.nav.nav-projects-tabs {
   margin: 0px;
 }
 
-.public-projects {
-  li {
-    .project-title {
-      font-size: 14px;
-      line-height: 2;
-      font-weight: normal;
-    }
-
-    .description {
-      margin-left: 15px;
-      color: #aaa;
-    }
-  }
-}
-
 .my-projects {
   li {
     .project-title {
@@ -110,7 +95,6 @@ ul.nav.nav-projects-tabs {
   }
 }
 
-
 .public-clone {
   background: #333;
   color: #f5f5f5;
@@ -123,3 +107,11 @@ ul.nav.nav-projects-tabs {
   position: relative;
   top: -5px;
 }
+
+.public-projects .repo-info {
+  color: #777;
+
+  a {
+    color: #777;
+  }
+}

app/controllers/profiles_controller.rb

@@ -33,8 +33,8 @@ class ProfilesController < ApplicationController
   end
 
   def update_password
-    params[:user].select! do |key, value|
-      %w(current_password password password_confirmation).include?(key.to_s)
+    password_attributes = params[:user].select do |key, value|
+      %w(password password_confirmation).include?(key.to_s)
     end
 
     unless @user.valid_password?(params[:user][:current_password])
@@ -42,7 +42,7 @@ class ProfilesController < ApplicationController
       return
     end
 
-    if @user.update_attributes(params[:user])
+    if @user.update_attributes(password_attributes)
       flash[:notice] = "Password was successfully updated. Please login with it"
       redirect_to new_user_session_path
     else

app/controllers/projects/application_controller.rb

 class Projects::ApplicationController < ApplicationController
   before_filter :project
   before_filter :repository
-  layout 'projects'
+  layout :determine_layout
+
+  def authenticate_user!
+    # Restrict access to Projects area only
+    # for non-signed users
+    if !current_user
+      id = params[:project_id] || params[:id]
+      @project = Project.find_with_namespace(id)
+
+      return if @project && @project.public
+    end
+
+    super
+  end
+
+  def determine_layout
+    if current_user
+      'projects'
+    else
+      'public_projects'
+    end
+  end
 end

app/controllers/projects/hooks_controller.rb

 class Projects::HooksController < Projects::ApplicationController
   # Authorize
-  before_filter :authorize_read_project!
-  before_filter :authorize_admin_project!, only: [:new, :create, :destroy]
+  before_filter :authorize_admin_project!
 
   respond_to :html
 

app/controllers/projects/snippets_controller.rb

@@ -14,8 +14,6 @@ class Projects::SnippetsController < Projects::ApplicationController
   # Allow destroy snippet
   before_filter :authorize_admin_project_snippet!, only: [:destroy]
 
-  layout 'projects'
-
   respond_to :html
 
   def index

app/controllers/projects/team_members_controller.rb

 class Projects::TeamMembersController < Projects::ApplicationController
   # Authorize
-  before_filter :authorize_read_project!
-  before_filter :authorize_admin_project!, except: [:index, :show]
+  before_filter :authorize_admin_project!
 
   layout "project_settings"
 

app/controllers/projects_controller.rb

-class ProjectsController < Projects::ApplicationController
-  skip_before_filter :project, only: [:new, :create]
-  skip_before_filter :repository, only: [:new, :create]
+class ProjectsController < ApplicationController
+  skip_before_filter :authenticate_user!, only: [:show]
+  before_filter :project, except: [:new, :create]
+  before_filter :repository, except: [:new, :create]
 
   # Authorize
   before_filter :authorize_read_project!, except: [:index, :new, :create]
@@ -54,8 +55,9 @@ class ProjectsController < Projects::ApplicationController
   end
 
   def show
-    limit = (params[:limit] || 20).to_i
+    return authenticate_user! unless @project.public || current_user
 
+    limit = (params[:limit] || 20).to_i
     @events = @project.events.recent
     @events = event_filter.apply_filter(@events)
     @events = @events.limit(limit).offset(params[:offset] || 0)
@@ -67,10 +69,12 @@ class ProjectsController < Projects::ApplicationController
     respond_to do |format|
       format.html do
         if @project.empty_repo?
-          render "projects/empty"
+          render "projects/empty", layout: user_layout
         else
-          @last_push = current_user.recent_push(@project.id)
-          render :show
+          if current_user
+            @last_push = current_user.recent_push(@project.id)
+          end
+          render :show, layout: user_layout
         end
       end
       format.js
@@ -121,4 +125,8 @@ class ProjectsController < Projects::ApplicationController
   def set_title
     @title = 'New Project'
   end
+
+  def user_layout
+    current_user ? "projects" : "public_projects"
+  end
 end

app/controllers/public/projects_controller.rb

@@ -10,17 +10,4 @@ class Public::ProjectsController < ApplicationController
     @projects = @projects.search(params[:search]) if params[:search].present?
     @projects = @projects.includes(:namespace).order("namespaces.path, projects.name ASC").page(params[:page]).per(20)
   end
-
-  def show
-    @project = Project.public_only.find_with_namespace(params[:id])
-    render_404 and return unless @project
-
-    @repository = @project.repository
-    unless @project.empty_repo?
-      @recent_tags = @repository.tags.first(10)
-
-      @commit = @repository.commit(params[:ref])
-      @tree = Tree.new(@repository, @commit.id)
-    end
-  end
 end

app/helpers/application_helper.rb

@@ -90,6 +90,8 @@ module ApplicationHelper
   end
 
   def search_autocomplete_source
+    return unless current_user
+
     projects = current_user.authorized_projects.map { |p| { label: "project: #{simple_sanitize(p.name_with_namespace)}", url: project_path(p) } }
     groups = current_user.authorized_groups.map { |group| { label: "group: #{simple_sanitize(group.name)}", url: group_path(group) } }
 

app/helpers/projects_helper.rb

@@ -103,4 +103,20 @@ module ProjectsHelper
 
     nav_tabs.flatten
   end
+
+  def git_user_name
+    if current_user
+      current_user.name
+    else
+      "Your name"
+    end
+  end
+
+  def git_user_email
+    if current_user
+      current_user.email
+    else
+      "your@email.com"
+    end
+  end
 end

app/models/ability.rb

 class Ability
   class << self
     def allowed(user, subject)
+      return not_auth_abilities(user, subject) if user.nil?
       return [] unless user.kind_of?(User)
       return [] if user.blocked?
 
@@ -17,6 +18,34 @@ class Ability
       end.concat(global_abilities(user))
     end
 
+    # List of possible abilities
+    # for non-authenticated user
+    def not_auth_abilities(user, subject)
+      project = if subject.kind_of?(Project)
+                  subject
+                elsif subject.respond_to?(:project)
+                  subject.project
+                else
+                  nil
+                end
+
+      if project && project.public
+        [
+          :read_project,
+          :read_wiki,
+          :read_issue,
+          :read_milestone,
+          :read_project_snippet,
+          :read_team_member,
+          :read_merge_request,
+          :read_note,
+          :download_code
+        ]
+      else
+        []
+      end
+    end
+
     def global_abilities(user)
       rules = []
       rules << :create_group if user.can_create_group
@@ -58,19 +87,9 @@ class Ability
     end
 
     def public_project_rules
-      [
+      project_guest_rules + [
         :download_code,
         :fork_project,
-        :read_project,
-        :read_wiki,
-        :read_issue,
-        :read_milestone,
-        :read_project_snippet,
-        :read_team_member,
-        :read_merge_request,
-        :read_note,
-        :write_issue,
-        :write_note
       ]
     end
 
@@ -135,7 +154,7 @@ class Ability
     def group_abilities user, group
       rules = []
 
-      if group.users.include?(user)
+      if group.users.include?(user) || user.admin?
         rules << :read_group
       end
 

app/models/group.rb

@@ -32,6 +32,10 @@ class Group < Namespace
     end
   end
 
+  def add_user(user, group_access)
+    self.users_groups.create(user_id: user.id, group_access: group_access)
+  end
+
   def change_owner(user)
     self.owner = user
     membership = users_groups.where(user_id: user.id).first

app/views/layouts/_public_head_panel.html.haml

+%header.navbar.navbar-static-top.navbar-gitlab
+  .navbar-inner
+    .container
+      %div.app_logo
+        %span.separator
+        = link_to public_root_path, class: "home" do
+          %h1 GITLAB
+        %span.separator
+      %h1.project_name
+        - if @project
+          = project_title(@project)
+        - else
+          Public Projects
+
+      %ul.nav
+        %li
+          %a
+            %div.hide.turbolink-spinner
+              %i.icon-refresh.icon-spin
+              Loading...
+        %li
+          = link_to "Sign in", new_session_path(:user), class: 'btn btn-sign-in'

app/views/layouts/devise.html.haml

@@ -6,5 +6,10 @@
     .container
       .content
         %center
-          = image_tag image_path "login-logo.png"
+          %h1 GitLab
+          %p.light
+            GitLab is open source software to collaborate on code.
+            %br
+            #{link_to "Sign in", new_user_session_path} or browse for #{link_to "public projects", public_projects_path}.
+        %hr
         = yield

app/views/layouts/public.html.haml

 !!! 5
 %html{ lang: "en"}
   = render "layouts/head", title: "Public Projects"
-  %body{class: "#{app_theme} application", :'data-page' => body_data_page}
+  %body{class: "ui_mars application", :'data-page' => body_data_page}
     - if current_user
       = render "layouts/head_panel", title: "Public Projects"
     - else
-      %header.navbar.navbar-static-top.navbar-gitlab
-        .navbar-inner
-          .container
-            %div.app_logo
-              %span.separator
-              = link_to public_root_path, class: "home" do
-                %h1 GITLAB
-              %span.separator
-            %h1.project_name Public Projects
-            %ul.nav
-              %li
-                %a
-                  %div.hide.turbolink-spinner
-                    %i.icon-refresh.icon-spin
-                    Loading...
-              %li
-                = link_to "Sign in", new_session_path(:user)
+      = render "layouts/public_head_panel"
 
     .container.navless-container
-      .content
-        = yield
+      .content= yield

app/views/layouts/public_projects.html.haml

+!!! 5
+%html{ lang: "en"}
+  = render "layouts/head", title: @project.name_with_namespace
+  %body{class: "ui_mars application", :'data-page' => body_data_page}
+    = render "layouts/public_head_panel"
+    %nav.main-nav
+      .container= render 'layouts/nav/project'
+    .container
+      .content= yield

app/views/projects/_clone_panel.html.haml

@@ -5,7 +5,7 @@
     .span3.pull-right
       .pull-right
         - unless @project.empty_repo?
-          - if can?(current_user, :fork_project, @project) && @project.namespace != current_user.namespace
+          - if current_user && can?(current_user, :fork_project, @project) && @project.namespace != current_user.namespace
             - if current_user.already_forked?(@project)
               = link_to project_path(current_user.fork_of(@project)), class: 'btn grouped disabled' do
                 %i.icon-code-fork
@@ -19,37 +19,38 @@
               %i.icon-download-alt
               %span.only-wide Download
 
-        .dropdown.pull-right
-          %a.dropdown-toggle.btn{href: '#', "data-toggle" => "dropdown"}
-            %i.icon-plus-sign-alt
-            %span.only-wide New
-            %b.caret
-          %ul.dropdown-menu
-            - if @project.issues_enabled && can?(current_user, :write_issue, @project)
-              %li
-                = link_to url_for_new_issue, title: "New Issue" do
-                  Issue
-            - if @project.merge_requests_enabled && can?(current_user, :write_merge_request, @project)
-              %li
-                = link_to new_project_merge_request_path(@project), title: "New Merge Request" do
-                  Merge Request
-            - if @project.snippets_enabled && can?(current_user, :write_snippet, @project)
-              %li
-                = link_to new_project_snippet_path(@project), title: "New Snippet" do
-                  Snippet
-            - if can? current_user, :push_code, @project
-              %li.divider
-              %li
-                = link_to new_project_branch_path(@project) do
-                  %i.icon-code-fork
-                  Git branch
-              %li
-                = link_to new_project_tag_path(@project) do
-                  %i.icon-tag
-                  Git tag
+        - if current_user
+          .dropdown.pull-right
+            %a.dropdown-toggle.btn{href: '#', "data-toggle" => "dropdown"}
+              %i.icon-plus-sign-alt
+              %span.only-wide New
+              %b.caret
+            %ul.dropdown-menu
+              - if @project.issues_enabled && can?(current_user, :write_issue, @project)
+                %li
+                  = link_to url_for_new_issue, title: "New Issue" do
+                    Issue
+              - if @project.merge_requests_enabled && can?(current_user, :write_merge_request, @project)
+                %li
+                  = link_to new_project_merge_request_path(@project), title: "New Merge Request" do
+                    Merge Request
+              - if @project.snippets_enabled && can?(current_user, :write_snippet, @project)
+                %li
+                  = link_to new_project_snippet_path(@project), title: "New Snippet" do
+                    Snippet
+              - if can? current_user, :push_code, @project
+                %li.divider
+                %li
+                  = link_to new_project_branch_path(@project) do
+                    %i.icon-code-fork
+                    Git branch
+                %li
+                  = link_to new_project_tag_path(@project) do
+                    %i.icon-tag
+                    Git tag
 
-            - if can?(current_user, :admin_team_member, @project)
-              %li.divider
-              %li
-                = link_to new_project_team_member_path(@project), title: "New project member" do
-                  Project member
+              - if can?(current_user, :admin_team_member, @project)
+                %li.divider
+                %li
+                  = link_to new_project_team_member_path(@project), title: "New project member" do
+                    Project member

app/views/projects/commits/_head.html.haml

@@ -21,7 +21,7 @@
       Stats
 
 
-  - if current_controller?(:commits) && current_user.private_token
+  - if current_user && current_controller?(:commits) && current_user.private_token
     %li.pull-right
       = link_to project_commits_path(@project, @ref, {format: :atom, private_token: current_user.private_token}), title: "Feed" do
         %i.icon-rss

app/views/projects/empty.html.haml

@@ -16,8 +16,8 @@
       %legend Git global setup:
       %pre.dark
         :preserve
-          git config --global user.name "#{current_user.name}"
-          git config --global user.email "#{current_user.email}"
+          git config --global user.name "#{git_user_name}"
+          git config --global user.email "#{git_user_email}"
 
     %fieldset
       %legend Create Repository

app/views/projects/issues/_head.html.haml

@@ -5,6 +5,7 @@
     = link_to 'Milestones', project_milestones_path(@project), class: "tab"
   = nav_link(controller: :labels) do
     = link_to 'Labels', project_labels_path(@project), class: "tab"
-  %li.pull-right
-    = link_to project_issues_path(@project, :atom, { private_token: current_user.private_token }) do
-      %i.icon-rss
+  - if current_user
+    %li.pull-right
+      = link_to project_issues_path(@project, :atom, { private_token: current_user.private_token }) do
+        %i.icon-rss

app/views/projects/notes/_note.html.haml

@@ -5,7 +5,7 @@
         %i.icon-link
         Link here
        
-      - if(note.author_id == current_user.id) || can?(current_user, :admin_note, @project)
+      - if(note.author_id == current_user.try(:id)) || can?(current_user, :admin_note, @project)
         = link_to "#", title: "Edit comment", class: "js-note-edit" do
           %i.icon-edit
           Edit

app/views/public/projects/_tree.html.haml

-- if tree.readme
-  = render "projects/tree/readme", readme: tree.readme
-- else
-  .alert
-    %h3.nothing_here_message This project does not have README file

app/views/public/projects/index.html.haml

@@ -2,29 +2,40 @@
   .span6
     %h3.page-title
       Projects (#{@projects.total_count})
-      %small with read-only access
+    .light
+      You can browse public projects in read-only mode until signed in.
+
   .span6
     .pull-right
       = form_tag public_projects_path, method: :get, class: 'form-inline' do |f|
         .search-holder
-          .controls
-            = search_field_tag :search, params[:search], placeholder: "Filter by name", class: "span3 search-text-input", id: "projects_search"
-            = submit_tag 'Search', class: "btn btn-primary wide"
-
+          = search_field_tag :search, params[:search], placeholder: "Filter by name", class: "span3 search-text-input", id: "projects_search"
+          = submit_tag 'Search', class: "btn btn-primary wide"
+%hr
 .public-projects
-  %ul.bordered-list
+  %ul.bordered-list.top-list
     - @projects.each do |project|
       %li
-        .project-title
-          %i.icon-share.cgray
-          = link_to public_project_path(project) do
-            %strong= project.name_with_namespace
+        %h4
+          = link_to project_path(project) do
+            = project.name_with_namespace
           .pull-right
             %pre.public-clone git clone #{project.http_url_to_repo}
 
         - if project.description.present?
-          %div.description
+          %p
             = project.description
+
+        .repo-info
+          - unless project.empty_repo?
+            = link_to pluralize(project.repository.round_commit_count, 'commit'), project_commits_path(project, project.default_branch)
+            ·
+            = link_to pluralize(project.repository.branch_names.count, 'branch'), project_branches_path(project)
+            ·
+            = link_to pluralize(project.repository.tag_names.count, 'tag'), project_tags_path(project)
+          - else
+            %i.icon-warning-sign
+            Empty repository
     - unless @projects.present?
       %h3.nothing_here_message No public projects
 

app/views/public/projects/show.html.haml

-%h3.page-title
-  = @project.name_with_namespace
-  .pull-right
-    %pre.public-clone git clone #{@project.http_url_to_repo}
-  .pull-right
-    - if current_user
-      = link_to 'Browse project', @project, class: 'btn btn-create append-right-10'
-
-
-%div
-  = link_to public_root_path do
-    ← To projects list
-  .pull-right
-    %span.light= @project.description
-
-%br
-.row
-  - unless @project.empty_repo?
-    .span9
-      = render 'tree', tree: @tree
-    .span3
-      %h5 Repository:
-      %div
-        %p
-          %span.light Bare size is
-          #{@project.repository.size} MB
-
-        %p
-          = pluralize(@repository.round_commit_count, 'commit')
-        %p
-          = pluralize(@repository.branch_names.count, 'branch')
-        %p
-          = pluralize(@repository.tag_names.count, 'tag')
-
-      - if @recent_tags.present?
-        %hr
-        %h5 Most Recent Tags:
-        %ul.unstyled
-          - @recent_tags.each do |tag|
-            %li
-              %p
-                %i.icon-tag
-                %strong= tag.name
-                %small.light.pull-right
-                  %i.icon-calendar
-                    = time_ago_in_words(tag.commit.committed_date)
-                  ago
-  - else
-    = 'Empty Repository'

config/routes.rb

@@ -55,8 +55,6 @@ Gitlab::Application.routes.draw do
   #
   namespace :public do
     resources :projects, only: [:index]
-    resources :projects, constraints: { id: /[a-zA-Z.\/0-9_\-]+/ }, only: [:show]
-
     root to: "projects#index"
   end
 

features/public/public_projects.feature

@@ -9,11 +9,10 @@ Feature: Public Projects Feature
     And I should not see project "Enterprise"
 
   Scenario: I visit public project page
-    When I visit public page for "Community" project
-    Then I should see public project details
-    And I should see project readme
+    When I visit project "Community" page
+    Then I should see project "Community" home page
 
   Scenario: I visit an empty public project page
     Given public empty project "Empty Public Project"
-    When I visit empty public project page
-    Then I should see empty public project details
+    When I visit empty project page
+    Then I should see empty public project details
\ No newline at end of file

features/steps/public/projects_feature.rb

@@ -11,7 +11,6 @@ class Spinach::Features::PublicProjectsFeature < Spinach::FeatureSteps
 
   step 'I should see project "Empty Public Project"' do
     page.should have_content "Empty Public Project"
-    puts page.save_page('foo.html')
   end
 
   step 'I should see public project details' do
@@ -24,26 +23,35 @@ class Spinach::Features::PublicProjectsFeature < Spinach::FeatureSteps
   end
 
   step 'public project "Community"' do
-    create :project_with_code, name: 'Community', public: true
+    create :project_with_code, name: 'Community', public: true, default_branch: 'master'
   end
 
   step 'public empty project "Empty Public Project"' do
     create :project, name: 'Empty Public Project', public: true
   end
 
-  step 'I visit empty public project page' do
+  step 'I visit empty project page' do
     project = Project.find_by_name('Empty Public Project')
-    visit public_project_path(project)
+    visit project_path(project)
+  end
+
+  step 'I visit project "Community" page' do
+    project = Project.find_by_name('Community')
+    visit project_path(project)
   end
 
   step 'I should see empty public project details' do
-    page.should have_content 'Empty Repository'
+    page.should have_content 'Git global setup'
   end
 
   step 'private project "Enterprise"' do
     create :project, name: 'Enterprise'
   end
 
+  step 'I should see project "Community" home page' do
+    page.should have_content 'Repo size is'
+  end
+
   private
 
   def project

spec/features/security/dashboard_access_spec.rb

+require 'spec_helper'
+
+describe "Dashboard access" do
+  describe "GET /dashboard" do
+    subject { dashboard_path }
+
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /dashboard/issues" do
+    subject { issues_dashboard_path }
+
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /dashboard/merge_requests" do
+    subject { merge_requests_dashboard_path }
+
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /dashboard/projects" do
+    subject { projects_dashboard_path }
+
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /help" do
+    subject { help_path }
+
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /projects/new" do
+    it { new_project_path.should be_allowed_for :admin }
+    it { new_project_path.should be_allowed_for :user }
+    it { new_project_path.should be_denied_for :visitor }
+  end
+
+  describe "GET /groups/new" do
+    it { new_group_path.should be_allowed_for :admin }
+    it { new_group_path.should be_allowed_for :user }
+    it { new_group_path.should be_denied_for :visitor }
+  end
+end

spec/features/security/group_access_spec.rb

+require 'spec_helper'
+
+describe "Group access" do
+  describe "GET /projects/new" do
+    it { new_group_path.should be_allowed_for :admin }
+    it { new_group_path.should be_allowed_for :user }
+    it { new_group_path.should be_denied_for :visitor }
+  end
+
+  describe "Group" do
+    let(:group) { create(:group) }
+
+    let(:master)   { create(:user) }
+    let(:reporter) { create(:user) }
+    let(:guest)    { create(:user) }
+
+    before do
+      group.add_user(master, Gitlab::Access::MASTER)
+      group.add_user(reporter, Gitlab::Access::REPORTER)
+      group.add_user(guest, Gitlab::Access::GUEST)
+    end
+
+    describe "GET /groups/:path" do
+      subject { group_path(group) }
+
+      it { should be_allowed_for group.owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/issues" do
+      subject { issues_group_path(group) }
+
+      it { should be_allowed_for group.owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/merge_requests" do
+      subject { merge_requests_group_path(group) }
+
+      it { should be_allowed_for group.owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/members" do
+      subject { members_group_path(group) }
+
+      it { should be_allowed_for group.owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/edit" do
+      subject { edit_group_path(group) }
+
+      it { should be_allowed_for group.owner }
+      it { should be_denied_for master }
+      it { should be_denied_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_denied_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+  end
+end

spec/features/security/profile_access_spec.rb

@@ -45,5 +45,32 @@ describe "Users Security" do
       it { should be_allowed_for :user }
       it { should be_denied_for :visitor }
     end
+
+    describe "GET /profile/history" do
+      subject { history_profile_path }
+
+      it { should be_allowed_for @u1 }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /profile/notifications" do
+      subject { profile_notifications_path }
+
+      it { should be_allowed_for @u1 }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /profile/groups" do
+      subject { profile_groups_path }
+
+      it { should be_allowed_for @u1 }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for :user }
+      it { should be_denied_for :visitor }
+    end
   end
 end

spec/features/security/project/private_access_spec.rb

+require 'spec_helper'
+
+describe "Private Project Access" do
+  let(:project) { create(:project_with_code) }
+
+  let(:master)   { create(:user) }
+  let(:guest)    { create(:user) }
+  let(:reporter) { create(:user) }
+
+  before do
+    # full access
+    project.team << [master, :master]
+
+    # readonly
+    project.team << [reporter, :reporter]
+  end
+
+  describe "GET /:project_path" do
+    subject { project_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/tree/master" do
+    subject { project_tree_path(project, project.repository.root_ref) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/commits/master" do
+    subject { project_commits_path(project, project.repository.root_ref, limit: 1) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/commit/:sha" do
+    subject { project_commit_path(project, project.repository.commit) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/compare" do
+    subject { project_compare_index_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/team" do
+    subject { project_team_index_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/wall" do
+    subject { project_wall_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/blob" do
+    before do
+      commit = project.repository.commit
+      path = commit.tree.contents.select { |i| i.is_a?(Grit::Blob) }.first.name
+      @blob_path = project_blob_path(project, File.join(commit.id, path))
+    end
+
+    it { @blob_path.should be_allowed_for master }
+    it { @blob_path.should be_allowed_for reporter }
+    it { @blob_path.should be_allowed_for :admin }
+    it { @blob_path.should be_denied_for guest }
+    it { @blob_path.should be_denied_for :user }
+    it { @blob_path.should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/edit" do
+    subject { edit_project_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/deploy_keys" do
+    subject { project_deploy_keys_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/issues" do
+    subject { project_issues_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/snippets" do
+    subject { project_snippets_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/merge_requests" do
+    subject { project_merge_requests_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/branches/recent" do
+    subject { recent_project_branches_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/branches" do
+    subject { project_branches_path(project) }
+
+    before do
+      # Speed increase
+      Project.any_instance.stub(:branches).and_return([])
+    end
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/tags" do
+    subject { project_tags_path(project) }
+
+    before do
+      # Speed increase
+      Project.any_instance.stub(:tags).and_return([])
+    end
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/hooks" do
+    subject { project_hooks_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+end

spec/features/security/project/public_access_spec.rb

+require 'spec_helper'
+
+describe "Public Project Access" do
+  let(:project) { create(:project_with_code) }
+
+  let(:master) { create(:user) }
+  let(:guest) { create(:user) }
+  let(:reporter) { create(:user) }
+
+  before do
+    # public project
+    project.public = true
+    project.save!
+
+    # full access
+    project.team << [master, :master]
+
+    # readonly
+    project.team << [reporter, :reporter]
+
+  end
+
+  describe "Project should be public" do
+    subject { project }
+
+    its(:public?) { should be_true }
+  end
+
+  describe "GET /:project_path" do
+    subject { project_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/tree/master" do
+    subject { project_tree_path(project, project.repository.root_ref) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/commits/master" do
+    subject { project_commits_path(project, project.repository.root_ref, limit: 1) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/commit/:sha" do
+    subject { project_commit_path(project, project.repository.commit) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/compare" do
+    subject { project_compare_index_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/team" do
+    subject { project_team_index_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/wall" do
+    subject { project_wall_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/blob" do
+    before do
+      commit = project.repository.commit
+      path = commit.tree.contents.select { |i| i.is_a?(Grit::Blob) }.first.name
+      @blob_path = project_blob_path(project, File.join(commit.id, path))
+    end
+
+    it { @blob_path.should be_allowed_for master }
+    it { @blob_path.should be_allowed_for reporter }
+    it { @blob_path.should be_allowed_for :admin }
+    it { @blob_path.should be_allowed_for guest }
+    it { @blob_path.should be_allowed_for :user }
+    it { @blob_path.should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/edit" do
+    subject { edit_project_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/deploy_keys" do
+    subject { project_deploy_keys_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/issues" do
+    subject { project_issues_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/snippets" do
+    subject { project_snippets_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/snippets/new" do
+    subject { new_project_snippet_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/merge_requests" do
+    subject { project_merge_requests_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/merge_requests/new" do
+    subject { new_project_merge_request_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+
+  describe "GET /:project_path/branches/recent" do
+    subject { recent_project_branches_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/branches" do
+    subject { project_branches_path(project) }
+
+    before do
+      # Speed increase
+      Project.any_instance.stub(:branches).and_return([])
+    end
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/tags" do
+    subject { project_tags_path(project) }
+
+    before do
+      # Speed increase
+      Project.any_instance.stub(:tags).and_return([])
+    end
+
+    it { should be_allowed_for master }
+    it { should be_allowed_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_allowed_for guest }
+    it { should be_allowed_for :user }
+    it { should be_allowed_for :visitor }
+  end
+
+  describe "GET /:project_path/hooks" do
+    subject { project_hooks_path(project) }
+
+    it { should be_allowed_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
+end