Skip to content

G
gitlab-ce
Commit 1983d05c authored by Rémy Coutable's avatar Rémy Coutable
Browse files
Options

[CE] Reduce the diff with EE in spec/policies/project_policy_spec.rb 

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 9aca2ccf
Show whitespace changes
Inline Side-by-side
Showing with 379 additions and 373 deletions
spec/policies/project_policy_spec.rb
View file @ 1983d05c
require 'spec_helper'
describe ProjectPolicy do
set(:guest) { create(:user) }
set(:reporter) { create(:user) }
set(:developer) { create(:user) }
set(:maintainer) { create(:user) }
set(:owner) { create(:user) }
set(:admin) { create(:admin) }
let(:project) { create(:project, :public, namespace: owner.namespace) }
let(:base_guest_permissions) do
%i[
read_project read_board read_list read_wiki read_issue
read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in
award_emoji read_release
]
end
let(:base_reporter_permissions) do
%i[
download_code fork_project create_project_snippet update_issue
admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment
read_merge_request download_wiki_code read_sentry_issue
]
end
let(:team_member_reporter_permissions) do
%i[build_download_code build_read_container_image]
end
let(:developer_permissions) do
%i[
admin_milestone admin_merge_request update_merge_request create_commit_status
update_commit_status create_build update_build create_pipeline
update_pipeline create_merge_request_from create_wiki push_code
resolve_note create_container_image update_container_image
create_environment create_deployment create_release update_release
]
end
let(:base_maintainer_permissions) do
%i[
push_to_delete_protected_branch update_project_snippet update_environment
update_deployment admin_project_snippet admin_project_member admin_note admin_wiki admin_project
admin_commit_status admin_build admin_container_image
admin_pipeline admin_environment admin_deployment destroy_release add_cluster
daily_statistics
]
end
let(:public_permissions) do
%i[
download_code fork_project read_commit_status read_pipeline
read_container_image build_download_code build_read_container_image
download_wiki_code read_release
]
end
let(:owner_permissions) do
%i[
change_namespace change_visibility_level rename_project remove_project
archive_project remove_fork_project destroy_merge_request destroy_issue
set_issue_iid set_issue_created_at set_note_created_at
]
end
# Used in EE specs
let(:additional_guest_permissions) { [] }
let(:additional_reporter_permissions) { [] }
let(:additional_maintainer_permissions) { [] }
let(:guest_permissions) { base_guest_permissions + additional_guest_permissions }
let(:reporter_permissions) { base_reporter_permissions + additional_reporter_permissions }
let(:maintainer_permissions) { base_maintainer_permissions + additional_maintainer_permissions }
before do
project.add_guest(guest)
project.add_maintainer(maintainer)
project.add_developer(developer)
project.add_reporter(reporter)
end
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
end
def expect_disallowed(*permissions)
permissions.each { |p| is_expected.not_to be_allowed(p) }
end
include_context 'ProjectPolicy context'
it 'does not include the read_issue permission when the issue author is not a member of the private project' do
project = create(:project, :private)
......@@ -140,7 +51,7 @@ describe ProjectPolicy do
end
it 'disables boards and lists permissions' do
expect_disallowed :read_board, :create_board, :update_board, :admin_board
expect_disallowed :read_board, :create_board, :update_board
expect_disallowed :read_list, :create_list, :update_list, :admin_list
end
......@@ -237,237 +148,6 @@ describe ProjectPolicy do
end
end
shared_examples 'archived project policies' do
let(:feature_write_abilities) do
described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
described_class.create_update_admin_destroy(feature)
end
end
let(:other_write_abilities) do
%i[
create_merge_request_in
create_merge_request_from
push_to_delete_protected_branch
push_code
request_access
upload_file
resolve_note
award_emoji
]
end
context 'when the project is archived' do
before do
project.archived = true
end
it 'disables write actions on all relevant project features' do
expect_disallowed(*feature_write_abilities)
end
it 'disables some other important write actions' do
expect_disallowed(*other_write_abilities)
end
it 'does not disable other abilities' do
expect_allowed(*(regular_abilities - feature_write_abilities - other_write_abilities))
end
end
end
shared_examples 'project policies as anonymous' do
context 'abilities for public projects' do
context 'when a project has pending invites' do
let(:group) { create(:group, :public) }
let(:project) { create(:project, :public, namespace: group) }
let(:user_permissions) { [:create_merge_request_in, :create_project, :create_issue, :create_note, :upload_file, :award_emoji] }
let(:anonymous_permissions) { guest_permissions - user_permissions }
subject { described_class.new(nil, project) }
before do
create(:group_member, :invited, group: group)
end
it 'does not grant owner access' do
expect_allowed(*anonymous_permissions)
expect_disallowed(*user_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { anonymous_permissions }
end
end
end
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(nil, project) }
it { is_expected.to be_banned }
end
end
shared_examples 'project policies as guest' do
subject { described_class.new(guest, project) }
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
let(:reporter_public_build_permissions) do
reporter_permissions - [:read_build, :read_pipeline]
end
it do
expect_allowed(*guest_permissions)
expect_disallowed(*reporter_public_build_permissions)
expect_disallowed(*team_member_reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { guest_permissions }
end
context 'public builds enabled' do
it do
expect_allowed(*guest_permissions)
expect_allowed(:read_build, :read_pipeline)
end
end
context 'when public builds disabled' do
before do
project.update(public_builds: false)
end
it do
expect_allowed(*guest_permissions)
expect_disallowed(:read_build, :read_pipeline)
end
end
context 'when builds are disabled' do
before do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
end
it do
expect_disallowed(:read_build)
expect_allowed(:read_pipeline)
end
end
end
end
shared_examples 'project policies as reporter' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(reporter, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { reporter_permissions }
end
end
end
shared_examples 'project policies as developer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(developer, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { developer_permissions }
end
end
end
shared_examples 'project policies as maintainer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(maintainer, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { maintainer_permissions }
end
end
end
shared_examples 'project policies as owner' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(owner, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { owner_permissions }
end
end
end
shared_examples 'project policies as admin' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_disallowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { owner_permissions }
end
end
end
it_behaves_like 'project policies as anonymous'
it_behaves_like 'project policies as guest'
it_behaves_like 'project policies as reporter'
......
spec/policies/project_snippet_policy_spec.rb
View file @ 1983d05c
......@@ -5,7 +5,7 @@ describe ProjectSnippetPolicy do
let(:regular_user) { create(:user) }
let(:external_user) { create(:user, :external) }
let(:project) { create(:project, :public) }
let(:snippet) { create(:project_snippet, snippet_visibility, project: project) }
let(:author_permissions) do
[
:update_project_snippet,
......@@ -13,11 +13,7 @@ describe ProjectSnippetPolicy do
]
end
def abilities(user, snippet_visibility)
snippet = create(:project_snippet, snippet_visibility, project: project)
described_class.new(user, snippet)
end
subject { described_class.new(current_user, snippet) }
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
......@@ -28,8 +24,10 @@ describe ProjectSnippetPolicy do
end
context 'public snippet' do
let(:snippet_visibility) { :public }
context 'no user' do
subject { abilities(nil, :public) }
let(:current_user) { nil }
it do
expect_allowed(:read_project_snippet)
......@@ -38,7 +36,7 @@ describe ProjectSnippetPolicy do
end
context 'regular user' do
subject { abilities(regular_user, :public) }
let(:current_user) { regular_user }
it do
expect_allowed(:read_project_snippet, :create_note)
......@@ -47,7 +45,7 @@ describe ProjectSnippetPolicy do
end
context 'external user' do
subject { abilities(external_user, :public) }
let(:current_user) { external_user }
it do
expect_allowed(:read_project_snippet, :create_note)
......@@ -57,8 +55,10 @@ describe ProjectSnippetPolicy do
end
context 'internal snippet' do
let(:snippet_visibility) { :internal }
context 'no user' do
subject { abilities(nil, :internal) }
let(:current_user) { nil }
it do
expect_disallowed(:read_project_snippet)
......@@ -67,7 +67,7 @@ describe ProjectSnippetPolicy do
end
context 'regular user' do
subject { abilities(regular_user, :internal) }
let(:current_user) { regular_user }
it do
expect_allowed(:read_project_snippet, :create_note)
......@@ -76,17 +76,14 @@ describe ProjectSnippetPolicy do
end
context 'external user' do
subject { abilities(external_user, :internal) }
let(:current_user) { external_user }
it do
expect_disallowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions)
end
end
context 'project team member external user' do
subject { abilities(external_user, :internal) }
context 'project team member' do
before do
project.add_developer(external_user)
end
......@@ -97,10 +94,13 @@ describe ProjectSnippetPolicy do
end
end
end
end
context 'private snippet' do
let(:snippet_visibility) { :private }
context 'no user' do
subject { abilities(nil, :private) }
let(:current_user) { nil }
it do
expect_disallowed(:read_project_snippet)
......@@ -109,19 +109,16 @@ describe ProjectSnippetPolicy do
end
context 'regular user' do
subject { abilities(regular_user, :private) }
let(:current_user) { regular_user }
it do
expect_disallowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions)
end
end
context 'snippet author' do
let(:snippet) { create(:project_snippet, :private, author: regular_user, project: project) }
subject { described_class.new(regular_user, snippet) }
it do
expect_allowed(:read_project_snippet, :create_note)
expect_allowed(*author_permissions)
......@@ -129,8 +126,6 @@ describe ProjectSnippetPolicy do
end
context 'project team member normal user' do
subject { abilities(regular_user, :private) }
before do
project.add_developer(regular_user)
end
......@@ -140,9 +135,11 @@ describe ProjectSnippetPolicy do
expect_disallowed(*author_permissions)
end
end
end
context 'project team member external user' do
subject { abilities(external_user, :private) }
context 'external user' do
context 'project team member' do
let(:current_user) { external_user }
before do
project.add_developer(external_user)
......@@ -153,9 +150,11 @@ describe ProjectSnippetPolicy do
expect_disallowed(*author_permissions)
end
end
end
context 'admin user' do
subject { abilities(create(:admin), :private) }
let(:snippet_visibility) { :private }
let(:current_user) { create(:admin) }
it do
expect_allowed(:read_project_snippet, :create_note)
......
spec/support/shared_context/policies/project_policy_shared_context.rb 0 → 100644
View file @ 1983d05c
# frozen_string_literal: true
RSpec.shared_context 'ProjectPolicy context' do
set(:guest) { create(:user) }
set(:reporter) { create(:user) }
set(:developer) { create(:user) }
set(:maintainer) { create(:user) }
set(:owner) { create(:user) }
set(:admin) { create(:admin) }
let(:project) { create(:project, :public, namespace: owner.namespace) }
let(:base_guest_permissions) do
%i[
read_project read_board read_list read_wiki read_issue
read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in
award_emoji read_release
]
end
let(:base_reporter_permissions) do
%i[
download_code fork_project create_project_snippet update_issue
admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment
read_merge_request download_wiki_code read_sentry_issue
]
end
let(:team_member_reporter_permissions) do
%i[build_download_code build_read_container_image]
end
let(:developer_permissions) do
%i[
admin_milestone admin_merge_request update_merge_request create_commit_status
update_commit_status create_build update_build create_pipeline
update_pipeline create_merge_request_from create_wiki push_code
resolve_note create_container_image update_container_image
create_environment create_deployment create_release update_release
]
end
let(:base_maintainer_permissions) do
%i[
push_to_delete_protected_branch update_project_snippet update_environment
update_deployment admin_project_snippet admin_project_member admin_note admin_wiki admin_project
admin_commit_status admin_build admin_container_image
admin_pipeline admin_environment admin_deployment destroy_release add_cluster
daily_statistics
]
end
let(:public_permissions) do
%i[
download_code fork_project read_commit_status read_pipeline
read_container_image build_download_code build_read_container_image
download_wiki_code read_release
]
end
let(:base_owner_permissions) do
%i[
change_namespace change_visibility_level rename_project remove_project
archive_project remove_fork_project destroy_merge_request destroy_issue
set_issue_iid set_issue_created_at set_note_created_at
]
end
# Used in EE specs
let(:additional_guest_permissions) { [] }
let(:additional_reporter_permissions) { [] }
let(:additional_maintainer_permissions) { [] }
let(:additional_owner_permissions) { [] }
let(:guest_permissions) { base_guest_permissions + additional_guest_permissions }
let(:reporter_permissions) { base_reporter_permissions + additional_reporter_permissions }
let(:maintainer_permissions) { base_maintainer_permissions + additional_maintainer_permissions }
let(:owner_permissions) { base_owner_permissions + additional_owner_permissions }
before do
project.add_guest(guest)
project.add_maintainer(maintainer)
project.add_developer(developer)
project.add_reporter(reporter)
end
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
end
def expect_disallowed(*permissions)
permissions.each { |p| is_expected.not_to be_allowed(p) }
end
end
spec/support/shared_examples/policies/project_policy_shared_examples.rb 0 → 100644
View file @ 1983d05c
# frozen_string_literal: true
RSpec.shared_examples 'archived project policies' do
let(:feature_write_abilities) do
described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
described_class.create_update_admin_destroy(feature)
end + additional_reporter_permissions + additional_maintainer_permissions
end
let(:other_write_abilities) do
%i[
create_merge_request_in
create_merge_request_from
push_to_delete_protected_branch
push_code
request_access
upload_file
resolve_note
award_emoji
]
end
context 'when the project is archived' do
before do
project.archived = true
end
it 'disables write actions on all relevant project features' do
expect_disallowed(*feature_write_abilities)
end
it 'disables some other important write actions' do
expect_disallowed(*other_write_abilities)
end
it 'does not disable other abilities' do
expect_allowed(*(regular_abilities - feature_write_abilities - other_write_abilities))
end
end
end
RSpec.shared_examples 'project policies as anonymous' do
context 'abilities for public projects' do
context 'when a project has pending invites' do
let(:group) { create(:group, :public) }
let(:project) { create(:project, :public, namespace: group) }
let(:user_permissions) { [:create_merge_request_in, :create_project, :create_issue, :create_note, :upload_file, :award_emoji] }
let(:anonymous_permissions) { guest_permissions - user_permissions }
subject { described_class.new(nil, project) }
before do
create(:group_member, :invited, group: group)
end
it 'does not grant owner access' do
expect_allowed(*anonymous_permissions)
expect_disallowed(*user_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { anonymous_permissions }
end
end
end
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(nil, project) }
it { is_expected.to be_banned }
end
end
RSpec.shared_examples 'project policies as guest' do
subject { described_class.new(guest, project) }
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
let(:reporter_public_build_permissions) do
reporter_permissions - [:read_build, :read_pipeline]
end
it do
expect_allowed(*guest_permissions)
expect_disallowed(*reporter_public_build_permissions)
expect_disallowed(*team_member_reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { guest_permissions }
end
context 'public builds enabled' do
it do
expect_allowed(*guest_permissions)
expect_allowed(:read_build, :read_pipeline)
end
end
context 'when public builds disabled' do
before do
project.update(public_builds: false)
end
it do
expect_allowed(*guest_permissions)
expect_disallowed(:read_build, :read_pipeline)
end
end
context 'when builds are disabled' do
before do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
end
it do
expect_disallowed(:read_build)
expect_allowed(:read_pipeline)
end
end
end
end
RSpec.shared_examples 'project policies as reporter' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(reporter, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { reporter_permissions }
end
end
end
RSpec.shared_examples 'project policies as developer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(developer, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { developer_permissions }
end
end
end
RSpec.shared_examples 'project policies as maintainer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(maintainer, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { maintainer_permissions }
end
end
end
RSpec.shared_examples 'project policies as owner' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(owner, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { owner_permissions }
end
end
end
RSpec.shared_examples 'project policies as admin' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_disallowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { owner_permissions }
end
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7