Commit 20e73b5d authored by Pedro Pombeiro's avatar Pedro Pombeiro

Move rule to ApplicationSettingPolicy

The :update_runners_registration_token rule doesn't really belong to
:global since it lives in ApplicationSetting
parent 0ef34d11
...@@ -50,14 +50,16 @@ module Mutations ...@@ -50,14 +50,16 @@ module Mutations
when 'instance_type' when 'instance_type'
raise Gitlab::Graphql::Errors::ArgumentError, "id must not be specified for '#{type}' scope" if id.present? raise Gitlab::Graphql::Errors::ArgumentError, "id must not be specified for '#{type}' scope" if id.present?
authorize!(:global) scope = ApplicationSetting.current
authorize!(scope)
ApplicationSetting.current.reset_runners_registration_token! scope.reset_runners_registration_token!
ApplicationSetting.current_without_cache.runners_registration_token ApplicationSetting.current_without_cache.runners_registration_token
when 'group_type', 'project_type' when 'group_type', 'project_type'
project_or_group = authorized_find!(type: type, id: id) scope = authorized_find!(type: type, id: id)
project_or_group.reset_runners_token!
project_or_group.runners_token scope.reset_runners_token!
scope.runners_token
end end
end end
end end
......
# frozen_string_literal: true # frozen_string_literal: true
class ApplicationSettingPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass class ApplicationSettingPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
rule { admin }.enable :read_application_setting rule { admin }.policy do
enable :read_application_setting
enable :update_runners_registration_token
end
end end
...@@ -115,7 +115,6 @@ class GlobalPolicy < BasePolicy ...@@ -115,7 +115,6 @@ class GlobalPolicy < BasePolicy
enable :approve_user enable :approve_user
enable :reject_user enable :reject_user
enable :read_usage_trends_measurement enable :read_usage_trends_measurement
enable :update_runners_registration_token
end end
# We can't use `read_statistics` because the user may have different permissions for different projects # We can't use `read_statistics` because the user may have different permissions for different projects
......
...@@ -246,7 +246,7 @@ module API ...@@ -246,7 +246,7 @@ module API
success Entities::Ci::ResetTokenResult success Entities::Ci::ResetTokenResult
end end
post 'reset_registration_token' do post 'reset_registration_token' do
authorize! :update_runners_registration_token authorize! :update_runners_registration_token, ApplicationSetting.current
ApplicationSetting.current.reset_runners_registration_token! ApplicationSetting.current.reset_runners_registration_token!
present ApplicationSetting.current_without_cache.runners_registration_token_with_expiration, with: Entities::Ci::ResetTokenResult present ApplicationSetting.current_without_cache.runners_registration_token_with_expiration, with: Entities::Ci::ResetTokenResult
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe ApplicationSettingPolicy do
let(:current_user) { create(:user) }
let(:user) { create(:user) }
subject { described_class.new(current_user, [user]) }
describe 'update_runners_registration_token' do
context 'when anonymous' do
let(:current_user) { nil }
it { is_expected.not_to be_allowed(:update_runners_registration_token) }
end
context 'regular user' do
it { is_expected.not_to be_allowed(:update_runners_registration_token) }
end
context 'when external' do
let(:current_user) { build(:user, :external) }
it { is_expected.not_to be_allowed(:update_runners_registration_token) }
end
context 'admin' do
let(:current_user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_runners_registration_token) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:update_runners_registration_token) }
end
end
end
end
...@@ -591,34 +591,4 @@ RSpec.describe GlobalPolicy do ...@@ -591,34 +591,4 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:log_in) } it { is_expected.not_to be_allowed(:log_in) }
end end
end end
describe 'update_runners_registration_token' do
context 'when anonymous' do
let(:current_user) { nil }
it { is_expected.not_to be_allowed(:update_runners_registration_token) }
end
context 'regular user' do
it { is_expected.not_to be_allowed(:update_runners_registration_token) }
end
context 'when external' do
let(:current_user) { build(:user, :external) }
it { is_expected.not_to be_allowed(:update_runners_registration_token) }
end
context 'admin' do
let(:current_user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_runners_registration_token) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:update_runners_registration_token) }
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment