Use permission system for path_locks

Create new PathLockPolicy and use it instead of permission on project

Use permission system for path_locks
Create new PathLockPolicy and use it instead of permission on project
23f33151 · Magdalena Frankiewicz · fd76d685 · 23f33151 · 23f33151 · 23f33151
Commit 23f33151 authored Dec 01, 2021 by Magdalena Frankiewicz
6 changed files
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1656,10 +1656,6 @@ class Project < ApplicationRecord
    end
  end
-  def member?(user)
-    project_member(user).present?
-  end
  def membership_locked?
    false
  end

--- a/ee/app/helpers/path_locks_helper.rb
+++ b/ee/app/helpers/path_locks_helper.rb
 # frozen_string_literal: true
 module PathLocksHelper
-  def can_unlock?(path_lock, current_user = @current_user, project = @project)
+  def can_unlock?(path_lock, current_user = @current_user)
-    can?(current_user, :admin_path_locks, project) ||
+    can?(current_user, :admin_path_locks, path_lock)
-      (path_lock.user == current_user && project.member?(current_user))
  end
  def text_label_for_lock(file_lock, path)

--- a/ee/app/policies/path_lock_policy.rb
+++ b/ee/app/policies/path_lock_policy.rb
+# frozen_string_literal: true
+class PathLockPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+  delegate { @subject.project }
+  condition(:is_author) { @user && @subject.user == @user }
+  condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(user) }
+  rule { is_author & is_project_member }.enable :admin_path_locks
+end
--- a/ee/spec/helpers/path_locks_helper_spec.rb
+++ b/ee/spec/helpers/path_locks_helper_spec.rb
@@ -4,35 +4,20 @@ require 'spec_helper'
 RSpec.describe PathLocksHelper do
  let(:user) { create(:user, name: 'John') }
-  let(:user_2) { create(:user, name: 'Bob') }
-  let(:path_lock) { create(:path_lock, path: 'app', user: user) }
  let(:project) { create(:project) }
+  let(:path_lock) { create(:path_lock, path: 'app', user: user, project: project) }
  describe '#can_unlock?' do
-    it "returns false if the user is not a project member" do
-      allow(self).to receive(:can?).and_return(false)
-      expect(can_unlock?(path_lock, user, project)).to be(false)
-    end
-    it "returns false if the user is not the lock owner" do
-      project.add_user(user_2, :developer)
-      allow(self).to receive(:can?).and_return(false)
-      expect(can_unlock?(path_lock, user_2, project)).to be(false)
-    end
    it "returns true if the user has admin_path_locks permission" do
-      allow(self).to receive(:can?).with(user, :admin_path_locks, project).and_return(true)
+      allow(self).to receive(:can?).with(user, :admin_path_locks, path_lock).and_return(true)
-      expect(can_unlock?(path_lock, user, project)).to be(true)
+      expect(can_unlock?(path_lock, user)).to be(true)
    end
-    it "returns true if the user is the lock owner and a project member" do
+    it "returns false if the user does not have admin_path_locks permission" do
-      project.add_user(user, :developer)
+      allow(self).to receive(:can?).with(user, :admin_path_locks, path_lock).and_return(false)
-      allow(self).to receive(:can?).and_return(false)
-      expect(can_unlock?(path_lock, user, project)).to be(true)
+      expect(can_unlock?(path_lock, user)).to be(false)
    end
  end

--- a/ee/spec/policies/path_lock_policy_spec.rb
+++ b/ee/spec/policies/path_lock_policy_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe PathLockPolicy do
+  let(:project) { create(:project) }
+  let(:maintainer) { create(:user) }
+  let(:developer) { create(:user) }
+  let(:non_member) { create(:user) }
+  let(:developer_path_lock) { create(:path_lock, user: developer, project: project) }
+  let(:non_member_path_lock) { create(:path_lock, user: non_member, project: project) }
+  before do
+    project.add_maintainer(maintainer)
+    project.add_developer(developer)
+  end
+  def permissions(user, path_lock)
+    described_class.new(user, path_lock)
+  end
+  it 'disallows non-member from administrating path lock they created' do
+    expect(permissions(non_member, non_member_path_lock)).to be_disallowed(:admin_path_locks)
+  end
+  it 'disallows developer from administrating path lock they did not create' do
+    expect(permissions(developer, non_member_path_lock)).to be_disallowed(:admin_path_locks)
+  end
+  it 'allows developer to administrating path lock they created' do
+    expect(permissions(developer, developer_path_lock)).to be_allowed(:admin_path_locks)
+  end
+  it 'allows maintainer to administrating path lock they did not create' do
+    expect(permissions(maintainer, non_member_path_lock)).to be_allowed(:admin_path_locks)
+    expect(permissions(maintainer, developer_path_lock)).to be_allowed(:admin_path_locks)
+  end
+end
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -1589,19 +1589,6 @@ RSpec.describe Project, factory_default: :keep do
    it { expect(project.builds_enabled?).to be_truthy }
  end
-  describe '#member?' do
-    it 'returns true if the given user is a project member, false otherwise' do
-      project = create(:project)
-      user = create(:user)
-      expect(project.member?(user)).to be(false)
-      project.add_user(user, :developer)
-      expect(project.member?(user)).to be(true)
-    end
-  end
  describe '.sort_by_attribute' do
    it 'reorders the input relation by start count desc' do
      project1 = create(:project, star_count: 2)