Commit 28362d9f authored by Stan Hu's avatar Stan Hu

Merge branch '9023-fix-commenting-in-epics-permissions' into 'master'

Fix commenting on epics permissions

Closes #9023

See merge request gitlab-org/gitlab-ee!9783
parents 473ce756 e7f6ecfb
...@@ -8,7 +8,7 @@ class EpicPolicy < BasePolicy ...@@ -8,7 +8,7 @@ class EpicPolicy < BasePolicy
enable :read_note enable :read_note
end end
rule { can?(:update_epic) }.policy do rule { can?(:read_epic) & ~anonymous }.policy do
enable :create_note enable :create_note
end end
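Review bot: The rewritten rule `rule { can?(:read_epic) & ~anonymous }.policy do` widens `create_note` from reporters and above (the old `can?(:update_epic)` gate) to every signed-in user who can read the epic, which in a public group with epics enabled includes non-members — the spec's public-group 'user who is not a group member' context expects 'can comment on epics'. That matches how issue commenting works, but the intent deserves a comment on the rule so a later reader does not mistake it for an over-grant: `# Any authenticated user who can read the epic may comment; anonymous readers cannot.` The spec also asserts `:award_emoji` together with `:create_note` for the same users, yet no `award_emoji` rule appears in this hunk, so presumably it is derived from `create_note` elsewhere in the policy; confirm that derivation exists. The class body continues outside the hunk.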
......
---
title: Allow guests to comment on epics
merge_request: 9783
author:
type: added
...@@ -2,153 +2,153 @@ require 'spec_helper' ...@@ -2,153 +2,153 @@ require 'spec_helper'
describe EpicPolicy do describe EpicPolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
let(:user) { create(:user) } let(:user) { create(:user) }
let(:epic) { create(:epic, group: group) }
def permissions(user, group) subject { described_class.new(user, epic) }
epic = create(:epic, group: group)
described_class.new(user, epic) shared_examples 'can comment on epics' do
it { is_expected.to be_allowed(:create_note, :award_emoji) }
end end
context 'when epics feature is disabled' do shared_examples 'cannot comment on epics' do
let(:group) { create(:group, :public) } it { is_expected.to be_disallowed(:create_note, :award_emoji) }
it 'no one can read epics' do
group.add_owner(user)
expect(permissions(user, group))
.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic)
end
end end
context 'when epics feature is enabled' do shared_examples 'can only read epics' do
before do it do
stub_licensed_features(epics: true) is_expected.to be_allowed(:read_epic, :read_epic_iid)
is_expected.to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic)
end end
end
context 'when an epic is in a private group' do shared_examples 'can manage epics' do
let(:group) { create(:group, :private) } it { is_expected.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :admin_epic, :create_epic) }
end
it 'anonymous user can not read epics' do shared_examples 'all epic permissions disabled' do
expect(permissions(nil, group)) it { is_expected.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic, :create_note, :award_emoji) }
.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic) end
end
it 'user who is not a group member can not read epics' do shared_examples 'group member permissions' do
expect(permissions(user, group)) context 'guest group member' do
.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic) before do
group.add_guest(user)
end end
it 'guest group member can only read epics' do it_behaves_like 'can only read epics'
group.add_guest(user) it_behaves_like 'can comment on epics'
end
expect(permissions(user, group)).to be_allowed(:read_epic, :read_epic_iid) context 'reporter group member' do
expect(permissions(user, group)).to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic) before do
group.add_reporter(user)
end end
it 'reporter group member can manage epics' do it_behaves_like 'can manage epics'
group.add_reporter(user) it_behaves_like 'can comment on epics'
expect(permissions(user, group)).to be_disallowed(:destroy_epic) it 'cannot destroy epics' do
expect(permissions(user, group)) is_expected.to be_disallowed(:destroy_epic)
.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :admin_epic, :create_epic)
end end
end
it 'only group owner can destroy epics' do context 'group owner' do
before do
group.add_owner(user) group.add_owner(user)
end
it_behaves_like 'can manage epics'
it_behaves_like 'can comment on epics'
expect(permissions(user, group)) it 'can destroy epics' do
.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic) is_expected.to be_allowed(:destroy_epic)
end end
end end
end
context 'when an epic is in an internal group' do context 'when epics feature is disabled' do
let(:group) { create(:group, :internal) } let(:group) { create(:group, :public) }
before do
group.add_owner(user)
end
it 'anonymous user can not read epics' do it_behaves_like 'all epic permissions disabled'
expect(permissions(nil, group)) end
.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic)
context 'when epics feature is enabled' do
before do
stub_licensed_features(epics: true)
end
context 'when an epic is in a private group' do
let(:group) { create(:group, :private) }
context 'anonymous user' do
let(:user) { nil }
it_behaves_like 'all epic permissions disabled'
end end
it 'user who is not a group member can only read epics' do context 'user who is not a group member' do
expect(permissions(user, group)).to be_allowed(:read_epic, :read_epic_iid) it_behaves_like 'all epic permissions disabled'
expect(permissions(user, group)).to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic)
end end
it 'guest group member can only read epics' do it_behaves_like 'group member permissions'
group.add_guest(user) end
expect(permissions(user, group)).to be_allowed(:read_epic, :read_epic_iid) context 'when an epic is in an internal group' do
expect(permissions(user, group)).to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic) let(:group) { create(:group, :internal) }
end
it 'reporter group member can manage epics' do context 'anonymous user' do
group.add_reporter(user) let(:user) { nil }
expect(permissions(user, group)).to be_disallowed(:destroy_epic) it_behaves_like 'all epic permissions disabled'
expect(permissions(user, group))
.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :admin_epic, :create_epic)
end end
it 'only group owner can destroy epics' do context 'user who is not a group member' do
group.add_owner(user) it_behaves_like 'can only read epics'
it_behaves_like 'can comment on epics'
expect(permissions(user, group))
.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic)
end end
it_behaves_like 'group member permissions'
end end
context 'when an epic is in a public group' do context 'when an epic is in a public group' do
let(:group) { create(:group, :public) } let(:group) { create(:group, :public) }
it 'anonymous user can only read epics' do context 'anonymous user' do
expect(permissions(nil, group)).to be_allowed(:read_epic, :read_epic_iid) let(:user) { nil }
expect(permissions(nil, group)).to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic)
end
it 'user who is not a group member can only read epics' do it_behaves_like 'can only read epics'
expect(permissions(user, group)).to be_allowed(:read_epic, :read_epic_iid) it_behaves_like 'cannot comment on epics'
expect(permissions(user, group)).to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic)
end end
it 'guest group member can only read epics' do context 'user who is not a group member' do
group.add_guest(user) it_behaves_like 'can only read epics'
it_behaves_like 'can comment on epics'
expect(permissions(user, group)).to be_allowed(:read_epic, :read_epic_iid)
expect(permissions(user, group)).to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic)
end end
it 'reporter group member can manage epics' do it_behaves_like 'group member permissions'
group.add_reporter(user) end
expect(permissions(user, group)).to be_disallowed(:destroy_epic) context 'when external authorization is enabled' do
expect(permissions(user, group)) let(:group) { create(:group) }
.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :admin_epic, :create_epic)
end
it 'only group owner can destroy epics' do before do
enable_external_authorization_service_check
group.add_owner(user) group.add_owner(user)
expect(permissions(user, group))
.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic)
end end
end
end
context 'when external authorization is enabled' do
let(:group) { create(:group) }
before do it 'does not call external authorization service' do
enable_external_authorization_service_check expect(EE::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
group.add_owner(user)
end
it 'does not allow any epic permissions' do subject
expect(EE::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) end
expect(permissions(user, group)) it_behaves_like 'all epic permissions disabled'
.not_to be_allowed(:read_epic, :read_epic_iid, :update_epic,
:destroy_epic, :admin_epic, :create_epic)
end end
end end
end end
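Review bot: The 'does not call external authorization service' example near the end of the hunk sets `expect(EE::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)` and then only calls `subject`, which constructs the policy; unless construction itself evaluates rules (it does not appear to), no permission is checked while the message expectation is active and the example passes trivially. The removed version evaluated `not_to be_allowed(...)` inside the same example, so this weakens what the test proves about the external-authorization path. Replace the bare `subject` line with an assertion that exercises the rules, e.g. `is_expected.to be_disallowed(:read_epic, :create_note)`, so the no-call expectation covers an actual policy evaluation. The `it_behaves_like 'all epic permissions disabled'` that follows runs as separate examples where the message expectation is not set, so it does not close this gap.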