Merge branch '10078-dependencies_policy' into 'master'

Add policy for dependencies See merge request gitlab-org/gitlab-ee!14561

Merge branch '10078-dependencies_policy' into 'master'
Add policy for dependencies See merge request gitlab-org/gitlab-ee!14561
43d5f5a6 · Douglas Barbosa Alexandre · f547026a · 2cd7a78b · 43d5f5a6 · 43d5f5a6
Commit 43d5f5a6 authored Jul 09, 2019 by Douglas Barbosa Alexandre
3 changed files
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -74,6 +74,11 @@ module EE
        @subject.feature_available?(:license_management)
      end

+      with_scope :subject
+      condition(:dependency_list_enabled) do
+        @subject.feature_available?(:dependency_list)
+      end
+
      with_scope :subject
      condition(:feature_flags_disabled) do
        !@subject.feature_available?(:feature_flags)
@@ -148,6 +153,8 @@ module EE

      rule { license_management_enabled & can?(:read_project) }.enable :read_software_license_policy

+      rule { dependency_list_enabled & can?(:download_code) }.enable :read_dependencies
+
      rule { repository_mirrors_enabled & ((mirror_available & can?(:admin_project)) | admin) }.enable :admin_mirror

      rule { deploy_board_disabled & ~is_development }.prevent :read_deploy_board

--- a/ee/changelogs/unreleased/10078-dependencies_policy.yml
+++ b/ee/changelogs/unreleased/10078-dependencies_policy.yml
+---
+title: Add policy for accessing dependencies
+merge_request: 14561
+author:
+type: added
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -613,6 +613,88 @@ describe ProjectPolicy do
    end
  end

+  describe 'read_dependencies' do
+    context 'when dependency list feature available' do
+      before do
+        stub_licensed_features(dependency_list: true)
+      end
+
+      context 'with public project' do
+        let(:current_user) { create(:user) }
+
+        context 'with public access to repository' do
+          let(:project) { create(:project, :public) }
+
+          it { is_expected.to be_allowed(:read_dependencies) }
+        end
+
+        context 'with limited access to repository' do
+          let(:project) { create(:project, :public, :repository_private) }
+
+          it { is_expected.not_to be_allowed(:read_dependencies) }
+        end
+      end
+
+      context 'with private project' do
+        let(:project) { create(:project, :private, namespace: owner.namespace) }
+
+        context 'with admin' do
+          let(:current_user) { admin }
+
+          it { is_expected.to be_allowed(:read_dependencies) }
+        end
+
+        context 'with owner' do
+          let(:current_user) { owner }
+
+          it { is_expected.to be_allowed(:read_dependencies) }
+        end
+
+        context 'with maintainer' do
+          let(:current_user) { maintainer }
+
+          it { is_expected.to be_allowed(:read_dependencies) }
+        end
+
+        context 'with developer' do
+          let(:current_user) { developer }
+
+          it { is_expected.to be_allowed(:read_dependencies) }
+        end
+
+        context 'with reporter' do
+          let(:current_user) { reporter }
+
+          it { is_expected.to be_allowed(:read_dependencies) }
+        end
+
+        context 'with guest' do
+          let(:current_user) { guest }
+
+          it { is_expected.to be_disallowed(:read_dependencies) }
+        end
+
+        context 'with not member' do
+          let(:current_user) { create(:user) }
+
+          it { is_expected.to be_disallowed(:read_dependencies) }
+        end
+
+        context 'with anonymous' do
+          let(:current_user) { nil }
+
+          it { is_expected.to be_disallowed(:read_dependencies) }
+        end
+      end
+    end
+
+    context 'when dependency list feature not available' do
+      let(:current_user) { admin }
+
+      it { is_expected.not_to be_allowed(:read_dependencies) }
+    end
+  end
+
  describe 'create_web_ide_terminal' do
    before do
      stub_licensed_features(web_ide_terminal: true)