Merge branch '227133-storage-limit-namespace-policy-2' into 'master'

Prevent some abilities when namespace is over storage limit See merge request gitlab-org/gitlab!36493

Merge branch '227133-storage-limit-namespace-policy-2' into 'master'
Prevent some abilities when namespace is over storage limit See merge request gitlab-org/gitlab!36493
6a3e0df4 · Mayra Cabrera · e2728fee · caa1ec9a · 6a3e0df4 · 6a3e0df4
Commit 6a3e0df4 authored Jul 17, 2020 by Mayra Cabrera
8 changed files
--- a/app/finders/group_members_finder.rb
+++ b/app/finders/group_members_finder.rb
@@ -57,7 +57,7 @@ class GroupMembersFinder < UnionFinder
    members = members.search(params[:search]) if params[:search].present?
    members = members.sort_by_attribute(params[:sort]) if params[:sort].present?

-    if can_manage_members && params[:two_factor].present?
+    if params[:two_factor].present? && can_manage_members
      members = members.filter_by_2fa(params[:two_factor])
    end


--- a/ee/app/models/ee/namespace.rb
+++ b/ee/app/models/ee/namespace.rb
@@ -177,7 +177,9 @@ module EE
    end

    def over_storage_limit?
-      ::Namespace::RootStorageSize.new(root_ancestor).above_size_limit?
+      ::Gitlab.dev_env_or_com? &&
+        ::Feature.enabled?(:namespace_storage_limit, root_ancestor) &&
+        RootStorageSize.new(root_ancestor).above_size_limit?
    end

    def actual_size_limit

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -87,6 +87,8 @@ module EE
        ::Feature.enabled?(:group_push_rules, @subject.root_ancestor) && @subject.feature_available?(:push_rules)
      end

+      condition(:over_storage_limit, scope: :subject) { @subject.over_storage_limit? }
+
      rule { public_group | logged_in_viewable }.policy do
        enable :read_wiki
        enable :download_wiki_code
@@ -253,6 +255,25 @@ module EE
      rule { admin & is_gitlab_com }.enable :update_subscription_limit

      rule { public_group }.enable :view_embedded_analytics_report
+
+      rule { over_storage_limit }.policy do
+        prevent :create_projects
+        prevent :create_epic
+        prevent :update_epic
+        prevent :admin_milestone
+        prevent :upload_file
+        prevent :admin_label
+        prevent :admin_list
+        prevent :admin_issue
+        prevent :admin_pipeline
+        prevent :add_cluster
+        prevent :create_cluster
+        prevent :update_cluster
+        prevent :admin_cluster
+        prevent :admin_group_member
+        prevent :create_deploy_token
+        prevent :create_subgroup
+      end
    end

    override :lookup_access_level!

--- a/ee/app/policies/ee/namespace_policy.rb
+++ b/ee/app/policies/ee/namespace_policy.rb
@@ -5,11 +5,17 @@ module EE
    extend ActiveSupport::Concern

    prepended do
+      condition(:over_storage_limit, scope: :subject) { @subject.over_storage_limit? }
+
      rule { owner | admin }.policy do
        enable :create_jira_connect_subscription
      end

      rule { admin & is_gitlab_com }.enable :update_subscription_limit
+
+      rule { over_storage_limit }.policy do
+        prevent :create_projects
+      end
    end
  end
 end
--- a/ee/changelogs/unreleased/227133-storage-limit-namespace-policy-2.yml
+++ b/ee/changelogs/unreleased/227133-storage-limit-namespace-policy-2.yml
+---
+title: Prevent some abilities at namespace or group level when over storage limit
+merge_request: 36493
+author:
+type: added
--- a/ee/spec/models/ee/namespace_spec.rb
+++ b/ee/spec/models/ee/namespace_spec.rb
@@ -1311,14 +1311,31 @@ RSpec.describe Namespace do
  end

  describe '#over_storage_limit?' do
-    before do
-      allow_next_instance_of(::Namespace::RootStorageSize, namespace.root_ancestor) do |project|
-        allow(project).to receive(:above_size_limit?).and_return(true)
-      end
+    using RSpec::Parameterized::TableSyntax
+
+    where(:is_dot_com, :feature_enabled, :above_size_limit, :result) do
+      false | false | false | false
+      false | false | true  | false
+      false | true  | false | false
+      false | true  | true  | false
+      true  | false | false | false
+      true  | false | true  | false
+      true  | true  | false | false
+      true  | true  | true  | true
    end

-    it 'returns a boolean indicating whether the root namespace is over the storage limit' do
-      expect(namespace.over_storage_limit?).to be true
+    with_them do
+      before do
+        allow(Gitlab).to receive(:dev_env_or_com?).and_return(is_dot_com)
+        stub_feature_flags(namespace_storage_limit: feature_enabled)
+        allow_next_instance_of(EE::Namespace::RootStorageSize, namespace.root_ancestor) do |project|
+          allow(project).to receive(:above_size_limit?).and_return(above_size_limit)
+        end
+      end
+
+      it 'returns a boolean indicating whether the root namespace is over the storage limit' do
+        expect(namespace.over_storage_limit?).to be result
+      end
    end
  end


--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -1022,6 +1022,32 @@ RSpec.describe GroupPolicy do
    end
  end

+  context 'when group is locked because storage usage limit exceeded' do
+    let(:current_user) { owner }
+    let(:policies) do
+      %i[create_projects create_epic update_epic admin_milestone upload_file admin_label
+         admin_list admin_issue admin_pipeline add_cluster create_cluster update_cluster
+         admin_cluster admin_group_member create_deploy_token create_subgroup]
+    end
+
+    before do
+      allow(group).to receive(:over_storage_limit?).and_return(over_storage_limit)
+      stub_licensed_features(epics: true)
+    end
+
+    context 'when the group has exceeded its storage limit' do
+      let(:over_storage_limit) { true }
+
+      it { is_expected.to(be_disallowed(*policies)) }
+    end
+
+    context 'when the group has not exceeded its storage limit' do
+      let(:over_storage_limit) { false }
+
+      it { is_expected.to(be_allowed(*policies)) }
+    end
+  end
+
  it_behaves_like 'model with wiki policies' do
    let_it_be(:container) { create(:group) }
    let_it_be(:user) { owner }

--- a/ee/spec/policies/namespace_policy_spec.rb
+++ b/ee/spec/policies/namespace_policy_spec.rb
@@ -49,5 +49,25 @@ RSpec.describe NamespacePolicy do
    end
  end

+  context ':over_storage_limit' do
+    let(:current_user) { owner }
+
+    before do
+      allow(namespace).to receive(:over_storage_limit?).and_return(over_storage_limit)
+    end
+
+    context 'when the namespace has exceeded its storage limit' do
+      let(:over_storage_limit) { true }
+
+      it { is_expected.to(be_disallowed(:create_projects)) }
+    end
+
+    context 'when the namespace has not exceeded its storage limit' do
+      let(:over_storage_limit) { false }
+
+      it { is_expected.to(be_allowed(:create_projects)) }
+    end
+  end
+
  it_behaves_like 'update namespace limit policy'
 end