Commit 6a3e0df4 authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch '227133-storage-limit-namespace-policy-2' into 'master'

Prevent some abilities when namespace is over storage limit

See merge request gitlab-org/gitlab!36493
parents e2728fee caa1ec9a
...@@ -57,7 +57,7 @@ class GroupMembersFinder < UnionFinder ...@@ -57,7 +57,7 @@ class GroupMembersFinder < UnionFinder
members = members.search(params[:search]) if params[:search].present? members = members.search(params[:search]) if params[:search].present?
members = members.sort_by_attribute(params[:sort]) if params[:sort].present? members = members.sort_by_attribute(params[:sort]) if params[:sort].present?
if can_manage_members && params[:two_factor].present? if params[:two_factor].present? && can_manage_members
members = members.filter_by_2fa(params[:two_factor]) members = members.filter_by_2fa(params[:two_factor])
end end
......
...@@ -177,7 +177,9 @@ module EE ...@@ -177,7 +177,9 @@ module EE
end end
def over_storage_limit? def over_storage_limit?
::Namespace::RootStorageSize.new(root_ancestor).above_size_limit? ::Gitlab.dev_env_or_com? &&
::Feature.enabled?(:namespace_storage_limit, root_ancestor) &&
RootStorageSize.new(root_ancestor).above_size_limit?
end end
def actual_size_limit def actual_size_limit
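Review bot: `over_storage_limit?` now returns false whenever `::Gitlab.dev_env_or_com?` is false or the `:namespace_storage_limit` flag is off, so every policy built on it fails open in those cases; that is presumably intended, but nothing on the method says so. I would add a comment above it such as `# Enforced only on GitLab.com/dev and behind :namespace_storage_limit; returns false (no restriction) otherwise.` The bare `RootStorageSize` also relies on lexical constant lookup where the old line used `::Namespace::RootStorageSize`; the spec's `EE::Namespace::RootStorageSize` suggests where it resolves, but a qualified name would make that explicit. The enclosing module starts and ends outside the hunk.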
......
...@@ -87,6 +87,8 @@ module EE ...@@ -87,6 +87,8 @@ module EE
::Feature.enabled?(:group_push_rules, @subject.root_ancestor) && @subject.feature_available?(:push_rules) ::Feature.enabled?(:group_push_rules, @subject.root_ancestor) && @subject.feature_available?(:push_rules)
end end
condition(:over_storage_limit, scope: :subject) { @subject.over_storage_limit? }
rule { public_group | logged_in_viewable }.policy do rule { public_group | logged_in_viewable }.policy do
enable :read_wiki enable :read_wiki
enable :download_wiki_code enable :download_wiki_code
...@@ -253,6 +255,25 @@ module EE ...@@ -253,6 +255,25 @@ module EE
rule { admin & is_gitlab_com }.enable :update_subscription_limit rule { admin & is_gitlab_com }.enable :update_subscription_limit
rule { public_group }.enable :view_embedded_analytics_report rule { public_group }.enable :view_embedded_analytics_report
rule { over_storage_limit }.policy do
prevent :create_projects
prevent :create_epic
prevent :update_epic
prevent :admin_milestone
prevent :upload_file
prevent :admin_label
prevent :admin_list
prevent :admin_issue
prevent :admin_pipeline
prevent :add_cluster
prevent :create_cluster
prevent :update_cluster
prevent :admin_cluster
prevent :admin_group_member
prevent :create_deploy_token
prevent :create_subgroup
end
end end
override :lookup_access_level! override :lookup_access_level!
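Review bot: The `rule { over_storage_limit }.policy` block is a hand-enumerated deny list, so any write ability added to the group policy later stays permitted for an over-limit namespace unless someone remembers to append it here; the same sixteen symbols are repeated in the GroupPolicy spec. Pulling them into one frozen constant that both the rule and the spec iterate over would keep the two from drifting. Because `prevent` in DeclarativePolicy overrides any `enable`, this rule appears to apply to instance admins as well as owners; if admins are expected to manage members or clusters on a locked group, the rule condition probably needs `over_storage_limit & ~admin`, and the visible spec only exercises `owner`. The `condition(:over_storage_limit, scope: :subject)` declaration is repeated verbatim in the namespace policy section further down and could be shared.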
......
...@@ -5,11 +5,17 @@ module EE ...@@ -5,11 +5,17 @@ module EE
extend ActiveSupport::Concern extend ActiveSupport::Concern
prepended do prepended do
condition(:over_storage_limit, scope: :subject) { @subject.over_storage_limit? }
rule { owner | admin }.policy do rule { owner | admin }.policy do
enable :create_jira_connect_subscription enable :create_jira_connect_subscription
end end
rule { admin & is_gitlab_com }.enable :update_subscription_limit rule { admin & is_gitlab_com }.enable :update_subscription_limit
rule { over_storage_limit }.policy do
prevent :create_projects
end
end end
end end
end end
---
title: Prevent some abilities at namespace or group level when over storage limit
merge_request: 36493
author:
type: added
...@@ -1311,14 +1311,31 @@ RSpec.describe Namespace do ...@@ -1311,14 +1311,31 @@ RSpec.describe Namespace do
end end
describe '#over_storage_limit?' do describe '#over_storage_limit?' do
before do using RSpec::Parameterized::TableSyntax
allow_next_instance_of(::Namespace::RootStorageSize, namespace.root_ancestor) do |project|
allow(project).to receive(:above_size_limit?).and_return(true) where(:is_dot_com, :feature_enabled, :above_size_limit, :result) do
end false | false | false | false
false | false | true | false
false | true | false | false
false | true | true | false
true | false | false | false
true | false | true | false
true | true | false | false
true | true | true | true
end end
it 'returns a boolean indicating whether the root namespace is over the storage limit' do with_them do
expect(namespace.over_storage_limit?).to be true before do
allow(Gitlab).to receive(:dev_env_or_com?).and_return(is_dot_com)
stub_feature_flags(namespace_storage_limit: feature_enabled)
allow_next_instance_of(EE::Namespace::RootStorageSize, namespace.root_ancestor) do |project|
allow(project).to receive(:above_size_limit?).and_return(above_size_limit)
end
end
it 'returns a boolean indicating whether the root namespace is over the storage limit' do
expect(namespace.over_storage_limit?).to be result
end
end end
end end
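Review bot: The block parameter in `allow_next_instance_of(EE::Namespace::RootStorageSize, namespace.root_ancestor) do |project|` is named `project` although the yielded object is a RootStorageSize instance; `|root_storage_size|` would read correctly. The example description 'returns a boolean indicating whether the root namespace is over the storage limit' also no longer matches what the table checks, which is the .com/flag gating; something like `it 'is true only on .com/dev with the flag enabled and the limit exceeded'` would describe it better. The enclosing `RSpec.describe Namespace` block starts and ends outside the hunk.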
......
...@@ -1022,6 +1022,32 @@ RSpec.describe GroupPolicy do ...@@ -1022,6 +1022,32 @@ RSpec.describe GroupPolicy do
end end
end end
context 'when group is locked because storage usage limit exceeded' do
let(:current_user) { owner }
let(:policies) do
%i[create_projects create_epic update_epic admin_milestone upload_file admin_label
admin_list admin_issue admin_pipeline add_cluster create_cluster update_cluster
admin_cluster admin_group_member create_deploy_token create_subgroup]
end
before do
allow(group).to receive(:over_storage_limit?).and_return(over_storage_limit)
stub_licensed_features(epics: true)
end
context 'when the group has exceeded its storage limit' do
let(:over_storage_limit) { true }
it { is_expected.to(be_disallowed(*policies)) }
end
context 'when the group has not exceeded its storage limit' do
let(:over_storage_limit) { false }
it { is_expected.to(be_allowed(*policies)) }
end
end
it_behaves_like 'model with wiki policies' do it_behaves_like 'model with wiki policies' do
let_it_be(:container) { create(:group) } let_it_be(:container) { create(:group) }
let_it_be(:user) { owner } let_it_be(:user) { owner }
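Review bot: Both new contexts stub `group.over_storage_limit?` directly and run only as `owner`, so the spec never shows that a subgroup is locked when its root ancestor is over the limit, nor what an instance admin is allowed to do on a locked group. Since the model method in this commit evaluates `root_ancestor`, one case with a nested group and one with an admin as `current_user` would pin both behaviours. The enclosing `RSpec.describe GroupPolicy` block begins and ends outside the hunk.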
......
...@@ -49,5 +49,25 @@ RSpec.describe NamespacePolicy do ...@@ -49,5 +49,25 @@ RSpec.describe NamespacePolicy do
end end
end end
context ':over_storage_limit' do
let(:current_user) { owner }
before do
allow(namespace).to receive(:over_storage_limit?).and_return(over_storage_limit)
end
context 'when the namespace has exceeded its storage limit' do
let(:over_storage_limit) { true }
it { is_expected.to(be_disallowed(:create_projects)) }
end
context 'when the namespace has not exceeded its storage limit' do
let(:over_storage_limit) { false }
it { is_expected.to(be_allowed(:create_projects)) }
end
end
it_behaves_like 'update namespace limit policy' it_behaves_like 'update namespace limit policy'
end end