Commit 8bf5081a authored by Mikolaj Wawrzyniak's avatar Mikolaj Wawrzyniak

Add annotation policies

To ensure correct access
protection for annotation-related
actions, we need to introduce a new policy
and update the existing ones for project
and group.
parent 9ce52b06
......@@ -75,6 +75,9 @@ class GroupPolicy < BasePolicy
rule { developer }.policy do
enable :admin_milestone
enable :read_package
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
end
rule { reporter }.policy do
......@@ -82,6 +85,7 @@ class GroupPolicy < BasePolicy
enable :admin_label
enable :admin_list
enable :admin_issue
enable :read_metrics_dashboard_annotation
end
rule { maintainer }.policy do
......
# frozen_string_literal: true
module Metrics
module Dashboard
class AnnotationPolicy < BasePolicy
delegate { @subject.cluster }
delegate { @subject.environment }
end
end
end
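Review bot: The two `delegate` blocks in `Metrics::Dashboard::AnnotationPolicy` are the whole policy, and nothing in the class says that an annotation's abilities come entirely from its cluster and environment policies. As I understand DeclarativePolicy delegation, an ability is granted when either delegate enables it, so a record that referenced a cluster and an environment from different projects would be reachable by members of either one. The spec on this page appears to build annotations with only one association set (`environment: nil, cluster: cluster` in the cluster context), and whether the model enforces that exclusivity is not visible here, so it should be confirmed. I would add a class comment such as `# Abilities are inherited from the annotation's cluster or environment; the model is expected to allow only one of them.` and, if the model permits it, a spec case for an annotation with neither association asserting that every ability is disallowed.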
......@@ -224,6 +224,7 @@ class ProjectPolicy < BasePolicy
enable :read_sentry_issue
enable :update_sentry_issue
enable :read_prometheus
enable :read_metrics_dashboard_annotation
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
......@@ -276,6 +277,9 @@ class ProjectPolicy < BasePolicy
enable :update_deployment
enable :create_release
enable :update_release
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
end
rule { can?(:developer_access) & user_confirmed? }.policy do
......
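Review bot: In the second hunk the create, delete and update annotation abilities are added to the block that closes just before `rule { can?(:developer_access) & user_confirmed? }`, so they presumably also apply to developers whose account is not yet confirmed. That block's own rule line is outside the hunk, so this is inferred rather than shown. If annotation writes are meant to sit behind the confirmed-user gate they belong in the following block; if not, a short comment such as `# Annotation writes are intentionally not gated on user_confirmed?` would record the decision for the next reader.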
# frozen_string_literal: true
require 'spec_helper'
describe Metrics::Dashboard::AnnotationPolicy, :models do
shared_examples 'metrics dashboard annotation policy' do
context 'when guest' do
before do
project.add_guest(user)
end
it { expect(policy).to be_disallowed :read_metrics_dashboard_annotation }
it { expect(policy).to be_disallowed :create_metrics_dashboard_annotation }
it { expect(policy).to be_disallowed :update_metrics_dashboard_annotation }
it { expect(policy).to be_disallowed :delete_metrics_dashboard_annotation }
end
context 'when reporter' do
before do
project.add_reporter(user)
end
it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
it { expect(policy).to be_disallowed :create_metrics_dashboard_annotation }
it { expect(policy).to be_disallowed :update_metrics_dashboard_annotation }
it { expect(policy).to be_disallowed :delete_metrics_dashboard_annotation }
end
context 'when developer' do
before do
project.add_developer(user)
end
it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
it { expect(policy).to be_allowed :create_metrics_dashboard_annotation }
it { expect(policy).to be_allowed :update_metrics_dashboard_annotation }
it { expect(policy).to be_allowed :delete_metrics_dashboard_annotation }
end
context 'when maintainer' do
before do
project.add_maintainer(user)
end
it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
it { expect(policy).to be_allowed :create_metrics_dashboard_annotation }
it { expect(policy).to be_allowed :update_metrics_dashboard_annotation }
it { expect(policy).to be_allowed :delete_metrics_dashboard_annotation }
end
end
describe 'rules' do
context 'environments annotation' do
let(:annotation) { create(:metrics_dashboard_annotation, environment: environment) }
let(:environment) { create(:environment) }
let!(:project) { environment.project }
let(:user) { create(:user) }
let(:policy) { described_class.new(user, annotation) }
it_behaves_like 'metrics dashboard annotation policy'
end
context 'cluster annotation' do
let(:annotation) { create(:metrics_dashboard_annotation, environment: nil, cluster: cluster) }
let(:cluster) { create(:cluster, :project) }
let(:project) { cluster.project }
let(:user) { create(:user) }
let(:policy) { described_class.new(user, annotation) }
it_behaves_like 'metrics dashboard annotation policy'
end
end
end
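Review bot: The shared examples only ever add `user` to `project`, and the cluster context uses `create(:cluster, :project)`, so the reporter and developer rules this commit adds to `GroupPolicy` are never exercised through `AnnotationPolicy`. There is also no context for a user with no membership at all, which is the boundary an access-control spec most needs to pin; the guest context does not cover it. I would add a context with a group-level cluster where the user is added to the group at each role, which means letting the shared examples take the membership target instead of hard-coding `project`. I would also add a non-member context asserting `it { expect(policy).to be_disallowed :read_metrics_dashboard_annotation }` together with its create, update and delete counterparts.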
......@@ -28,7 +28,7 @@ describe ProjectPolicy do
download_code fork_project create_snippet update_issue
admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment
read_merge_request download_wiki_code read_sentry_issue
read_merge_request download_wiki_code read_sentry_issue read_metrics_dashboard_annotation
]
end
......@@ -43,6 +43,7 @@ describe ProjectPolicy do
update_pipeline create_merge_request_from create_wiki push_code
resolve_note create_container_image update_container_image destroy_container_image
create_environment update_environment create_deployment update_deployment create_release update_release
create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation
]
end
......
......@@ -18,8 +18,8 @@ RSpec.shared_context 'GroupPolicy context' do
]
end
let(:read_group_permissions) { %i[read_label read_list read_milestone read_board] }
let(:reporter_permissions) { %i[admin_label read_container_image] }
let(:developer_permissions) { [:admin_milestone] }
let(:reporter_permissions) { %i[admin_label read_container_image read_metrics_dashboard_annotation] }
let(:developer_permissions) { %i[admin_milestone create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation] }
let(:maintainer_permissions) do
%i[
create_projects
......