Commit ab2d75db authored by charlie ablett's avatar charlie ablett

Use NamespacePolicy as base namespace policy class

- subclass NamespacePolicy from BasePolicy
- subclass UserNamespacePolicy from NamespacePolicy
- subclass ProjectNamespacePolicy from NamespacePolicy
- update ProjectNamespace specs to disallow everything
parent 95f43e44
# frozen_string_literal: true # frozen_string_literal: true
class NamespacePolicy < ::Namespaces::UserNamespacePolicy class NamespacePolicy < BasePolicy
# NamespacePolicy has been traditionally for user namespaces. # NamespacePolicy has been traditionally for user namespaces.
# So these policies have been moved into Namespaces::UserNamespacePolicy. # So these policies have been moved into Namespaces::UserNamespacePolicy.
# Once the user namespace conversion is complete, we can look at # Once the user namespace conversion is complete, we can look at
# either removing this file or locating common namespace policy items # either removing this file or locating common namespace policy items
# here. # here.
# See https://gitlab.com/groups/gitlab-org/-/epics/6689 for details
end end
# frozen_string_literal: true # frozen_string_literal: true
module Namespaces module Namespaces
class ProjectNamespacePolicy < BasePolicy class ProjectNamespacePolicy < NamespacePolicy
# For now users are not granted any permissions on project namespace # For now users are not granted any permissions on project namespace
# as it's completely hidden to them. When we start using project # as it's completely hidden to them. When we start using project
# namespaces in queries, we will have to extend this policy. # namespaces in queries, we will have to extend this policy.
......
# frozen_string_literal: true # frozen_string_literal: true
module Namespaces module Namespaces
class UserNamespacePolicy < BasePolicy class UserNamespacePolicy < ::NamespacePolicy
rule { anonymous }.prevent_all rule { anonymous }.prevent_all
condition(:personal_project, scope: :subject) { @subject.kind == 'user' } condition(:personal_project, scope: :subject) { @subject.kind == 'user' }
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe NamespacePolicy do RSpec.describe Namespaces::ProjectNamespacePolicy do
let_it_be(:parent) { create(:namespace) } let_it_be(:parent) { create(:namespace) }
let_it_be(:project) { create(:project, namespace: parent) } let_it_be(:project) { create(:project, namespace: parent) }
let_it_be(:namespace) { project.project_namespace } let_it_be(:namespace) { project.project_namespace }
...@@ -37,7 +37,7 @@ RSpec.describe NamespacePolicy do ...@@ -37,7 +37,7 @@ RSpec.describe NamespacePolicy do
let_it_be(:current_user) { create(:admin) } let_it_be(:current_user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*permissions) } it { is_expected.to be_disallowed(*permissions) }
end end
context 'when admin mode is disabled' do context 'when admin mode is disabled' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment