Merge branch 'vij-move-change-repo-policy' into 'master'

Move change_repository_storage policy to BasePolicy See merge request gitlab-org/gitlab!46164

Merge branch 'vij-move-change-repo-policy' into 'master'
Move change_repository_storage policy to BasePolicy See merge request gitlab-org/gitlab!46164
ada81c36 · Sean McGivern · 3803fff4 · 4b90cccb · ada81c36 · ada81c36
Commit ada81c36 authored Oct 27, 2020 by Sean McGivern
Showing with 35 additions and 43 deletions

app/policies/base_policy.rb app/policies/base_policy.rb +2 -0

app/policies/project_policy.rb app/policies/project_policy.rb +0 -2

spec/policies/base_policy_spec.rb spec/policies/base_policy_spec.rb +33 -41

No files found.
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -57,6 +57,8 @@ class BasePolicy < DeclarativePolicy::Base
  rule { default }.enable :read_cross_project

  condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
+
+  rule { admin }.enable :change_repository_storage
 end

 BasePolicy.prepend_if_ee('EE::BasePolicy')
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -546,8 +546,6 @@ class ProjectPolicy < BasePolicy
    prevent :create_pipeline
  end

-  rule { admin }.enable :change_repository_storage
-
  rule { can?(:read_issue) }.policy do
    enable :read_design
    enable :read_design_activity

--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -22,6 +22,34 @@ RSpec.describe BasePolicy do
    end
  end

+  shared_examples 'admin only access' do |policy|
+    let(:current_user) { build_stubbed(:user) }
+
+    subject { described_class.new(current_user, nil) }
+
+    it { is_expected.not_to be_allowed(policy) }
+
+    context 'for admins' do
+      let(:current_user) { build_stubbed(:admin) }
+
+      it 'allowed when in admin mode' do
+        enable_admin_mode!(current_user)
+
+        is_expected.to be_allowed(policy)
+      end
+
+      it 'prevented when not in admin mode' do
+        is_expected.not_to be_allowed(policy)
+      end
+    end
+
+    context 'for anonymous' do
+      let(:current_user) { nil }
+
+      it { is_expected.not_to be_allowed(policy) }
+    end
+  end
+
  describe 'read cross project' do
    let(:current_user) { build_stubbed(:user) }
    let(:user) { build_stubbed(:user) }
@@ -41,51 +69,15 @@ RSpec.describe BasePolicy do
        enable_external_authorization_service_check
      end

-      it { is_expected.not_to be_allowed(:read_cross_project) }
-
-      context 'for admins' do
-        let(:current_user) { build_stubbed(:admin) }
-
-        subject { described_class.new(current_user, nil) }
-
-        it 'allowed when in admin mode' do
-          enable_admin_mode!(current_user)
-
-          is_expected.to be_allowed(:read_cross_project)
-        end
-
-        it 'prevented when not in admin mode' do
-          is_expected.not_to be_allowed(:read_cross_project)
-        end
-      end
-
-      context 'for anonymous' do
-        let(:current_user) { nil }
-
-        it { is_expected.not_to be_allowed(:read_cross_project) }
-      end
+      it_behaves_like 'admin only access', :read_cross_project
    end
  end

  describe 'full private access' do
-    let(:current_user) { build_stubbed(:user) }
-
-    subject { described_class.new(current_user, nil) }
-
-    it { is_expected.not_to be_allowed(:read_all_resources) }
-
-    context 'for admins' do
-      let(:current_user) { build_stubbed(:admin) }
-
-      it 'allowed when in admin mode' do
-        enable_admin_mode!(current_user)
-
-        is_expected.to be_allowed(:read_all_resources)
-      end
+    it_behaves_like 'admin only access', :read_all_resources
+  end

-      it 'prevented when not in admin mode' do
-        is_expected.not_to be_allowed(:read_all_resources)
-      end
-    end
+  describe 'change_repository_storage' do
+    it_behaves_like 'admin only access', :change_repository_storage
  end
 end