Merge branch 'mw/create_pat_policies' into 'master'

Add policy for Personal Access Tokens See merge request gitlab-org/gitlab!37955

Merge branch 'mw/create_pat_policies' into 'master'
Add policy for Personal Access Tokens See merge request gitlab-org/gitlab!37955
bcc3ed8a · Markus Koller · 9ca4fee4 · 977f23a1 · bcc3ed8a · bcc3ed8a
Commit bcc3ed8a authored Jul 29, 2020 by Markus Koller
Showing with 40 additions and 0 deletions

app/policies/personal_access_token_policy.rb app/policies/personal_access_token_policy.rb +9 -0

spec/policies/personal_access_token_policy_spec.rb spec/policies/personal_access_token_policy_spec.rb +31 -0

No files found.
--- a/app/policies/personal_access_token_policy.rb
+++ b/app/policies/personal_access_token_policy.rb
+# frozen_string_literal: true
+
+class PersonalAccessTokenPolicy < BasePolicy
+  condition(:is_owner) { user && subject.user_id == user.id }
+
+  rule { is_owner | admin }.policy do
+    enable :read_token
+  end
+end
--- a/spec/policies/personal_access_token_policy_spec.rb
+++ b/spec/policies/personal_access_token_policy_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe PersonalAccessTokenPolicy do
+  include AdminModeHelper
+
+  using RSpec::Parameterized::TableSyntax
+
+  where(:user_type, :owned_by_same_user, :expected_permitted?) do
+    :user  | true  | true
+    :user  | false | false
+    :admin | false | true
+  end
+
+  with_them do
+    context 'determine if a token is readable by a user' do
+      let(:user) { build_stubbed(user_type) }
+      let(:token_owner) { owned_by_same_user ? user : build(:user) }
+      let(:token) { build(:personal_access_token, user: token_owner) }
+
+      subject { described_class.new(user, token) }
+
+      before do
+        enable_admin_mode!(user) if user.admin?
+      end
+
+      it { is_expected.to(expected_permitted? ? be_allowed(:read_token) : be_disallowed(:read_token)) }
+    end
+  end
+end