Commit c465d977 authored by Drew Blessing's avatar Drew Blessing Committed by Drew Blessing

Allow auditor user to access project private features

Previously the auditor user was unable to access a project
repository for public/internal projects with the repository
visibility set to 'only project members'. This change allows
the project policy to respect the :read_all_resources ability
for admins and auditors, so that all private features become
accessible to them.
parent ae811a1f
......@@ -650,7 +650,7 @@ class ProjectPolicy < BasePolicy
when ProjectFeature::DISABLED
false
when ProjectFeature::PRIVATE
admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
can?(:read_all_resources) || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
else
true
end
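Review bot: The PRIVATE branch now keys the bypass on the `:read_all_resources` ability instead of the `admin?` predicate, so any policy that later grants that ability also grants every private project feature; a comment makes that coupling visible, e.g. `# :read_all_resources (admins, auditors) bypasses the per-feature team access level` placed above the `can?` line. The method this `case` belongs to starts and ends outside the hunk, so the feature being checked and its callers are not visible here. Whether `can?(:read_all_resources)` is conditioned on admin mode for admins is also not visible in this hunk; the spec hunks enabling admin mode suggest it is, which is worth confirming since the old `admin?` check and the new ability lookup may differ on that point.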
---
title: Allow auditor user to access project private features
merge_request: 34794
author:
type: fixed
......@@ -98,6 +98,10 @@ RSpec.describe ProjectPolicy do
is_expected.to be_allowed(*auditor_permissions)
end
end
it_behaves_like 'project private features with read_all_resources ability' do
let(:user) { current_user }
end
end
end
......@@ -41,6 +41,28 @@ RSpec.shared_examples 'archived project policies' do
end
end
RSpec.shared_examples 'project private features with read_all_resources ability' do
subject { described_class.new(user, project) }
before do
project.project_feature.update!(
repository_access_level: ProjectFeature::PRIVATE,
merge_requests_access_level: ProjectFeature::PRIVATE,
builds_access_level: ProjectFeature::PRIVATE
)
end
[:public, :internal, :private].each do |visibility|
context "for #{visibility} projects" do
let(:project) { create(:project, visibility, namespace: owner.namespace) }
it 'allows the download_code ability' do
expect_allowed(:download_code)
end
end
end
end
RSpec.shared_examples 'project policies as anonymous' do
context 'abilities for public projects' do
context 'when a project has pending invites' do
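Review bot: The shared example makes repository, merge request and build access PRIVATE but asserts only `download_code`, and it is included only for users expected to pass (the auditor context in the earlier spec hunk, admin with admin mode in the later one), so nothing shows that a user without `:read_all_resources` is still denied on a private feature. The 'project policies as admin without admin mode' examples that begin on the last line of the later hunk would be the natural place for a counterpart such as `expect_disallowed(:download_code)` on the private-visibility project, assuming the spec's helper for the negative case is available alongside `expect_allowed`. Extending the positive case to the merge-request and build read abilities would also cover the other two features the `before` block switches to PRIVATE.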
......@@ -231,6 +253,12 @@ RSpec.shared_examples 'project policies as admin with admin mode' do
let(:regular_abilities) { owner_permissions }
end
end
context 'abilities for all project visibility', :enable_admin_mode do
it_behaves_like 'project private features with read_all_resources ability' do
let(:user) { admin }
end
end
end
RSpec.shared_examples 'project policies as admin without admin mode' do