Skip to content

G
gitlab-ce
Commit d8a5e326 authored by Rémy Coutable's avatar Rémy Coutable
Browse files
Options

[EE] Reduce the diff with CE in spec/policies/project_policy_spec.rb 

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent e18c287a
Hide whitespace changes
Inline Side-by-side
Showing with 415 additions and 623 deletions
ee/spec/policies/project_policy_spec.rb
View file @ d8a5e326
......@@ -11,19 +11,94 @@ describe ProjectPolicy do
set(:guest) { create(:user) }
let(:project) { create(:project, :public, namespace: owner.namespace) }
subject { described_class.new(current_user, project) }
before do
project.add_maintainer(maintainer)
project.add_developer(developer)
project.add_reporter(reporter)
project.add_guest(guest)
stub_licensed_features(license_management: true)
end
context 'basic permissions' do
include_context 'ProjectPolicy context'
let(:additional_guest_permissions) do
%i[read_issue_link read_vulnerability_feedback read_software_license_policy]
end
let(:additional_reporter_permissions) { [:admin_issue_link] }
let(:additional_developer_permissions) { %i[admin_vulnerability_feedback read_project_security_dashboard read_feature_flag] }
let(:additional_maintainer_permissions) { %i[push_code_to_protected_branches] }
let(:auditor_permissions) do
%i[
download_code download_wiki_code read_project read_board read_list
read_project_for_iids read_issue_iid read_merge_request_iid read_wiki
read_issue read_label read_issue_link read_milestone read_release
read_project_snippet read_project_member read_note read_cycle_analytics
read_pipeline read_build read_commit_status read_container_image
read_environment read_deployment read_merge_request read_pages
create_merge_request_in award_emoji
read_vulnerability_feedback read_software_license_policy
]
end
it_behaves_like 'project policies as anonymous'
it_behaves_like 'project policies as guest'
it_behaves_like 'project policies as reporter'
it_behaves_like 'project policies as developer'
it_behaves_like 'project policies as maintainer'
it_behaves_like 'project policies as owner'
it_behaves_like 'project policies as admin'
context 'auditor' do
let(:current_user) { create(:user, :auditor) }
context 'who is not a team member' do
it do
is_expected.to be_disallowed(*developer_permissions)
is_expected.to be_disallowed(*maintainer_permissions)
is_expected.to be_disallowed(*owner_permissions)
is_expected.to be_disallowed(*(guest_permissions - auditor_permissions))
is_expected.to be_allowed(*auditor_permissions)
end
end
context 'who is a team member' do
before do
project.add_guest(current_user)
end
it do
is_expected.to be_disallowed(*developer_permissions)
is_expected.to be_disallowed(*maintainer_permissions)
is_expected.to be_disallowed(*owner_permissions)
is_expected.to be_allowed(*(guest_permissions - auditor_permissions))
is_expected.to be_allowed(*auditor_permissions)
end
end
end
end
context 'issues feature' do
subject { described_class.new(owner, project) }
context 'when the feature is disabled' do
before do
project.issues_enabled = false
project.save!
end
it 'disables boards permissions' do
expect_disallowed :admin_board
end
end
end
context 'admin_mirror' do
context 'with remote mirror setting enabled' do
context 'with admin' do
subject do
described_class.new(admin, project)
end
let(:current_user) { admin }
it do
is_expected.to be_allowed(:admin_mirror)
......@@ -31,9 +106,7 @@ describe ProjectPolicy do
end
context 'with owner' do
subject do
described_class.new(owner, project)
end
let(:current_user) { owner }
it do
is_expected.to be_allowed(:admin_mirror)
......@@ -41,9 +114,7 @@ describe ProjectPolicy do
end
context 'with developer' do
subject do
described_class.new(developer, project)
end
let(:current_user) { developer }
it do
is_expected.to be_disallowed(:admin_mirror)
......@@ -57,9 +128,7 @@ describe ProjectPolicy do
end
context 'with admin' do
subject do
described_class.new(admin, project)
end
let(:current_user) { admin }
it do
is_expected.to be_allowed(:admin_mirror)
......@@ -67,9 +136,7 @@ describe ProjectPolicy do
end
context 'with owner' do
subject do
described_class.new(owner, project)
end
let(:current_user) { owner }
it do
is_expected.to be_disallowed(:admin_mirror)
......@@ -83,9 +150,7 @@ describe ProjectPolicy do
end
context 'with admin' do
subject do
described_class.new(admin, project)
end
let(:current_user) { admin }
it do
is_expected.to be_disallowed(:admin_mirror)
......@@ -93,9 +158,7 @@ describe ProjectPolicy do
end
context 'with owner' do
subject do
described_class.new(owner, project)
end
let(:current_user) { owner }
it do
is_expected.to be_disallowed(:admin_mirror)
......@@ -109,9 +172,7 @@ describe ProjectPolicy do
end
context 'with admin' do
subject do
described_class.new(admin, project)
end
let(:current_user) { admin }
it do
is_expected.to be_allowed(:admin_mirror)
......@@ -119,9 +180,7 @@ describe ProjectPolicy do
end
context 'with owner' do
subject do
described_class.new(owner, project)
end
let(:current_user) { owner }
it do
is_expected.to be_allowed(:admin_mirror)
......@@ -190,14 +249,6 @@ describe ProjectPolicy do
end
describe 'read_vulnerability_feedback' do
subject { described_class.new(current_user, project) }
context 'with public project' do
let(:current_user) { nil }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
context 'with private project' do
let(:current_user) { admin }
let(:project) { create(:project, :private, namespace: owner.namespace) }
......@@ -252,88 +303,10 @@ describe ProjectPolicy do
end
end
describe 'admin_vulnerability_feedback' do
subject { described_class.new(current_user, project) }
context 'with admin' do
let(:current_user) { admin }
it { is_expected.to be_allowed(:admin_vulnerability_feedback) }
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:admin_vulnerability_feedback) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:admin_vulnerability_feedback) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:admin_vulnerability_feedback) }
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_disallowed(:admin_vulnerability_feedback) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:admin_vulnerability_feedback) }
end
context 'with non member' do
let(:current_user) { create(:user) }
it { is_expected.to be_disallowed(:admin_vulnerability_feedback) }
end
context 'with anonymous' do
let(:current_user) { nil }
it { is_expected.to be_disallowed(:admin_vulnerability_feedback) }
end
end
describe 'read_project_security_dashboard' do
before do
stub_licensed_features(security_dashboard: true)
end
subject { described_class.new(current_user, project) }
context 'with admin' do
let(:current_user) { admin }
it { is_expected.to be_allowed(:read_project_security_dashboard) }
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:read_project_security_dashboard) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:read_project_security_dashboard) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_project_security_dashboard) }
context 'when security dashboard features is not available' do
before do
stub_licensed_features(security_dashboard: false)
......@@ -342,35 +315,9 @@ describe ProjectPolicy do
it { is_expected.to be_disallowed(:read_project_security_dashboard) }
end
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_disallowed(:read_project_security_dashboard) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_project_security_dashboard) }
end
context 'with non member' do
let(:current_user) { create(:user) }
it { is_expected.to be_disallowed(:read_project_security_dashboard) }
end
context 'with anonymous' do
let(:current_user) { nil }
it { is_expected.to be_disallowed(:read_project_security_dashboard) }
end
end
describe 'read_package' do
subject { described_class.new(current_user, project) }
context 'with admin' do
let(:current_user) { admin }
......@@ -429,17 +376,9 @@ describe ProjectPolicy do
end
describe 'read_feature_flag' do
before do
stub_licensed_features(feature_flags: true)
end
subject { described_class.new(current_user, project) }
context 'with admin' do
let(:current_user) { admin }
it { is_expected.to be_allowed(:read_feature_flag) }
context 'when repository is disabled' do
before do
project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
......@@ -449,23 +388,9 @@ describe ProjectPolicy do
end
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:read_feature_flag) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:read_feature_flag) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_feature_flag) }
context 'when feature flags features is not available' do
before do
stub_licensed_features(feature_flags: false)
......@@ -474,39 +399,9 @@ describe ProjectPolicy do
it { is_expected.to be_disallowed(:read_feature_flag) }
end
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_disallowed(:read_feature_flag) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_feature_flag) }
end
context 'with non member' do
let(:current_user) { create(:user) }
it { is_expected.to be_disallowed(:read_feature_flag) }
end
context 'with anonymous' do
let(:current_user) { nil }
it { is_expected.to be_disallowed(:read_feature_flag) }
end
end
describe 'admin_license_management' do
before do
stub_licensed_features(license_management: true)
end
subject { described_class.new(current_user, project) }
context 'without license management feature available' do
before do
stub_licensed_features(license_management: false)
......@@ -567,12 +462,6 @@ describe ProjectPolicy do
end
describe 'read_license_management' do
before do
stub_licensed_features(license_management: true)
end
subject { described_class.new(current_user, project) }
context 'without license management feature available' do
before do
stub_licensed_features(license_management: false)
......@@ -582,54 +471,6 @@ describe ProjectPolicy do
it { is_expected.to be_disallowed(:read_software_license_policy) }
end
context 'with admin' do
let(:current_user) { admin }
it { is_expected.to be_allowed(:read_software_license_policy) }
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:read_software_license_policy) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:read_software_license_policy) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_software_license_policy) }
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:read_software_license_policy) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_allowed(:read_software_license_policy) }
end
context 'with non member' do
let(:current_user) { create(:user) }
it { is_expected.to be_allowed(:read_software_license_policy) }
end
context 'with anonymous' do
let(:current_user) { nil }
it { is_expected.to be_allowed(:read_software_license_policy) }
end
end
describe 'create_web_ide_terminal' do
......@@ -637,8 +478,6 @@ describe ProjectPolicy do
stub_licensed_features(web_ide_terminal: true)
end
subject { described_class.new(current_user, project) }
context 'without ide terminal feature available' do
before do
stub_licensed_features(web_ide_terminal: false)
......
spec/policies/project_policy_spec.rb
View file @ d8a5e326
require 'spec_helper'
describe ProjectPolicy do
set(:guest) { create(:user) }
set(:reporter) { create(:user) }
set(:developer) { create(:user) }
set(:maintainer) { create(:user) }
set(:owner) { create(:user) }
set(:admin) { create(:admin) }
let(:project) { create(:project, :public, namespace: owner.namespace) }
let(:base_guest_permissions) do
%i[
read_project read_board read_list read_wiki read_issue
read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in
award_emoji read_release
]
end
let(:base_reporter_permissions) do
%i[
download_code fork_project create_project_snippet update_issue
admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment
read_merge_request download_wiki_code read_sentry_issue
]
end
let(:team_member_reporter_permissions) do
%i[build_download_code build_read_container_image]
end
let(:developer_permissions) do
%i[
admin_milestone admin_merge_request update_merge_request create_commit_status
update_commit_status create_build update_build create_pipeline
update_pipeline create_merge_request_from create_wiki push_code
resolve_note create_container_image update_container_image
create_environment create_deployment create_release update_release
]
end
let(:base_maintainer_permissions) do
%i[
push_to_delete_protected_branch update_project_snippet update_environment
update_deployment admin_project_snippet admin_project_member admin_note admin_wiki admin_project
admin_commit_status admin_build admin_container_image
admin_pipeline admin_environment admin_deployment destroy_release add_cluster
daily_statistics
]
end
let(:public_permissions) do
%i[
download_code fork_project read_commit_status read_pipeline
read_container_image build_download_code build_read_container_image
download_wiki_code read_release
]
end
let(:owner_permissions) do
%i[
change_namespace change_visibility_level rename_project remove_project
archive_project remove_fork_project destroy_merge_request destroy_issue
set_issue_iid set_issue_created_at set_note_created_at
]
end
# Used in EE specs
let(:additional_guest_permissions) { [] }
let(:additional_reporter_permissions) { [] }
let(:additional_maintainer_permissions) { [] }
let(:guest_permissions) { base_guest_permissions + additional_guest_permissions }
let(:reporter_permissions) { base_reporter_permissions + additional_reporter_permissions }
let(:maintainer_permissions) { base_maintainer_permissions + additional_maintainer_permissions }
before do
project.add_guest(guest)
project.add_maintainer(maintainer)
project.add_developer(developer)
project.add_reporter(reporter)
end
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
end
def expect_disallowed(*permissions)
permissions.each { |p| is_expected.not_to be_allowed(p) }
end
include_context 'ProjectPolicy context'
it 'does not include the read_issue permission when the issue author is not a member of the private project' do
project = create(:project, :private)
......@@ -140,7 +51,7 @@ describe ProjectPolicy do
end
it 'disables boards and lists permissions' do
expect_disallowed :read_board, :create_board, :update_board, :admin_board
expect_disallowed :read_board, :create_board, :update_board
expect_disallowed :read_list, :create_list, :update_list, :admin_list
end
......@@ -237,236 +148,6 @@ describe ProjectPolicy do
end
end
shared_examples 'archived project policies' do
let(:feature_write_abilities) do
described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
described_class.create_update_admin_destroy(feature)
end + additional_reporter_permissions + additional_maintainer_permissions
end
let(:other_write_abilities) do
%i[
create_merge_request_in
create_merge_request_from
push_to_delete_protected_branch
push_code
request_access
upload_file
resolve_note
award_emoji
]
end
context 'when the project is archived' do
before do
project.archived = true
end
it 'disables write actions on all relevant project features' do
expect_disallowed(*feature_write_abilities)
end
it 'disables some other important write actions' do
expect_disallowed(*other_write_abilities)
end
it 'does not disable other abilities' do
expect_allowed(*(regular_abilities - feature_write_abilities - other_write_abilities))
end
end
end
shared_examples 'project policies as anonymous' do
context 'abilities for public projects' do
context 'when a project has pending invites' do
let(:group) { create(:group, :public) }
let(:project) { create(:project, :public, namespace: group) }
let(:user_permissions) { [:create_merge_request_in, :create_project, :create_issue, :create_note, :upload_file, :award_emoji] }
let(:anonymous_permissions) { guest_permissions - user_permissions }
subject { described_class.new(nil, project) }
before do
create(:group_member, :invited, group: group)
end
it 'does not grant owner access' do
expect_allowed(*anonymous_permissions)
expect_disallowed(*user_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { anonymous_permissions }
end
end
end
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(nil, project) }
it { is_expected.to be_banned }
end
end
shared_examples 'project policies as guest' do
subject { described_class.new(guest, project) }
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
let(:reporter_public_build_permissions) do
reporter_permissions - [:read_build, :read_pipeline]
end
it do
expect_allowed(*guest_permissions)
expect_disallowed(*reporter_public_build_permissions)
expect_disallowed(*team_member_reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { guest_permissions }
end
context 'public builds enabled' do
it do
expect_allowed(*guest_permissions)
expect_allowed(:read_build, :read_pipeline)
end
end
context 'when public builds disabled' do
before do
project.update(public_builds: false)
end
it do
expect_allowed(*guest_permissions)
expect_disallowed(:read_build, :read_pipeline)
end
end
context 'when builds are disabled' do
before do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
end
it do
expect_disallowed(:read_build)
expect_allowed(:read_pipeline)
end
end
end
end
shared_examples 'project policies as reporter' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(reporter, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { reporter_permissions }
end
end
end
shared_examples 'project policies as developer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(developer, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { developer_permissions }
end
end
end
shared_examples 'project policies as maintainer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(maintainer, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { maintainer_permissions }
end
end
end
shared_examples 'project policies as owner' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(owner, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { owner_permissions }
end
end
end
shared_examples 'project policies as admin' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_disallowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { owner_permissions }
end
end
end
it_behaves_like 'project policies as anonymous'
it_behaves_like 'project policies as guest'
it_behaves_like 'project policies as reporter'
......@@ -475,61 +156,6 @@ describe ProjectPolicy do
it_behaves_like 'project policies as owner'
it_behaves_like 'project policies as admin'
context 'EE' do
let(:additional_guest_permissions) { [:read_issue_link] }
let(:additional_reporter_permissions) { [:admin_issue_link]}
let(:additional_maintainer_permissions) { [:push_code_to_protected_branches] }
let(:auditor_permissions) do
%i[
download_code download_wiki_code read_project read_board read_list
read_project_for_iids read_issue_iid read_merge_request_iid read_wiki
read_issue read_label read_issue_link read_milestone read_release
read_project_snippet read_project_member read_note read_cycle_analytics
read_pipeline read_build read_commit_status read_container_image
read_environment read_deployment read_merge_request read_pages
create_merge_request_in award_emoji
]
end
it_behaves_like 'project policies as anonymous'
it_behaves_like 'project policies as guest'
it_behaves_like 'project policies as reporter'
it_behaves_like 'project policies as developer'
it_behaves_like 'project policies as maintainer'
it_behaves_like 'project policies as owner'
it_behaves_like 'project policies as admin'
context 'auditor' do
let(:auditor) { create(:user, :auditor) }
subject { described_class.new(auditor, project) }
context 'who is not a team member' do
it do
is_expected.to be_disallowed(*developer_permissions)
is_expected.to be_disallowed(*maintainer_permissions)
is_expected.to be_disallowed(*owner_permissions)
is_expected.to be_disallowed(*(guest_permissions - auditor_permissions))
is_expected.to be_allowed(*auditor_permissions)
end
end
context 'who is a team member' do
before do
project.add_guest(auditor)
end
it do
is_expected.to be_disallowed(*developer_permissions)
is_expected.to be_disallowed(*maintainer_permissions)
is_expected.to be_disallowed(*owner_permissions)
is_expected.to be_allowed(*(guest_permissions - auditor_permissions))
is_expected.to be_allowed(*auditor_permissions)
end
end
end
end
context 'when a public project has merge requests allowing access' do
include ProjectForksHelper
let(:user) { create(:user) }
......
spec/support/shared_context/policies/project_policy_shared_context.rb 0 → 100644
View file @ d8a5e326
# frozen_string_literal: true
RSpec.shared_context 'ProjectPolicy context' do
set(:guest) { create(:user) }
set(:reporter) { create(:user) }
set(:developer) { create(:user) }
set(:maintainer) { create(:user) }
set(:owner) { create(:user) }
set(:admin) { create(:admin) }
let(:project) { create(:project, :public, namespace: owner.namespace) }
let(:base_guest_permissions) do
%i[
read_project read_board read_list read_wiki read_issue
read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in
award_emoji read_release
]
end
let(:base_reporter_permissions) do
%i[
download_code fork_project create_project_snippet update_issue
admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment
read_merge_request download_wiki_code read_sentry_issue
]
end
let(:team_member_reporter_permissions) do
%i[build_download_code build_read_container_image]
end
let(:developer_permissions) do
%i[
admin_milestone admin_merge_request update_merge_request create_commit_status
update_commit_status create_build update_build create_pipeline
update_pipeline create_merge_request_from create_wiki push_code
resolve_note create_container_image update_container_image
create_environment create_deployment create_release update_release
]
end
let(:base_maintainer_permissions) do
%i[
push_to_delete_protected_branch update_project_snippet update_environment
update_deployment admin_project_snippet admin_project_member admin_note admin_wiki admin_project
admin_commit_status admin_build admin_container_image
admin_pipeline admin_environment admin_deployment destroy_release add_cluster
daily_statistics
]
end
let(:public_permissions) do
%i[
download_code fork_project read_commit_status read_pipeline
read_container_image build_download_code build_read_container_image
download_wiki_code read_release
]
end
let(:base_owner_permissions) do
%i[
change_namespace change_visibility_level rename_project remove_project
archive_project remove_fork_project destroy_merge_request destroy_issue
set_issue_iid set_issue_created_at set_note_created_at
]
end
# Used in EE specs
let(:additional_guest_permissions) { [] }
let(:additional_reporter_permissions) { [] }
let(:additional_maintainer_permissions) { [] }
let(:additional_owner_permissions) { [] }
let(:guest_permissions) { base_guest_permissions + additional_guest_permissions }
let(:reporter_permissions) { base_reporter_permissions + additional_reporter_permissions }
let(:maintainer_permissions) { base_maintainer_permissions + additional_maintainer_permissions }
let(:owner_permissions) { base_owner_permissions + additional_owner_permissions }
before do
project.add_guest(guest)
project.add_maintainer(maintainer)
project.add_developer(developer)
project.add_reporter(reporter)
end
def expect_allowed(*permissions)
permissions.each { |p| is_expected.to be_allowed(p) }
end
def expect_disallowed(*permissions)
permissions.each { |p| is_expected.not_to be_allowed(p) }
end
end
spec/support/shared_examples/policies/project_policy_shared_examples.rb 0 → 100644
View file @ d8a5e326
# frozen_string_literal: true
RSpec.shared_examples 'archived project policies' do
let(:feature_write_abilities) do
described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
described_class.create_update_admin_destroy(feature)
end + additional_reporter_permissions + additional_maintainer_permissions
end
let(:other_write_abilities) do
%i[
create_merge_request_in
create_merge_request_from
push_to_delete_protected_branch
push_code
request_access
upload_file
resolve_note
award_emoji
]
end
context 'when the project is archived' do
before do
project.archived = true
end
it 'disables write actions on all relevant project features' do
expect_disallowed(*feature_write_abilities)
end
it 'disables some other important write actions' do
expect_disallowed(*other_write_abilities)
end
it 'does not disable other abilities' do
expect_allowed(*(regular_abilities - feature_write_abilities - other_write_abilities))
end
end
end
RSpec.shared_examples 'project policies as anonymous' do
context 'abilities for public projects' do
context 'when a project has pending invites' do
let(:group) { create(:group, :public) }
let(:project) { create(:project, :public, namespace: group) }
let(:user_permissions) { [:create_merge_request_in, :create_project, :create_issue, :create_note, :upload_file, :award_emoji] }
let(:anonymous_permissions) { guest_permissions - user_permissions }
subject { described_class.new(nil, project) }
before do
create(:group_member, :invited, group: group)
end
it 'does not grant owner access' do
expect_allowed(*anonymous_permissions)
expect_disallowed(*user_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { anonymous_permissions }
end
end
end
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(nil, project) }
it { is_expected.to be_banned }
end
end
RSpec.shared_examples 'project policies as guest' do
subject { described_class.new(guest, project) }
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
let(:reporter_public_build_permissions) do
reporter_permissions - [:read_build, :read_pipeline]
end
it do
expect_allowed(*guest_permissions)
expect_disallowed(*reporter_public_build_permissions)
expect_disallowed(*team_member_reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { guest_permissions }
end
context 'public builds enabled' do
it do
expect_allowed(*guest_permissions)
expect_allowed(:read_build, :read_pipeline)
end
end
context 'when public builds disabled' do
before do
project.update(public_builds: false)
end
it do
expect_allowed(*guest_permissions)
expect_disallowed(:read_build, :read_pipeline)
end
end
context 'when builds are disabled' do
before do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
end
it do
expect_disallowed(:read_build)
expect_allowed(:read_pipeline)
end
end
end
end
RSpec.shared_examples 'project policies as reporter' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(reporter, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { reporter_permissions }
end
end
end
RSpec.shared_examples 'project policies as developer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(developer, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { developer_permissions }
end
end
end
RSpec.shared_examples 'project policies as maintainer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(maintainer, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { maintainer_permissions }
end
end
end
RSpec.shared_examples 'project policies as owner' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(owner, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_allowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { owner_permissions }
end
end
end
RSpec.shared_examples 'project policies as admin' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) }
it do
expect_allowed(*guest_permissions)
expect_allowed(*reporter_permissions)
expect_disallowed(*team_member_reporter_permissions)
expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions)
end
it_behaves_like 'archived project policies' do
let(:regular_abilities) { owner_permissions }
end
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7