Commit
f539b03a
authored
Mar 09, 2021
by
Diego Louzán
Committed by
Bob Van Landuyt
Mar 09, 2021
Use policies framework for determining admin access to groups
parent
3c0902c7
Showing
33 changed files
with
615 additions
and
201 deletions
+615
-201
app/models/group.rb
app/models/group.rb
+1
-1
app/models/user.rb
app/models/user.rb
+4
-0
app/policies/base_policy.rb
app/policies/base_policy.rb
+7
-4
changelogs/unreleased/refactor-use-policies-framework-for-admin.yml
.../unreleased/refactor-use-policies-framework-for-admin.yml
+5
-0
ee/spec/controllers/groups/clusters_controller_spec.rb
ee/spec/controllers/groups/clusters_controller_spec.rb
+12
-2
ee/spec/features/security/group/private_access_spec.rb
ee/spec/features/security/group/private_access_spec.rb
+6
-1
ee/spec/models/ee/event_spec.rb
ee/spec/models/ee/event_spec.rb
+1
-3
ee/spec/models/ee/user_spec.rb
ee/spec/models/ee/user_spec.rb
+8
-0
ee/spec/policies/base_policy_spec.rb
ee/spec/policies/base_policy_spec.rb
+6
-0
ee/spec/policies/group_policy_spec.rb
ee/spec/policies/group_policy_spec.rb
+197
-80
ee/spec/services/epics/transfer_service_spec.rb
ee/spec/services/epics/transfer_service_spec.rb
+6
-1
ee/spec/services/todo_service_spec.rb
ee/spec/services/todo_service_spec.rb
+2
-2
ee/spec/views/groups/compliance_frameworks/edit.html.haml_spec.rb
...views/groups/compliance_frameworks/edit.html.haml_spec.rb
+1
-0
ee/spec/views/groups/compliance_frameworks/new.html.haml_spec.rb
.../views/groups/compliance_frameworks/new.html.haml_spec.rb
+1
-0
lib/declarative_policy/policy_dsl.rb
lib/declarative_policy/policy_dsl.rb
+1
-1
spec/controllers/groups/clusters/applications_controller_spec.rb
...ntrollers/groups/clusters/applications_controller_spec.rb
+2
-1
spec/controllers/groups/clusters_controller_spec.rb
spec/controllers/groups/clusters_controller_spec.rb
+22
-11
spec/controllers/groups_controller_spec.rb
spec/controllers/groups_controller_spec.rb
+22
-6
spec/features/groups_spec.rb
spec/features/groups_spec.rb
+15
-7
spec/features/projects/new_project_spec.rb
spec/features/projects/new_project_spec.rb
+34
-12
spec/features/security/group/internal_access_spec.rb
spec/features/security/group/internal_access_spec.rb
+30
-5
spec/features/security/group/private_access_spec.rb
spec/features/security/group/private_access_spec.rb
+36
-6
spec/features/security/group/public_access_spec.rb
spec/features/security/group/public_access_spec.rb
+30
-5
spec/helpers/namespaces_helper_spec.rb
spec/helpers/namespaces_helper_spec.rb
+26
-10
spec/lib/gitlab/import_export/project/tree_saver_spec.rb
spec/lib/gitlab/import_export/project/tree_saver_spec.rb
+14
-6
spec/models/group_spec.rb
spec/models/group_spec.rb
+10
-2
spec/models/member_spec.rb
spec/models/member_spec.rb
+2
-4
spec/models/user_spec.rb
spec/models/user_spec.rb
+31
-0
spec/policies/base_policy_spec.rb
spec/policies/base_policy_spec.rb
+5
-1
spec/policies/group_policy_spec.rb
spec/policies/group_policy_spec.rb
+29
-9
spec/presenters/projects/import_export/project_export_presenter_spec.rb
...s/projects/import_export/project_export_presenter_spec.rb
+14
-6
spec/services/groups/import_export/import_service_spec.rb
spec/services/groups/import_export/import_service_spec.rb
+21
-7
spec/workers/purge_dependency_proxy_cache_worker_spec.rb
spec/workers/purge_dependency_proxy_cache_worker_spec.rb
+14
-8
app/models/group.rb
...
@@ -505,7 +505,7 @@ class Group < Namespace
...
@@ -505,7 +505,7 @@ class Group < Namespace
# @param only_concrete_membership [Bool] whether require admin concrete membership status
# @param only_concrete_membership [Bool] whether require admin concrete membership status
def
max_member_access_for_user
(
user
,
only_concrete_membership:
false
)
def
max_member_access_for_user
(
user
,
only_concrete_membership:
false
)
return
GroupMember
::
NO_ACCESS
unless
user
return
GroupMember
::
NO_ACCESS
unless
user
return
GroupMember
::
OWNER
if
user
.
admin
?
&&
!
only_concrete_membership
return
GroupMember
::
OWNER
if
user
.
can_admin_all_resources
?
&&
!
only_concrete_membership
max_member_access
=
members_with_parents
.
where
(
user_id:
user
)
max_member_access
=
members_with_parents
.
where
(
user_id:
user
)
.
reorder
(
access_level: :desc
)
.
reorder
(
access_level: :desc
)
...
...
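Review bot: The doc comment above `max_member_access_for_user` still describes only `only_concrete_membership`, while the admin shortcut on the changed line now goes through `user.can_admin_all_resources?`, i.e. through the policy framework rather than the raw `admin?` flag. Callers that relied on any administrator being reported as `GroupMember::OWNER` will now get the user's real membership level unless that policy is enabled, which is a behaviour change worth stating where the decision is made. I would add a comment on the return line such as `# Admins count as owners only when the :admin_all_resources policy is enabled (affected by admin mode)`. The method body continues outside the hunk.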
app/models/user.rb
...
@@ -1704,6 +1704,10 @@ class User < ApplicationRecord
...
@@ -1704,6 +1704,10 @@ class User < ApplicationRecord
can?
(
:read_all_resources
)
can?
(
:read_all_resources
)
end
end
def
can_admin_all_resources?
can?
(
:admin_all_resources
)
end
def
update_two_factor_requirement
def
update_two_factor_requirement
periods
=
expanded_groups_requiring_two_factor_authentication
.
pluck
(
:two_factor_grace_period
)
periods
=
expanded_groups_requiring_two_factor_authentication
.
pluck
(
:two_factor_grace_period
)
...
...
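Review bot: `can_admin_all_resources?` is added without a comment, and its name is close enough to `admin?` that the two are easy to mix up at call sites that make authorization decisions. A one-line comment would make the difference explicit, for example `# Policy-backed check for :admin_all_resources; the result depends on the admin mode setting, so prefer it over admin? for access decisions`. It would also help to note that auditors are expected to fail this check, which the EE specs in this commit assert.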
app/policies/base_policy.rb
...
@@ -55,14 +55,17 @@ class BasePolicy < DeclarativePolicy::Base
...
@@ -55,14 +55,17 @@ class BasePolicy < DeclarativePolicy::Base
prevent
:read_cross_project
prevent
:read_cross_project
end
end
rule
{
admin
}.
policy
do
# Only for actual administrator accounts, behaviour affected by admin mode application setting
enable
:admin_all_resources
# Policy extended in EE to also enable auditors
# Policy extended in EE to also enable auditors
rule
{
admin
}.
enable
:read_all_resources
enable
:read_all_resources
enable
:change_repository_storage
end
rule
{
default
}.
enable
:read_cross_project
rule
{
default
}.
enable
:read_cross_project
condition
(
:is_gitlab_com
)
{
::
Gitlab
.
dev_env_or_com?
}
condition
(
:is_gitlab_com
)
{
::
Gitlab
.
dev_env_or_com?
}
rule
{
admin
}.
enable
:change_repository_storage
end
end
BasePolicy
.
prepend_if_ee
(
'EE::BasePolicy'
)
BasePolicy
.
prepend_if_ee
(
'EE::BasePolicy'
)
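Review bot: The comment `# Policy extended in EE to also enable auditors` now sits inside the `rule { admin }.policy do` block directly after `enable :admin_all_resources`, so it can be read as covering the whole block. Only `:read_all_resources` is meant to reach auditors (the EE specs in this commit assert that `:admin_all_resources` is disallowed for them), and `:admin_all_resources` is the ability that grants owner-level group access in `Group#max_member_access_for_user`. I would reword it to `# :read_all_resources only: extended in EE to also enable auditors` and separate it from the line above with a blank line, so a later EE override is not tempted to widen the wrong ability.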
changelogs/unreleased/refactor-use-policies-framework-for-admin.yml
0 → 100644
---
title
:
Use policies for group access rights as admin
merge_request
:
55349
author
:
Diego Louzán
type
:
changed
ee/spec/controllers/groups/clusters_controller_spec.rb
...
@@ -41,7 +41,12 @@ RSpec.describe Groups::ClustersController do
...
@@ -41,7 +41,12 @@ RSpec.describe Groups::ClustersController do
allow
(
controller
).
to
receive
(
:prometheus_adapter
).
and_return
(
prometheus_adapter
)
allow
(
controller
).
to
receive
(
:prometheus_adapter
).
and_return
(
prometheus_adapter
)
end
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
end
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
clusterable
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
clusterable
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
clusterable
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
clusterable
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
clusterable
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
clusterable
)
}
...
@@ -78,7 +83,12 @@ RSpec.describe Groups::ClustersController do
...
@@ -78,7 +83,12 @@ RSpec.describe Groups::ClustersController do
end
end
describe
'security'
do
describe
'security'
do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:admin
)
}
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
expect
{
get_cluster_environments
}.
to
be_denied_for
(
:admin
)
}
end
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
get_cluster_environments
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
get_cluster_environments
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
ee/spec/features/security/group/private_access_spec.rb
...
@@ -20,7 +20,12 @@ RSpec.describe '[EE] Private Group access' do
...
@@ -20,7 +20,12 @@ RSpec.describe '[EE] Private Group access' do
subject
{
group_insights_path
(
group
)
}
subject
{
group_insights_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:auditor
)
}
it
{
is_expected
.
to
be_allowed_for
(
:auditor
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
...
...
ee/spec/models/ee/event_spec.rb
...
@@ -75,9 +75,7 @@ RSpec.describe Event do
...
@@ -75,9 +75,7 @@ RSpec.describe Event do
end
end
context
'when admin mode disabled'
do
context
'when admin mode disabled'
do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
it
'is not visible to admin'
,
:aggregate_failures
do
# See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit
'is not visible to admin'
,
:aggregate_failures
do
expect
(
event
).
not_to
be_visible_to
(
admin
)
expect
(
event
).
not_to
be_visible_to
(
admin
)
end
end
end
end
...
...
ee/spec/models/ee/user_spec.rb
...
@@ -265,6 +265,14 @@ RSpec.describe User do
...
@@ -265,6 +265,14 @@ RSpec.describe User do
end
end
end
end
describe
'#can_admin_all_resources?'
do
it
'returns false for auditor user'
do
user
=
build
(
:user
,
:auditor
)
expect
(
user
.
can_admin_all_resources?
).
to
be_falsy
end
end
describe
'#forget_me!'
do
describe
'#forget_me!'
do
subject
{
create
(
:user
,
remember_created_at:
Time
.
current
)
}
subject
{
create
(
:user
,
remember_created_at:
Time
.
current
)
}
...
...
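Review bot: The new `returns false for auditor user` example runs without `:enable_admin_mode`, so it does not show that an auditor is refused when admin mode is active, which is the case that matters for privilege separation. Tagging it the way the policy specs in this commit do, `it 'returns false for auditor user', :enable_admin_mode do`, would pin that; this assumes the tag behaves here as it does in those specs. The matcher `be_falsy` also accepts `nil`, so `be(false)` would be the stricter assertion if `can?` returns a strict boolean.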
ee/spec/policies/base_policy_spec.rb
...
@@ -26,4 +26,10 @@ RSpec.describe BasePolicy do
...
@@ -26,4 +26,10 @@ RSpec.describe BasePolicy do
is_expected
.
to
be_allowed
(
:read_all_resources
)
is_expected
.
to
be_allowed
(
:read_all_resources
)
end
end
end
end
describe
'admin all resources'
do
it
'forbids auditors'
do
is_expected
.
to
be_disallowed
(
:admin_all_resources
)
end
end
end
end
ee/spec/policies/group_policy_spec.rb
...
@@ -3,6 +3,8 @@
...
@@ -3,6 +3,8 @@
require
'spec_helper'
require
'spec_helper'
RSpec
.
describe
GroupPolicy
do
RSpec
.
describe
GroupPolicy
do
include
AdminModeHelper
include_context
'GroupPolicy context'
include_context
'GroupPolicy context'
let
(
:epic_rules
)
do
let
(
:epic_rules
)
do
...
@@ -31,9 +33,15 @@ RSpec.describe GroupPolicy do
...
@@ -31,9 +33,15 @@ RSpec.describe GroupPolicy do
context
'when user is admin'
do
context
'when user is admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
*
epic_rules
)
}
it
{
is_expected
.
to
be_allowed
(
*
epic_rules
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
*
epic_rules
)
}
end
end
context
'when user is maintainer'
do
context
'when user is maintainer'
do
let
(
:current_user
)
{
maintainer
}
let
(
:current_user
)
{
maintainer
}
...
@@ -273,7 +281,7 @@ RSpec.describe GroupPolicy do
...
@@ -273,7 +281,7 @@ RSpec.describe GroupPolicy do
end
end
context
'when group repository analytics is not available'
do
context
'when group repository analytics is not available'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
maintainer
}
before
do
before
do
stub_licensed_features
(
group_repository_analytics:
false
)
stub_licensed_features
(
group_repository_analytics:
false
)
...
@@ -290,9 +298,15 @@ RSpec.describe GroupPolicy do
...
@@ -290,9 +298,15 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:read_group_timelogs
)
}
it
{
is_expected
.
to
be_allowed
(
:read_group_timelogs
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:read_group_timelogs
)
}
end
end
context
'with owner'
do
context
'with owner'
do
let
(
:current_user
)
{
owner
}
let
(
:current_user
)
{
owner
}
...
@@ -337,7 +351,9 @@ RSpec.describe GroupPolicy do
...
@@ -337,7 +351,9 @@ RSpec.describe GroupPolicy do
stub_licensed_features
(
group_timelogs:
false
)
stub_licensed_features
(
group_timelogs:
false
)
end
end
it
{
is_expected
.
to
be_disallowed
(
:read_group_timelogs
)
}
it
'is disallowed even with admin mode'
,
:enable_admin_mode
do
is_expected
.
to
be_disallowed
(
:read_group_timelogs
)
end
end
end
describe
'per group SAML'
do
describe
'per group SAML'
do
...
@@ -396,7 +412,9 @@ RSpec.describe GroupPolicy do
...
@@ -396,7 +412,9 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
it
'is disallowed even with admin mode'
,
:enable_admin_mode
do
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
end
end
end
end
end
end
end
...
@@ -430,9 +448,16 @@ RSpec.describe GroupPolicy do
...
@@ -430,9 +448,16 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:admin_group_saml
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_group_saml
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:admin_group_saml
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
end
end
end
end
context
'with an enabled SAML provider'
do
context
'with an enabled SAML provider'
do
...
@@ -453,9 +478,15 @@ RSpec.describe GroupPolicy do
...
@@ -453,9 +478,15 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:admin_saml_group_links
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_saml_group_links
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
end
end
context
'when the group is a subgroup'
do
context
'when the group is a subgroup'
do
let_it_be
(
:subgroup
)
{
create
(
:group
,
:private
,
parent:
group
)
}
let_it_be
(
:subgroup
)
{
create
(
:group
,
:private
,
parent:
group
)
}
let
(
:current_user
)
{
owner
}
let
(
:current_user
)
{
owner
}
...
@@ -503,11 +534,19 @@ RSpec.describe GroupPolicy do
...
@@ -503,11 +534,19 @@ RSpec.describe GroupPolicy do
context
'as an admin'
do
context
'as an admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'allows access without a SAML session'
do
it
'allows access without a SAML session'
do
is_expected
.
to
allow_action
(
:read_group
)
is_expected
.
to
allow_action
(
:read_group
)
end
end
end
end
context
'when admin mode is disabled'
do
it
'prevents access without a SAML session'
do
is_expected
.
not_to
allow_action
(
:read_group
)
end
end
end
context
'as an auditor'
do
context
'as an auditor'
do
let
(
:current_user
)
{
create
(
:user
,
:auditor
)
}
let
(
:current_user
)
{
create
(
:user
,
:auditor
)
}
...
@@ -598,10 +637,18 @@ RSpec.describe GroupPolicy do
...
@@ -598,10 +637,18 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_disallowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_disallowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_settings
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_settings
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_ldap_group_settings
)
}
end
end
end
end
context
'when LDAP sync is enabled'
do
context
'when LDAP sync is enabled'
do
...
@@ -670,11 +717,19 @@ RSpec.describe GroupPolicy do
...
@@ -670,11 +717,19 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_allowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_settings
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_settings
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_ldap_group_settings
)
}
end
end
context
'when memberships locked to LDAP'
do
context
'when memberships locked to LDAP'
do
before
do
before
do
stub_application_setting
(
allow_group_owners_to_manage_ldap:
true
)
stub_application_setting
(
allow_group_owners_to_manage_ldap:
true
)
...
@@ -756,9 +811,15 @@ RSpec.describe GroupPolicy do
...
@@ -756,9 +811,15 @@ RSpec.describe GroupPolicy do
context
'with admin'
do
context
'with admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:read_group_credentials_inventory
)
}
it
{
is_expected
.
to
be_allowed
(
:read_group_credentials_inventory
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:read_group_credentials_inventory
)
}
end
end
context
'with owner'
do
context
'with owner'
do
let
(
:current_user
)
{
owner
}
let
(
:current_user
)
{
owner
}
...
@@ -860,9 +921,15 @@ RSpec.describe GroupPolicy do
...
@@ -860,9 +921,15 @@ RSpec.describe GroupPolicy do
context
'with admin'
do
context
'with admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
*
abilities
)
}
it
{
is_expected
.
to
be_allowed
(
*
abilities
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
*
abilities
)
}
end
end
context
'with owner'
do
context
'with owner'
do
let
(
:current_user
)
{
owner
}
let
(
:current_user
)
{
owner
}
...
@@ -1070,10 +1137,22 @@ RSpec.describe GroupPolicy do
...
@@ -1070,10 +1137,22 @@ RSpec.describe GroupPolicy do
end
end
end
end
%w[
admin
owner maintainer developer reporter]
.
each
do
|
role
|
%w[owner maintainer developer reporter]
.
each
do
|
role
|
include_examples
'policy by role'
,
role
include_examples
'policy by role'
,
role
end
end
context
'admin'
do
let
(
:current_user
)
{
admin
}
it
'is allowed when admin mode is enabled'
,
:enable_admin_mode
do
is_expected
.
to
be_allowed
(
action
)
end
it
'is not allowed when admin mode is disabled'
do
is_expected
.
to
be_disallowed
(
action
)
end
end
context
'guest'
do
context
'guest'
do
let
(
:current_user
)
{
guest
}
let
(
:current_user
)
{
guest
}
...
@@ -1131,9 +1210,15 @@ RSpec.describe GroupPolicy do
...
@@ -1131,9 +1210,15 @@ RSpec.describe GroupPolicy do
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
true
)
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
true
)
end
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:update_default_branch_protection
)
}
end
end
context
'when the setting `group_owners_can_manage_default_branch_protection` is disabled'
do
context
'when the setting `group_owners_can_manage_default_branch_protection` is disabled'
do
before
do
before
do
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
false
)
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
false
)
...
@@ -1159,16 +1244,28 @@ RSpec.describe GroupPolicy do
...
@@ -1159,16 +1244,28 @@ RSpec.describe GroupPolicy do
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
true
)
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
true
)
end
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:update_default_branch_protection
)
}
end
end
context
'when the setting `group_owners_can_manage_default_branch_protection` is disabled'
do
context
'when the setting `group_owners_can_manage_default_branch_protection` is disabled'
do
before
do
before
do
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
false
)
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
false
)
end
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:update_default_branch_protection
)
}
end
end
end
end
end
end
...
@@ -1226,18 +1323,23 @@ RSpec.describe GroupPolicy do
...
@@ -1226,18 +1323,23 @@ RSpec.describe GroupPolicy do
let
(
:policy
)
{
:read_ci_minutes_quota
}
let
(
:policy
)
{
:read_ci_minutes_quota
}
where
(
:role
,
:allowed
)
do
where
(
:role
,
:admin_mode
,
:allowed
)
do
:guest
|
false
:guest
|
nil
|
false
:reporter
|
false
:reporter
|
nil
|
false
:developer
|
true
:developer
|
nil
|
true
:maintainer
|
true
:maintainer
|
nil
|
true
:owner
|
true
:owner
|
nil
|
true
:admin
|
true
:admin
|
true
|
true
:admin
|
false
|
false
end
end
with_them
do
with_them
do
let
(
:current_user
)
{
public_send
(
role
)
}
let
(
:current_user
)
{
public_send
(
role
)
}
before
do
enable_admin_mode!
(
current_user
)
if
admin_mode
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
end
end
end
end
...
@@ -1247,18 +1349,23 @@ RSpec.describe GroupPolicy do
...
@@ -1247,18 +1349,23 @@ RSpec.describe GroupPolicy do
let
(
:policy
)
{
:read_group_audit_events
}
let
(
:policy
)
{
:read_group_audit_events
}
where
(
:role
,
:allowed
)
do
where
(
:role
,
:admin_mode
,
:allowed
)
do
:guest
|
false
:guest
|
nil
|
false
:reporter
|
false
:reporter
|
nil
|
false
:developer
|
true
:developer
|
nil
|
true
:maintainer
|
true
:maintainer
|
nil
|
true
:owner
|
true
:owner
|
nil
|
true
:admin
|
true
:admin
|
true
|
true
:admin
|
false
|
false
end
end
with_them
do
with_them
do
let
(
:current_user
)
{
public_send
(
role
)
}
let
(
:current_user
)
{
public_send
(
role
)
}
before
do
enable_admin_mode!
(
current_user
)
if
admin_mode
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
end
end
end
end
...
@@ -1397,19 +1504,21 @@ RSpec.describe GroupPolicy do
...
@@ -1397,19 +1504,21 @@ RSpec.describe GroupPolicy do
let
(
:policy
)
{
:admin_merge_request_approval_settings
}
let
(
:policy
)
{
:admin_merge_request_approval_settings
}
where
(
:role
,
:licensed
,
:allowed
)
do
where
(
:role
,
:licensed
,
:admin_mode
,
:allowed
)
do
:guest
|
true
|
false
:guest
|
true
|
nil
|
false
:guest
|
false
|
false
:guest
|
false
|
nil
|
false
:reporter
|
true
|
false
:reporter
|
true
|
nil
|
false
:reporter
|
false
|
false
:reporter
|
false
|
nil
|
false
:developer
|
true
|
false
:developer
|
true
|
nil
|
false
:developer
|
false
|
false
:developer
|
false
|
nil
|
false
:maintainer
|
true
|
false
:maintainer
|
true
|
nil
|
false
:maintainer
|
false
|
false
:maintainer
|
false
|
nil
|
false
:owner
|
true
|
true
:owner
|
true
|
nil
|
true
:owner
|
false
|
false
:owner
|
false
|
nil
|
false
:admin
|
true
|
true
:admin
|
true
|
true
|
true
:admin
|
false
|
false
:admin
|
false
|
true
|
false
:admin
|
true
|
false
|
false
:admin
|
false
|
false
|
false
end
end
with_them
do
with_them
do
...
@@ -1417,6 +1526,7 @@ RSpec.describe GroupPolicy do
...
@@ -1417,6 +1526,7 @@ RSpec.describe GroupPolicy do
before
do
before
do
stub_licensed_features
(
group_merge_request_approval_settings:
licensed
)
stub_licensed_features
(
group_merge_request_approval_settings:
licensed
)
enable_admin_mode!
(
current_user
)
if
admin_mode
end
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
...
@@ -1428,19 +1538,21 @@ RSpec.describe GroupPolicy do
...
@@ -1428,19 +1538,21 @@ RSpec.describe GroupPolicy do
let
(
:policy
)
{
:start_trial
}
let
(
:policy
)
{
:start_trial
}
where
(
:role
,
:eligible_for_trial
,
:allowed
)
do
where
(
:role
,
:eligible_for_trial
,
:admin_mode
,
:allowed
)
do
:guest
|
true
|
false
:guest
|
true
|
nil
|
false
:guest
|
false
|
false
:guest
|
false
|
nil
|
false
:reporter
|
true
|
false
:reporter
|
true
|
nil
|
false
:reporter
|
false
|
false
:reporter
|
false
|
nil
|
false
:developer
|
true
|
false
:developer
|
true
|
nil
|
false
:developer
|
false
|
false
:developer
|
false
|
nil
|
false
:maintainer
|
true
|
true
:maintainer
|
true
|
nil
|
true
:maintainer
|
false
|
false
:maintainer
|
false
|
nil
|
false
:owner
|
true
|
true
:owner
|
true
|
nil
|
true
:owner
|
false
|
false
:owner
|
false
|
nil
|
false
:admin
|
true
|
true
:admin
|
true
|
true
|
true
:admin
|
false
|
false
:admin
|
false
|
true
|
false
:admin
|
true
|
false
|
false
:admin
|
false
|
false
|
false
end
end
with_them
do
with_them
do
...
@@ -1448,6 +1560,7 @@ RSpec.describe GroupPolicy do
...
@@ -1448,6 +1560,7 @@ RSpec.describe GroupPolicy do
before
do
before
do
allow
(
group
).
to
receive
(
:eligible_for_trial?
).
and_return
(
eligible_for_trial
)
allow
(
group
).
to
receive
(
:eligible_for_trial?
).
and_return
(
eligible_for_trial
)
enable_admin_mode!
(
current_user
)
if
admin_mode
end
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
...
@@ -1459,16 +1572,17 @@ RSpec.describe GroupPolicy do
...
@@ -1459,16 +1572,17 @@ RSpec.describe GroupPolicy do
shared_context
'compliance framework permissions'
do
shared_context
'compliance framework permissions'
do
using
RSpec
::
Parameterized
::
TableSyntax
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:role
,
:licensed
,
:feature_flag
,
:allowed
)
do
where
(
:role
,
:licensed
,
:feature_flag
,
:admin_mode
,
:allowed
)
do
:owner
|
true
|
true
|
true
:owner
|
true
|
true
|
nil
|
true
:owner
|
true
|
false
|
false
:owner
|
true
|
false
|
nil
|
false
:owner
|
false
|
true
|
false
:owner
|
false
|
true
|
nil
|
false
:owner
|
false
|
false
|
false
:owner
|
false
|
false
|
nil
|
false
:admin
|
true
|
true
|
true
:admin
|
true
|
true
|
true
|
true
:maintainer
|
true
|
true
|
false
:admin
|
true
|
true
|
false
|
false
:developer
|
true
|
true
|
false
:maintainer
|
true
|
true
|
nil
|
false
:reporter
|
true
|
true
|
false
:developer
|
true
|
true
|
nil
|
false
:guest
|
true
|
true
|
false
:reporter
|
true
|
true
|
nil
|
false
:guest
|
true
|
true
|
nil
|
false
end
end
with_them
do
with_them
do
...
@@ -1477,6 +1591,7 @@ RSpec.describe GroupPolicy do
...
@@ -1477,6 +1591,7 @@ RSpec.describe GroupPolicy do
before
do
before
do
stub_licensed_features
(
licensed_feature
=>
licensed
)
stub_licensed_features
(
licensed_feature
=>
licensed
)
stub_feature_flags
(
ff_custom_compliance_frameworks:
feature_flag
)
stub_feature_flags
(
ff_custom_compliance_frameworks:
feature_flag
)
enable_admin_mode!
(
current_user
)
if
admin_mode
end
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
...
@@ -1522,19 +1637,21 @@ RSpec.describe GroupPolicy do
...
@@ -1522,19 +1637,21 @@ RSpec.describe GroupPolicy do
context
'when feature is enabled and license include the feature'
do
context
'when feature is enabled and license include the feature'
do
using
RSpec
::
Parameterized
::
TableSyntax
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:role
,
:allowed
)
do
where
(
:role
,
:admin_mode
,
:allowed
)
do
:admin
|
true
:admin
|
true
|
true
:owner
|
true
:admin
|
false
|
false
:maintainer
|
true
:owner
|
nil
|
true
:developer
|
true
:maintainer
|
nil
|
true
:reporter
|
true
:developer
|
nil
|
true
:guest
|
false
:reporter
|
nil
|
true
:non_group_member
|
false
:guest
|
nil
|
false
:non_group_member
|
nil
|
false
end
end
before
do
before
do
stub_feature_flags
(
group_devops_adoption:
true
)
stub_feature_flags
(
group_devops_adoption:
true
)
stub_licensed_features
(
group_level_devops_adoption:
true
)
stub_licensed_features
(
group_level_devops_adoption:
true
)
enable_admin_mode!
(
current_user
)
if
admin_mode
end
end
with_them
do
with_them
do
...
...
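Review bot: In the `when group repository analytics is not available` context (hunk `@@ -273,7 +281,7`), `current_user` changes from `admin` to `maintainer`, which removes the only visible check that an administrator is still refused when the feature is unlicensed. The timelogs and SAML hunks in this same file keep that coverage by tagging the example `:enable_admin_mode` (`it 'is disallowed even with admin mode', :enable_admin_mode do`); doing the same here would keep the licence gate tested against the most privileged role. The rest of that context lies outside the hunk, so the assertion it wraps is not visible from here.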
ee/spec/services/epics/transfer_service_spec.rb
...
@@ -4,9 +4,14 @@ require 'spec_helper'
...
@@ -4,9 +4,14 @@ require 'spec_helper'
RSpec
.
describe
Epics
::
TransferService
do
RSpec
.
describe
Epics
::
TransferService
do
describe
'#execute'
do
describe
'#execute'
do
let_it_be
(
:user
)
{
create
(
:
admin
)
}
let_it_be
(
:user
)
{
create
(
:
user
)
}
let_it_be
(
:new_group
,
refind:
true
)
{
create
(
:group
)
}
let_it_be
(
:new_group
,
refind:
true
)
{
create
(
:group
)
}
let_it_be
(
:old_group
,
refind:
true
)
{
create
(
:group
)
}
let_it_be
(
:old_group
,
refind:
true
)
{
create
(
:group
)
}
before
do
old_group
.
add_maintainer
(
user
)
if
old_group
end
subject
(
:service
)
{
described_class
.
new
(
user
,
old_group
,
project
)
}
subject
(
:service
)
{
described_class
.
new
(
user
,
old_group
,
project
)
}
context
'when old_group is present'
do
context
'when old_group is present'
do
...
...
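Review bot: The new `before` block guards `old_group.add_maintainer(user)` with `if old_group`, yet `old_group` is defined just above by `let_it_be` as `create(:group)` and is never nil at this level. Presumably a nested context overrides it with nil; if so, a short comment such as `# old_group is nil in the contexts that exercise a missing source group` would explain the guard. Now that the user is no longer an admin, it is also worth confirming that no example depends on access to `new_group`, which receives no membership in the visible lines.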
ee/spec/services/todo_service_spec.rb
...
@@ -114,7 +114,7 @@ RSpec.describe TodoService do
...
@@ -114,7 +114,7 @@ RSpec.describe TodoService do
context
'for mentioned users'
do
context
'for mentioned users'
do
let
(
:todo_params
)
{
{
action:
Todo
::
MENTIONED
}
}
let
(
:todo_params
)
{
{
action:
Todo
::
MENTIONED
}
}
let
(
:todos_for
)
{
[
member
,
author
,
guest
,
admin
]
}
let
(
:todos_for
)
{
[
member
,
author
,
guest
]
}
let
(
:todos_not_for
)
{
[
non_member
,
john_doe
,
skipped
]
}
let
(
:todos_not_for
)
{
[
non_member
,
john_doe
,
skipped
]
}
include_examples
'todos creation'
include_examples
'todos creation'
...
@@ -126,7 +126,7 @@ RSpec.describe TodoService do
...
@@ -126,7 +126,7 @@ RSpec.describe TodoService do
end
end
let
(
:todo_params
)
{
{
action:
Todo
::
DIRECTLY_ADDRESSED
}
}
let
(
:todo_params
)
{
{
action:
Todo
::
DIRECTLY_ADDRESSED
}
}
let
(
:todos_for
)
{
[
member
,
author
,
guest
,
admin
]
}
let
(
:todos_for
)
{
[
member
,
author
,
guest
]
}
let
(
:todos_not_for
)
{
[
non_member
,
john_doe
,
skipped
]
}
let
(
:todos_not_for
)
{
[
non_member
,
john_doe
,
skipped
]
}
include_examples
'todos creation'
include_examples
'todos creation'
...
...
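Review bot: Both changed `todos_for` lines (the `Todo::MENTIONED` and the `Todo::DIRECTLY_ADDRESSED` case) drop `admin` without adding it to `todos_not_for`, so these examples no longer assert anything about the admin user. If the intent is that an admin without admin mode must not receive a todo for a resource they cannot read, pin it with `let(:todos_not_for) { [non_member, john_doe, skipped, admin] }` in both places. Whether `admin` is still mentioned in the fixture text is not visible in these hunks, so confirm that before adding the expectation.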
ee/spec/views/groups/compliance_frameworks/edit.html.haml_spec.rb
...
@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/edit.html.haml' do
...
@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/edit.html.haml' do
assign
(
:group
,
group
)
assign
(
:group
,
group
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
user
).
to
receive
(
:can_admin_all_resources?
).
and_return
(
false
)
allow
(
user
).
to
receive
(
:can?
).
with
(
:admin_compliance_pipeline_configuration
,
group
).
and_return
(
true
)
allow
(
user
).
to
receive
(
:can?
).
with
(
:admin_compliance_pipeline_configuration
,
group
).
and_return
(
true
)
allow
(
view
).
to
receive
(
:params
).
and_return
(
id:
1
)
allow
(
view
).
to
receive
(
:params
).
and_return
(
id:
1
)
end
end
...
...
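Review bot: The added stub `allow(user).to receive(:can_admin_all_resources?).and_return(false)` carries no explanation, and the same line is added in `new.html.haml_spec.rb`. Since `can?` is already stubbed for `:admin_compliance_pipeline_configuration`, a reader cannot tell from the spec which code path now calls `can_admin_all_resources?` on the user; presumably it is the admin check this commit routes through the policy framework. A short comment above the stub, for example `# render as a non-admin: the group access check now asks the user for this`, would document it, with the wording adjusted to the actual caller.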
ee/spec/views/groups/compliance_frameworks/new.html.haml_spec.rb
...
@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/new.html.haml' do
...
@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/new.html.haml' do
assign
(
:group
,
group
)
assign
(
:group
,
group
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
user
).
to
receive
(
:can_admin_all_resources?
).
and_return
(
false
)
allow
(
user
).
to
receive
(
:can?
).
with
(
:admin_compliance_pipeline_configuration
,
group
).
and_return
(
true
)
allow
(
user
).
to
receive
(
:can?
).
with
(
:admin_compliance_pipeline_configuration
,
group
).
and_return
(
true
)
end
end
...
...
lib/declarative_policy/policy_dsl.rb
...
@@ -6,7 +6,7 @@ module DeclarativePolicy
...
@@ -6,7 +6,7 @@ module DeclarativePolicy
# Policy class (context_class here). See Base.rule
# Policy class (context_class here). See Base.rule
#
#
# Note that the #policy method just performs an #instance_eval,
# Note that the #policy method just performs an #instance_eval,
# which is useful for multiple #enable or #prevent calls
e
.
# which is useful for multiple #enable or #prevent calls.
#
#
# Also provides a #method_missing proxy to the context
# Also provides a #method_missing proxy to the context
# class's class methods, so that helper methods can be
# class's class methods, so that helper methods can be
...
...
spec/controllers/groups/clusters/applications_controller_spec.rb
...
@@ -10,7 +10,8 @@ RSpec.describe Groups::Clusters::ApplicationsController do
...
@@ -10,7 +10,8 @@ RSpec.describe Groups::Clusters::ApplicationsController do
end
end
shared_examples
'a secure endpoint'
do
shared_examples
'a secure endpoint'
do
it
{
expect
{
subject
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
subject
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
subject
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
subject
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
subject
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
subject
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
subject
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
subject
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
subject
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
spec/controllers/groups/clusters_controller_spec.rb
...
@@ -99,7 +99,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -99,7 +99,8 @@ RSpec.describe Groups::ClustersController do
describe
'security'
do
describe
'security'
do
let
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
cluster_type: :group_type
,
groups:
[
group
])
}
let
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
cluster_type: :group_type
,
groups:
[
group
])
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -183,7 +184,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -183,7 +184,8 @@ RSpec.describe Groups::ClustersController do
include_examples
'GET new cluster shared examples'
include_examples
'GET new cluster shared examples'
describe
'security'
do
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -316,7 +318,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -316,7 +318,8 @@ RSpec.describe Groups::ClustersController do
allow
(
WaitForClusterCreationWorker
).
to
receive
(
:perform_in
).
and_return
(
nil
)
allow
(
WaitForClusterCreationWorker
).
to
receive
(
:perform_in
).
and_return
(
nil
)
end
end
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -418,7 +421,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -418,7 +421,8 @@ RSpec.describe Groups::ClustersController do
end
end
describe
'security'
do
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -486,7 +490,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -486,7 +490,8 @@ RSpec.describe Groups::ClustersController do
allow
(
WaitForClusterCreationWorker
).
to
receive
(
:perform_in
)
allow
(
WaitForClusterCreationWorker
).
to
receive
(
:perform_in
)
end
end
it
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
post_create_aws
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
post_create_aws
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
post_create_aws
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -544,7 +549,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -544,7 +549,8 @@ RSpec.describe Groups::ClustersController do
end
end
end
end
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -580,7 +586,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -580,7 +586,8 @@ RSpec.describe Groups::ClustersController do
end
end
describe
'security'
do
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -619,7 +626,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -619,7 +626,8 @@ RSpec.describe Groups::ClustersController do
end
end
describe
'security'
do
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -651,7 +659,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -651,7 +659,8 @@ RSpec.describe Groups::ClustersController do
end
end
describe
'security'
do
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -759,7 +768,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -759,7 +768,8 @@ RSpec.describe Groups::ClustersController do
describe
'security'
do
describe
'security'
do
let_it_be
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
cluster_type: :group_type
,
groups:
[
group
])
}
let_it_be
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
cluster_type: :group_type
,
groups:
[
group
])
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -827,7 +837,8 @@ RSpec.describe Groups::ClustersController do
...
@@ -827,7 +837,8 @@ RSpec.describe Groups::ClustersController do
describe
'security'
do
describe
'security'
do
let_it_be
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
:production_environment
,
cluster_type: :group_type
,
groups:
[
group
])
}
let_it_be
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
:production_environment
,
cluster_type: :group_type
,
groups:
[
group
])
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
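Review bot: The same pair of examples, `'is allowed for admin when admin mode is enabled'` tagged `:enable_admin_mode` and `'is denied for admin when admin mode is disabled'`, is pasted into every hunk of this file, differing only in the request helper (`go` or `post_create_aws`). This is a style point: `applications_controller_spec.rb` already keeps the pair inside its `'a secure endpoint'` shared examples, and a shared group here would keep the descriptions and the tag in one place, so a later change to how admin mode is enabled in specs cannot leave one endpoint on the old expectation. The sketch below assumes the matcher invokes the block once per example; the enclosing `describe 'security'` blocks continue outside the hunks.

```ruby
shared_examples 'admin access requires admin mode' do
  it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { perform_request }.to be_allowed_for(:admin) }
  it('is denied for admin when admin mode is disabled') { expect { perform_request }.to be_denied_for(:admin) }
end

# … unchanged: describe 'security' setup and the owner/maintainer/developer examples …
it_behaves_like 'admin access requires admin mode' do
  let(:perform_request) { go }
end
```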
spec/controllers/groups_controller_spec.rb
...
@@ -4,17 +4,23 @@ require 'spec_helper'
...
@@ -4,17 +4,23 @@ require 'spec_helper'
RSpec
.
describe
GroupsController
,
factory_default: :keep
do
RSpec
.
describe
GroupsController
,
factory_default: :keep
do
include
ExternalAuthorizationServiceHelpers
include
ExternalAuthorizationServiceHelpers
include
AdminModeHelper
let_it_be_with_refind
(
:group
)
{
create_default
(
:group
,
:public
)
}
let_it_be_with_refind
(
:group
)
{
create_default
(
:group
,
:public
)
}
let_it_be_with_refind
(
:project
)
{
create
(
:project
,
namespace:
group
)
}
let_it_be_with_refind
(
:project
)
{
create
(
:project
,
namespace:
group
)
}
let_it_be
(
:user
)
{
create
(
:user
)
}
let_it_be
(
:user
)
{
create
(
:user
)
}
let_it_be
(
:admin
)
{
create
(
:admin
)
}
let_it_be
(
:admin_with_admin_mode
)
{
create
(
:admin
)
}
let_it_be
(
:admin_without_admin_mode
)
{
create
(
:admin
)
}
let_it_be
(
:group_member
)
{
create
(
:group_member
,
group:
group
,
user:
user
)
}
let_it_be
(
:group_member
)
{
create
(
:group_member
,
group:
group
,
user:
user
)
}
let_it_be
(
:owner
)
{
group
.
add_owner
(
create
(
:user
)).
user
}
let_it_be
(
:owner
)
{
group
.
add_owner
(
create
(
:user
)).
user
}
let_it_be
(
:maintainer
)
{
group
.
add_maintainer
(
create
(
:user
)).
user
}
let_it_be
(
:maintainer
)
{
group
.
add_maintainer
(
create
(
:user
)).
user
}
let_it_be
(
:developer
)
{
group
.
add_developer
(
create
(
:user
)).
user
}
let_it_be
(
:developer
)
{
group
.
add_developer
(
create
(
:user
)).
user
}
let_it_be
(
:guest
)
{
group
.
add_guest
(
create
(
:user
)).
user
}
let_it_be
(
:guest
)
{
group
.
add_guest
(
create
(
:user
)).
user
}
before
do
enable_admin_mode!
(
admin_with_admin_mode
)
end
shared_examples
'member with ability to create subgroups'
do
shared_examples
'member with ability to create subgroups'
do
it
'renders the new page'
do
it
'renders the new page'
do
sign_in
(
member
)
sign_in
(
member
)
...
@@ -105,10 +111,10 @@ RSpec.describe GroupsController, factory_default: :keep do
...
@@ -105,10 +111,10 @@ RSpec.describe GroupsController, factory_default: :keep do
[
true
,
false
].
each
do
|
can_create_group_status
|
[
true
,
false
].
each
do
|
can_create_group_status
|
context
"and can_create_group is
#{
can_create_group_status
}
"
do
context
"and can_create_group is
#{
can_create_group_status
}
"
do
before
do
before
do
User
.
where
(
id:
[
admin
,
owner
,
maintainer
,
developer
,
guest
]).
update_all
(
can_create_group:
can_create_group_status
)
User
.
where
(
id:
[
admin
_with_admin_mode
,
admin_without_admin_mode
,
owner
,
maintainer
,
developer
,
guest
]).
update_all
(
can_create_group:
can_create_group_status
)
end
end
[
:admin
,
:owner
,
:maintainer
].
each
do
|
member_type
|
[
:admin
_with_admin_mode
,
:owner
,
:maintainer
].
each
do
|
member_type
|
context
"and logged in as
#{
member_type
.
capitalize
}
"
do
context
"and logged in as
#{
member_type
.
capitalize
}
"
do
it_behaves_like
'member with ability to create subgroups'
do
it_behaves_like
'member with ability to create subgroups'
do
let
(
:member
)
{
send
(
member_type
)
}
let
(
:member
)
{
send
(
member_type
)
}
...
@@ -116,7 +122,7 @@ RSpec.describe GroupsController, factory_default: :keep do
...
@@ -116,7 +122,7 @@ RSpec.describe GroupsController, factory_default: :keep do
end
end
end
end
[
:guest
,
:developer
].
each
do
|
member_type
|
[
:guest
,
:developer
,
:admin_without_admin_mode
].
each
do
|
member_type
|
context
"and logged in as
#{
member_type
.
capitalize
}
"
do
context
"and logged in as
#{
member_type
.
capitalize
}
"
do
it_behaves_like
'member without ability to create subgroups'
do
it_behaves_like
'member without ability to create subgroups'
do
let
(
:member
)
{
send
(
member_type
)
}
let
(
:member
)
{
send
(
member_type
)
}
...
@@ -856,6 +862,12 @@ RSpec.describe GroupsController, factory_default: :keep do
...
@@ -856,6 +862,12 @@ RSpec.describe GroupsController, factory_default: :keep do
end
end
describe
'POST #export'
do
describe
'POST #export'
do
let
(
:admin
)
{
create
(
:admin
)
}
before
do
enable_admin_mode!
(
admin
)
end
context
'when the group export feature flag is not enabled'
do
context
'when the group export feature flag is not enabled'
do
before
do
before
do
sign_in
(
admin
)
sign_in
(
admin
)
...
@@ -918,6 +930,12 @@ RSpec.describe GroupsController, factory_default: :keep do
...
@@ -918,6 +930,12 @@ RSpec.describe GroupsController, factory_default: :keep do
end
end
describe
'GET #download_export'
do
describe
'GET #download_export'
do
let
(
:admin
)
{
create
(
:admin
)
}
before
do
enable_admin_mode!
(
admin
)
end
context
'when there is a file available to download'
do
context
'when there is a file available to download'
do
let
(
:export_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export.tar.gz'
)
}
let
(
:export_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export.tar.gz'
)
}
...
@@ -934,8 +952,6 @@ RSpec.describe GroupsController, factory_default: :keep do
...
@@ -934,8 +952,6 @@ RSpec.describe GroupsController, factory_default: :keep do
end
end
context
'when there is no file available to download'
do
context
'when there is no file available to download'
do
let
(
:admin
)
{
create
(
:admin
)
}
before
do
before
do
sign_in
(
admin
)
sign_in
(
admin
)
end
end
...
...
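Review bot: The `POST #export` and `GET #download_export` blocks only gain `let(:admin) { create(:admin) }` with `enable_admin_mode!(admin)`, so every admin example there runs with admin mode on and none pins that an admin without admin mode is refused. Export hands out the group's data, so this is where the negative case matters most; the file already defines `admin_without_admin_mode` at the top level, and one example per action could call `sign_in(admin_without_admin_mode)` and expect a not-found response. The new per-describe `admin` also duplicates `admin_with_admin_mode`, which the top-level `before` already puts into admin mode. Both describe blocks continue outside the hunks, so an existing negative example may simply not be visible here.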
spec/features/groups_spec.rb
...
@@ -143,7 +143,7 @@ RSpec.describe 'Group' do
...
@@ -143,7 +143,7 @@ RSpec.describe 'Group' do
end
end
end
end
describe
'create a nested group'
,
:js
do
describe
'create a nested group'
do
let_it_be
(
:group
)
{
create
(
:group
,
path:
'foo'
)
}
let_it_be
(
:group
)
{
create
(
:group
,
path:
'foo'
)
}
context
'as admin'
do
context
'as admin'
do
...
@@ -153,6 +153,7 @@ RSpec.describe 'Group' do
...
@@ -153,6 +153,7 @@ RSpec.describe 'Group' do
visit
new_group_path
(
group
,
parent_id:
group
.
id
)
visit
new_group_path
(
group
,
parent_id:
group
.
id
)
end
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'creates a nested group'
do
it
'creates a nested group'
do
fill_in
'Group name'
,
with:
'bar'
fill_in
'Group name'
,
with:
'bar'
fill_in
'Group URL'
,
with:
'bar'
fill_in
'Group URL'
,
with:
'bar'
...
@@ -163,6 +164,13 @@ RSpec.describe 'Group' do
...
@@ -163,6 +164,13 @@ RSpec.describe 'Group' do
end
end
end
end
context
'when admin mode is disabled'
do
it
'is not allowed'
do
expect
(
page
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
context
'as group owner'
do
context
'as group owner'
do
it
'creates a nested group'
do
it
'creates a nested group'
do
user
=
create
(
:user
)
user
=
create
(
:user
)
...
...
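Review bot: Dropping `:js` from `describe 'create a nested group'` changes the driver for every nested example, including `'as group owner'`, not only for the new admin-mode contexts. It looks as if the tag was removed so that `have_gitlab_http_status(:not_found)` can be used in `'when admin mode is disabled'`; `new_project_spec.rb` in this commit keeps `:js` and asserts `expect(page).to have_content('Not Found')` for the same situation. Using one form in both specs, or a comment on the describe saying why JavaScript is no longer needed, would make the choice deliberate.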
spec/features/projects/new_project_spec.rb
...
@@ -95,12 +95,14 @@ RSpec.describe 'New project', :js do
...
@@ -95,12 +95,14 @@ RSpec.describe 'New project', :js do
end
end
context
'when group visibility is private but default is internal'
do
context
'when group visibility is private but default is internal'
do
let_it_be
(
:group
)
{
create
(
:group
,
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
)
}
before
do
before
do
stub_application_setting
(
default_project_visibility:
Gitlab
::
VisibilityLevel
::
INTERNAL
)
stub_application_setting
(
default_project_visibility:
Gitlab
::
VisibilityLevel
::
INTERNAL
)
end
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'has private selected'
do
it
'has private selected'
do
group
=
create
(
:group
,
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
)
visit
new_project_path
(
namespace_id:
group
.
id
)
visit
new_project_path
(
namespace_id:
group
.
id
)
find
(
'[data-qa-selector="blank_project_link"]'
).
click
find
(
'[data-qa-selector="blank_project_link"]'
).
click
...
@@ -110,13 +112,24 @@ RSpec.describe 'New project', :js do
...
@@ -110,13 +112,24 @@ RSpec.describe 'New project', :js do
end
end
end
end
context
'when admin mode is disabled'
do
it
'is not allowed'
do
visit
new_project_path
(
namespace_id:
group
.
id
)
expect
(
page
).
to
have_content
(
'Not Found'
)
end
end
end
context
'when group visibility is public but user requests private'
do
context
'when group visibility is public but user requests private'
do
let_it_be
(
:group
)
{
create
(
:group
,
visibility_level:
Gitlab
::
VisibilityLevel
::
PUBLIC
)
}
before
do
before
do
stub_application_setting
(
default_project_visibility:
Gitlab
::
VisibilityLevel
::
INTERNAL
)
stub_application_setting
(
default_project_visibility:
Gitlab
::
VisibilityLevel
::
INTERNAL
)
end
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'has private selected'
do
it
'has private selected'
do
group
=
create
(
:group
,
visibility_level:
Gitlab
::
VisibilityLevel
::
PUBLIC
)
visit
new_project_path
(
namespace_id:
group
.
id
,
project:
{
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
})
visit
new_project_path
(
namespace_id:
group
.
id
,
project:
{
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
})
find
(
'[data-qa-selector="blank_project_link"]'
).
click
find
(
'[data-qa-selector="blank_project_link"]'
).
click
...
@@ -125,6 +138,15 @@ RSpec.describe 'New project', :js do
...
@@ -125,6 +138,15 @@ RSpec.describe 'New project', :js do
end
end
end
end
end
end
context
'when admin mode is disabled'
do
it
'is not allowed'
do
visit
new_project_path
(
namespace_id:
group
.
id
,
project:
{
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
})
expect
(
page
).
to
have_content
(
'Not Found'
)
end
end
end
end
end
context
'Readme selector'
do
context
'Readme selector'
do
...
...
spec/features/security/group/internal_access_spec.rb
...
@@ -24,7 +24,12 @@ RSpec.describe 'Internal Group access' do
...
@@ -24,7 +24,12 @@ RSpec.describe 'Internal Group access' do
describe
'GET /groups/:path'
do
describe
'GET /groups/:path'
do
subject
{
group_path
(
group
)
}
subject
{
group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -39,7 +44,12 @@ RSpec.describe 'Internal Group access' do
...
@@ -39,7 +44,12 @@ RSpec.describe 'Internal Group access' do
describe
'GET /groups/:path/-/issues'
do
describe
'GET /groups/:path/-/issues'
do
subject
{
issues_group_path
(
group
)
}
subject
{
issues_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -56,7 +66,12 @@ RSpec.describe 'Internal Group access' do
...
@@ -56,7 +66,12 @@ RSpec.describe 'Internal Group access' do
subject
{
merge_requests_group_path
(
group
)
}
subject
{
merge_requests_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -71,7 +86,12 @@ RSpec.describe 'Internal Group access' do
...
@@ -71,7 +86,12 @@ RSpec.describe 'Internal Group access' do
describe
'GET /groups/:path/-/group_members'
do
describe
'GET /groups/:path/-/group_members'
do
subject
{
group_group_members_path
(
group
)
}
subject
{
group_group_members_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -86,7 +106,12 @@ RSpec.describe 'Internal Group access' do
...
@@ -86,7 +106,12 @@ RSpec.describe 'Internal Group access' do
describe
'GET /groups/:path/-/edit'
do
describe
'GET /groups/:path/-/edit'
do
subject
{
edit_group_path
(
group
)
}
subject
{
edit_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
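Review bot: In the `'when admin mode is disabled'` contexts for `GET /groups/:path`, `/-/issues`, the merge requests path and `/-/group_members`, the expectation is `be_allowed_for(:admin)`, the same as with admin mode enabled; only `/-/edit` expects `be_denied_for(:admin)`. That is presumably correct because an internal group is readable by any signed-in user, but next to `private_access_spec.rb`, where the same contexts expect denial, it reads like a missed edit. A comment in the first such context, e.g. `# internal groups are visible to every signed-in user, so reading needs no admin mode`, would record the intent.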
spec/features/security/group/private_access_spec.rb
...
@@ -24,7 +24,12 @@ RSpec.describe 'Private Group access' do
...
@@ -24,7 +24,12 @@ RSpec.describe 'Private Group access' do
describe
'GET /groups/:path'
do
describe
'GET /groups/:path'
do
subject
{
group_path
(
group
)
}
subject
{
group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -39,7 +44,12 @@ RSpec.describe 'Private Group access' do
...
@@ -39,7 +44,12 @@ RSpec.describe 'Private Group access' do
describe
'GET /groups/:path/-/issues'
do
describe
'GET /groups/:path/-/issues'
do
subject
{
issues_group_path
(
group
)
}
subject
{
issues_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -56,7 +66,12 @@ RSpec.describe 'Private Group access' do
...
@@ -56,7 +66,12 @@ RSpec.describe 'Private Group access' do
subject
{
merge_requests_group_path
(
group
)
}
subject
{
merge_requests_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -71,7 +86,12 @@ RSpec.describe 'Private Group access' do
...
@@ -71,7 +86,12 @@ RSpec.describe 'Private Group access' do
describe
'GET /groups/:path/-/group_members'
do
describe
'GET /groups/:path/-/group_members'
do
subject
{
group_group_members_path
(
group
)
}
subject
{
group_group_members_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -86,7 +106,12 @@ RSpec.describe 'Private Group access' do
...
@@ -86,7 +106,12 @@ RSpec.describe 'Private Group access' do
describe
'GET /groups/:path/-/edit'
do
describe
'GET /groups/:path/-/edit'
do
subject
{
edit_group_path
(
group
)
}
subject
{
edit_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
@@ -107,7 +132,12 @@ RSpec.describe 'Private Group access' do
...
@@ -107,7 +132,12 @@ RSpec.describe 'Private Group access' do
subject
{
group_path
(
group
)
}
subject
{
group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
spec/features/security/group/public_access_spec.rb
...
@@ -24,7 +24,12 @@ RSpec.describe 'Public Group access' do
...
@@ -24,7 +24,12 @@ RSpec.describe 'Public Group access' do
describe
'GET /groups/:path'
do
describe
'GET /groups/:path'
do
subject
{
group_path
(
group
)
}
subject
{
group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -39,7 +44,12 @@ RSpec.describe 'Public Group access' do
...
@@ -39,7 +44,12 @@ RSpec.describe 'Public Group access' do
describe
'GET /groups/:path/-/issues'
do
describe
'GET /groups/:path/-/issues'
do
subject
{
issues_group_path
(
group
)
}
subject
{
issues_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -56,7 +66,12 @@ RSpec.describe 'Public Group access' do
...
@@ -56,7 +66,12 @@ RSpec.describe 'Public Group access' do
subject
{
merge_requests_group_path
(
group
)
}
subject
{
merge_requests_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -71,7 +86,12 @@ RSpec.describe 'Public Group access' do
...
@@ -71,7 +86,12 @@ RSpec.describe 'Public Group access' do
describe
'GET /groups/:path/-/group_members'
do
describe
'GET /groups/:path/-/group_members'
do
subject
{
group_group_members_path
(
group
)
}
subject
{
group_group_members_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
@@ -86,7 +106,12 @@ RSpec.describe 'Public Group access' do
...
@@ -86,7 +106,12 @@ RSpec.describe 'Public Group access' do
describe
'GET /groups/:path/-/edit'
do
describe
'GET /groups/:path/-/edit'
do
subject
{
edit_group_path
(
group
)
}
subject
{
edit_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
spec/helpers/namespaces_helper_spec.rb
...
@@ -46,6 +46,7 @@ RSpec.describe NamespacesHelper do
...
@@ -46,6 +46,7 @@ RSpec.describe NamespacesHelper do
end
end
describe
'#namespaces_options'
do
describe
'#namespaces_options'
do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'returns groups without being a member for admin'
do
it
'returns groups without being a member for admin'
do
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
admin
)
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
admin
)
...
@@ -54,6 +55,18 @@ RSpec.describe NamespacesHelper do
...
@@ -54,6 +55,18 @@ RSpec.describe NamespacesHelper do
expect
(
options
).
to
include
(
admin_group
.
name
)
expect
(
options
).
to
include
(
admin_group
.
name
)
expect
(
options
).
to
include
(
user_group
.
name
)
expect
(
options
).
to
include
(
user_group
.
name
)
end
end
end
context
'when admin mode is disabled'
do
it
'returns only allowed namespaces for admin'
do
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
admin
)
options
=
helper
.
namespaces_options
(
user_group
.
id
,
display_path:
true
,
extra_group:
user_group
.
id
)
expect
(
options
).
to
include
(
admin_group
.
name
)
expect
(
options
).
not_to
include
(
user_group
.
name
)
end
end
it
'returns only allowed namespaces for user'
do
it
'returns only allowed namespaces for user'
do
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
user
)
...
@@ -74,14 +87,17 @@ RSpec.describe NamespacesHelper do
...
@@ -74,14 +87,17 @@ RSpec.describe NamespacesHelper do
expect
(
options
).
to
include
(
admin_group
.
name
)
expect
(
options
).
to
include
(
admin_group
.
name
)
end
end
context
'when admin mode is disabled'
do
it
'selects existing group'
do
it
'selects existing group'
do
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
admin
)
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
admin
)
user_group
.
add_owner
(
admin
)
options
=
helper
.
namespaces_options
(
:extra_group
,
display_path:
true
,
extra_group:
user_group
)
options
=
helper
.
namespaces_options
(
:extra_group
,
display_path:
true
,
extra_group:
user_group
)
expect
(
options
).
to
include
(
"selected=
\"
selected
\"
value=
\"
#{
user_group
.
id
}
\"
"
)
expect
(
options
).
to
include
(
"selected=
\"
selected
\"
value=
\"
#{
user_group
.
id
}
\"
"
)
expect
(
options
).
to
include
(
admin_group
.
name
)
expect
(
options
).
to
include
(
admin_group
.
name
)
end
end
end
it
'selects the new group by default'
do
it
'selects the new group by default'
do
# Ensure we don't select a group with the same name
# Ensure we don't select a group with the same name
...
...
spec/lib/gitlab/import_export/project/tree_saver_spec.rb
...
@@ -349,6 +349,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
...
@@ -349,6 +349,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
project_tree_saver
.
save
project_tree_saver
.
save
end
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'exports group members as admin'
do
it
'exports group members as admin'
do
expect
(
member_emails
).
to
include
(
'group@member.com'
)
expect
(
member_emails
).
to
include
(
'group@member.com'
)
end
end
...
@@ -359,6 +360,13 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
...
@@ -359,6 +360,13 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
expect
(
member_types
).
to
all
(
eq
(
'Project'
))
expect
(
member_types
).
to
all
(
eq
(
'Project'
))
end
end
end
end
context
'when admin mode is disabled'
do
it
'does not export group members'
do
expect
(
member_emails
).
not_to
include
(
'group@member.com'
)
end
end
end
end
end
context
'with description override'
do
context
'with description override'
do
...
...
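Review bot: The new `'does not export group members'` example under `'when admin mode is disabled'` asserts only an absence, so it would also pass if the export produced no members at all. Pairing it with a positive check such as `expect(member_emails).not_to be_empty` (assuming the fixture has project members) would pin the intended outcome: project members are still exported and only group members are withheld. The same negative-only example is added in spec/presenters/projects/import_export/project_export_presenter_spec.rb. `member_emails` is defined outside the hunk, so its exact shape should be confirmed.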
spec/models/group_spec.rb
...
@@ -781,9 +781,17 @@ RSpec.describe Group do
...
@@ -781,9 +781,17 @@ RSpec.describe Group do
context
'evaluating admin access level'
do
context
'evaluating admin access level'
do
let_it_be
(
:admin
)
{
create
(
:admin
)
}
let_it_be
(
:admin
)
{
create
(
:admin
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'returns OWNER by default'
do
it
'returns OWNER by default'
do
expect
(
group
.
max_member_access_for_user
(
admin
)).
to
eq
(
Gitlab
::
Access
::
OWNER
)
expect
(
group
.
max_member_access_for_user
(
admin
)).
to
eq
(
Gitlab
::
Access
::
OWNER
)
end
end
end
context
'when admin mode is disabled'
do
it
'returns NO_ACCESS'
do
expect
(
group
.
max_member_access_for_user
(
admin
)).
to
eq
(
Gitlab
::
Access
::
NO_ACCESS
)
end
end
it
'returns NO_ACCESS when only concrete membership should be considered'
do
it
'returns NO_ACCESS when only concrete membership should be considered'
do
expect
(
group
.
max_member_access_for_user
(
admin
,
only_concrete_membership:
true
))
expect
(
group
.
max_member_access_for_user
(
admin
,
only_concrete_membership:
true
))
...
...
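Review bot: The example `'returns NO_ACCESS when only concrete membership should be considered'` stays outside the new `:enable_admin_mode` context, so it now appears to run with admin mode disabled, where the added `'returns NO_ACCESS'` example shows the result is already `NO_ACCESS` without `only_concrete_membership: true`. In that state the example no longer distinguishes the flag from the default and would keep passing if `only_concrete_membership` were ignored. Moving it inside `context 'when admin mode is enabled', :enable_admin_mode do` restores the check that a concrete-membership lookup does not hand an admin `OWNER`. The example's body continues past the end of the hunk.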
spec/models/member_spec.rb
...
@@ -425,12 +425,10 @@ RSpec.describe Member do
...
@@ -425,12 +425,10 @@ RSpec.describe Member do
end
end
context
'when admin mode is disabled'
do
context
'when admin mode is disabled'
do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
it
'rejects setting members.created_by to the given admin current_user'
do
# https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit
'rejects setting members.created_by to the given admin current_user'
do
member
=
described_class
.
add_user
(
source
,
user
,
:maintainer
,
current_user:
admin
)
member
=
described_class
.
add_user
(
source
,
user
,
:maintainer
,
current_user:
admin
)
expect
(
member
.
created_by
).
not_to
be_persisted
expect
(
member
.
created_by
).
to
be_nil
end
end
end
end
...
...
spec/models/user_spec.rb
...
@@ -3961,6 +3961,37 @@ RSpec.describe User do
...
@@ -3961,6 +3961,37 @@ RSpec.describe User do
end
end
end
end
describe
'#can_admin_all_resources?'
,
:request_store
do
it
'returns false for regular user'
do
user
=
build_stubbed
(
:user
)
expect
(
user
.
can_admin_all_resources?
).
to
be_falsy
end
context
'for admin user'
do
include_context
'custom session'
let
(
:user
)
{
build_stubbed
(
:user
,
:admin
)
}
context
'when admin mode is disabled'
do
it
'returns false'
do
expect
(
user
.
can_admin_all_resources?
).
to
be_falsy
end
end
context
'when admin mode is enabled'
do
before
do
Gitlab
::
Auth
::
CurrentUserMode
.
new
(
user
).
request_admin_mode!
Gitlab
::
Auth
::
CurrentUserMode
.
new
(
user
).
enable_admin_mode!
(
password:
user
.
password
)
end
it
'returns true'
do
expect
(
user
.
can_admin_all_resources?
).
to
be_truthy
end
end
end
end
describe
'.ghost'
do
describe
'.ghost'
do
it
"creates a ghost user if one isn't already present"
do
it
"creates a ghost user if one isn't already present"
do
ghost
=
described_class
.
ghost
ghost
=
described_class
.
ghost
...
...
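Review bot: The `#can_admin_all_resources?` examples use `be_falsy` and `be_truthy`, which also accept `nil` and any non-nil object. If the predicate is meant to return a strict boolean, `expect(user.can_admin_all_resources?).to be(false)` and `expect(user.can_admin_all_resources?).to be(true)` pin the exact value, which matters for a method that gates admin access. The `'returns false for regular user'` example would also read more clearly with a one-line comment stating that no admin-mode session exists for that user.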
spec/policies/base_policy_spec.rb
...
@@ -73,10 +73,14 @@ RSpec.describe BasePolicy do
...
@@ -73,10 +73,14 @@ RSpec.describe BasePolicy do
end
end
end
end
describe
'full private access'
do
describe
'full private access
: read_all_resources
'
do
it_behaves_like
'admin only access'
,
:read_all_resources
it_behaves_like
'admin only access'
,
:read_all_resources
end
end
describe
'full private access: admin_all_resources'
do
it_behaves_like
'admin only access'
,
:admin_all_resources
end
describe
'change_repository_storage'
do
describe
'change_repository_storage'
do
it_behaves_like
'admin only access'
,
:change_repository_storage
it_behaves_like
'admin only access'
,
:change_repository_storage
end
end
...
...
spec/policies/group_policy_spec.rb
...
@@ -192,6 +192,16 @@ RSpec.describe GroupPolicy do
...
@@ -192,6 +192,16 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
specify
do
expect_disallowed
(
*
read_group_permissions
)
expect_disallowed
(
*
guest_permissions
)
expect_disallowed
(
*
reporter_permissions
)
expect_disallowed
(
*
developer_permissions
)
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
context
'with admin mode'
,
:enable_admin_mode
do
specify
do
specify
do
expect_allowed
(
*
read_group_permissions
)
expect_allowed
(
*
read_group_permissions
)
expect_allowed
(
*
guest_permissions
)
expect_allowed
(
*
guest_permissions
)
...
@@ -199,10 +209,8 @@ RSpec.describe GroupPolicy do
...
@@ -199,10 +209,8 @@ RSpec.describe GroupPolicy do
expect_allowed
(
*
developer_permissions
)
expect_allowed
(
*
developer_permissions
)
expect_allowed
(
*
maintainer_permissions
)
expect_allowed
(
*
maintainer_permissions
)
expect_allowed
(
*
owner_permissions
)
expect_allowed
(
*
owner_permissions
)
expect_allowed
(
*
admin_permissions
)
end
end
context
'with admin mode'
,
:enable_admin_mode
do
specify
{
expect_allowed
(
*
admin_permissions
)
}
end
end
it_behaves_like
'deploy token does not get confused with user'
do
it_behaves_like
'deploy token does not get confused with user'
do
...
@@ -773,9 +781,15 @@ RSpec.describe GroupPolicy do
...
@@ -773,9 +781,15 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:create_jira_connect_subscription
)
}
it
{
is_expected
.
to
be_allowed
(
:create_jira_connect_subscription
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:create_jira_connect_subscription
)
}
end
end
context
'with owner'
do
context
'with owner'
do
let
(
:current_user
)
{
owner
}
let
(
:current_user
)
{
owner
}
...
@@ -817,9 +831,15 @@ RSpec.describe GroupPolicy do
...
@@ -817,9 +831,15 @@ RSpec.describe GroupPolicy do
context
'admin'
do
context
'admin'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
end
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:read_package
)
}
end
end
context
'with owner'
do
context
'with owner'
do
let
(
:current_user
)
{
owner
}
let
(
:current_user
)
{
owner
}
...
...
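Review bot: The new `specify` for an admin without admin mode (hunk at line 192) calls `expect_disallowed` for the read, guest, reporter, developer, maintainer and owner sets but not for `admin_permissions`, while the `'with admin mode'` block asserts `expect_allowed(*admin_permissions)`. Adding `expect_disallowed(*admin_permissions)` to the first `specify` would cover the most privileged set in the negative case as well. `admin_permissions` is defined outside the visible hunks, so confirm that none of its entries is expected to remain allowed for a non-member admin.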
spec/presenters/projects/import_export/project_export_presenter_spec.rb
...
@@ -86,6 +86,7 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
...
@@ -86,6 +86,7 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
context
'as admin'
do
context
'as admin'
do
let
(
:user
)
{
create
(
:admin
)
}
let
(
:user
)
{
create
(
:admin
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'exports group members as admin'
do
it
'exports group members as admin'
do
expect
(
member_emails
).
to
include
(
'group@member.com'
)
expect
(
member_emails
).
to
include
(
'group@member.com'
)
end
end
...
@@ -96,5 +97,12 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
...
@@ -96,5 +97,12 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
expect
(
member_types
).
to
all
(
eq
(
'Project'
))
expect
(
member_types
).
to
all
(
eq
(
'Project'
))
end
end
end
end
context
'when admin mode is disabled'
do
it
'does not export group members'
do
expect
(
member_emails
).
not_to
include
(
'group@member.com'
)
end
end
end
end
end
end
end
spec/services/groups/import_export/import_service_spec.rb
...
@@ -54,7 +54,7 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -54,7 +54,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end
end
context
'with group_import_ndjson feature flag disabled'
do
context
'with group_import_ndjson feature flag disabled'
do
let
(
:user
)
{
create
(
:
admin
)
}
let
(
:user
)
{
create
(
:
user
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:import_logger
)
{
instance_double
(
Gitlab
::
Import
::
Logger
)
}
let
(
:import_logger
)
{
instance_double
(
Gitlab
::
Import
::
Logger
)
}
...
@@ -63,6 +63,8 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -63,6 +63,8 @@ RSpec.describe Groups::ImportExport::ImportService do
before
do
before
do
stub_feature_flags
(
group_import_ndjson:
false
)
stub_feature_flags
(
group_import_ndjson:
false
)
group
.
add_owner
(
user
)
ImportExportUpload
.
create!
(
group:
group
,
import_file:
import_file
)
ImportExportUpload
.
create!
(
group:
group
,
import_file:
import_file
)
allow
(
Gitlab
::
Import
::
Logger
).
to
receive
(
:build
).
and_return
(
import_logger
)
allow
(
Gitlab
::
Import
::
Logger
).
to
receive
(
:build
).
and_return
(
import_logger
)
...
@@ -95,7 +97,7 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -95,7 +97,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end
end
context
'when importing a ndjson export'
do
context
'when importing a ndjson export'
do
let
(
:user
)
{
create
(
:
admin
)
}
let
(
:user
)
{
create
(
:
user
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:service
)
{
described_class
.
new
(
group:
group
,
user:
user
)
}
let
(
:service
)
{
described_class
.
new
(
group:
group
,
user:
user
)
}
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export.tar.gz'
)
}
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export.tar.gz'
)
}
...
@@ -115,6 +117,10 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -115,6 +117,10 @@ RSpec.describe Groups::ImportExport::ImportService do
end
end
context
'when user has correct permissions'
do
context
'when user has correct permissions'
do
before
do
group
.
add_owner
(
user
)
end
it
'imports group structure successfully'
do
it
'imports group structure successfully'
do
expect
(
subject
).
to
be_truthy
expect
(
subject
).
to
be_truthy
end
end
...
@@ -147,8 +153,6 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -147,8 +153,6 @@ RSpec.describe Groups::ImportExport::ImportService do
end
end
context
'when user does not have correct permissions'
do
context
'when user does not have correct permissions'
do
let
(
:user
)
{
create
(
:user
)
}
it
'logs the error and raises an exception'
do
it
'logs the error and raises an exception'
do
expect
(
import_logger
).
to
receive
(
:error
).
with
(
expect
(
import_logger
).
to
receive
(
:error
).
with
(
group_id:
group
.
id
,
group_id:
group
.
id
,
...
@@ -188,6 +192,10 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -188,6 +192,10 @@ RSpec.describe Groups::ImportExport::ImportService do
context
'when there are errors with the sub-relations'
do
context
'when there are errors with the sub-relations'
do
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export_invalid_subrelations.tar.gz'
)
}
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export_invalid_subrelations.tar.gz'
)
}
before
do
group
.
add_owner
(
user
)
end
it
'successfully imports the group'
do
it
'successfully imports the group'
do
expect
(
subject
).
to
be_truthy
expect
(
subject
).
to
be_truthy
end
end
...
@@ -207,7 +215,7 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -207,7 +215,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end
end
context
'when importing a json export'
do
context
'when importing a json export'
do
let
(
:user
)
{
create
(
:
admin
)
}
let
(
:user
)
{
create
(
:
user
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:service
)
{
described_class
.
new
(
group:
group
,
user:
user
)
}
let
(
:service
)
{
described_class
.
new
(
group:
group
,
user:
user
)
}
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/legacy_group_export.tar.gz'
)
}
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/legacy_group_export.tar.gz'
)
}
...
@@ -227,6 +235,10 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -227,6 +235,10 @@ RSpec.describe Groups::ImportExport::ImportService do
end
end
context
'when user has correct permissions'
do
context
'when user has correct permissions'
do
before
do
group
.
add_owner
(
user
)
end
it
'imports group structure successfully'
do
it
'imports group structure successfully'
do
expect
(
subject
).
to
be_truthy
expect
(
subject
).
to
be_truthy
end
end
...
@@ -259,8 +271,6 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -259,8 +271,6 @@ RSpec.describe Groups::ImportExport::ImportService do
end
end
context
'when user does not have correct permissions'
do
context
'when user does not have correct permissions'
do
let
(
:user
)
{
create
(
:user
)
}
it
'logs the error and raises an exception'
do
it
'logs the error and raises an exception'
do
expect
(
import_logger
).
to
receive
(
:error
).
with
(
expect
(
import_logger
).
to
receive
(
:error
).
with
(
group_id:
group
.
id
,
group_id:
group
.
id
,
...
@@ -300,6 +310,10 @@ RSpec.describe Groups::ImportExport::ImportService do
...
@@ -300,6 +310,10 @@ RSpec.describe Groups::ImportExport::ImportService do
context
'when there are errors with the sub-relations'
do
context
'when there are errors with the sub-relations'
do
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/legacy_group_export_invalid_subrelations.tar.gz'
)
}
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/legacy_group_export_invalid_subrelations.tar.gz'
)
}
before
do
group
.
add_owner
(
user
)
end
it
'successfully imports the group'
do
it
'successfully imports the group'
do
expect
(
subject
).
to
be_truthy
expect
(
subject
).
to
be_truthy
end
end
...
...
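Review bot: Every `let(:user) { create(:admin) }` in this spec becomes `create(:user)` combined with `group.add_owner(user)`, so the visible hunks no longer exercise an admin at all. Since this commit makes admin access to groups depend on admin mode, a pair of examples would keep that path covered: an admin under `:enable_admin_mode` imports successfully, and an admin without it reaches the same `'logs the error and raises an exception'` outcome as a user lacking permissions. In the `'with group_import_ndjson feature flag disabled'` context `group.add_owner(user)` sits in the shared `before`, so any permission-denied example there (not visible in these hunks) would need its own non-member user.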
spec/workers/purge_dependency_proxy_cache_worker_spec.rb
...
@@ -26,6 +26,7 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
...
@@ -26,6 +26,7 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
end
end
context
'an admin user'
do
context
'an admin user'
do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
include_examples
'an idempotent worker'
do
include_examples
'an idempotent worker'
do
let
(
:job_args
)
{
[
user
.
id
,
group_id
]
}
let
(
:job_args
)
{
[
user
.
id
,
group_id
]
}
...
@@ -41,6 +42,11 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
...
@@ -41,6 +42,11 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
end
end
end
end
context
'when admin mode is disabled'
do
it_behaves_like
'returns nil'
end
end
context
'a non-admin user'
do
context
'a non-admin user'
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
...
...
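Review bot: The added `'when admin mode is disabled'` context relies solely on `it_behaves_like 'returns nil'`, which by its name checks the return value only; the shared example is defined outside the hunk, so this is inferred. For an authorization check it is worth also asserting the absence of the side effect, i.e. that the group's cached dependency proxy records are still present after `subject` runs. Otherwise a regression that purges the cache and then returns `nil` would go unnoticed.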