Commit f539b03a authored by Diego Louzán's avatar Diego Louzán Committed by Bob Van Landuyt

Use policies framework for determining admin access to groups

parent 3c0902c7
...@@ -505,7 +505,7 @@ class Group < Namespace ...@@ -505,7 +505,7 @@ class Group < Namespace
# @param only_concrete_membership [Bool] whether require admin concrete membership status # @param only_concrete_membership [Bool] whether require admin concrete membership status
def max_member_access_for_user(user, only_concrete_membership: false) def max_member_access_for_user(user, only_concrete_membership: false)
return GroupMember::NO_ACCESS unless user return GroupMember::NO_ACCESS unless user
return GroupMember::OWNER if user.admin? && !only_concrete_membership return GroupMember::OWNER if user.can_admin_all_resources? && !only_concrete_membership
max_member_access = members_with_parents.where(user_id: user) max_member_access = members_with_parents.where(user_id: user)
.reorder(access_level: :desc) .reorder(access_level: :desc)
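Review bot: The OWNER shortcut in `max_member_access_for_user` now rests on `user.can_admin_all_resources?`, a policy check, instead of the stored `admin?` attribute, and the YARD comment above the method does not mention this. Per the BasePolicy comment added in this commit, that ability is affected by admin mode, so the same administrator can get OWNER in one context and their concrete membership level in another. I would add a line to the method comment such as `# Administrators are reported as OWNER only while :admin_all_resources is enabled for them (see BasePolicy).` Callers that run outside a web request (background jobs, mailers) presumably have no admin-mode session, so it is worth confirming none of them relied on the old implicit OWNER result. The method body continues outside the hunk.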
......
...@@ -1704,6 +1704,10 @@ class User < ApplicationRecord ...@@ -1704,6 +1704,10 @@ class User < ApplicationRecord
can?(:read_all_resources) can?(:read_all_resources)
end end
def can_admin_all_resources?
can?(:admin_all_resources)
end
def update_two_factor_requirement def update_two_factor_requirement
periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period) periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period)
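Review bot: `can_admin_all_resources?` is added without a comment, although this commit uses it as a replacement for `admin?` in `Group#max_member_access_for_user` and the two are not equivalent. A short comment above the method would stop later callers from treating them as interchangeable, for example `# True when the :admin_all_resources ability is enabled for this user; unlike #admin? this goes through BasePolicy and is affected by admin mode.` The neighbouring `can_read_all_resources?` would benefit from the same kind of note, but its definition starts outside the hunk.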
......
...@@ -55,14 +55,17 @@ class BasePolicy < DeclarativePolicy::Base ...@@ -55,14 +55,17 @@ class BasePolicy < DeclarativePolicy::Base
prevent :read_cross_project prevent :read_cross_project
end end
rule { admin }.policy do
# Only for actual administrator accounts, behaviour affected by admin mode application setting
enable :admin_all_resources
# Policy extended in EE to also enable auditors # Policy extended in EE to also enable auditors
rule { admin }.enable :read_all_resources enable :read_all_resources
enable :change_repository_storage
end
rule { default }.enable :read_cross_project rule { default }.enable :read_cross_project
condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? } condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
rule { admin }.enable :change_repository_storage
end end
BasePolicy.prepend_if_ee('EE::BasePolicy') BasePolicy.prepend_if_ee('EE::BasePolicy')
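Review bot: The comment `# Policy extended in EE to also enable auditors` now sits inside the `rule { admin }.policy do` block, where it can be read as applying to the whole block rather than only to `enable :read_all_resources`. Since `:admin_all_resources` in the same block must stay admin-only (the new BasePolicy spec asserts auditors are disallowed), I would make the scope explicit, for example `# :read_all_resources is additionally enabled for auditors in EE::BasePolicy`. The EE override is not visible on this page, so the exact wording should be checked against it.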
---
title: Use policies for group access rights as admin
merge_request: 55349
author: Diego Louzán
type: changed
...@@ -41,7 +41,12 @@ RSpec.describe Groups::ClustersController do ...@@ -41,7 +41,12 @@ RSpec.describe Groups::ClustersController do
allow(controller).to receive(:prometheus_adapter).and_return(prometheus_adapter) allow(controller).to receive(:prometheus_adapter).and_return(prometheus_adapter)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it { expect { go }.to be_allowed_for(:admin) } it { expect { go }.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { expect { go }.to be_denied_for(:admin) }
end
it { expect { go }.to be_allowed_for(:owner).of(clusterable) } it { expect { go }.to be_allowed_for(:owner).of(clusterable) }
it { expect { go }.to be_allowed_for(:maintainer).of(clusterable) } it { expect { go }.to be_allowed_for(:maintainer).of(clusterable) }
it { expect { go }.to be_denied_for(:developer).of(clusterable) } it { expect { go }.to be_denied_for(:developer).of(clusterable) }
...@@ -78,7 +83,12 @@ RSpec.describe Groups::ClustersController do ...@@ -78,7 +83,12 @@ RSpec.describe Groups::ClustersController do
end end
describe 'security' do describe 'security' do
context 'when admin mode is enabled', :enable_admin_mode do
it { expect { get_cluster_environments }.to be_allowed_for(:admin) } it { expect { get_cluster_environments }.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { expect { get_cluster_environments }.to be_denied_for(:admin) }
end
it { expect { get_cluster_environments }.to be_allowed_for(:owner).of(group) } it { expect { get_cluster_environments }.to be_allowed_for(:owner).of(group) }
it { expect { get_cluster_environments }.to be_allowed_for(:maintainer).of(group) } it { expect { get_cluster_environments }.to be_allowed_for(:maintainer).of(group) }
it { expect { get_cluster_environments }.to be_denied_for(:developer).of(group) } it { expect { get_cluster_environments }.to be_denied_for(:developer).of(group) }
......
...@@ -20,7 +20,12 @@ RSpec.describe '[EE] Private Group access' do ...@@ -20,7 +20,12 @@ RSpec.describe '[EE] Private Group access' do
subject { group_insights_path(group) } subject { group_insights_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:auditor) } it { is_expected.to be_allowed_for(:auditor) }
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
......
...@@ -75,9 +75,7 @@ RSpec.describe Event do ...@@ -75,9 +75,7 @@ RSpec.describe Event do
end end
context 'when admin mode disabled' do context 'when admin mode disabled' do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode it 'is not visible to admin', :aggregate_failures do
# See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit 'is not visible to admin', :aggregate_failures do
expect(event).not_to be_visible_to(admin) expect(event).not_to be_visible_to(admin)
end end
end end
......
...@@ -265,6 +265,14 @@ RSpec.describe User do ...@@ -265,6 +265,14 @@ RSpec.describe User do
end end
end end
describe '#can_admin_all_resources?' do
it 'returns false for auditor user' do
user = build(:user, :auditor)
expect(user.can_admin_all_resources?).to be_falsy
end
end
describe '#forget_me!' do describe '#forget_me!' do
subject { create(:user, remember_created_at: Time.current) } subject { create(:user, remember_created_at: Time.current) }
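Review bot: The new `#can_admin_all_resources?` spec covers only the auditor case, so nothing here pins the behaviour the rest of the commit depends on: true for an administrator with admin mode enabled, false for the same administrator without it. The BasePolicy spec hunk on this page likewise shows only the 'forbids auditors' example for `:admin_all_resources`. I would add both admin cases beside the auditor one, using the `:enable_admin_mode` metadata the other specs in this commit use. Whether that metadata takes effect for a `build`-only user should be confirmed; switch to `create` if it does not.

```ruby
describe '#can_admin_all_resources?' do
  # … unchanged: auditor example …

  it 'returns true for an admin when admin mode is enabled', :enable_admin_mode do
    user = build(:user, :admin)

    expect(user.can_admin_all_resources?).to be_truthy
  end

  it 'returns false for an admin when admin mode is disabled' do
    user = build(:user, :admin)

    expect(user.can_admin_all_resources?).to be_falsy
  end
end
```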
......
...@@ -26,4 +26,10 @@ RSpec.describe BasePolicy do ...@@ -26,4 +26,10 @@ RSpec.describe BasePolicy do
is_expected.to be_allowed(:read_all_resources) is_expected.to be_allowed(:read_all_resources)
end end
end end
describe 'admin all resources' do
it 'forbids auditors' do
is_expected.to be_disallowed(:admin_all_resources)
end
end
end end
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe GroupPolicy do RSpec.describe GroupPolicy do
include AdminModeHelper
include_context 'GroupPolicy context' include_context 'GroupPolicy context'
let(:epic_rules) do let(:epic_rules) do
...@@ -31,9 +33,15 @@ RSpec.describe GroupPolicy do ...@@ -31,9 +33,15 @@ RSpec.describe GroupPolicy do
context 'when user is admin' do context 'when user is admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*epic_rules) } it { is_expected.to be_allowed(*epic_rules) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(*epic_rules) }
end
end
context 'when user is maintainer' do context 'when user is maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
...@@ -273,7 +281,7 @@ RSpec.describe GroupPolicy do ...@@ -273,7 +281,7 @@ RSpec.describe GroupPolicy do
end end
context 'when group repository analytics is not available' do context 'when group repository analytics is not available' do
let(:current_user) { admin } let(:current_user) { maintainer }
before do before do
stub_licensed_features(group_repository_analytics: false) stub_licensed_features(group_repository_analytics: false)
...@@ -290,9 +298,15 @@ RSpec.describe GroupPolicy do ...@@ -290,9 +298,15 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_group_timelogs) } it { is_expected.to be_allowed(:read_group_timelogs) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_group_timelogs) }
end
end
context 'with owner' do context 'with owner' do
let(:current_user) { owner } let(:current_user) { owner }
...@@ -337,7 +351,9 @@ RSpec.describe GroupPolicy do ...@@ -337,7 +351,9 @@ RSpec.describe GroupPolicy do
stub_licensed_features(group_timelogs: false) stub_licensed_features(group_timelogs: false)
end end
it { is_expected.to be_disallowed(:read_group_timelogs) } it 'is disallowed even with admin mode', :enable_admin_mode do
is_expected.to be_disallowed(:read_group_timelogs)
end
end end
describe 'per group SAML' do describe 'per group SAML' do
...@@ -396,7 +412,9 @@ RSpec.describe GroupPolicy do ...@@ -396,7 +412,9 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
it { is_expected.to be_disallowed(:admin_saml_group_links) } it 'is disallowed even with admin mode', :enable_admin_mode do
is_expected.to be_disallowed(:admin_saml_group_links)
end
end end
end end
end end
...@@ -430,9 +448,16 @@ RSpec.describe GroupPolicy do ...@@ -430,9 +448,16 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:admin_group_saml) } it { is_expected.to be_allowed(:admin_group_saml) }
it { is_expected.to be_disallowed(:admin_saml_group_links) } it { is_expected.to be_disallowed(:admin_saml_group_links) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:admin_group_saml) }
it { is_expected.to be_disallowed(:admin_saml_group_links) }
end
end
end end
context 'with an enabled SAML provider' do context 'with an enabled SAML provider' do
...@@ -453,9 +478,15 @@ RSpec.describe GroupPolicy do ...@@ -453,9 +478,15 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:admin_saml_group_links) } it { is_expected.to be_allowed(:admin_saml_group_links) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:admin_saml_group_links) }
end
end
context 'when the group is a subgroup' do context 'when the group is a subgroup' do
let_it_be(:subgroup) { create(:group, :private, parent: group) } let_it_be(:subgroup) { create(:group, :private, parent: group) }
let(:current_user) { owner } let(:current_user) { owner }
...@@ -503,11 +534,19 @@ RSpec.describe GroupPolicy do ...@@ -503,11 +534,19 @@ RSpec.describe GroupPolicy do
context 'as an admin' do context 'as an admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows access without a SAML session' do it 'allows access without a SAML session' do
is_expected.to allow_action(:read_group) is_expected.to allow_action(:read_group)
end end
end end
context 'when admin mode is disabled' do
it 'prevents access without a SAML session' do
is_expected.not_to allow_action(:read_group)
end
end
end
context 'as an auditor' do context 'as an auditor' do
let(:current_user) { create(:user, :auditor) } let(:current_user) { create(:user, :auditor) }
...@@ -598,10 +637,18 @@ RSpec.describe GroupPolicy do ...@@ -598,10 +637,18 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_disallowed(:override_group_member) } it { is_expected.to be_disallowed(:override_group_member) }
it { is_expected.to be_allowed(:admin_ldap_group_links) } it { is_expected.to be_allowed(:admin_ldap_group_links) }
it { is_expected.to be_allowed(:admin_ldap_group_settings) } it { is_expected.to be_allowed(:admin_ldap_group_settings) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:override_group_member) }
it { is_expected.to be_disallowed(:admin_ldap_group_links) }
it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
end
end
end end
context 'when LDAP sync is enabled' do context 'when LDAP sync is enabled' do
...@@ -670,11 +717,19 @@ RSpec.describe GroupPolicy do ...@@ -670,11 +717,19 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:override_group_member) } it { is_expected.to be_allowed(:override_group_member) }
it { is_expected.to be_allowed(:admin_ldap_group_links) } it { is_expected.to be_allowed(:admin_ldap_group_links) }
it { is_expected.to be_allowed(:admin_ldap_group_settings) } it { is_expected.to be_allowed(:admin_ldap_group_settings) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:override_group_member) }
it { is_expected.to be_disallowed(:admin_ldap_group_links) }
it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
end
end
context 'when memberships locked to LDAP' do context 'when memberships locked to LDAP' do
before do before do
stub_application_setting(allow_group_owners_to_manage_ldap: true) stub_application_setting(allow_group_owners_to_manage_ldap: true)
...@@ -756,9 +811,15 @@ RSpec.describe GroupPolicy do ...@@ -756,9 +811,15 @@ RSpec.describe GroupPolicy do
context 'with admin' do context 'with admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_group_credentials_inventory) } it { is_expected.to be_allowed(:read_group_credentials_inventory) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_group_credentials_inventory) }
end
end
context 'with owner' do context 'with owner' do
let(:current_user) { owner } let(:current_user) { owner }
...@@ -860,9 +921,15 @@ RSpec.describe GroupPolicy do ...@@ -860,9 +921,15 @@ RSpec.describe GroupPolicy do
context 'with admin' do context 'with admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*abilities) } it { is_expected.to be_allowed(*abilities) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(*abilities) }
end
end
context 'with owner' do context 'with owner' do
let(:current_user) { owner } let(:current_user) { owner }
...@@ -1070,10 +1137,22 @@ RSpec.describe GroupPolicy do ...@@ -1070,10 +1137,22 @@ RSpec.describe GroupPolicy do
end end
end end
%w[admin owner maintainer developer reporter].each do |role| %w[owner maintainer developer reporter].each do |role|
include_examples 'policy by role', role include_examples 'policy by role', role
end end
context 'admin' do
let(:current_user) { admin }
it 'is allowed when admin mode is enabled', :enable_admin_mode do
is_expected.to be_allowed(action)
end
it 'is not allowed when admin mode is disabled' do
is_expected.to be_disallowed(action)
end
end
context 'guest' do context 'guest' do
let(:current_user) { guest } let(:current_user) { guest }
...@@ -1131,9 +1210,15 @@ RSpec.describe GroupPolicy do ...@@ -1131,9 +1210,15 @@ RSpec.describe GroupPolicy do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_default_branch_protection) } it { is_expected.to be_allowed(:update_default_branch_protection) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:update_default_branch_protection) }
end
end
context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do
before do before do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
...@@ -1159,16 +1244,28 @@ RSpec.describe GroupPolicy do ...@@ -1159,16 +1244,28 @@ RSpec.describe GroupPolicy do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_default_branch_protection) } it { is_expected.to be_allowed(:update_default_branch_protection) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:update_default_branch_protection) }
end
end
context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do
before do before do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_default_branch_protection) } it { is_expected.to be_allowed(:update_default_branch_protection) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:update_default_branch_protection) }
end
end
end end
end end
...@@ -1226,18 +1323,23 @@ RSpec.describe GroupPolicy do ...@@ -1226,18 +1323,23 @@ RSpec.describe GroupPolicy do
let(:policy) { :read_ci_minutes_quota } let(:policy) { :read_ci_minutes_quota }
where(:role, :allowed) do where(:role, :admin_mode, :allowed) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | true :developer | nil | true
:maintainer | true :maintainer | nil | true
:owner | true :owner | nil | true
:admin | true :admin | true | true
:admin | false | false
end end
with_them do with_them do
let(:current_user) { public_send(role) } let(:current_user) { public_send(role) }
before do
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) } it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end end
end end
...@@ -1247,18 +1349,23 @@ RSpec.describe GroupPolicy do ...@@ -1247,18 +1349,23 @@ RSpec.describe GroupPolicy do
let(:policy) { :read_group_audit_events } let(:policy) { :read_group_audit_events }
where(:role, :allowed) do where(:role, :admin_mode, :allowed) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | true :developer | nil | true
:maintainer | true :maintainer | nil | true
:owner | true :owner | nil | true
:admin | true :admin | true | true
:admin | false | false
end end
with_them do with_them do
let(:current_user) { public_send(role) } let(:current_user) { public_send(role) }
before do
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) } it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end end
end end
...@@ -1397,19 +1504,21 @@ RSpec.describe GroupPolicy do ...@@ -1397,19 +1504,21 @@ RSpec.describe GroupPolicy do
let(:policy) { :admin_merge_request_approval_settings } let(:policy) { :admin_merge_request_approval_settings }
where(:role, :licensed, :allowed) do where(:role, :licensed, :admin_mode, :allowed) do
:guest | true | false :guest | true | nil | false
:guest | false | false :guest | false | nil | false
:reporter | true | false :reporter | true | nil | false
:reporter | false | false :reporter | false | nil | false
:developer | true | false :developer | true | nil | false
:developer | false | false :developer | false | nil | false
:maintainer | true | false :maintainer | true | nil | false
:maintainer | false | false :maintainer | false | nil | false
:owner | true | true :owner | true | nil | true
:owner | false | false :owner | false | nil | false
:admin | true | true :admin | true | true | true
:admin | false | false :admin | false | true | false
:admin | true | false | false
:admin | false | false | false
end end
with_them do with_them do
...@@ -1417,6 +1526,7 @@ RSpec.describe GroupPolicy do ...@@ -1417,6 +1526,7 @@ RSpec.describe GroupPolicy do
before do before do
stub_licensed_features(group_merge_request_approval_settings: licensed) stub_licensed_features(group_merge_request_approval_settings: licensed)
enable_admin_mode!(current_user) if admin_mode
end end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) } it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
...@@ -1428,19 +1538,21 @@ RSpec.describe GroupPolicy do ...@@ -1428,19 +1538,21 @@ RSpec.describe GroupPolicy do
let(:policy) { :start_trial } let(:policy) { :start_trial }
where(:role, :eligible_for_trial, :allowed) do where(:role, :eligible_for_trial, :admin_mode, :allowed) do
:guest | true | false :guest | true | nil | false
:guest | false | false :guest | false | nil | false
:reporter | true | false :reporter | true | nil | false
:reporter | false | false :reporter | false | nil | false
:developer | true | false :developer | true | nil | false
:developer | false | false :developer | false | nil | false
:maintainer | true | true :maintainer | true | nil | true
:maintainer | false | false :maintainer | false | nil | false
:owner | true | true :owner | true | nil | true
:owner | false | false :owner | false | nil | false
:admin | true | true :admin | true | true | true
:admin | false | false :admin | false | true | false
:admin | true | false | false
:admin | false | false | false
end end
with_them do with_them do
...@@ -1448,6 +1560,7 @@ RSpec.describe GroupPolicy do ...@@ -1448,6 +1560,7 @@ RSpec.describe GroupPolicy do
before do before do
allow(group).to receive(:eligible_for_trial?).and_return(eligible_for_trial) allow(group).to receive(:eligible_for_trial?).and_return(eligible_for_trial)
enable_admin_mode!(current_user) if admin_mode
end end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) } it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
...@@ -1459,16 +1572,17 @@ RSpec.describe GroupPolicy do ...@@ -1459,16 +1572,17 @@ RSpec.describe GroupPolicy do
shared_context 'compliance framework permissions' do shared_context 'compliance framework permissions' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:role, :licensed, :feature_flag, :allowed) do where(:role, :licensed, :feature_flag, :admin_mode, :allowed) do
:owner | true | true | true :owner | true | true | nil | true
:owner | true | false | false :owner | true | false | nil | false
:owner | false | true | false :owner | false | true | nil | false
:owner | false | false | false :owner | false | false | nil | false
:admin | true | true | true :admin | true | true | true | true
:maintainer | true | true | false :admin | true | true | false | false
:developer | true | true | false :maintainer | true | true | nil | false
:reporter | true | true | false :developer | true | true | nil | false
:guest | true | true | false :reporter | true | true | nil | false
:guest | true | true | nil | false
end end
with_them do with_them do
...@@ -1477,6 +1591,7 @@ RSpec.describe GroupPolicy do ...@@ -1477,6 +1591,7 @@ RSpec.describe GroupPolicy do
before do before do
stub_licensed_features(licensed_feature => licensed) stub_licensed_features(licensed_feature => licensed)
stub_feature_flags(ff_custom_compliance_frameworks: feature_flag) stub_feature_flags(ff_custom_compliance_frameworks: feature_flag)
enable_admin_mode!(current_user) if admin_mode
end end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) } it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
...@@ -1522,19 +1637,21 @@ RSpec.describe GroupPolicy do ...@@ -1522,19 +1637,21 @@ RSpec.describe GroupPolicy do
context 'when feature is enabled and license include the feature' do context 'when feature is enabled and license include the feature' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:role, :allowed) do where(:role, :admin_mode, :allowed) do
:admin | true :admin | true | true
:owner | true :admin | false | false
:maintainer | true :owner | nil | true
:developer | true :maintainer | nil | true
:reporter | true :developer | nil | true
:guest | false :reporter | nil | true
:non_group_member | false :guest | nil | false
:non_group_member | nil | false
end end
before do before do
stub_feature_flags(group_devops_adoption: true) stub_feature_flags(group_devops_adoption: true)
stub_licensed_features(group_level_devops_adoption: true) stub_licensed_features(group_level_devops_adoption: true)
enable_admin_mode!(current_user) if admin_mode
end end
with_them do with_them do
......
...@@ -4,9 +4,14 @@ require 'spec_helper' ...@@ -4,9 +4,14 @@ require 'spec_helper'
RSpec.describe Epics::TransferService do RSpec.describe Epics::TransferService do
describe '#execute' do describe '#execute' do
let_it_be(:user) { create(:admin) } let_it_be(:user) { create(:user) }
let_it_be(:new_group, refind: true) { create(:group) } let_it_be(:new_group, refind: true) { create(:group) }
let_it_be(:old_group, refind: true) { create(:group) } let_it_be(:old_group, refind: true) { create(:group) }
before do
old_group.add_maintainer(user) if old_group
end
subject(:service) { described_class.new(user, old_group, project) } subject(:service) { described_class.new(user, old_group, project) }
context 'when old_group is present' do context 'when old_group is present' do
......
...@@ -114,7 +114,7 @@ RSpec.describe TodoService do ...@@ -114,7 +114,7 @@ RSpec.describe TodoService do
context 'for mentioned users' do context 'for mentioned users' do
let(:todo_params) { { action: Todo::MENTIONED } } let(:todo_params) { { action: Todo::MENTIONED } }
let(:todos_for) { [member, author, guest, admin] } let(:todos_for) { [member, author, guest] }
let(:todos_not_for) { [non_member, john_doe, skipped] } let(:todos_not_for) { [non_member, john_doe, skipped] }
include_examples 'todos creation' include_examples 'todos creation'
...@@ -126,7 +126,7 @@ RSpec.describe TodoService do ...@@ -126,7 +126,7 @@ RSpec.describe TodoService do
end end
let(:todo_params) { { action: Todo::DIRECTLY_ADDRESSED } } let(:todo_params) { { action: Todo::DIRECTLY_ADDRESSED } }
let(:todos_for) { [member, author, guest, admin] } let(:todos_for) { [member, author, guest] }
let(:todos_not_for) { [non_member, john_doe, skipped] } let(:todos_not_for) { [non_member, john_doe, skipped] }
include_examples 'todos creation' include_examples 'todos creation'
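Review bot: `admin` is dropped from `todos_for` in both the 'for mentioned users' context and the directly-addressed context, but it is not added to `todos_not_for`, so the spec no longer asserts anything about an administrator who is mentioned while admin mode is off. If the intent is that such an admin gets no todo, pin it with `let(:todos_not_for) { [non_member, john_doe, skipped, admin] }`. A sibling context tagged `:enable_admin_mode` that keeps `admin` in `todos_for` would cover the other half. Both contexts start outside the visible hunks, so confirm that `admin` is still defined where they run.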
......
...@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/edit.html.haml' do ...@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/edit.html.haml' do
assign(:group, group) assign(:group, group)
allow(view).to receive(:current_user).and_return(user) allow(view).to receive(:current_user).and_return(user)
allow(user).to receive(:can_admin_all_resources?).and_return(false)
allow(user).to receive(:can?).with(:admin_compliance_pipeline_configuration, group).and_return(true) allow(user).to receive(:can?).with(:admin_compliance_pipeline_configuration, group).and_return(true)
allow(view).to receive(:params).and_return(id: 1) allow(view).to receive(:params).and_return(id: 1)
end end
......
...@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/new.html.haml' do ...@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/new.html.haml' do
assign(:group, group) assign(:group, group)
allow(view).to receive(:current_user).and_return(user) allow(view).to receive(:current_user).and_return(user)
allow(user).to receive(:can_admin_all_resources?).and_return(false)
allow(user).to receive(:can?).with(:admin_compliance_pipeline_configuration, group).and_return(true) allow(user).to receive(:can?).with(:admin_compliance_pipeline_configuration, group).and_return(true)
end end
......
...@@ -6,7 +6,7 @@ module DeclarativePolicy ...@@ -6,7 +6,7 @@ module DeclarativePolicy
# Policy class (context_class here). See Base.rule # Policy class (context_class here). See Base.rule
# #
# Note that the #policy method just performs an #instance_eval, # Note that the #policy method just performs an #instance_eval,
# which is useful for multiple #enable or #prevent callse. # which is useful for multiple #enable or #prevent calls.
# #
# Also provides a #method_missing proxy to the context # Also provides a #method_missing proxy to the context
# class's class methods, so that helper methods can be # class's class methods, so that helper methods can be
......
...@@ -10,7 +10,8 @@ RSpec.describe Groups::Clusters::ApplicationsController do ...@@ -10,7 +10,8 @@ RSpec.describe Groups::Clusters::ApplicationsController do
end end
shared_examples 'a secure endpoint' do shared_examples 'a secure endpoint' do
it { expect { subject }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { subject }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { subject }.to be_denied_for(:admin) }
it { expect { subject }.to be_allowed_for(:owner).of(group) } it { expect { subject }.to be_allowed_for(:owner).of(group) }
it { expect { subject }.to be_allowed_for(:maintainer).of(group) } it { expect { subject }.to be_allowed_for(:maintainer).of(group) }
it { expect { subject }.to be_denied_for(:developer).of(group) } it { expect { subject }.to be_denied_for(:developer).of(group) }
......
...@@ -99,7 +99,8 @@ RSpec.describe Groups::ClustersController do ...@@ -99,7 +99,8 @@ RSpec.describe Groups::ClustersController do
describe 'security' do describe 'security' do
let(:cluster) { create(:cluster, :provided_by_gcp, cluster_type: :group_type, groups: [group]) } let(:cluster) { create(:cluster, :provided_by_gcp, cluster_type: :group_type, groups: [group]) }
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -183,7 +184,8 @@ RSpec.describe Groups::ClustersController do ...@@ -183,7 +184,8 @@ RSpec.describe Groups::ClustersController do
include_examples 'GET new cluster shared examples' include_examples 'GET new cluster shared examples'
describe 'security' do describe 'security' do
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -316,7 +318,8 @@ RSpec.describe Groups::ClustersController do ...@@ -316,7 +318,8 @@ RSpec.describe Groups::ClustersController do
allow(WaitForClusterCreationWorker).to receive(:perform_in).and_return(nil) allow(WaitForClusterCreationWorker).to receive(:perform_in).and_return(nil)
end end
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -418,7 +421,8 @@ RSpec.describe Groups::ClustersController do ...@@ -418,7 +421,8 @@ RSpec.describe Groups::ClustersController do
end end
describe 'security' do describe 'security' do
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -486,7 +490,8 @@ RSpec.describe Groups::ClustersController do ...@@ -486,7 +490,8 @@ RSpec.describe Groups::ClustersController do
allow(WaitForClusterCreationWorker).to receive(:perform_in) allow(WaitForClusterCreationWorker).to receive(:perform_in)
end end
it { expect { post_create_aws }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { post_create_aws }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { post_create_aws }.to be_denied_for(:admin) }
it { expect { post_create_aws }.to be_allowed_for(:owner).of(group) } it { expect { post_create_aws }.to be_allowed_for(:owner).of(group) }
it { expect { post_create_aws }.to be_allowed_for(:maintainer).of(group) } it { expect { post_create_aws }.to be_allowed_for(:maintainer).of(group) }
it { expect { post_create_aws }.to be_denied_for(:developer).of(group) } it { expect { post_create_aws }.to be_denied_for(:developer).of(group) }
...@@ -544,7 +549,8 @@ RSpec.describe Groups::ClustersController do ...@@ -544,7 +549,8 @@ RSpec.describe Groups::ClustersController do
end end
end end
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -580,7 +586,8 @@ RSpec.describe Groups::ClustersController do ...@@ -580,7 +586,8 @@ RSpec.describe Groups::ClustersController do
end end
describe 'security' do describe 'security' do
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -619,7 +626,8 @@ RSpec.describe Groups::ClustersController do ...@@ -619,7 +626,8 @@ RSpec.describe Groups::ClustersController do
end end
describe 'security' do describe 'security' do
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -651,7 +659,8 @@ RSpec.describe Groups::ClustersController do ...@@ -651,7 +659,8 @@ RSpec.describe Groups::ClustersController do
end end
describe 'security' do describe 'security' do
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -759,7 +768,8 @@ RSpec.describe Groups::ClustersController do ...@@ -759,7 +768,8 @@ RSpec.describe Groups::ClustersController do
describe 'security' do describe 'security' do
let_it_be(:cluster) { create(:cluster, :provided_by_gcp, cluster_type: :group_type, groups: [group]) } let_it_be(:cluster) { create(:cluster, :provided_by_gcp, cluster_type: :group_type, groups: [group]) }
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
...@@ -827,7 +837,8 @@ RSpec.describe Groups::ClustersController do ...@@ -827,7 +837,8 @@ RSpec.describe Groups::ClustersController do
describe 'security' do describe 'security' do
let_it_be(:cluster) { create(:cluster, :provided_by_gcp, :production_environment, cluster_type: :group_type, groups: [group]) } let_it_be(:cluster) { create(:cluster, :provided_by_gcp, :production_environment, cluster_type: :group_type, groups: [group]) }
it { expect { go }.to be_allowed_for(:admin) } it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
it { expect { go }.to be_allowed_for(:owner).of(group) } it { expect { go }.to be_allowed_for(:owner).of(group) }
it { expect { go }.to be_allowed_for(:maintainer).of(group) } it { expect { go }.to be_allowed_for(:maintainer).of(group) }
it { expect { go }.to be_denied_for(:developer).of(group) } it { expect { go }.to be_denied_for(:developer).of(group) }
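Review bot: The pair `it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { ... }` and `it('is denied for admin when admin mode is disabled') { ... }` is pasted into thirteen 'security' blocks in this file, differing only in the call under test (`go` or `post_create_aws`). The Groups::Clusters::ApplicationsController spec in this same commit keeps the identical pair inside `shared_examples 'a secure endpoint'`. Doing the same here, with the request supplied through a `let`, would leave one place to update when the admin-mode expectation changes and make it harder for one endpoint to drift from the rest. The surrounding `describe 'security'` blocks begin and end outside the hunks shown.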
......
...@@ -4,17 +4,23 @@ require 'spec_helper' ...@@ -4,17 +4,23 @@ require 'spec_helper'
RSpec.describe GroupsController, factory_default: :keep do RSpec.describe GroupsController, factory_default: :keep do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
include AdminModeHelper
let_it_be_with_refind(:group) { create_default(:group, :public) } let_it_be_with_refind(:group) { create_default(:group, :public) }
let_it_be_with_refind(:project) { create(:project, namespace: group) } let_it_be_with_refind(:project) { create(:project, namespace: group) }
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user) }
let_it_be(:admin) { create(:admin) } let_it_be(:admin_with_admin_mode) { create(:admin) }
let_it_be(:admin_without_admin_mode) { create(:admin) }
let_it_be(:group_member) { create(:group_member, group: group, user: user) } let_it_be(:group_member) { create(:group_member, group: group, user: user) }
let_it_be(:owner) { group.add_owner(create(:user)).user } let_it_be(:owner) { group.add_owner(create(:user)).user }
let_it_be(:maintainer) { group.add_maintainer(create(:user)).user } let_it_be(:maintainer) { group.add_maintainer(create(:user)).user }
let_it_be(:developer) { group.add_developer(create(:user)).user } let_it_be(:developer) { group.add_developer(create(:user)).user }
let_it_be(:guest) { group.add_guest(create(:user)).user } let_it_be(:guest) { group.add_guest(create(:user)).user }
before do
enable_admin_mode!(admin_with_admin_mode)
end
shared_examples 'member with ability to create subgroups' do shared_examples 'member with ability to create subgroups' do
it 'renders the new page' do it 'renders the new page' do
sign_in(member) sign_in(member)
...@@ -105,10 +111,10 @@ RSpec.describe GroupsController, factory_default: :keep do ...@@ -105,10 +111,10 @@ RSpec.describe GroupsController, factory_default: :keep do
[true, false].each do |can_create_group_status| [true, false].each do |can_create_group_status|
context "and can_create_group is #{can_create_group_status}" do context "and can_create_group is #{can_create_group_status}" do
before do before do
User.where(id: [admin, owner, maintainer, developer, guest]).update_all(can_create_group: can_create_group_status) User.where(id: [admin_with_admin_mode, admin_without_admin_mode, owner, maintainer, developer, guest]).update_all(can_create_group: can_create_group_status)
end end
[:admin, :owner, :maintainer].each do |member_type| [:admin_with_admin_mode, :owner, :maintainer].each do |member_type|
context "and logged in as #{member_type.capitalize}" do context "and logged in as #{member_type.capitalize}" do
it_behaves_like 'member with ability to create subgroups' do it_behaves_like 'member with ability to create subgroups' do
let(:member) { send(member_type) } let(:member) { send(member_type) }
...@@ -116,7 +122,7 @@ RSpec.describe GroupsController, factory_default: :keep do ...@@ -116,7 +122,7 @@ RSpec.describe GroupsController, factory_default: :keep do
end end
end end
[:guest, :developer].each do |member_type| [:guest, :developer, :admin_without_admin_mode].each do |member_type|
context "and logged in as #{member_type.capitalize}" do context "and logged in as #{member_type.capitalize}" do
it_behaves_like 'member without ability to create subgroups' do it_behaves_like 'member without ability to create subgroups' do
let(:member) { send(member_type) } let(:member) { send(member_type) }
...@@ -856,6 +862,12 @@ RSpec.describe GroupsController, factory_default: :keep do ...@@ -856,6 +862,12 @@ RSpec.describe GroupsController, factory_default: :keep do
end end
describe 'POST #export' do describe 'POST #export' do
let(:admin) { create(:admin) }
before do
enable_admin_mode!(admin)
end
context 'when the group export feature flag is not enabled' do context 'when the group export feature flag is not enabled' do
before do before do
sign_in(admin) sign_in(admin)
...@@ -918,6 +930,12 @@ RSpec.describe GroupsController, factory_default: :keep do ...@@ -918,6 +930,12 @@ RSpec.describe GroupsController, factory_default: :keep do
end end
describe 'GET #download_export' do describe 'GET #download_export' do
let(:admin) { create(:admin) }
before do
enable_admin_mode!(admin)
end
context 'when there is a file available to download' do context 'when there is a file available to download' do
let(:export_file) { fixture_file_upload('spec/fixtures/group_export.tar.gz') } let(:export_file) { fixture_file_upload('spec/fixtures/group_export.tar.gz') }
...@@ -934,8 +952,6 @@ RSpec.describe GroupsController, factory_default: :keep do ...@@ -934,8 +952,6 @@ RSpec.describe GroupsController, factory_default: :keep do
end end
context 'when there is no file available to download' do context 'when there is no file available to download' do
let(:admin) { create(:admin) }
before do before do
sign_in(admin) sign_in(admin)
end end
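Review bot: The `POST #export` and `GET #download_export` blocks only sign in an admin whose admin mode is enabled, so no example shows that `admin_without_admin_mode` is refused. Both endpoints hand out a full copy of the group's data, which makes the denied case the one most worth pinning. A context that signs in `admin_without_admin_mode` and expects the same response a non-member gets would do it; the exact status is not visible here. Separately, `let(:admin) { create(:admin) }` followed by `enable_admin_mode!(admin)` repeats what the top-level `admin_with_admin_mode` and its `before` already provide, so `let(:admin) { admin_with_admin_mode }` would avoid creating an extra record per example. Both describe blocks continue outside the hunks shown.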
......
...@@ -143,7 +143,7 @@ RSpec.describe 'Group' do ...@@ -143,7 +143,7 @@ RSpec.describe 'Group' do
end end
end end
describe 'create a nested group', :js do describe 'create a nested group' do
let_it_be(:group) { create(:group, path: 'foo') } let_it_be(:group) { create(:group, path: 'foo') }
context 'as admin' do context 'as admin' do
...@@ -153,6 +153,7 @@ RSpec.describe 'Group' do ...@@ -153,6 +153,7 @@ RSpec.describe 'Group' do
visit new_group_path(group, parent_id: group.id) visit new_group_path(group, parent_id: group.id)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'creates a nested group' do it 'creates a nested group' do
fill_in 'Group name', with: 'bar' fill_in 'Group name', with: 'bar'
fill_in 'Group URL', with: 'bar' fill_in 'Group URL', with: 'bar'
...@@ -163,6 +164,13 @@ RSpec.describe 'Group' do ...@@ -163,6 +164,13 @@ RSpec.describe 'Group' do
end end
end end
context 'when admin mode is disabled' do
it 'is not allowed' do
expect(page).to have_gitlab_http_status(:not_found)
end
end
end
context 'as group owner' do context 'as group owner' do
it 'creates a nested group' do it 'creates a nested group' do
user = create(:user) user = create(:user)
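Review bot: Removing `:js` from `describe 'create a nested group'` moves every example in the block, including 'as group owner', off the JavaScript driver. This appears to be done only so the new 'is not allowed' example can call `have_gitlab_http_status(:not_found)`. The New project feature spec in this commit checks the same denial with `expect(page).to have_content('Not Found')` and keeps `:js`; using that form here would leave the driver coverage of the existing examples unchanged. If the switch is intentional, a comment such as `# non-JS driver: the denial is asserted via the HTTP status` above the describe would record why.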
......
...@@ -95,12 +95,14 @@ RSpec.describe 'New project', :js do ...@@ -95,12 +95,14 @@ RSpec.describe 'New project', :js do
end end
context 'when group visibility is private but default is internal' do context 'when group visibility is private but default is internal' do
let_it_be(:group) { create(:group, visibility_level: Gitlab::VisibilityLevel::PRIVATE) }
before do before do
stub_application_setting(default_project_visibility: Gitlab::VisibilityLevel::INTERNAL) stub_application_setting(default_project_visibility: Gitlab::VisibilityLevel::INTERNAL)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'has private selected' do it 'has private selected' do
group = create(:group, visibility_level: Gitlab::VisibilityLevel::PRIVATE)
visit new_project_path(namespace_id: group.id) visit new_project_path(namespace_id: group.id)
find('[data-qa-selector="blank_project_link"]').click find('[data-qa-selector="blank_project_link"]').click
...@@ -110,13 +112,24 @@ RSpec.describe 'New project', :js do ...@@ -110,13 +112,24 @@ RSpec.describe 'New project', :js do
end end
end end
context 'when admin mode is disabled' do
it 'is not allowed' do
visit new_project_path(namespace_id: group.id)
expect(page).to have_content('Not Found')
end
end
end
context 'when group visibility is public but user requests private' do context 'when group visibility is public but user requests private' do
let_it_be(:group) { create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
before do before do
stub_application_setting(default_project_visibility: Gitlab::VisibilityLevel::INTERNAL) stub_application_setting(default_project_visibility: Gitlab::VisibilityLevel::INTERNAL)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'has private selected' do it 'has private selected' do
group = create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
visit new_project_path(namespace_id: group.id, project: { visibility_level: Gitlab::VisibilityLevel::PRIVATE }) visit new_project_path(namespace_id: group.id, project: { visibility_level: Gitlab::VisibilityLevel::PRIVATE })
find('[data-qa-selector="blank_project_link"]').click find('[data-qa-selector="blank_project_link"]').click
...@@ -125,6 +138,15 @@ RSpec.describe 'New project', :js do ...@@ -125,6 +138,15 @@ RSpec.describe 'New project', :js do
end end
end end
end end
context 'when admin mode is disabled' do
it 'is not allowed' do
visit new_project_path(namespace_id: group.id, project: { visibility_level: Gitlab::VisibilityLevel::PRIVATE })
expect(page).to have_content('Not Found')
end
end
end
end end
context 'Readme selector' do context 'Readme selector' do
......
...@@ -24,7 +24,12 @@ RSpec.describe 'Internal Group access' do ...@@ -24,7 +24,12 @@ RSpec.describe 'Internal Group access' do
describe 'GET /groups/:path' do describe 'GET /groups/:path' do
subject { group_path(group) } subject { group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_allowed_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -39,7 +44,12 @@ RSpec.describe 'Internal Group access' do ...@@ -39,7 +44,12 @@ RSpec.describe 'Internal Group access' do
describe 'GET /groups/:path/-/issues' do describe 'GET /groups/:path/-/issues' do
subject { issues_group_path(group) } subject { issues_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_allowed_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -56,7 +66,12 @@ RSpec.describe 'Internal Group access' do ...@@ -56,7 +66,12 @@ RSpec.describe 'Internal Group access' do
subject { merge_requests_group_path(group) } subject { merge_requests_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -71,7 +86,12 @@ RSpec.describe 'Internal Group access' do ...@@ -71,7 +86,12 @@ RSpec.describe 'Internal Group access' do
describe 'GET /groups/:path/-/group_members' do describe 'GET /groups/:path/-/group_members' do
subject { group_group_members_path(group) } subject { group_group_members_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -86,7 +106,12 @@ RSpec.describe 'Internal Group access' do ...@@ -86,7 +106,12 @@ RSpec.describe 'Internal Group access' do
describe 'GET /groups/:path/-/edit' do describe 'GET /groups/:path/-/edit' do
subject { edit_group_path(group) } subject { edit_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_denied_for(:maintainer).of(group) } it { is_expected.to be_denied_for(:maintainer).of(group) }
it { is_expected.to be_denied_for(:developer).of(group) } it { is_expected.to be_denied_for(:developer).of(group) }
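Review bot: For `group_path`, `issues_group_path`, `merge_requests_group_path` and `group_group_members_path`, the 'when admin mode is disabled' context asserts `be_allowed_for(:admin)`, exactly as the enabled context does, and nothing marks that as deliberate. Presumably an admin without admin mode is treated as an ordinary signed-in user, who can read an internal group. A one-line comment in the first disabled context, for example `# without admin mode an admin is a regular signed-in user, who may read internal groups`, would stop a later reader from "fixing" it to `be_denied_for`. Only `edit_group_path` tells the two modes apart in this file, so it is the only example here that would fail if the admin-mode check regressed.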
......
...@@ -24,7 +24,12 @@ RSpec.describe 'Private Group access' do ...@@ -24,7 +24,12 @@ RSpec.describe 'Private Group access' do
describe 'GET /groups/:path' do describe 'GET /groups/:path' do
subject { group_path(group) } subject { group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -39,7 +44,12 @@ RSpec.describe 'Private Group access' do ...@@ -39,7 +44,12 @@ RSpec.describe 'Private Group access' do
describe 'GET /groups/:path/-/issues' do describe 'GET /groups/:path/-/issues' do
subject { issues_group_path(group) } subject { issues_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -56,7 +66,12 @@ RSpec.describe 'Private Group access' do ...@@ -56,7 +66,12 @@ RSpec.describe 'Private Group access' do
subject { merge_requests_group_path(group) } subject { merge_requests_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -71,7 +86,12 @@ RSpec.describe 'Private Group access' do ...@@ -71,7 +86,12 @@ RSpec.describe 'Private Group access' do
describe 'GET /groups/:path/-/group_members' do describe 'GET /groups/:path/-/group_members' do
subject { group_group_members_path(group) } subject { group_group_members_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -86,7 +106,12 @@ RSpec.describe 'Private Group access' do ...@@ -86,7 +106,12 @@ RSpec.describe 'Private Group access' do
describe 'GET /groups/:path/-/edit' do describe 'GET /groups/:path/-/edit' do
subject { edit_group_path(group) } subject { edit_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_denied_for(:maintainer).of(group) } it { is_expected.to be_denied_for(:maintainer).of(group) }
it { is_expected.to be_denied_for(:developer).of(group) } it { is_expected.to be_denied_for(:developer).of(group) }
...@@ -107,7 +132,12 @@ RSpec.describe 'Private Group access' do ...@@ -107,7 +132,12 @@ RSpec.describe 'Private Group access' do
subject { group_path(group) } subject { group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
......
...@@ -24,7 +24,12 @@ RSpec.describe 'Public Group access' do ...@@ -24,7 +24,12 @@ RSpec.describe 'Public Group access' do
describe 'GET /groups/:path' do describe 'GET /groups/:path' do
subject { group_path(group) } subject { group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_allowed_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -39,7 +44,12 @@ RSpec.describe 'Public Group access' do ...@@ -39,7 +44,12 @@ RSpec.describe 'Public Group access' do
describe 'GET /groups/:path/-/issues' do describe 'GET /groups/:path/-/issues' do
subject { issues_group_path(group) } subject { issues_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_allowed_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -56,7 +66,12 @@ RSpec.describe 'Public Group access' do ...@@ -56,7 +66,12 @@ RSpec.describe 'Public Group access' do
subject { merge_requests_group_path(group) } subject { merge_requests_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -71,7 +86,12 @@ RSpec.describe 'Public Group access' do ...@@ -71,7 +86,12 @@ RSpec.describe 'Public Group access' do
describe 'GET /groups/:path/-/group_members' do describe 'GET /groups/:path/-/group_members' do
subject { group_group_members_path(group) } subject { group_group_members_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_allowed_for(:maintainer).of(group) } it { is_expected.to be_allowed_for(:maintainer).of(group) }
it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:developer).of(group) }
...@@ -86,7 +106,12 @@ RSpec.describe 'Public Group access' do ...@@ -86,7 +106,12 @@ RSpec.describe 'Public Group access' do
describe 'GET /groups/:path/-/edit' do describe 'GET /groups/:path/-/edit' do
subject { edit_group_path(group) } subject { edit_group_path(group) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed_for(:admin) } it { is_expected.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_denied_for(:admin) }
end
it { is_expected.to be_allowed_for(:owner).of(group) } it { is_expected.to be_allowed_for(:owner).of(group) }
it { is_expected.to be_denied_for(:maintainer).of(group) } it { is_expected.to be_denied_for(:maintainer).of(group) }
it { is_expected.to be_denied_for(:developer).of(group) } it { is_expected.to be_denied_for(:developer).of(group) }
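Review bot: The 'when admin mode is disabled' cases for the read-only pages (`GET /groups/:path`, issues, merge requests, group members) expect `be_allowed_for(:admin)`, the opposite of the private-group spec, and nothing in the file says why. A short comment above the first of them, e.g. `# public group: an admin without admin mode is treated as a regular user, who can still read it`, would tell a reader that this is intended and not a gap in the policy change. Only the edit page (`GET /groups/:path/-/edit`) checks `be_denied_for(:admin)`, so that is the one case in this file that exercises the new restriction.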
......
...@@ -46,6 +46,7 @@ RSpec.describe NamespacesHelper do ...@@ -46,6 +46,7 @@ RSpec.describe NamespacesHelper do
end end
describe '#namespaces_options' do describe '#namespaces_options' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns groups without being a member for admin' do it 'returns groups without being a member for admin' do
allow(helper).to receive(:current_user).and_return(admin) allow(helper).to receive(:current_user).and_return(admin)
...@@ -54,6 +55,18 @@ RSpec.describe NamespacesHelper do ...@@ -54,6 +55,18 @@ RSpec.describe NamespacesHelper do
expect(options).to include(admin_group.name) expect(options).to include(admin_group.name)
expect(options).to include(user_group.name) expect(options).to include(user_group.name)
end end
end
context 'when admin mode is disabled' do
it 'returns only allowed namespaces for admin' do
allow(helper).to receive(:current_user).and_return(admin)
options = helper.namespaces_options(user_group.id, display_path: true, extra_group: user_group.id)
expect(options).to include(admin_group.name)
expect(options).not_to include(user_group.name)
end
end
it 'returns only allowed namespaces for user' do it 'returns only allowed namespaces for user' do
allow(helper).to receive(:current_user).and_return(user) allow(helper).to receive(:current_user).and_return(user)
...@@ -74,14 +87,17 @@ RSpec.describe NamespacesHelper do ...@@ -74,14 +87,17 @@ RSpec.describe NamespacesHelper do
expect(options).to include(admin_group.name) expect(options).to include(admin_group.name)
end end
context 'when admin mode is disabled' do
it 'selects existing group' do it 'selects existing group' do
allow(helper).to receive(:current_user).and_return(admin) allow(helper).to receive(:current_user).and_return(admin)
user_group.add_owner(admin)
options = helper.namespaces_options(:extra_group, display_path: true, extra_group: user_group) options = helper.namespaces_options(:extra_group, display_path: true, extra_group: user_group)
expect(options).to include("selected=\"selected\" value=\"#{user_group.id}\"") expect(options).to include("selected=\"selected\" value=\"#{user_group.id}\"")
expect(options).to include(admin_group.name) expect(options).to include(admin_group.name)
end end
end
it 'selects the new group by default' do it 'selects the new group by default' do
# Ensure we don't select a group with the same name # Ensure we don't select a group with the same name
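Review bot: In the last hunk, 'selects existing group' is now wrapped in `context 'when admin mode is disabled'` and calls `user_group.add_owner(admin)`, so it passes through ordinary owner membership and no longer exercises an admin selecting a group they do not belong to. In the lines shown there is no counterpart under `context 'when admin mode is enabled', :enable_admin_mode do` without the `add_owner` call; adding one would keep that path covered. The context name also reads as if the disabled state alone were under test, so something like `'when admin mode is disabled and the admin is an owner'` would describe it more accurately.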
......
...@@ -349,6 +349,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do ...@@ -349,6 +349,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
project_tree_saver.save project_tree_saver.save
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'exports group members as admin' do it 'exports group members as admin' do
expect(member_emails).to include('group@member.com') expect(member_emails).to include('group@member.com')
end end
...@@ -359,6 +360,13 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do ...@@ -359,6 +360,13 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
expect(member_types).to all(eq('Project')) expect(member_types).to all(eq('Project'))
end end
end end
context 'when admin mode is disabled' do
it 'does not export group members' do
expect(member_emails).not_to include('group@member.com')
end
end
end
end end
context 'with description override' do context 'with description override' do
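Review bot: The new 'does not export group members' example only asserts `expect(member_emails).not_to include('group@member.com')`, which would also pass if the export produced no members at all. A positive assertion next to it, for example that `member_emails` still includes a direct project member's address, would show that the group members specifically were withheld while the rest of the export stayed intact. The same applies to the identical example added in the ProjectExportPresenter spec further down.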
......
...@@ -781,9 +781,17 @@ RSpec.describe Group do ...@@ -781,9 +781,17 @@ RSpec.describe Group do
context 'evaluating admin access level' do context 'evaluating admin access level' do
let_it_be(:admin) { create(:admin) } let_it_be(:admin) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns OWNER by default' do it 'returns OWNER by default' do
expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::OWNER) expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::OWNER)
end end
end
context 'when admin mode is disabled' do
it 'returns NO_ACCESS' do
expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::NO_ACCESS)
end
end
it 'returns NO_ACCESS when only concrete membership should be considered' do it 'returns NO_ACCESS when only concrete membership should be considered' do
expect(group.max_member_access_for_user(admin, only_concrete_membership: true)) expect(group.max_member_access_for_user(admin, only_concrete_membership: true))
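Review bot: 'returns NO_ACCESS when only concrete membership should be considered' is left outside both new contexts, so it appears to run with admin mode disabled only. In that state `can_admin_all_resources?` is already false and `max_member_access_for_user` skips the OWNER shortcut whatever `only_concrete_membership` is, so the example no longer shows that the flag suppresses it. Moving it inside `context 'when admin mode is enabled', :enable_admin_mode do` would restore the check. The example's body continues past the end of the hunk.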
......
...@@ -425,12 +425,10 @@ RSpec.describe Member do ...@@ -425,12 +425,10 @@ RSpec.describe Member do
end end
context 'when admin mode is disabled' do context 'when admin mode is disabled' do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode it 'rejects setting members.created_by to the given admin current_user' do
# https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit 'rejects setting members.created_by to the given admin current_user' do
member = described_class.add_user(source, user, :maintainer, current_user: admin) member = described_class.add_user(source, user, :maintainer, current_user: admin)
expect(member.created_by).not_to be_persisted expect(member.created_by).to be_nil
end end
end end
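Review bot: The re-enabled example checks only `expect(member.created_by).to be_nil`, which says nothing about whether the maintainer membership itself was created. If `add_user` is meant to refuse the whole operation for an admin without admin mode (the example name suggests a rejection, but the method is not shown here), adding `expect(member).not_to be_persisted` would pin that down. Without it, a regression that saves the member with an empty `created_by` would still pass.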
......
...@@ -3961,6 +3961,37 @@ RSpec.describe User do ...@@ -3961,6 +3961,37 @@ RSpec.describe User do
end end
end end
describe '#can_admin_all_resources?', :request_store do
it 'returns false for regular user' do
user = build_stubbed(:user)
expect(user.can_admin_all_resources?).to be_falsy
end
context 'for admin user' do
include_context 'custom session'
let(:user) { build_stubbed(:user, :admin) }
context 'when admin mode is disabled' do
it 'returns false' do
expect(user.can_admin_all_resources?).to be_falsy
end
end
context 'when admin mode is enabled' do
before do
Gitlab::Auth::CurrentUserMode.new(user).request_admin_mode!
Gitlab::Auth::CurrentUserMode.new(user).enable_admin_mode!(password: user.password)
end
it 'returns true' do
expect(user.can_admin_all_resources?).to be_truthy
end
end
end
end
describe '.ghost' do describe '.ghost' do
it "creates a ghost user if one isn't already present" do it "creates a ghost user if one isn't already present" do
ghost = described_class.ghost ghost = described_class.ghost
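Review bot: The 'when admin mode is enabled' context builds the elevated state by hand with `request_admin_mode!` and `enable_admin_mode!(password: user.password)`, while the other specs in this commit use the `:enable_admin_mode` tag; if the manual setup is needed here (for example because of `include_context 'custom session'`), a one-line comment saying so would help. Separately, neither context fixes the admin mode application setting, which the new comment in BasePolicy says affects this ability. An extra context with `stub_application_setting(admin_mode: false)` would document what `can_admin_all_resources?` returns for an admin when the feature is switched off.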
......
...@@ -73,10 +73,14 @@ RSpec.describe BasePolicy do ...@@ -73,10 +73,14 @@ RSpec.describe BasePolicy do
end end
end end
describe 'full private access' do describe 'full private access: read_all_resources' do
it_behaves_like 'admin only access', :read_all_resources it_behaves_like 'admin only access', :read_all_resources
end end
describe 'full private access: admin_all_resources' do
it_behaves_like 'admin only access', :admin_all_resources
end
describe 'change_repository_storage' do describe 'change_repository_storage' do
it_behaves_like 'admin only access', :change_repository_storage it_behaves_like 'admin only access', :change_repository_storage
end end
......
...@@ -192,6 +192,16 @@ RSpec.describe GroupPolicy do ...@@ -192,6 +192,16 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
specify do
expect_disallowed(*read_group_permissions)
expect_disallowed(*guest_permissions)
expect_disallowed(*reporter_permissions)
expect_disallowed(*developer_permissions)
expect_disallowed(*maintainer_permissions)
expect_disallowed(*owner_permissions)
end
context 'with admin mode', :enable_admin_mode do
specify do specify do
expect_allowed(*read_group_permissions) expect_allowed(*read_group_permissions)
expect_allowed(*guest_permissions) expect_allowed(*guest_permissions)
...@@ -199,10 +209,8 @@ RSpec.describe GroupPolicy do ...@@ -199,10 +209,8 @@ RSpec.describe GroupPolicy do
expect_allowed(*developer_permissions) expect_allowed(*developer_permissions)
expect_allowed(*maintainer_permissions) expect_allowed(*maintainer_permissions)
expect_allowed(*owner_permissions) expect_allowed(*owner_permissions)
expect_allowed(*admin_permissions)
end end
context 'with admin mode', :enable_admin_mode do
specify { expect_allowed(*admin_permissions) }
end end
it_behaves_like 'deploy token does not get confused with user' do it_behaves_like 'deploy token does not get confused with user' do
...@@ -773,9 +781,15 @@ RSpec.describe GroupPolicy do ...@@ -773,9 +781,15 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_jira_connect_subscription) } it { is_expected.to be_allowed(:create_jira_connect_subscription) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
end
end
context 'with owner' do context 'with owner' do
let(:current_user) { owner } let(:current_user) { owner }
...@@ -817,9 +831,15 @@ RSpec.describe GroupPolicy do ...@@ -817,9 +831,15 @@ RSpec.describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_package) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_package) }
end
end
context 'with owner' do context 'with owner' do
let(:current_user) { owner } let(:current_user) { owner }
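Review bot: In the first hunk, the new admin example without admin mode asserts `expect_disallowed` for the read, guest, reporter, developer, maintainer and owner sets but not for `admin_permissions`, the most privileged set. Adding `expect_disallowed(*admin_permissions)` to that `specify` block would make the negative case mirror the `with admin mode` block, which now ends with `expect_allowed(*admin_permissions)`. As written, a rule that still granted an admin-only ability outside admin mode would not be caught here.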
......
...@@ -86,6 +86,7 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do ...@@ -86,6 +86,7 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
context 'as admin' do context 'as admin' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'exports group members as admin' do it 'exports group members as admin' do
expect(member_emails).to include('group@member.com') expect(member_emails).to include('group@member.com')
end end
...@@ -96,5 +97,12 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do ...@@ -96,5 +97,12 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
expect(member_types).to all(eq('Project')) expect(member_types).to all(eq('Project'))
end end
end end
context 'when admin mode is disabled' do
it 'does not export group members' do
expect(member_emails).not_to include('group@member.com')
end
end
end
end end
end end
...@@ -54,7 +54,7 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -54,7 +54,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end end
context 'with group_import_ndjson feature flag disabled' do context 'with group_import_ndjson feature flag disabled' do
let(:user) { create(:admin) } let(:user) { create(:user) }
let(:group) { create(:group) } let(:group) { create(:group) }
let(:import_logger) { instance_double(Gitlab::Import::Logger) } let(:import_logger) { instance_double(Gitlab::Import::Logger) }
...@@ -63,6 +63,8 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -63,6 +63,8 @@ RSpec.describe Groups::ImportExport::ImportService do
before do before do
stub_feature_flags(group_import_ndjson: false) stub_feature_flags(group_import_ndjson: false)
group.add_owner(user)
ImportExportUpload.create!(group: group, import_file: import_file) ImportExportUpload.create!(group: group, import_file: import_file)
allow(Gitlab::Import::Logger).to receive(:build).and_return(import_logger) allow(Gitlab::Import::Logger).to receive(:build).and_return(import_logger)
...@@ -95,7 +97,7 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -95,7 +97,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end end
context 'when importing a ndjson export' do context 'when importing a ndjson export' do
let(:user) { create(:admin) } let(:user) { create(:user) }
let(:group) { create(:group) } let(:group) { create(:group) }
let(:service) { described_class.new(group: group, user: user) } let(:service) { described_class.new(group: group, user: user) }
let(:import_file) { fixture_file_upload('spec/fixtures/group_export.tar.gz') } let(:import_file) { fixture_file_upload('spec/fixtures/group_export.tar.gz') }
...@@ -115,6 +117,10 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -115,6 +117,10 @@ RSpec.describe Groups::ImportExport::ImportService do
end end
context 'when user has correct permissions' do context 'when user has correct permissions' do
before do
group.add_owner(user)
end
it 'imports group structure successfully' do it 'imports group structure successfully' do
expect(subject).to be_truthy expect(subject).to be_truthy
end end
...@@ -147,8 +153,6 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -147,8 +153,6 @@ RSpec.describe Groups::ImportExport::ImportService do
end end
context 'when user does not have correct permissions' do context 'when user does not have correct permissions' do
let(:user) { create(:user) }
it 'logs the error and raises an exception' do it 'logs the error and raises an exception' do
expect(import_logger).to receive(:error).with( expect(import_logger).to receive(:error).with(
group_id: group.id, group_id: group.id,
...@@ -188,6 +192,10 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -188,6 +192,10 @@ RSpec.describe Groups::ImportExport::ImportService do
context 'when there are errors with the sub-relations' do context 'when there are errors with the sub-relations' do
let(:import_file) { fixture_file_upload('spec/fixtures/group_export_invalid_subrelations.tar.gz') } let(:import_file) { fixture_file_upload('spec/fixtures/group_export_invalid_subrelations.tar.gz') }
before do
group.add_owner(user)
end
it 'successfully imports the group' do it 'successfully imports the group' do
expect(subject).to be_truthy expect(subject).to be_truthy
end end
...@@ -207,7 +215,7 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -207,7 +215,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end end
context 'when importing a json export' do context 'when importing a json export' do
let(:user) { create(:admin) } let(:user) { create(:user) }
let(:group) { create(:group) } let(:group) { create(:group) }
let(:service) { described_class.new(group: group, user: user) } let(:service) { described_class.new(group: group, user: user) }
let(:import_file) { fixture_file_upload('spec/fixtures/legacy_group_export.tar.gz') } let(:import_file) { fixture_file_upload('spec/fixtures/legacy_group_export.tar.gz') }
...@@ -227,6 +235,10 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -227,6 +235,10 @@ RSpec.describe Groups::ImportExport::ImportService do
end end
context 'when user has correct permissions' do context 'when user has correct permissions' do
before do
group.add_owner(user)
end
it 'imports group structure successfully' do it 'imports group structure successfully' do
expect(subject).to be_truthy expect(subject).to be_truthy
end end
...@@ -259,8 +271,6 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -259,8 +271,6 @@ RSpec.describe Groups::ImportExport::ImportService do
end end
context 'when user does not have correct permissions' do context 'when user does not have correct permissions' do
let(:user) { create(:user) }
it 'logs the error and raises an exception' do it 'logs the error and raises an exception' do
expect(import_logger).to receive(:error).with( expect(import_logger).to receive(:error).with(
group_id: group.id, group_id: group.id,
...@@ -300,6 +310,10 @@ RSpec.describe Groups::ImportExport::ImportService do ...@@ -300,6 +310,10 @@ RSpec.describe Groups::ImportExport::ImportService do
context 'when there are errors with the sub-relations' do context 'when there are errors with the sub-relations' do
let(:import_file) { fixture_file_upload('spec/fixtures/legacy_group_export_invalid_subrelations.tar.gz') } let(:import_file) { fixture_file_upload('spec/fixtures/legacy_group_export_invalid_subrelations.tar.gz') }
before do
group.add_owner(user)
end
it 'successfully imports the group' do it 'successfully imports the group' do
expect(subject).to be_truthy expect(subject).to be_truthy
end end
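Review bot: Every `let(:user) { create(:admin) }` in this spec becomes `create(:user)` plus `group.add_owner(user)`, so in the lines shown no example exercises an administrator any more. Since the commit changes what an admin may do to a group they are not a member of, a pair of contexts for an admin user would cover the behaviour it introduces: one tagged `:enable_admin_mode` expecting a successful import, one without the tag expecting the permission error. The four separate `before` blocks that call `group.add_owner(user)` could also be shared through one nested context.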
......
...@@ -26,6 +26,7 @@ RSpec.describe PurgeDependencyProxyCacheWorker do ...@@ -26,6 +26,7 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
end end
context 'an admin user' do context 'an admin user' do
context 'when admin mode is enabled', :enable_admin_mode do
include_examples 'an idempotent worker' do include_examples 'an idempotent worker' do
let(:job_args) { [user.id, group_id] } let(:job_args) { [user.id, group_id] }
...@@ -41,6 +42,11 @@ RSpec.describe PurgeDependencyProxyCacheWorker do ...@@ -41,6 +42,11 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
end end
end end
context 'when admin mode is disabled' do
it_behaves_like 'returns nil'
end
end
context 'a non-admin user' do context 'a non-admin user' do
let(:user) { create(:user) } let(:user) { create(:user) }
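Review bot: The enabled case depends on the `:enable_admin_mode` spec tag, which says nothing about what a background job sees when it runs outside the admin's request. If admin mode is tied to the user's session (not shown on this page, so worth confirming), a purge queued by an elevated admin might take the 'returns nil' path in production even though this spec passes. A comment on the context stating the intended behaviour for jobs, or an example that runs the worker the way a queued job would carry the mode, would make that explicit.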
......