Merge branch '228617-prevent-mr-policies' into 'master'

Prevent certain policies at MR level when namespace is read only See merge request gitlab-org/gitlab!36713

Merge branch '228617-prevent-mr-policies' into 'master'
Prevent certain policies at MR level when namespace is read only See merge request gitlab-org/gitlab!36713
f5ac701e · Douglas Barbosa Alexandre · 586f09e4 · c16dbbf0 · f5ac701e · f5ac701e
Commit f5ac701e authored Jul 28, 2020 by Douglas Barbosa Alexandre
3 changed files
--- a/ee/app/policies/ee/merge_request_policy.rb
+++ b/ee/app/policies/ee/merge_request_policy.rb
@@ -10,10 +10,20 @@ module EE
        @subject.target_project&.can_override_approvers?
      end

+      condition(:over_storage_limit, scope: :subject) { @subject.target_project&.namespace&.over_storage_limit? }
+
      rule { ~can_override_approvers }.prevent :update_approvers
      rule { can?(:update_merge_request) }.policy do
        enable :update_approvers
      end
+
+      rule { over_storage_limit }.policy do
+        prevent :approve_merge_request
+        prevent :update_merge_request
+        prevent :reopen_merge_request
+        prevent :create_note
+        prevent :resolve_note
+      end
    end
  end
 end
--- a/ee/changelogs/unreleased/228617-prevent-mr-policies.yml
+++ b/ee/changelogs/unreleased/228617-prevent-mr-policies.yml
+---
+title: Prevent certain policies at Merge Request level when namespace exceeds storage limit
+merge_request: 36713
+author:
+type: added
--- a/ee/spec/policies/merge_request_policy_spec.rb
+++ b/ee/spec/policies/merge_request_policy_spec.rb
@@ -134,4 +134,34 @@ RSpec.describe MergeRequestPolicy do
      end
    end
  end
+
+  context 'when checking for namespace whether exceeding storage limit' do
+    context 'when namespace does exceeds storage limit' do
+      before do
+        allow(merge_request.target_project.namespace).to receive(:over_storage_limit?).and_return(true)
+      end
+
+      it 'does not allow few policies for all users including maintainer' do
+        expect(policy_for(maintainer)).to be_disallowed(:approve_merge_request,
+                                                        :update_merge_request,
+                                                        :reopen_merge_request,
+                                                        :create_note,
+                                                        :resolve_note)
+      end
+    end
+
+    context 'when namespace does not exceeds storage limit' do
+      before do
+        allow(merge_request.target_project.namespace).to receive(:over_storage_limit?).and_return(false)
+      end
+
+      it 'does not lock basic policies for any user' do
+        expect(policy_for(maintainer)).to be_allowed(:approve_merge_request,
+                                                      :update_merge_request,
+                                                      :reopen_merge_request,
+                                                      :create_note,
+                                                      :resolve_note)
+      end
+    end
+  end
 end