require 'spec_helper'

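# Permission matrix for ProjectPolicy.
#
# The role lists below are incremental: each holds only the abilities that
# role gains over the one before it, and the per-role examples at the bottom
# assert the cumulative set (guest < reporter < developer < master < owner)
# as well as that nothing from a higher role leaks into a lower one. This is
# the access-control contract for a project, so a failing "disallowed" line
# here is a privilege-escalation bug, not a cosmetic one.
describe ProjectPolicy do
  let(:guest) { create(:user) }
  let(:reporter) { create(:user) }
  let(:dev) { create(:user) }
  let(:master) { create(:user) }
  let(:owner) { create(:user) }
  let(:admin) { create(:admin) }
  # Placing the project in `owner`'s namespace is what makes that user the
  # owner; no explicit team entry is added for them below.
  let(:project) { create(:project, :public, namespace: owner.namespace) }

  # Baseline abilities of a project guest.
  let(:guest_permissions) do
    %i[
      read_project read_board read_list read_wiki read_issue read_label
      read_milestone read_project_snippet read_project_member
      read_note create_project create_issue create_note
      upload_file
    ]
  end

  # Abilities a reporter gains on top of a guest.
  let(:reporter_permissions) do
    %i[
      download_code fork_project create_project_snippet update_issue
      admin_issue admin_label admin_list read_commit_status read_build
      read_container_image read_pipeline read_environment read_deployment
      read_merge_request download_wiki_code
    ]
  end

  # Build-scoped abilities that require actual team membership; the admin
  # example below expects these to stay denied for a non-member admin.
  let(:team_member_reporter_permissions) do
    %i[build_download_code build_read_container_image]
  end

  # Abilities a developer gains on top of a reporter.
  let(:developer_permissions) do
    %i[
      admin_merge_request update_merge_request create_commit_status
      update_commit_status create_build update_build create_pipeline
      update_pipeline create_merge_request create_wiki push_code
      resolve_note create_container_image update_container_image
      create_environment create_deployment
    ]
  end

  # Abilities a master gains on top of a developer.
  let(:master_permissions) do
    %i[
      delete_protected_branch update_project_snippet update_environment
      update_deployment admin_milestone admin_project_snippet
      admin_project_member admin_note admin_wiki admin_project
      admin_commit_status admin_build admin_container_image
      admin_pipeline admin_environment admin_deployment
    ]
  end

  # Abilities a public project exposes to anyone. Not referenced by any
  # example in this file; kept next to the other lists for reference.
  let(:public_permissions) do
    %i[
      download_code fork_project read_commit_status read_pipeline
      read_container_image build_download_code build_read_container_image
      download_wiki_code
    ]
  end

  # Destructive and namespace-level abilities reserved for the owner.
  let(:owner_permissions) do
    %i[
      change_namespace change_visibility_level rename_project remove_project
      archive_project remove_fork_project destroy_merge_request destroy_issue
    ]
  end

  # `owner` and `admin` are deliberately not added to the team: owner access
  # comes from the namespace and admin access from the user flag alone.
  before do
    project.team << [guest, :guest]
    project.team << [master, :master]
    project.team << [dev, :developer]
    project.team << [reporter, :reporter]
  end

  # Asserts that `subject` is granted every ability in +permissions+.
  def expect_allowed(*permissions)
    permissions.each { |p| is_expected.to be_allowed(p) }
  end

  # Asserts that `subject` is denied every ability in +permissions+.
  def expect_disallowed(*permissions)
    permissions.each { |p| is_expected.not_to be_allowed(p) }
  end

  # Authorship must not leak read access: creating an issue in a private
  # project does not by itself make the author a member of that project.
  it 'does not include the read_issue permission when the issue author is not a member of the private project' do
    project = create(:project, :private)
    issue   = create(:issue, project: project)
    user    = issue.author

    expect(project.team.member?(issue.author)).to be false

    expect(Ability).not_to be_allowed(user, :read_issue, project)
  end

  context 'when the wiki feature is disabled' do
    subject { described_class.new(owner, project) }

    before do
      project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::DISABLED)
    end

    # Even the owner loses every wiki ability once the feature is off.
    it 'does not include the wiki permissions' do
      expect_disallowed :read_wiki, :create_wiki, :update_wiki, :admin_wiki, :download_wiki_code
    end
  end

  context 'issues feature' do
    subject { described_class.new(owner, project) }

    context 'when the feature is disabled' do
      it 'does not include the issues permissions' do
        project.issues_enabled = false
        project.save!

        expect_disallowed :read_issue, :create_issue, :update_issue, :admin_issue
      end
    end

    # Configuring an external tracker must not re-enable the built-in issue
    # abilities while the feature itself is disabled.
    context 'when the feature is disabled and external tracker configured' do
      it 'does not include the issues permissions' do
        create(:jira_service, project: project)

        project.issues_enabled = false
        project.save!

        expect_disallowed :read_issue, :create_issue, :update_issue, :admin_issue
      end
    end
  end

  # Regression guard: a pending invite on the owning group must leave an
  # anonymous visitor with anonymous-level access only. Presumably the risk
  # is an invite record (no user yet) being matched against the nil current
  # user -- confirm against the membership lookup.
  context 'when a project has pending invites, and the current user is anonymous' do
    let(:group) { create(:group, :public) }
    let(:project) { create(:project, :public, namespace: group) }
    # Guest abilities that still require a signed-in user on a public project.
    let(:user_permissions) { [:create_project, :create_issue, :create_note, :upload_file] }
    let(:anonymous_permissions) { guest_permissions - user_permissions }

    subject { described_class.new(nil, project) }

    before do
      create(:group_member, :invited, group: group)
    end

    it 'does not grant owner access' do
      expect_allowed(*anonymous_permissions)
      expect_disallowed(*user_permissions)
      # The example's name is the real claim: assert it directly rather than
      # only the user-level abilities.
      expect_disallowed(*owner_permissions)
    end
  end

  context 'abilities for non-public projects' do
    # Created without the :public trait, so nothing is reachable anonymously.
    let(:project) { create(:project, namespace: owner.namespace) }

    subject { described_class.new(current_user, project) }

    context 'with no user' do
      let(:current_user) { nil }

      it { is_expected.to be_banned }
    end

    context 'guests' do
      let(:current_user) { guest }

      # read_build / read_pipeline depend on the public_builds flag and are
      # asserted separately in the nested contexts below.
      let(:reporter_public_build_permissions) do
        reporter_permissions - [:read_build, :read_pipeline]
      end

      it do
        expect_allowed(*guest_permissions)
        expect_disallowed(*reporter_public_build_permissions)
        expect_disallowed(*team_member_reporter_permissions)
        expect_disallowed(*developer_permissions)
        expect_disallowed(*master_permissions)
        expect_disallowed(*owner_permissions)
      end

      context 'public builds enabled' do
        # Set explicitly instead of relying on the factory default, so the
        # example keeps testing what its name says if that default changes.
        before do
          project.update!(public_builds: true)
        end

        it do
          expect_allowed(*guest_permissions)
          expect_allowed(:read_build, :read_pipeline)
        end
      end

      context 'public builds disabled' do
        # update! so a silently failing setup cannot leave the flag at its
        # default.
        before do
          project.update!(public_builds: false)
        end

        it do
          expect_allowed(*guest_permissions)
          expect_disallowed(:read_build, :read_pipeline)
        end
      end

      # Disabling the builds feature removes read_build only; read_pipeline is
      # governed by public_builds (see the two contexts above), not by the
      # builds access level.
      context 'when builds are disabled' do
        before do
          project.project_feature.update(
            builds_access_level: ProjectFeature::DISABLED)
        end

        it do
          expect_disallowed(:read_build)
          expect_allowed(:read_pipeline)
        end
      end
    end

    context 'reporter' do
      let(:current_user) { reporter }

      it do
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*team_member_reporter_permissions)
        expect_disallowed(*developer_permissions)
        expect_disallowed(*master_permissions)
        expect_disallowed(*owner_permissions)
      end
    end

    context 'developer' do
      let(:current_user) { dev }

      it do
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*team_member_reporter_permissions)
        expect_allowed(*developer_permissions)
        expect_disallowed(*master_permissions)
        expect_disallowed(*owner_permissions)
      end
    end

    context 'master' do
      let(:current_user) { master }

      it do
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*team_member_reporter_permissions)
        expect_allowed(*developer_permissions)
        expect_allowed(*master_permissions)
        expect_disallowed(*owner_permissions)
      end
    end

    context 'owner' do
      let(:current_user) { owner }

      it do
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*team_member_reporter_permissions)
        expect_allowed(*developer_permissions)
        expect_allowed(*master_permissions)
        expect_allowed(*owner_permissions)
      end
    end

    context 'admin' do
      let(:current_user) { admin }

      it do
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        # The admin is not on the project team, so the membership-bound build
        # abilities stay denied even though everything else is granted.
        expect_disallowed(*team_member_reporter_permissions)
        expect_allowed(*developer_permissions)
        expect_allowed(*master_permissions)
        expect_allowed(*owner_permissions)
      end
    end
  end
end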