BigW Consortium Gitlab

group_policy_spec.rb 9.71 KB
Newer Older
1 2
require 'spec_helper'

3
describe GroupPolicy do
4 5 6 7 8 9 10 11
  let(:guest) { create(:user) }
  let(:reporter) { create(:user) }
  let(:developer) { create(:user) }
  let(:master) { create(:user) }
  let(:owner) { create(:user) }
  let(:admin) { create(:admin) }
  let(:group) { create(:group) }

12 13
  let(:reporter_permissions) { [:admin_label] }

14 15
  let(:developer_permissions) { [:admin_milestones] }

16 17
  let(:master_permissions) do
    [
18
      :create_projects
19 20 21 22 23 24 25 26
    ]
  end

  let(:owner_permissions) do
    [
      :admin_group,
      :admin_namespace,
      :admin_group_member,
27
      :change_visibility_level,
28 29
      (Gitlab::Database.postgresql? ? :create_subgroup : nil)
    ].compact
30 31 32 33 34 35 36 37 38 39
  end

  before do
    group.add_guest(guest)
    group.add_reporter(reporter)
    group.add_developer(developer)
    group.add_master(master)
    group.add_owner(owner)
  end

40 41 42 43 44 45 46 47 48
  subject { described_class.new(current_user, group) }

  def expect_allowed(*permissions)
    permissions.each { |p| is_expected.to be_allowed(p) }
  end

  def expect_disallowed(*permissions)
    permissions.each { |p| is_expected.not_to be_allowed(p) }
  end
49 50 51 52 53

  context 'with no user' do
    let(:current_user) { nil }

    it do
54 55
      expect_allowed(:read_group)
      expect_disallowed(*reporter_permissions)
56
      expect_disallowed(*developer_permissions)
57 58
      expect_disallowed(*master_permissions)
      expect_disallowed(*owner_permissions)
59 60 61 62 63 64 65
    end
  end

  context 'guests' do
    let(:current_user) { guest }

    it do
66 67
      expect_allowed(:read_group)
      expect_disallowed(*reporter_permissions)
68
      expect_disallowed(*developer_permissions)
69 70
      expect_disallowed(*master_permissions)
      expect_disallowed(*owner_permissions)
71 72 73 74 75 76 77
    end
  end

  context 'reporter' do
    let(:current_user) { reporter }

    it do
78 79
      expect_allowed(:read_group)
      expect_allowed(*reporter_permissions)
80
      expect_disallowed(*developer_permissions)
81 82
      expect_disallowed(*master_permissions)
      expect_disallowed(*owner_permissions)
83 84 85 86 87 88 89
    end
  end

  context 'developer' do
    let(:current_user) { developer }

    it do
90 91
      expect_allowed(:read_group)
      expect_allowed(*reporter_permissions)
92
      expect_allowed(*developer_permissions)
93 94
      expect_disallowed(*master_permissions)
      expect_disallowed(*owner_permissions)
95 96 97 98 99 100 101
    end
  end

  context 'master' do
    let(:current_user) { master }

    it do
102 103
      expect_allowed(:read_group)
      expect_allowed(*reporter_permissions)
104
      expect_allowed(*developer_permissions)
105 106
      expect_allowed(*master_permissions)
      expect_disallowed(*owner_permissions)
107 108 109 110 111 112 113
    end
  end

  context 'owner' do
    let(:current_user) { owner }

    it do
114 115
      allow(Group).to receive(:supports_nested_groups?).and_return(true)

116 117
      expect_allowed(:read_group)
      expect_allowed(*reporter_permissions)
118
      expect_allowed(*developer_permissions)
119 120
      expect_allowed(*master_permissions)
      expect_allowed(*owner_permissions)
121 122 123 124 125 126 127
    end
  end

  context 'admin' do
    let(:current_user) { admin }

    it do
128 129
      allow(Group).to receive(:supports_nested_groups?).and_return(true)

130 131
      expect_allowed(:read_group)
      expect_allowed(*reporter_permissions)
132
      expect_allowed(*developer_permissions)
133 134
      expect_allowed(*master_permissions)
      expect_allowed(*owner_permissions)
135 136
    end
  end
137

138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167
  describe 'when nested group support feature is disabled' do
    before do
      allow(Group).to receive(:supports_nested_groups?).and_return(false)
    end

    context 'admin' do
      let(:current_user) { admin }

      it 'allows every owner permission except creating subgroups' do
        create_subgroup_permission = [:create_subgroup]
        updated_owner_permissions = owner_permissions - create_subgroup_permission

        expect_disallowed(*create_subgroup_permission)
        expect_allowed(*updated_owner_permissions)
      end
    end

    context 'owner' do
      let(:current_user) { owner }

      it 'allows every owner permission except creating subgroups' do
        create_subgroup_permission = [:create_subgroup]
        updated_owner_permissions = owner_permissions - create_subgroup_permission

        expect_disallowed(*create_subgroup_permission)
        expect_allowed(*updated_owner_permissions)
      end
    end
  end

168
  describe 'private nested group use the highest access level from the group and inherited permissions', :nested_groups do
169 170
    let(:nested_group) { create(:group, :private, parent: group) }

171 172 173 174 175 176 177 178 179 180 181 182
    before do
      nested_group.add_guest(guest)
      nested_group.add_guest(reporter)
      nested_group.add_guest(developer)
      nested_group.add_guest(master)

      group.owners.destroy_all

      group.add_guest(owner)
      nested_group.add_owner(owner)
    end

183
    subject { described_class.new(current_user, nested_group) }
184 185 186 187 188

    context 'with no user' do
      let(:current_user) { nil }

      it do
189 190
        expect_disallowed(:read_group)
        expect_disallowed(*reporter_permissions)
191
        expect_disallowed(*developer_permissions)
192 193
        expect_disallowed(*master_permissions)
        expect_disallowed(*owner_permissions)
194 195 196 197 198 199 200
      end
    end

    context 'guests' do
      let(:current_user) { guest }

      it do
201 202
        expect_allowed(:read_group)
        expect_disallowed(*reporter_permissions)
203
        expect_disallowed(*developer_permissions)
204 205
        expect_disallowed(*master_permissions)
        expect_disallowed(*owner_permissions)
206 207 208 209 210 211 212
      end
    end

    context 'reporter' do
      let(:current_user) { reporter }

      it do
213 214
        expect_allowed(:read_group)
        expect_allowed(*reporter_permissions)
215
        expect_disallowed(*developer_permissions)
216 217
        expect_disallowed(*master_permissions)
        expect_disallowed(*owner_permissions)
218 219 220 221 222 223 224
      end
    end

    context 'developer' do
      let(:current_user) { developer }

      it do
225 226
        expect_allowed(:read_group)
        expect_allowed(*reporter_permissions)
227
        expect_allowed(*developer_permissions)
228 229
        expect_disallowed(*master_permissions)
        expect_disallowed(*owner_permissions)
230 231 232 233 234 235 236
      end
    end

    context 'master' do
      let(:current_user) { master }

      it do
237 238
        expect_allowed(:read_group)
        expect_allowed(*reporter_permissions)
239
        expect_allowed(*developer_permissions)
240 241
        expect_allowed(*master_permissions)
        expect_disallowed(*owner_permissions)
242 243 244 245 246 247 248
      end
    end

    context 'owner' do
      let(:current_user) { owner }

      it do
249 250
        allow(Group).to receive(:supports_nested_groups?).and_return(true)

251 252
        expect_allowed(:read_group)
        expect_allowed(*reporter_permissions)
253
        expect_allowed(*developer_permissions)
254 255
        expect_allowed(*master_permissions)
        expect_allowed(*owner_permissions)
256 257 258
      end
    end
  end
259 260

  describe 'change_share_with_group_lock' do
261 262
    context 'when the current_user owns the group' do
      let(:current_user) { owner }
263

264 265
      context 'when the group share_with_group_lock is enabled' do
        let(:group) { create(:group, share_with_group_lock: true, parent: parent) }
266

267 268 269
        context 'when the parent group share_with_group_lock is enabled' do
          context 'when the group has a grandparent' do
            let(:parent) { create(:group, share_with_group_lock: true, parent: grandparent) }
270

271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289
            context 'when the grandparent share_with_group_lock is enabled' do
              let(:grandparent) { create(:group, share_with_group_lock: true) }

              context 'when the current_user owns the parent' do
                before do
                  parent.add_owner(current_user)
                end

                context 'when the current_user owns the grandparent' do
                  before do
                    grandparent.add_owner(current_user)
                  end

                  it { expect_allowed(:change_share_with_group_lock) }
                end

                context 'when the current_user does not own the grandparent' do
                  it { expect_disallowed(:change_share_with_group_lock) }
                end
290 291
              end

292 293 294
              context 'when the current_user does not own the parent' do
                it { expect_disallowed(:change_share_with_group_lock) }
              end
295 296
            end

297 298 299 300 301 302 303 304 305
            context 'when the grandparent share_with_group_lock is disabled' do
              let(:grandparent) { create(:group) }

              context 'when the current_user owns the parent' do
                before do
                  parent.add_owner(current_user)
                end

                it { expect_allowed(:change_share_with_group_lock) }
306 307
              end

308 309 310
              context 'when the current_user does not own the parent' do
                it { expect_disallowed(:change_share_with_group_lock) }
              end
311 312
            end
          end
313

314 315
          context 'when the group does not have a grandparent' do
            let(:parent) { create(:group, share_with_group_lock: true) }
316

317 318 319 320
            context 'when the current_user owns the parent' do
              before do
                parent.add_owner(current_user)
              end
321

322 323
              it { expect_allowed(:change_share_with_group_lock) }
            end
324

325 326 327
            context 'when the current_user does not own the parent' do
              it { expect_disallowed(:change_share_with_group_lock) }
            end
328
          end
329 330
        end

331 332
        context 'when the parent group share_with_group_lock is disabled' do
          let(:parent) { create(:group) }
333 334 335

          it { expect_allowed(:change_share_with_group_lock) }
        end
336
      end
337

338 339
      context 'when the group share_with_group_lock is disabled' do
        it { expect_allowed(:change_share_with_group_lock) }
340 341 342
      end
    end

343 344
    context 'when the current_user does not own the group' do
      let(:current_user) { create(:user) }
345

346
      it { expect_disallowed(:change_share_with_group_lock) }
347 348
    end
  end
349
end