Extract EE specific files/lines for spec/policies
We have the following files containing EE-specific code. We should move them to ee/.
spec/policies/group_policy_spec.rb
diff --git a/spec/policies/group_policy_spec.rb b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/policies/group_policy_spec.rb
index be1804c5ce0..6035cbe3f2a 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/policies/group_policy_spec.rb
@@ -6,6 +6,7 @@ describe GroupPolicy do
let(:developer) { create(:user) }
let(:maintainer) { create(:user) }
let(:owner) { create(:user) }
+ let(:auditor) { create(:user, :auditor) }
let(:admin) { create(:admin) }
let(:group) { create(:group, :private) }
@@ -292,6 +293,107 @@ describe GroupPolicy do
expect_allowed(*owner_permissions)
end
end
+
+ context 'auditor' do
+ let(:current_user) { auditor }
+
+ it do
+ expect_allowed(:read_group)
+ expect_disallowed(:upload_file)
+ is_expected.to be_disallowed(*maintainer_permissions)
+ is_expected.to be_disallowed(*owner_permissions)
+ end
+ end
+ end
+
+ describe 'change_share_with_group_lock' do
+ context 'when the current_user owns the group' do
+ let(:current_user) { owner }
+
+ context 'when the group share_with_group_lock is enabled' do
+ let(:group) { create(:group, share_with_group_lock: true, parent: parent) }
+
+ context 'when the parent group share_with_group_lock is enabled' do
+ context 'when the group has a grandparent' do
+ let(:parent) { create(:group, share_with_group_lock: true, parent: grandparent) }
+
+ context 'when the grandparent share_with_group_lock is enabled' do
+ let(:grandparent) { create(:group, share_with_group_lock: true) }
+
+ context 'when the current_user owns the parent' do
+ before do
+ parent.add_owner(current_user)
+ end
+
+ context 'when the current_user owns the grandparent' do
+ before do
+ grandparent.add_owner(current_user)
+ end
+
+ it { expect_allowed(:change_share_with_group_lock) }
+ end
+
+ context 'when the current_user does not own the grandparent' do
+ it { expect_disallowed(:change_share_with_group_lock) }
+ end
+ end
+
+ context 'when the current_user does not own the parent' do
+ it { expect_disallowed(:change_share_with_group_lock) }
+ end
+ end
+
+ context 'when the grandparent share_with_group_lock is disabled' do
+ let(:grandparent) { create(:group) }
+
+ context 'when the current_user owns the parent' do
+ before do
+ parent.add_owner(current_user)
+ end
+
+ it { expect_allowed(:change_share_with_group_lock) }
+ end
+
+ context 'when the current_user does not own the parent' do
+ it { expect_disallowed(:change_share_with_group_lock) }
+ end
+ end
+ end
+
+ context 'when the group does not have a grandparent' do
+ let(:parent) { create(:group, share_with_group_lock: true) }
+
+ context 'when the current_user owns the parent' do
+ before do
+ parent.add_owner(current_user)
+ end
+
+ it { expect_allowed(:change_share_with_group_lock) }
+ end
+
+ context 'when the current_user does not own the parent' do
+ it { expect_disallowed(:change_share_with_group_lock) }
+ end
+ end
+ end
+
+ context 'when the parent group share_with_group_lock is disabled' do
+ let(:parent) { create(:group) }
+
+ it { expect_allowed(:change_share_with_group_lock) }
+ end
+ end
+
+ context 'when the group share_with_group_lock is disabled' do
+ it { expect_allowed(:change_share_with_group_lock) }
+ end
+ end
+
+ context 'when the current_user does not own the group' do
+ let(:current_user) { create(:user) }
+
+ it { expect_disallowed(:change_share_with_group_lock) }
+ end
end
describe 'change_share_with_group_lock' do
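Review bot: The added `context 'auditor'` example negates only `:upload_file`, `maintainer_permissions` and `owner_permissions`, so a policy regression that gave auditors reporter- or developer-level abilities on a private group would still pass. If the spec's `reporter_permissions` and `developer_permissions` lists are in scope here (they are not visible in this hunk), add `is_expected.to be_disallowed(*reporter_permissions)` and `is_expected.to be_disallowed(*developer_permissions)`. Separately, the added `describe 'change_share_with_group_lock'` block is immediately followed by a context line opening a describe with the same name, which suggests it duplicates examples already in the file rather than being EE-specific; confirm that before moving anything to ee/. The enclosing `describe GroupPolicy` starts and ends outside the hunk.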
spec/policies/namespace_policy_spec.rb
diff --git a/spec/policies/namespace_policy_spec.rb b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/policies/namespace_policy_spec.rb
index 1fdf95ad716..a7aaeed9ac8 100644
--- a/spec/policies/namespace_policy_spec.rb
+++ b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/policies/namespace_policy_spec.rb
@@ -3,6 +3,7 @@ require 'spec_helper'
describe NamespacePolicy do
let(:user) { create(:user) }
let(:owner) { create(:user) }
+ let(:auditor) { create(:user, :auditor) }
let(:admin) { create(:admin) }
let(:namespace) { create(:namespace, owner: owner) }
@@ -30,7 +31,21 @@ describe NamespacePolicy do
context 'user who has exceeded project limit' do
let(:owner) { create(:user, projects_limit: 0) }
- it { is_expected.not_to be_allowed(:create_projects) }
+ it { is_expected.to be_disallowed(:create_projects) }
+ end
+ end
+
+ context 'auditor' do
+ let(:current_user) { auditor }
+
+ context 'owner' do
+ let(:namespace) { create(:namespace, owner: auditor) }
+
+ it { is_expected.to be_allowed(*owner_permissions) }
+ end
+
+ context 'non-owner' do
+ it { is_expected.to be_disallowed(*owner_permissions) }
end
end
spec/policies/project_policy_spec.rb
diff --git a/spec/policies/project_policy_spec.rb b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/policies/project_policy_spec.rb
index 93a468f585b..b44bf520afb 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/policies/project_policy_spec.rb
@@ -237,7 +237,7 @@ describe ProjectPolicy do
let(:feature_write_abilities) do
described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
described_class.create_update_admin_destroy(feature)
- end
+ end + additional_reporter_permissions + additional_maintainer_permissions
end
let(:other_write_abilities) do
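Review bot: The new `end + additional_reporter_permissions + additional_maintainer_permissions` hangs array concatenation off the closing `end` of a `do … end` block, which is easy to misread. It also only works if both lets resolve to arrays in every context that evaluates `feature_write_abilities`; the only definitions visible on this page are inside `context 'EE'` further down. Consider naming the intermediate result, e.g. `feature_abilities = described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map { |feature| described_class.create_update_admin_destroy(feature) }`, then `feature_abilities + additional_reporter_permissions + additional_maintainer_permissions`. A short comment saying the extra abilities are presumably expected to be denied on archived projects as well would make the intent explicit. The surrounding example group starts outside the hunk.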
@@ -383,7 +383,6 @@ describe ProjectPolicy do
shared_examples 'project policies as developer' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
-
subject { described_class.new(developer, project) }
it do
@@ -472,6 +471,61 @@ describe ProjectPolicy do
it_behaves_like 'project policies as owner'
it_behaves_like 'project policies as admin'
+ context 'EE' do
+ let(:additional_guest_permissions) { [:read_issue_link] }
+ let(:additional_reporter_permissions) { [:admin_issue_link]}
+ let(:additional_maintainer_permissions) { [:push_code_to_protected_branches] }
+ let(:auditor_permissions) do
+ %i[
+ download_code download_wiki_code read_project read_board read_list
+ read_project_for_iids read_issue_iid read_merge_request_iid read_wiki
+ read_issue read_label read_issue_link read_milestone read_release
+ read_project_snippet read_project_member read_note read_cycle_analytics
+ read_pipeline read_build read_commit_status read_container_image
+ read_environment read_deployment read_merge_request read_pages
+ create_merge_request_in award_emoji
+ ]
+ end
+
+ it_behaves_like 'project policies as anonymous'
+ it_behaves_like 'project policies as guest'
+ it_behaves_like 'project policies as reporter'
+ it_behaves_like 'project policies as developer'
+ it_behaves_like 'project policies as maintainer'
+ it_behaves_like 'project policies as owner'
+ it_behaves_like 'project policies as admin'
+
+ context 'auditor' do
+ let(:auditor) { create(:user, :auditor) }
+
+ subject { described_class.new(auditor, project) }
+
+ context 'who is not a team member' do
+ it do
+ is_expected.to be_disallowed(*developer_permissions)
+ is_expected.to be_disallowed(*maintainer_permissions)
+ is_expected.to be_disallowed(*owner_permissions)
+ is_expected.to be_disallowed(*(guest_permissions - auditor_permissions))
+ is_expected.to be_allowed(*auditor_permissions)
+ end
+ end
+
+ context 'who is a team member' do
+ before do
+ project.add_guest(auditor)
+ end
+
+ it do
+ is_expected.to be_disallowed(*developer_permissions)
+ is_expected.to be_disallowed(*maintainer_permissions)
+ is_expected.to be_disallowed(*owner_permissions)
+ is_expected.to be_allowed(*(guest_permissions - auditor_permissions))
+ is_expected.to be_allowed(*auditor_permissions)
+ end
+ end
+ end
+ end
+
context 'when a public project has merge requests allowing access' do
include ProjectForksHelper
let(:user) { create(:user) }
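Review bot: Neither auditor example asserts that reporter-level abilities outside `auditor_permissions` are denied. The checks cover `developer_permissions`, `maintainer_permissions`, `owner_permissions` and the guest remainder, so an auditor gaining a reporter write ability such as `:admin_issue_link` (declared in this hunk as an additional reporter permission) would not fail the spec. Assuming the reporter list is exposed as `reporter_permissions` like the other role lists, add `is_expected.to be_disallowed(*(reporter_permissions - auditor_permissions))` to both `it` blocks. A comment explaining why `create_merge_request_in` and `award_emoji` sit in a list that is otherwise made of read abilities would also help the next reader. Minor: `{ [:admin_issue_link]}` is missing the space before the closing brace.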
spec/policies/project_snippet_policy_spec.rb
diff --git a/spec/policies/project_snippet_policy_spec.rb b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/policies/project_snippet_policy_spec.rb
index d6329e84579..05dba1413f2 100644
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/policies/project_snippet_policy_spec.rb
@@ -96,6 +96,16 @@ describe ProjectSnippetPolicy do
expect_disallowed(*author_permissions)
end
end
+
+ context 'external user' do
+ let(:current_user) { create(:user, :external) }
+ subject { abilities(current_user, :private) }
+
+ it do
+ is_expected.to be_disallowed(:read_project_snippet)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
end
context 'private snippet' do
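Review bot: The added `context 'external user'` builds its subject with `abilities(current_user, :private)`, yet it sits at the end of the context that precedes `context 'private snippet'`. If that enclosing context is the internal-visibility one (its opening line is outside the hunk), the example never exercises an external user against an internal snippet and would pass for any non-member. In that case the subject should be `abilities(current_user, :internal)`. If a private snippet is what is meant, move the example under `context 'private snippet'` so the visibility under test matches its group.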
@@ -154,6 +164,16 @@ describe ProjectSnippetPolicy do
end
end
+ context 'auditor user' do
+ let(:current_user) { create(:user, :auditor) }
+ subject { abilities(current_user, :private) }
+
+ it do
+ is_expected.to be_allowed(:read_project_snippet)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
+
context 'admin user' do
subject { abilities(create(:admin), :private) }
Edited by Yorick Peterse