Write exhaustive tests around project policy
In https://gitlab.com/gitlab-org/gitlab-ee/issues/12787#note_193244051 we noticed that making some changes to the ProjectPolicy didn't cause failures in project_policy_spec.rb.
We would need to ensure that the following tests are explicitly added to project_policy_spec.rb.
When project access level is PRIVATE
> p = Project.first
> p.public_builds
=> true
# project has PRIVATE access level (10) for all features
> p.project_feature
=> #<ProjectFeature:0x00007fa1cd564728
id: 1,
project_id: 1,
merge_requests_access_level: 10,
issues_access_level: 10,
wiki_access_level: 10,
snippets_access_level: 10,
builds_access_level: 10,
created_at: Thu, 06 Jun 2019 14:09:11 UTC +00:00,
updated_at: Tue, 16 Jul 2019 14:32:51 UTC +00:00,
repository_access_level: 10,
pages_access_level: 10>
# unauthenticated user
> ProjectPolicy.new(nil, p).allowed?(:read_build)
=> false
# user logged in but no access to the project
> ProjectPolicy.new(u, p).allowed?(:read_build)
=> false
# guest user
> guest = User.last
> p.add_guest(guest)
> ProjectPolicy.new(guest, p).allowed?(:read_build)
=> true
Unless we add a user as guest, we don't allow :read_build, even if public_builds = true.
When project access level is INTERNAL
> p.project_feature.update!(merge_requests_access_level: 20, issues_access_level: 20, wiki_access_level: 20, snippets_access_level: 20, builds_access_level: 20, repository_access_level: 20)
# allows guest users
> ProjectPolicy.new(guest, p).allowed?(:read_build)
=> true
# prevents unauthenticated users
> ProjectPolicy.new(nil, p).allowed?(:read_build)
=> false
When project access level is PUBLIC
> p.visibility_level = Project::PUBLIC
=> 20
> p.save!
=> true
> p.project_feature.update!(merge_requests_access_level: 20, builds_access_level: 20, repository_access_level: 20)
# unauthenticated user is allowed
> ProjectPolicy.new(nil, p).allowed?(:read_build)
=> true
# any user logged in
> ProjectPolicy.new(u, p).allowed?(:read_build)
=> true
These seem to match exactly the expectations when public builds are enabled. However, it would be good to see more exhaustive testing around these permissions, because the ProjectPolicy specs don't cover these public_builds scenarios well. That's why, after changing the policy, none of the tests failed.
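The sessions above only exercise three visibility settings and a couple of roles. The script below is an added illustration written for this issue, not GitLab code: it enumerates the full visibility x builds_access_level x public_builds x role matrix that project_policy_spec.rb should pin down, using a small stand-in for the :read_build decision. The numeric levels mirror what the console output shows (Project::PRIVATE/INTERNAL/PUBLIC = 0/10/20, ProjectFeature::DISABLED/PRIVATE/ENABLED = 0/10/20); the rules inside read_build_allowed?, and the FakeProject/FakeUser structs, are assumptions reconstructed from the observed results, not the policy's actual source.

```ruby
# Added example for this issue; not GitLab code. A stand-in for the :read_build
# branch of ProjectPolicy is used to enumerate every combination the spec
# should cover. Levels mirror the console session on this page; the decision
# rules are an assumption reconstructed from the observed results.

PRIVATE, INTERNAL, PUBLIC = 0, 10, 20                            # Project visibility
FEATURE_DISABLED, FEATURE_PRIVATE, FEATURE_ENABLED = 0, 10, 20   # ProjectFeature levels

# :anonymous = not logged in, :non_member = logged in but no membership
ROLE_RANK = { anonymous: 0, non_member: 5, guest: 10, reporter: 20,
              developer: 30, maintainer: 40 }.freeze

# Hypothetical stand-ins for Project/ProjectFeature and User (assumption).
FakeProject = Struct.new(:visibility_level, :builds_access_level, :public_builds,
                         keyword_init: true)
FakeUser = Struct.new(:role, keyword_init: true)

# Stand-in for ProjectPolicy.new(user, project).allowed?(:read_build).
def read_build_allowed?(user, project)
  role = user ? user.role : :anonymous
  rank = ROLE_RANK.fetch(role)

  # A disabled CI feature hides builds from everyone (assumption).
  return false if project.builds_access_level == FEATURE_DISABLED
  # Reporter and above read builds regardless of public_builds (assumption).
  return true if rank >= ROLE_RANK[:reporter]
  # Guests see builds only when public_builds is set (observed on the page).
  return project.public_builds if rank >= ROLE_RANK[:guest]

  # Non-members additionally need the project and the builds feature visible to them.
  project_visible = case project.visibility_level
                    when PUBLIC then true
                    when INTERNAL then role != :anonymous
                    else false
                    end
  project_visible && project.builds_access_level == FEATURE_ENABLED && project.public_builds
end

# Every combination the spec should cover, with the verdict the stand-in gives.
def read_build_matrix
  [PRIVATE, INTERNAL, PUBLIC].product(
    [FEATURE_DISABLED, FEATURE_PRIVATE, FEATURE_ENABLED], [true, false], ROLE_RANK.keys
  ).map do |visibility, feature, public_builds, role|
    project = FakeProject.new(visibility_level: visibility, builds_access_level: feature,
                              public_builds: public_builds)
    user = role == :anonymous ? nil : FakeUser.new(role: role)
    { visibility: visibility, builds_access_level: feature, public_builds: public_builds,
      role: role, read_build: read_build_allowed?(user, project) }
  end
end

# The rows the console session on this page actually exercised (constructed inputs).
def page_observations
  private_project  = FakeProject.new(visibility_level: PRIVATE,  builds_access_level: FEATURE_PRIVATE, public_builds: true)
  internal_project = FakeProject.new(visibility_level: INTERNAL, builds_access_level: FEATURE_ENABLED, public_builds: true)
  public_project   = FakeProject.new(visibility_level: PUBLIC,   builds_access_level: FEATURE_ENABLED, public_builds: true)
  guest    = FakeUser.new(role: :guest)
  stranger = FakeUser.new(role: :non_member)
  {
    private_anonymous:  read_build_allowed?(nil, private_project),
    private_non_member: read_build_allowed?(stranger, private_project),
    private_guest:      read_build_allowed?(guest, private_project),
    internal_guest:     read_build_allowed?(guest, internal_project),
    internal_anonymous: read_build_allowed?(nil, internal_project),
    public_anonymous:   read_build_allowed?(nil, public_project),
    public_non_member:  read_build_allowed?(stranger, public_project)
  }
end

if __FILE__ == $PROGRAM_NAME
  read_build_matrix.each do |row|
    puts "visibility=#{row[:visibility]} builds=#{row[:builds_access_level]} " \
         "public_builds=#{row[:public_builds]} role=#{row[:role]} => #{row[:read_build]}"
  end
end
```

In the real spec the rows of read_build_matrix would become a table-driven `where` block and read_build_allowed? would be replaced by `described_class.new(user, project).allowed?(:read_build)`, so that a change to the policy that flips any single cell fails exactly one named case instead of slipping through unnoticed as it did here.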