Commit 42fcd388 authored by Zeger-Jan van de Weg's avatar Zeger-Jan van de Weg

External Users

The user has the rights of a public user except it can never create a project,
 group, or team. Also it cannot view internal projects.
parent 065de4ab
...@@ -150,7 +150,7 @@ class Admin::UsersController < Admin::ApplicationController ...@@ -150,7 +150,7 @@ class Admin::UsersController < Admin::ApplicationController
:email, :remember_me, :bio, :name, :username, :email, :remember_me, :bio, :name, :username,
:skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password, :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
:extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key, :hide_no_password, :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key, :hide_no_password,
:projects_limit, :can_create_group, :admin, :key_id :projects_limit, :can_create_group, :admin, :key_id, :external
) )
end end
......
...@@ -51,13 +51,12 @@ class ProjectsFinder ...@@ -51,13 +51,12 @@ class ProjectsFinder
end end
def all_projects(current_user) def all_projects(current_user)
if current_user return [Project.public_only] unless current_user
[
current_user.authorized_projects, if current_user.external?
public_and_internal_projects [current_user.authorized_projects, public_projects]
]
else else
[Project.public_only] [current_user.authorized_projects, public_and_internal_projects]
end end
end end
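Review bot: Only `all_projects` gets the `external?` branch, and the hunk starts at line 51 of ProjectsFinder, so any earlier method that builds the project list for a signed-in user is outside this view. If one of them (a group-scoped lookup, if it exists) still unions in internal projects, external users would keep seeing them there, so confirm each path applies the same restriction. Separately, the anonymous branch uses `Project.public_only` while the external branch calls `public_projects`, which is not defined in the hunk. If both are meant to return the same set, use one expression for both, or add a comment such as `# external users see the same public set as anonymous visitors, plus their memberships`.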
......
...@@ -109,23 +109,10 @@ class Ability ...@@ -109,23 +109,10 @@ class Ability
key = "/user/#{user.id}/project/#{project.id}" key = "/user/#{user.id}/project/#{project.id}"
RequestStore.store[key] ||= begin RequestStore.store[key] ||= begin
team = project.team # Push abilities on the users team role
rules.push(*project_team_rules(project.team, user))
# Rules based on role in project if project.public? || (project.internal? && !user.external?)
if team.master?(user)
rules.push(*project_master_rules)
elsif team.developer?(user)
rules.push(*project_dev_rules)
elsif team.reporter?(user)
rules.push(*project_report_rules)
elsif team.guest?(user)
rules.push(*project_guest_rules)
end
if project.public? || project.internal?
rules.push(*public_project_rules) rules.push(*public_project_rules)
# Allow to read builds for internal projects # Allow to read builds for internal projects
...@@ -148,6 +135,19 @@ class Ability ...@@ -148,6 +135,19 @@ class Ability
end end
end end
def project_team_rules(team, user)
# Rules based on role in project
if team.master?(user)
project_master_rules
elsif team.developer?(user)
project_dev_rules
elsif team.reporter?(user)
project_report_rules
elsif team.guest?(user)
project_guest_rules
end
end
def public_project_rules def public_project_rules
@public_project_rules ||= project_guest_rules + [ @public_project_rules ||= project_guest_rules + [
:download_code, :download_code,
...@@ -356,7 +356,7 @@ class Ability ...@@ -356,7 +356,7 @@ class Ability
] ]
end end
if snippet.public? || snippet.internal? if snippet.public? || (snippet.internal? && !user.external?)
rules << :read_personal_snippet rules << :read_personal_snippet
end end
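Review bot: `project_team_rules` falls off the end of its `if/elsif` chain and returns nil for a user with no role on the team. The caller `rules.push(*project_team_rules(project.team, user))` only works because splatting nil produces no arguments. Make the contract explicit by ending the chain with `else` / `[]`, so a later caller that concatenates or iterates the result does not fail on nil. The visibility test `internal? && !user.external?` is also written out twice (project and personal snippet). A single predicate would keep the two from drifting, and a comment like `# external users are treated as anonymous for internal visibility` above each use would record the intent.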
......
...@@ -59,6 +59,7 @@ ...@@ -59,6 +59,7 @@
# hide_project_limit :boolean default(FALSE) # hide_project_limit :boolean default(FALSE)
# unlock_token :string # unlock_token :string
# otp_grace_period_started_at :datetime # otp_grace_period_started_at :datetime
# external :boolean default(FALSE)
# #
require 'carrierwave/orm/activerecord' require 'carrierwave/orm/activerecord'
...@@ -77,6 +78,7 @@ class User < ActiveRecord::Base ...@@ -77,6 +78,7 @@ class User < ActiveRecord::Base
add_authentication_token_field :authentication_token add_authentication_token_field :authentication_token
default_value_for :admin, false default_value_for :admin, false
default_value_for :external, false
default_value_for :can_create_group, gitlab_config.default_can_create_group default_value_for :can_create_group, gitlab_config.default_can_create_group
default_value_for :can_create_team, false default_value_for :can_create_team, false
default_value_for :hide_no_ssh_key, false default_value_for :hide_no_ssh_key, false
...@@ -179,6 +181,7 @@ class User < ActiveRecord::Base ...@@ -179,6 +181,7 @@ class User < ActiveRecord::Base
after_update :update_emails_with_primary_email, if: ->(user) { user.email_changed? } after_update :update_emails_with_primary_email, if: ->(user) { user.email_changed? }
before_save :ensure_authentication_token before_save :ensure_authentication_token
before_save :ensure_external_user_rights
after_save :ensure_namespace_correct after_save :ensure_namespace_correct
after_initialize :set_projects_limit after_initialize :set_projects_limit
after_create :post_create_hook after_create :post_create_hook
...@@ -848,4 +851,13 @@ class User < ActiveRecord::Base ...@@ -848,4 +851,13 @@ class User < ActiveRecord::Base
def send_devise_notification(notification, *args) def send_devise_notification(notification, *args)
devise_mailer.send(notification, self, *args).deliver_later devise_mailer.send(notification, self, *args).deliver_later
end end
def ensure_external_user_rights
return unless self.external?
self.can_create_team = false
self.can_create_group = false
self.projects_limit = 0
self.hide_project_limit = true
end
end end
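Review bot: `ensure_external_user_rights` resets the creation limits but leaves `admin` untouched, so a record can be saved with both `admin` and `external` set, and the admin form in this commit offers both checkboxes. If that combination is not intended, reject it with a validation; if it is, say so in a comment, e.g. `# external does not revoke admin; admins keep full access`. The callback is also one-way: clearing `external` later leaves `projects_limit` at 0 and `hide_project_limit` true because of the early `return unless self.external?`. A short comment on the method should state that an admin has to restore those values by hand. Whether the method sits under `private` cannot be seen from the hunk, because the class body continues above it.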
...@@ -61,6 +61,11 @@ ...@@ -61,6 +61,11 @@
.col-sm-10 You cannot remove your own admin rights .col-sm-10 You cannot remove your own admin rights
- else - else
.col-sm-10= f.check_box :admin .col-sm-10= f.check_box :admin
.form-group
= f.label :external, class: 'control-label'
.col-sm-10= f.check_box :external
%fieldset %fieldset
%legend Profile %legend Profile
.form-group .form-group
......
...@@ -47,6 +47,10 @@ ...@@ -47,6 +47,10 @@
- else - else
Disabled Disabled
%li
%span.light External User:
%strong
= @user.external? ? "Yes" : "No"
%li %li
%span.light Can create groups: %span.light Can create groups:
%strong %strong
......
class AddExternalFlagToUsers < ActiveRecord::Migration
def change
add_column :users, :external, :boolean, default: false
end
end
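Review bot: The column is added without `null: false`, so `users.external` can hold NULL as well as true and false. `external?` reads NULL as not external, which is the less restricted state, and a query such as `where(external: false)` would skip NULL rows. The `ldap_email` column shown in schema.rb on this page is declared `default: false, null: false`; the matching form here is `add_column :users, :external, :boolean, default: false, null: false`.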
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 20160309140734) do ActiveRecord::Schema.define(version: 20160310185910) do
# These are extensions that must be enabled in order to support this database # These are extensions that must be enabled in order to support this database
enable_extension "plpgsql" enable_extension "plpgsql"
...@@ -929,6 +929,7 @@ ActiveRecord::Schema.define(version: 20160309140734) do ...@@ -929,6 +929,7 @@ ActiveRecord::Schema.define(version: 20160309140734) do
t.string "unlock_token" t.string "unlock_token"
t.datetime "otp_grace_period_started_at" t.datetime "otp_grace_period_started_at"
t.boolean "ldap_email", default: false, null: false t.boolean "ldap_email", default: false, null: false
t.boolean "external", default: false
end end
add_index "users", ["admin"], name: "index_users_on_admin", using: :btree add_index "users", ["admin"], name: "index_users_on_admin", using: :btree
......
...@@ -61,19 +61,20 @@ module API ...@@ -61,19 +61,20 @@ module API
# admin - User is admin - true or false (default) # admin - User is admin - true or false (default)
# can_create_group - User can create groups - true or false # can_create_group - User can create groups - true or false
# confirm - Require user confirmation - true (default) or false # confirm - Require user confirmation - true (default) or false
# external - Is user an external user - true or false(default)
# Example Request: # Example Request:
# POST /users # POST /users
post do post do
authenticated_as_admin! authenticated_as_admin!
required_attributes! [:email, :password, :name, :username] required_attributes! [:email, :password, :name, :username]
attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :bio, :can_create_group, :admin, :confirm] attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :bio, :can_create_group, :admin, :confirm, :external]
admin = attrs.delete(:admin) admin = attrs.delete(:admin)
confirm = !(attrs.delete(:confirm) =~ (/(false|f|no|0)$/i)) confirm = !(attrs.delete(:confirm) =~ (/(false|f|no|0)$/i))
user = User.build_user(attrs) user = User.build_user(attrs)
user.admin = admin unless admin.nil? user.admin = admin unless admin.nil?
user.skip_confirmation! unless confirm user.skip_confirmation! unless confirm
identity_attrs = attributes_for_keys [:provider, :extern_uid] identity_attrs = attributes_for_keys [:provider, :extern_uid]
if identity_attrs.any? if identity_attrs.any?
user.identities.build(identity_attrs) user.identities.build(identity_attrs)
end end
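Review bot: `:external` is accepted only in the `POST /users` key list in this hunk. The update endpoint is not shown, so confirm it takes the same key; otherwise the flag can be set at creation through the API but not changed afterwards. `admin` is deleted from `attrs` and assigned explicitly, while `:external` stays in `attrs` and reaches the model through `User.build_user(attrs)`. A one-line comment such as `# :external is mass-assigned; endpoint is admin-only via authenticated_as_admin!` would record why that is acceptable. The doc line should also read `true or false (default)`, with a space, to match the `admin` line above it. The `post do` block continues past the end of the hunk.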
......
...@@ -34,6 +34,7 @@ describe "Internal Project Access", feature: true do ...@@ -34,6 +34,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -45,6 +46,7 @@ describe "Internal Project Access", feature: true do ...@@ -45,6 +46,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -56,6 +58,7 @@ describe "Internal Project Access", feature: true do ...@@ -56,6 +58,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -67,6 +70,7 @@ describe "Internal Project Access", feature: true do ...@@ -67,6 +70,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -78,6 +82,7 @@ describe "Internal Project Access", feature: true do ...@@ -78,6 +82,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -89,22 +94,21 @@ describe "Internal Project Access", feature: true do ...@@ -89,22 +94,21 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/blob" do describe "GET /:project_path/blob" do
before do let(:commit) { project.repository.commit }
commit = project.repository.commit subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
path = '.gitignore'
@blob_path = namespace_project_blob_path(project.namespace, project, File.join(commit.id, path))
end
it { expect(@blob_path).to be_allowed_for master } it { is_expected.to be_allowed_for master }
it { expect(@blob_path).to be_allowed_for reporter } it { is_expected.to be_allowed_for reporter }
it { expect(@blob_path).to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { expect(@blob_path).to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { expect(@blob_path).to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { expect(@blob_path).to be_denied_for :visitor } it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/edit" do describe "GET /:project_path/edit" do
...@@ -115,6 +119,7 @@ describe "Internal Project Access", feature: true do ...@@ -115,6 +119,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -126,6 +131,7 @@ describe "Internal Project Access", feature: true do ...@@ -126,6 +131,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -137,6 +143,7 @@ describe "Internal Project Access", feature: true do ...@@ -137,6 +143,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -149,6 +156,7 @@ describe "Internal Project Access", feature: true do ...@@ -149,6 +156,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -160,6 +168,7 @@ describe "Internal Project Access", feature: true do ...@@ -160,6 +168,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -171,6 +180,7 @@ describe "Internal Project Access", feature: true do ...@@ -171,6 +180,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -182,6 +192,7 @@ describe "Internal Project Access", feature: true do ...@@ -182,6 +192,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -193,6 +204,7 @@ describe "Internal Project Access", feature: true do ...@@ -193,6 +204,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -209,6 +221,7 @@ describe "Internal Project Access", feature: true do ...@@ -209,6 +221,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -225,6 +238,7 @@ describe "Internal Project Access", feature: true do ...@@ -225,6 +238,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -236,6 +250,7 @@ describe "Internal Project Access", feature: true do ...@@ -236,6 +250,7 @@ describe "Internal Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
end end
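Review bot: Every added expectation in this spec is `be_denied_for :external`, which presumably builds an external user with no membership (the matcher is not shown on this page). Nothing here checks that an external user who is a member of the internal project is still allowed, yet `current_user.authorized_projects` and `project_team_rules` exist in this commit to keep that path open. Add one member case per visibility level, for instance `it { is_expected.to be_allowed_for external_member }`, where `external_member` is a constructed name for an external user added to `project.team`. The same gap applies to the Private Project Access spec that follows.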
...@@ -34,6 +34,7 @@ describe "Private Project Access", feature: true do ...@@ -34,6 +34,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -45,6 +46,7 @@ describe "Private Project Access", feature: true do ...@@ -45,6 +46,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -56,6 +58,7 @@ describe "Private Project Access", feature: true do ...@@ -56,6 +58,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -78,6 +81,7 @@ describe "Private Project Access", feature: true do ...@@ -78,6 +81,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -89,22 +93,21 @@ describe "Private Project Access", feature: true do ...@@ -89,22 +93,21 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/blob" do describe "GET /:project_path/blob" do
before do let(:commit) { project.repository.commit }
commit = project.repository.commit subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore'))}
path = '.gitignore'
@blob_path = namespace_project_blob_path(project.namespace, project, File.join(commit.id, path))
end
it { expect(@blob_path).to be_allowed_for master } it { is_expected.to be_allowed_for master }
it { expect(@blob_path).to be_allowed_for reporter } it { is_expected.to be_allowed_for reporter }
it { expect(@blob_path).to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { expect(@blob_path).to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { expect(@blob_path).to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { expect(@blob_path).to be_denied_for :visitor } it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor }
end end
describe "GET /:project_path/edit" do describe "GET /:project_path/edit" do
...@@ -115,6 +118,7 @@ describe "Private Project Access", feature: true do ...@@ -115,6 +118,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -126,6 +130,7 @@ describe "Private Project Access", feature: true do ...@@ -126,6 +130,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -137,6 +142,7 @@ describe "Private Project Access", feature: true do ...@@ -137,6 +142,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -149,6 +155,7 @@ describe "Private Project Access", feature: true do ...@@ -149,6 +155,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -160,6 +167,7 @@ describe "Private Project Access", feature: true do ...@@ -160,6 +167,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -171,6 +179,7 @@ describe "Private Project Access", feature: true do ...@@ -171,6 +179,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -187,6 +196,7 @@ describe "Private Project Access", feature: true do ...@@ -187,6 +196,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -203,6 +213,7 @@ describe "Private Project Access", feature: true do ...@@ -203,6 +213,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -214,6 +225,7 @@ describe "Private Project Access", feature: true do ...@@ -214,6 +225,7 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
end end
...@@ -38,6 +38,7 @@ describe "Public Project Access", feature: true do ...@@ -38,6 +38,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -49,6 +50,7 @@ describe "Public Project Access", feature: true do ...@@ -49,6 +50,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -60,6 +62,7 @@ describe "Public Project Access", feature: true do ...@@ -60,6 +62,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -71,6 +74,7 @@ describe "Public Project Access", feature: true do ...@@ -71,6 +74,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -82,6 +86,7 @@ describe "Public Project Access", feature: true do ...@@ -82,6 +86,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -93,6 +98,7 @@ describe "Public Project Access", feature: true do ...@@ -93,6 +98,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -107,6 +113,7 @@ describe "Public Project Access", feature: true do ...@@ -107,6 +113,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -118,6 +125,7 @@ describe "Public Project Access", feature: true do ...@@ -118,6 +125,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
end end
...@@ -135,6 +143,7 @@ describe "Public Project Access", feature: true do ...@@ -135,6 +143,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -146,23 +155,22 @@ describe "Public Project Access", feature: true do ...@@ -146,23 +155,22 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
end end
describe "GET /:project_path/blob" do describe "GET /:project_path/blob" do
before do let(:commit) { project.repository.commit }
commit = project.repository.commit
path = '.gitignore' subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
@blob_path = namespace_project_blob_path(project.namespace, project, File.join(commit.id, path))
end
it { expect(@blob_path).to be_allowed_for master } it { is_expected.to be_allowed_for master }
it { expect(@blob_path).to be_allowed_for reporter } it { is_expected.to be_allowed_for reporter }
it { expect(@blob_path).to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { expect(@blob_path).to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { expect(@blob_path).to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { expect(@blob_path).to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
describe "GET /:project_path/edit" do describe "GET /:project_path/edit" do
...@@ -173,6 +181,7 @@ describe "Public Project Access", feature: true do ...@@ -173,6 +181,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -184,6 +193,7 @@ describe "Public Project Access", feature: true do ...@@ -184,6 +193,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -195,6 +205,7 @@ describe "Public Project Access", feature: true do ...@@ -195,6 +205,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -207,6 +218,7 @@ describe "Public Project Access", feature: true do ...@@ -207,6 +218,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -218,6 +230,7 @@ describe "Public Project Access", feature: true do ...@@ -218,6 +230,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -229,6 +242,7 @@ describe "Public Project Access", feature: true do ...@@ -229,6 +242,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -240,6 +254,7 @@ describe "Public Project Access", feature: true do ...@@ -240,6 +254,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -251,6 +266,7 @@ describe "Public Project Access", feature: true do ...@@ -251,6 +266,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
...@@ -267,6 +283,7 @@ describe "Public Project Access", feature: true do ...@@ -267,6 +283,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -283,6 +300,7 @@ describe "Public Project Access", feature: true do ...@@ -283,6 +300,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for guest } it { is_expected.to be_allowed_for guest }
it { is_expected.to be_allowed_for :user } it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :external }
it { is_expected.to be_allowed_for :visitor } it { is_expected.to be_allowed_for :visitor }
end end
...@@ -294,6 +312,7 @@ describe "Public Project Access", feature: true do ...@@ -294,6 +312,7 @@ describe "Public Project Access", feature: true do
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for guest } it { is_expected.to be_denied_for guest }
it { is_expected.to be_denied_for :user } it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :external }
it { is_expected.to be_denied_for :visitor } it { is_expected.to be_denied_for :visitor }
end end
end end
...@@ -206,6 +206,21 @@ describe User, models: true do ...@@ -206,6 +206,21 @@ describe User, models: true do
it { is_expected.to respond_to(:is_admin?) } it { is_expected.to respond_to(:is_admin?) }
it { is_expected.to respond_to(:name) } it { is_expected.to respond_to(:name) }
it { is_expected.to respond_to(:private_token) } it { is_expected.to respond_to(:private_token) }
it { is_expected.to respond_to(:external?) }
end
describe 'before save hook' do
context 'when saving an external user' do
let(:user) { create(:user) }
let(:external_user) { create(:user, external: true) }
it "sets other properties aswell" do
expect(external_user.can_create_team).to be_falsey
expect(external_user.can_create_group).to be_falsey
expect(external_user.hide_project_limit).to be_truthy
expect(external_user.projects_limit).to be 0
end
end
end end
describe '#confirm' do describe '#confirm' do
...@@ -430,6 +445,7 @@ describe User, models: true do ...@@ -430,6 +445,7 @@ describe User, models: true do
expect(user.projects_limit).to eq(Gitlab.config.gitlab.default_projects_limit) expect(user.projects_limit).to eq(Gitlab.config.gitlab.default_projects_limit)
expect(user.can_create_group).to eq(Gitlab.config.gitlab.default_can_create_group) expect(user.can_create_group).to eq(Gitlab.config.gitlab.default_can_create_group)
expect(user.theme_id).to eq(Gitlab.config.gitlab.default_theme) expect(user.theme_id).to eq(Gitlab.config.gitlab.default_theme)
expect(user.external).to be_falsey
end end
end end
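Review bot: The new 'before save hook' example only covers a user created with `external: true`, so the hook's behaviour on update is not pinned, and `let(:user)` is declared but never used. The admin controller in this commit permits `:external` in its user params, so the case that matters most is an existing regular user who is later flagged external. The idle `let` could cover it with `user.update_attributes(external: true)` followed by `expect(user.can_create_group).to be_falsey` and `expect(user.projects_limit).to be 0`. The hook itself is not shown on this part of the page, so whether it fires on update is an assumption to confirm.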
......
...@@ -120,6 +120,26 @@ describe API::API, api: true do ...@@ -120,6 +120,26 @@ describe API::API, api: true do
expect(response.status).to eq(201) expect(response.status).to eq(201)
end end
it 'creates non-external users by default' do
post api("/users", admin), attributes_for(:user)
expect(response.status).to eq(201)
user_id = json_response['id']
new_user = User.find(user_id)
expect(new_user).not_to eq nil
expect(new_user.external).to be_falsy
end
it 'should allow an external user to be created' do
post api("/users", admin), attributes_for(:user, external: true)
expect(response.status).to eq(201)
user_id = json_response['id']
new_user = User.find(user_id)
expect(new_user).not_to eq nil
expect(new_user.external).to be_truthy
end
it "should not create user with invalid email" do it "should not create user with invalid email" do
post api('/users', admin), post api('/users', admin),
email: 'invalid email', email: 'invalid email',
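Review bot: `expect(new_user).not_to eq nil` in both new examples can never fail, because `User.find` raises `ActiveRecord::RecordNotFound` rather than returning nil; drop the line or look the record up with `User.find_by(id: user_id)`. In 'creates non-external users by default', `be_falsy` also passes when `external` is nil, so a missing column default would go unnoticed. `expect(new_user.external).to be false` is stricter, assuming the column is meant to be a non-null boolean. Both examples only check the flag; asserting `can_create_group` and `projects_limit` on the user created through the API would tie this endpoint to the restrictions the model spec expects.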
......
...@@ -15,6 +15,8 @@ module AccessMatchers ...@@ -15,6 +15,8 @@ module AccessMatchers
logout logout
when :admin when :admin
login_as(create(:admin)) login_as(create(:admin))
when :external
login_as(create(:user, external: true))
when User when User
login_as(user) login_as(user)
else else
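Review bot: The `when :external` branch logs in a freshly created user with no project membership, so `:external` only ever stands for the non-member case and deserves a comment saying so: `# :external - signed-in user flagged external, member of no project`. An external user who is a member of the project is the other half of the rule in `ProjectsFinder#all_projects`, and has to be passed as a `User` object through the `when User` branch. On this page the rewritten `GET /:project_path/blob` block of the public-access spec lists no `:external` expectation, unlike its neighbours. The enclosing method starts and ends outside the hunk.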
......