Commit 96fc1d90 authored by Felipe Artur's avatar Felipe Artur

Add security specs

parent c3e70280
...@@ -296,7 +296,7 @@ class Ability ...@@ -296,7 +296,7 @@ class Ability
def can_read_group?(user, group) def can_read_group?(user, group)
is_project_member = ProjectsFinder.new.execute(user, group: group).any? is_project_member = ProjectsFinder.new.execute(user, group: group).any?
user.admin? || group.public? || group.internal? || group.users.include?(user) user.admin? || group.public? || group.internal? || is_project_member || group.users.include?(user)
end end
def namespace_abilities(user, namespace) def namespace_abilities(user, namespace)
......
require 'rails_helper'
describe 'Internal group access', feature: true do
include AccessMatchers
include GroupAccessHelper
describe 'GET /groups/:path' do
subject { group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/issues' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/merge_requests' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/group_members' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/edit' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
end
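Review bot: The `subject` blocks for 'GET /groups/:path/merge_requests', 'GET /groups/:path/group_members' and 'GET /groups/:path/edit' all call `issues_group_path`, so three of the five describes re-test the issues page and the routes they name are never exercised. This matters most for the edit describe, which currently asserts that a guest, a reporter and any signed-in `:user` are allowed; those expectations would presumably fail (and should fail, on an authorization ground) once the subject points at the real edit route, so they need to be revisited together with the path. Each describe should use its own helper, e.g. `subject { merge_requests_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }` and `subject { edit_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }`, with the group-members route helper for the third. The same copy-paste appears in the private and public group specs below (their merge_requests, group_members and edit subjects), so the fix applies to all three files.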
require 'rails_helper'
describe 'Private group access', feature: true do
include AccessMatchers
include GroupAccessHelper
describe 'GET /groups/:path' do
subject { group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to_not be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/issues' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to_not be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/merge_requests' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to_not be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/group_members' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to_not be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/edit' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to_not be_allowed_for :user }
it { is_expected.to_not be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to_not be_allowed_for :visitor }
end
end
end
require 'rails_helper'
describe 'Public group access', feature: true do
include AccessMatchers
include GroupAccessHelper
describe 'GET /groups/:path' do
subject { group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/issues' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/merge_requests' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/group_members' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to be_allowed_for :visitor }
end
end
describe 'GET /groups/:path/edit' do
subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
context "when user not in group project" do
it { is_expected.to be_allowed_for group_member(:owner) }
it { is_expected.to be_allowed_for group_member(:master) }
it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end
context "when user in group project" do
it { is_expected.to be_allowed_for project_group_member(:user) }
it { is_expected.to be_allowed_for :visitor }
end
end
end
...@@ -43,8 +43,6 @@ describe 'Group access', feature: true do ...@@ -43,8 +43,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with mixed projects' do context 'with mixed projects' do
...@@ -55,8 +53,6 @@ describe 'Group access', feature: true do ...@@ -55,8 +53,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with internal projects' do context 'with internal projects' do
...@@ -67,8 +63,6 @@ describe 'Group access', feature: true do ...@@ -67,8 +63,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with no projects' do context 'with no projects' do
...@@ -77,8 +71,6 @@ describe 'Group access', feature: true do ...@@ -77,8 +71,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
end end
...@@ -93,8 +85,6 @@ describe 'Group access', feature: true do ...@@ -93,8 +85,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with mixed projects' do context 'with mixed projects' do
...@@ -105,8 +95,6 @@ describe 'Group access', feature: true do ...@@ -105,8 +95,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with internal projects' do context 'with internal projects' do
...@@ -117,8 +105,6 @@ describe 'Group access', feature: true do ...@@ -117,8 +105,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :visitor }
end end
context 'with no projects' do context 'with no projects' do
...@@ -127,8 +113,6 @@ describe 'Group access', feature: true do ...@@ -127,8 +113,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :visitor }
end end
end end
...@@ -143,8 +127,6 @@ describe 'Group access', feature: true do ...@@ -143,8 +127,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with mixed projects' do context 'with mixed projects' do
...@@ -155,8 +137,6 @@ describe 'Group access', feature: true do ...@@ -155,8 +137,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with internal projects' do context 'with internal projects' do
...@@ -167,8 +147,6 @@ describe 'Group access', feature: true do ...@@ -167,8 +147,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :visitor }
end end
context 'with no projects' do context 'with no projects' do
...@@ -177,8 +155,6 @@ describe 'Group access', feature: true do ...@@ -177,8 +155,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :visitor }
end end
end end
...@@ -193,8 +169,6 @@ describe 'Group access', feature: true do ...@@ -193,8 +169,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with mixed projects' do context 'with mixed projects' do
...@@ -205,8 +179,6 @@ describe 'Group access', feature: true do ...@@ -205,8 +179,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_allowed_for :visitor }
end end
context 'with internal projects' do context 'with internal projects' do
...@@ -217,8 +189,6 @@ describe 'Group access', feature: true do ...@@ -217,8 +189,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_allowed_for :user }
it { is_expected.to be_denied_for :visitor }
end end
context 'with no projects' do context 'with no projects' do
...@@ -227,8 +197,6 @@ describe 'Group access', feature: true do ...@@ -227,8 +197,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_allowed_for group_member(:reporter) } it { is_expected.to be_allowed_for group_member(:reporter) }
it { is_expected.to be_allowed_for group_member(:guest) } it { is_expected.to be_allowed_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :visitor }
end end
end end
...@@ -243,8 +211,6 @@ describe 'Group access', feature: true do ...@@ -243,8 +211,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_denied_for group_member(:reporter) } it { is_expected.to be_denied_for group_member(:reporter) }
it { is_expected.to be_denied_for group_member(:guest) } it { is_expected.to be_denied_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :visitor }
end end
context 'with mixed projects' do context 'with mixed projects' do
...@@ -255,8 +221,6 @@ describe 'Group access', feature: true do ...@@ -255,8 +221,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_denied_for group_member(:reporter) } it { is_expected.to be_denied_for group_member(:reporter) }
it { is_expected.to be_denied_for group_member(:guest) } it { is_expected.to be_denied_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :visitor }
end end
context 'with internal projects' do context 'with internal projects' do
...@@ -267,8 +231,6 @@ describe 'Group access', feature: true do ...@@ -267,8 +231,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_denied_for group_member(:reporter) } it { is_expected.to be_denied_for group_member(:reporter) }
it { is_expected.to be_denied_for group_member(:guest) } it { is_expected.to be_denied_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :visitor }
end end
context 'with no projects' do context 'with no projects' do
...@@ -277,8 +239,6 @@ describe 'Group access', feature: true do ...@@ -277,8 +239,6 @@ describe 'Group access', feature: true do
it { is_expected.to be_denied_for group_member(:reporter) } it { is_expected.to be_denied_for group_member(:reporter) }
it { is_expected.to be_denied_for group_member(:guest) } it { is_expected.to be_denied_for group_member(:guest) }
it { is_expected.to be_allowed_for :admin } it { is_expected.to be_allowed_for :admin }
it { is_expected.to be_denied_for :user }
it { is_expected.to be_denied_for :visitor }
end end
end end
end end
module GroupAccessHelper
def group(visibility_level=0)
@group ||= create(:group, visibility_level: visibility_level)
end
def project_group_member(access_level)
project = create(:project, visibility_level: group.visibility_level, group: group, name: 'B', path: 'B')
create(:user).tap { |user| project.team.add_user(user, Gitlab::Access::DEVELOPER) }
end
def group_member(access_level, grp=group())
level = Object.const_get("Gitlab::Access::#{access_level.upcase}")
create(:user).tap { |user| grp.add_user(user, level) }
end
end
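Review bot: `project_group_member(access_level)` never reads its `access_level` argument; the user is always added with `Gitlab::Access::DEVELOPER`, while every caller passes `:user`, which is not an access-level name at all, so the specs cannot express what level of project membership is being tested. Either drop the parameter or resolve it the way `group_member` already does, `level = Object.const_get("Gitlab::Access::#{access_level.upcase}")` followed by `project.team.add_user(user, level)`, and pass a real level such as `:developer` from the specs. `group(visibility_level=0)` memoizes with `||=`, so a `visibility_level` passed on any later call in the same example is silently ignored; a comment like `# memoized: the visibility_level of the first call in an example wins` would make that explicit for the next author.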