Merge branch 'fix/cycle-analytics-permissions' into 'master'

Added permissions per stage to cycle analytics endpoint See merge request !7613

Merge branch 'fix/cycle-analytics-permissions' into 'master'
Added permissions per stage to cycle analytics endpoint See merge request !7613
7ea30578 · Sean McGivern · Alejandro Rodríguez · 959b503c · 7ea30578 · 7ea30578
Commit 7ea30578 authored Nov 21, 2016 by Sean McGivern Committed by Alejandro Rodríguez Nov 21, 2016
5 changed files
--- a/app/controllers/projects/cycle_analytics_controller.rb
+++ b/app/controllers/projects/cycle_analytics_controller.rb
@@ -54,7 +54,8 @@ class Projects::CycleAnalyticsController < Projects::ApplicationController

    {
      summary: summary,
-      stats: stats
+      stats: stats,
+      permissions: @cycle_analytics.permissions(user: current_user)
    }
  end
 end
--- a/app/models/cycle_analytics.rb
+++ b/app/models/cycle_analytics.rb
 class CycleAnalytics
+  STAGES = %i[issue plan code test review staging production].freeze
+
  def initialize(project, from:)
    @project = project
    @from = from
@@ -9,6 +11,10 @@ class CycleAnalytics
    @summary ||= Summary.new(@project, from: @from)
  end

+  def permissions(user:)
+    Gitlab::CycleAnalytics::Permissions.get(user: user, project: @project)
+  end
+
  def issue
    @fetcher.calculate_metric(:issue,
                     Issue.arel_table[:created_at],

--- a/changelogs/unreleased/fix-cycle-analytics-permissions.yml
+++ b/changelogs/unreleased/fix-cycle-analytics-permissions.yml
+---
+title: Added permissions per stage to cycle analytics endpoint
+merge_request: 
+author: 
--- a/lib/gitlab/cycle_analytics/permissions.rb
+++ b/lib/gitlab/cycle_analytics/permissions.rb
+module Gitlab
+  module CycleAnalytics
+    class Permissions
+      STAGE_PERMISSIONS = {
+        issue: :read_issue,
+        code: :read_merge_request,
+        test: :read_build,
+        review: :read_merge_request,
+        staging: :read_build,
+        production: :read_issue,
+      }.freeze
+
+      def self.get(*args)
+        new(*args).get
+      end
+
+      def initialize(user:, project:)
+        @user = user
+        @project = project
+        @stage_permission_hash = {}
+      end
+
+      def get
+        ::CycleAnalytics::STAGES.each do |stage|
+          @stage_permission_hash[stage] = authorized_stage?(stage)
+        end
+
+        @stage_permission_hash
+      end
+
+      private
+
+      def authorized_stage?(stage)
+        return false unless authorize_project(:read_cycle_analytics)
+
+        STAGE_PERMISSIONS[stage] ? authorize_project(STAGE_PERMISSIONS[stage]) : true
+      end
+
+      def authorize_project(permission)
+        Ability.allowed?(@user, permission, @project)
+      end
+    end
+  end
+end
--- a/spec/lib/gitlab/cycle_analytics/permissions_spec.rb
+++ b/spec/lib/gitlab/cycle_analytics/permissions_spec.rb
+require 'spec_helper'
+
+describe Gitlab::CycleAnalytics::Permissions do
+  let(:project) { create(:empty_project) }
+  let(:user) { create(:user) }
+
+  subject { described_class.get(user: user, project: project) }
+
+  context 'user with no relation to the project' do
+    it 'has no permissions to issue stage' do
+      expect(subject[:issue]).to eq(false)
+    end
+
+    it 'has no permissions to test stage' do
+      expect(subject[:test]).to eq(false)
+    end
+
+    it 'has no permissions to staging stage' do
+      expect(subject[:staging]).to eq(false)
+    end
+
+    it 'has no permissions to production stage' do
+      expect(subject[:production]).to eq(false)
+    end
+
+    it 'has no permissions to code stage' do
+      expect(subject[:code]).to eq(false)
+    end
+
+    it 'has no permissions to review stage' do
+      expect(subject[:review]).to eq(false)
+    end
+
+    it 'has no permissions to plan stage' do
+      expect(subject[:plan]).to eq(false)
+    end
+  end
+
+  context 'user is master' do
+    before do
+      project.team << [user, :master]
+    end
+
+    it 'has permissions to issue stage' do
+      expect(subject[:issue]).to eq(true)
+    end
+
+    it 'has permissions to test stage' do
+      expect(subject[:test]).to eq(true)
+    end
+
+    it 'has permissions to staging stage' do
+      expect(subject[:staging]).to eq(true)
+    end
+
+    it 'has permissions to production stage' do
+      expect(subject[:production]).to eq(true)
+    end
+
+    it 'has permissions to code stage' do
+      expect(subject[:code]).to eq(true)
+    end
+
+    it 'has permissions to review stage' do
+      expect(subject[:review]).to eq(true)
+    end
+
+    it 'has permissions to plan stage' do
+      expect(subject[:plan]).to eq(true)
+    end
+  end
+
+  context 'user has no build permissions' do
+    before do
+      project.team << [user, :guest]
+    end
+
+    it 'has permissions to issue stage' do
+      expect(subject[:issue]).to eq(true)
+    end
+
+    it 'has no permissions to test stage' do
+      expect(subject[:test]).to eq(false)
+    end
+
+    it 'has no permissions to staging stage' do
+      expect(subject[:staging]).to eq(false)
+    end
+  end
+
+  context 'user has no merge request permissions' do
+    before do
+      project.team << [user, :guest]
+    end
+
+    it 'has permissions to issue stage' do
+      expect(subject[:issue]).to eq(true)
+    end
+
+    it 'has no permissions to code stage' do
+      expect(subject[:code]).to eq(false)
+    end
+
+    it 'has no permissions to review stage' do
+      expect(subject[:review]).to eq(false)
+    end
+  end
+
+  context 'user has no issue permissions' do
+    before do
+      project.team << [user, :developer]
+      project.project_feature.update_attribute(:issues_access_level, ProjectFeature::DISABLED)
+    end
+
+    it 'has permissions to code stage' do
+      expect(subject[:code]).to eq(true)
+    end
+
+    it 'has no permissions to issue stage' do
+      expect(subject[:issue]).to eq(false)
+    end
+
+    it 'has no permissions to production stage' do
+      expect(subject[:production]).to eq(false)
+    end
+  end
+end