Merge branch 'issue_32364' into 'master'

Fix permissions for group milestones See merge request gitlab-org/gitlab!17783

Merge branch 'issue_32364' into 'master'
Fix permissions for group milestones See merge request gitlab-org/gitlab!17783
17c5e274 · Stan Hu · af80dec7 · 28930bc7 · 17c5e274 · 17c5e274
Commit 17c5e274 authored Oct 01, 2019 by Stan Hu
5 changed files
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -44,25 +44,25 @@ class GroupPolicy < BasePolicy
  rule { public_group }.policy do
    enable :read_group
-    enable :read_list
-    enable :read_label
  end
  rule { logged_in_viewable }.enable :read_group
  rule { guest }.policy do
    enable :read_group
-    enable :read_list
    enable :upload_file
-    enable :read_label
  end
  rule { admin }.enable :read_group
  rule { has_projects }.policy do
+    enable :read_group
+  end
+  rule { can?(:read_group) }.policy do
+    enable :read_milestone
    enable :read_list
    enable :read_label
-    enable :read_group
  end
  rule { has_access }.enable :read_namespace

--- a/app/policies/milestone_policy.rb
+++ b/app/policies/milestone_policy.rb
 # frozen_string_literal: true
 class MilestonePolicy < BasePolicy
-  delegate { @subject.project }
+  delegate { @subject.parent }
 end
--- a/changelogs/unreleased/issue_32364.yml
+++ b/changelogs/unreleased/issue_32364.yml
+---
+title: Fix permissions for group milestones
+merge_request:
+author:
+type: fixed
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -9,6 +9,7 @@ describe GroupPolicy do
    it do
      expect_allowed(:read_group)
+      expect_allowed(*read_group_permissions)
      expect_disallowed(:upload_file)
      expect_disallowed(*reporter_permissions)
      expect_disallowed(*developer_permissions)
@@ -27,6 +28,7 @@ describe GroupPolicy do
    end
    it { expect_disallowed(:read_group) }
+    it { expect_disallowed(*read_group_permissions) }
  end
  context 'with foreign user and public project' do
@@ -39,6 +41,7 @@ describe GroupPolicy do
    end
    it { expect_disallowed(:read_group) }
+    it { expect_disallowed(*read_group_permissions) }
  end
  context 'has projects' do
@@ -49,13 +52,13 @@ describe GroupPolicy do
      project.add_developer(current_user)
    end
-    it { expect_allowed(:read_label, :read_list) }
+    it { expect_allowed(*read_group_permissions) }
    context 'in subgroups' do
      let(:subgroup) { create(:group, :private, parent: group) }
      let(:project) { create(:project, namespace: subgroup) }
-      it { expect_allowed(:read_label, :read_list) }
+      it { expect_allowed(*read_group_permissions) }
    end
  end
@@ -63,6 +66,7 @@ describe GroupPolicy do
    let(:current_user) { guest }
    it do
+      expect_allowed(*read_group_permissions)
      expect_allowed(*guest_permissions)
      expect_disallowed(*reporter_permissions)
      expect_disallowed(*developer_permissions)
@@ -75,6 +79,7 @@ describe GroupPolicy do
    let(:current_user) { reporter }
    it do
+      expect_allowed(*read_group_permissions)
      expect_allowed(*guest_permissions)
      expect_allowed(*reporter_permissions)
      expect_disallowed(*developer_permissions)
@@ -87,6 +92,7 @@ describe GroupPolicy do
    let(:current_user) { developer }
    it do
+      expect_allowed(*read_group_permissions)
      expect_allowed(*guest_permissions)
      expect_allowed(*reporter_permissions)
      expect_allowed(*developer_permissions)
@@ -110,6 +116,7 @@ describe GroupPolicy do
        updated_owner_permissions =
          owner_permissions - create_subgroup_permission
+        expect_allowed(*read_group_permissions)
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*developer_permissions)
@@ -120,6 +127,7 @@ describe GroupPolicy do
    context 'with subgroup_creation_level set to owner' do
      it 'allows every maintainer permission' do
+        expect_allowed(*read_group_permissions)
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*developer_permissions)
@@ -133,6 +141,7 @@ describe GroupPolicy do
    let(:current_user) { owner }
    it do
+      expect_allowed(*read_group_permissions)
      expect_allowed(*guest_permissions)
      expect_allowed(*reporter_permissions)
      expect_allowed(*developer_permissions)
@@ -145,6 +154,7 @@ describe GroupPolicy do
    let(:current_user) { admin }
    it do
+      expect_allowed(*read_group_permissions)
      expect_allowed(*guest_permissions)
      expect_allowed(*reporter_permissions)
      expect_allowed(*developer_permissions)
@@ -176,6 +186,7 @@ describe GroupPolicy do
      let(:current_user) { nil }
      it do
+        expect_disallowed(*read_group_permissions)
        expect_disallowed(*guest_permissions)
        expect_disallowed(*reporter_permissions)
        expect_disallowed(*developer_permissions)
@@ -188,6 +199,7 @@ describe GroupPolicy do
      let(:current_user) { guest }
      it do
+        expect_allowed(*read_group_permissions)
        expect_allowed(*guest_permissions)
        expect_disallowed(*reporter_permissions)
        expect_disallowed(*developer_permissions)
@@ -200,6 +212,7 @@ describe GroupPolicy do
      let(:current_user) { reporter }
      it do
+        expect_allowed(*read_group_permissions)
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_disallowed(*developer_permissions)
@@ -212,6 +225,7 @@ describe GroupPolicy do
      let(:current_user) { developer }
      it do
+        expect_allowed(*read_group_permissions)
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*developer_permissions)
@@ -224,6 +238,7 @@ describe GroupPolicy do
      let(:current_user) { maintainer }
      it do
+        expect_allowed(*read_group_permissions)
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*developer_permissions)
@@ -236,6 +251,7 @@ describe GroupPolicy do
      let(:current_user) { owner }
      it do
+        expect_allowed(*read_group_permissions)
        expect_allowed(*guest_permissions)
        expect_allowed(*reporter_permissions)
        expect_allowed(*developer_permissions)

--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -16,6 +16,7 @@ RSpec.shared_context 'GroupPolicy context' do
      read_group_merge_requests
   ]
  end
+  let(:read_group_permissions) { %i[read_label read_list read_milestone] }
  let(:reporter_permissions) { %i[admin_label read_container_image] }
  let(:developer_permissions) { [:admin_milestone] }
  let(:maintainer_permissions) do