Commit 34084e31 authored by Michael Kozono's avatar Michael Kozono

Merge branch '227135-add-policies-issue' into 'master'

Prevent certain policies at issue level when namespace is read only

Closes #227135

See merge request gitlab-org/gitlab!36431
parents 9daa303d 889a3e8c
...@@ -30,6 +30,8 @@ class Issue < ApplicationRecord ...@@ -30,6 +30,8 @@ class Issue < ApplicationRecord
SORTING_PREFERENCE_FIELD = :issues_sort SORTING_PREFERENCE_FIELD = :issues_sort
belongs_to :project belongs_to :project
has_one :namespace, through: :project
belongs_to :duplicated_to, class_name: 'Issue' belongs_to :duplicated_to, class_name: 'Issue'
belongs_to :closed_by, class_name: 'User' belongs_to :closed_by, class_name: 'User'
belongs_to :iteration, foreign_key: 'sprint_id' belongs_to :iteration, foreign_key: 'sprint_id'
......
...@@ -40,3 +40,5 @@ class IssuePolicy < IssuablePolicy ...@@ -40,3 +40,5 @@ class IssuePolicy < IssuablePolicy
prevent :destroy_design prevent :destroy_design
end end
end end
IssuePolicy.prepend_if_ee('EE::IssuePolicy')
# frozen_string_literal: true
module EE
module IssuePolicy
extend ActiveSupport::Concern
prepended do
condition(:over_storage_limit, scope: :subject) { @subject.namespace.over_storage_limit? }
rule { over_storage_limit }.policy do
prevent :create_issue
prevent :update_issue
prevent :read_issue_iid
prevent :reopen_issue
prevent :create_design
prevent :create_note
end
end
end
end
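Review bot: The rule inside `prepended do` is an explicit deny list of six abilities, and one of them, `:read_issue_iid`, is a read ability, which the "read only" wording of the commit title does not explain. A comment above the rule would record the intent, for example `# Namespace over its storage limit is read-only: deny issue writes. New write abilities must be added here too.`, with a short reason for including `:read_issue_iid`. Because the list is enumerated by name, any write ability added to IssuePolicy later stays permitted for an over-limit namespace unless it is also listed here. The condition also calls `@subject.namespace.over_storage_limit?` without a nil guard, which is safe only if every issue has a project and namespace; this page does not show whether that holds.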
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe IssuePolicy do
let(:owner) { build_stubbed(:user) }
let(:namespace) { build_stubbed(:namespace, owner: owner) }
let(:project) { build_stubbed(:project, namespace: namespace) }
let(:issue) { build_stubbed(:issue, project: project) }
subject { described_class.new(owner, issue) }
before do
allow(issue).to receive(:namespace).and_return namespace
allow(project).to receive(:design_management_enabled?).and_return true
end
context 'when namespace is locked because storage usage limit exceeded' do
before do
allow(namespace).to receive(:over_storage_limit?).and_return true
end
it { is_expected.to be_disallowed(:create_issue, :update_issue, :read_issue_iid, :reopen_issue, :create_design, :create_note) }
end
context 'when namespace is not locked because storage usage limit not exceeded' do
before do
allow(namespace).to receive(:over_storage_limit?).and_return false
end
it { is_expected.to be_allowed(:create_issue, :update_issue, :read_issue_iid, :reopen_issue, :create_design, :create_note) }
end
end
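Review bot: The locked-namespace context asserts only the six denied abilities, so nothing pins that read access survives when the storage limit is exceeded. Adding `it { is_expected.to be_allowed(:read_issue) }` to that context would catch a rule that later denies more than intended, assuming the stubbed namespace owner is granted `:read_issue` as expected. The outer `before` block also stubs `issue.namespace` directly, so this spec never exercises the new `has_one :namespace, through: :project` association. Only the model spec's association matcher covers it.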
...@@ -46,6 +46,7 @@ issues: ...@@ -46,6 +46,7 @@ issues:
- system_note_metadata - system_note_metadata
- alert_management_alert - alert_management_alert
- status_page_published_incident - status_page_published_incident
- namespace
events: events:
- author - author
- project - project
......
...@@ -11,6 +11,7 @@ RSpec.describe Issue do ...@@ -11,6 +11,7 @@ RSpec.describe Issue do
it { is_expected.to belong_to(:milestone) } it { is_expected.to belong_to(:milestone) }
it { is_expected.to belong_to(:iteration) } it { is_expected.to belong_to(:iteration) }
it { is_expected.to belong_to(:project) } it { is_expected.to belong_to(:project) }
it { is_expected.to have_one(:namespace).through(:project) }
it { is_expected.to belong_to(:moved_to).class_name('Issue') } it { is_expected.to belong_to(:moved_to).class_name('Issue') }
it { is_expected.to have_one(:moved_from).class_name('Issue') } it { is_expected.to have_one(:moved_from).class_name('Issue') }
it { is_expected.to belong_to(:duplicated_to).class_name('Issue') } it { is_expected.to belong_to(:duplicated_to).class_name('Issue') }
......
...@@ -104,7 +104,7 @@ RSpec.describe IssuePolicy do ...@@ -104,7 +104,7 @@ RSpec.describe IssuePolicy do
end end
it 'does not allow issue author to read or update confidential issue moved to an private project' do it 'does not allow issue author to read or update confidential issue moved to an private project' do
confidential_issue.project = build(:project, :private) confidential_issue.project = create(:project, :private)
expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue) expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue)
end end
...@@ -117,7 +117,7 @@ RSpec.describe IssuePolicy do ...@@ -117,7 +117,7 @@ RSpec.describe IssuePolicy do
end end
it 'does not allow issue assignees to read or update confidential issue moved to an private project' do it 'does not allow issue assignees to read or update confidential issue moved to an private project' do
confidential_issue.project = build(:project, :private) confidential_issue.project = create(:project, :private)
expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue) expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue)
end end
......