Commit 4842489d authored by Imre Farkas's avatar Imre Farkas

Merge branch 'chore/migrate-models-policies-specs-admin-mode' into 'master'

Migrate models and policies specs to consider admin mode

See merge request gitlab-org/gitlab!30430
parents 3219bfa5 fa73571b
...@@ -359,7 +359,7 @@ class Issue < ApplicationRecord ...@@ -359,7 +359,7 @@ class Issue < ApplicationRecord
# for performance reasons, check commit: 002ad215818450d2cbbc5fa065850a953dc7ada8 # for performance reasons, check commit: 002ad215818450d2cbbc5fa065850a953dc7ada8
# Make sure to sync this method with issue_policy.rb # Make sure to sync this method with issue_policy.rb
def readable_by?(user) def readable_by?(user)
if user.admin? if user.can_read_all_resources?
true true
elsif project.owner == user elsif project.owner == user
true true
......
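Review bot: The comment block above `readable_by?` does not say that the first branch is now gated on admin mode rather than on the admin flag alone. `can_read_all_resources?` appears to resolve through `Ability.allowed?(user, :read_all_resources, :global)` (the Issue spec in this commit expects that call), so an admin without an active admin-mode session falls through to the owner and membership branches. I would add `# Admins short-circuit here only while admin mode is active; otherwise the checks below decide.` above the `if`. The matching condition in issue_policy.rb is not visible in this section and should be confirmed, and the method body continues outside the hunk.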
---
title: Migrate models and policies specs to consider admin mode
merge_request: 30430
author: Diego Louzán
type: other
...@@ -3,10 +3,10 @@ ...@@ -3,10 +3,10 @@
require 'spec_helper' require 'spec_helper'
describe Analytics::CycleAnalytics::GroupLevel do describe Analytics::CycleAnalytics::GroupLevel do
let_it_be(:group) { create(:group)} let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, :repository, namespace: group) } let_it_be(:project) { create(:project, :repository, namespace: group) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { create(:user) }
let(:issue) { create(:issue, project: project, created_at: 2.days.ago) } let(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
let_it_be(:milestone) { create(:milestone, project: project) } let_it_be(:milestone) { create(:milestone, project: project) }
let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") } let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") }
...@@ -18,6 +18,12 @@ describe Analytics::CycleAnalytics::GroupLevel do ...@@ -18,6 +18,12 @@ describe Analytics::CycleAnalytics::GroupLevel do
subject { described_class.new(group: group, options: { from: from_date, current_user: user }) } subject { described_class.new(group: group, options: { from: from_date, current_user: user }) }
before do
# Cannot set the owner directly when calling `create(:group)`
# See spec/factories/groups.rb#after(:create)
group.add_owner(user)
end
describe '#permissions' do describe '#permissions' do
it 'returns true for all stages' do it 'returns true for all stages' do
expect(subject.permissions.values.uniq).to eq([true]) expect(subject.permissions.values.uniq).to eq([true])
......
...@@ -152,8 +152,8 @@ describe Note, :elastic do ...@@ -152,8 +152,8 @@ describe Note, :elastic do
expect(Note.elastic_search('term', options: options).total_count).to eq(1) expect(Note.elastic_search('term', options: options).total_count).to eq(1)
end end
[:admin, :auditor].each do |user_type| shared_examples 'notes finder' do |user_type, no_of_notes|
it "finds note for #{user_type}", :sidekiq_might_not_need_inline do it "finds #{no_of_notes} notes for #{user_type}", :sidekiq_might_not_need_inline do
superuser = create(user_type) superuser = create(user_type)
issue = create(:issue, :confidential, author: create(:user)) issue = create(:issue, :confidential, author: create(:user))
...@@ -164,10 +164,18 @@ describe Note, :elastic do ...@@ -164,10 +164,18 @@ describe Note, :elastic do
options = { project_ids: [issue.project.id], current_user: superuser } options = { project_ids: [issue.project.id], current_user: superuser }
expect(Note.elastic_search('term', options: options).total_count).to eq(1) expect(Note.elastic_search('term', options: options).total_count).to eq(no_of_notes)
end end
end end
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'notes finder', :admin, 1
end
it_behaves_like 'notes finder', :admin, 0
it_behaves_like 'notes finder', :auditor, 1
it "return notes with matching content for project members", :sidekiq_might_not_need_inline do it "return notes with matching content for project members", :sidekiq_might_not_need_inline do
user = create :user user = create :user
issue = create :issue, :confidential, author: user issue = create :issue, :confidential, author: user
......
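Review bot: The negative case `it_behaves_like 'notes finder', :admin, 0` sits at the top level with no context naming the condition, so the generated title "finds 0 notes for admin" does not say that admin mode is off. The other specs in this commit wrap that case explicitly; here it would be `context 'when admin mode is disabled' do` / `it_behaves_like 'notes finder', :admin, 0` / `end`. The local `superuser` inside the shared example is also misleading now that one of its callers expects the user to see nothing; `user` would read better.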
...@@ -66,7 +66,20 @@ describe Event do ...@@ -66,7 +66,20 @@ describe Event do
expect(event).to be_visible_to(member) expect(event).to be_visible_to(member)
expect(event).to be_visible_to(guest) expect(event).to be_visible_to(guest)
expect(event).to be_visible_to(admin) end
context 'when admin mode enabled', :enable_admin_mode do
it 'is visible to admin', :aggregate_failures do
expect(event).to be_visible_to(admin)
end
end
context 'when admin mode disabled' do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
# See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit 'is not visible to admin', :aggregate_failures do
expect(event).not_to be_visible_to(admin)
end
end end
end end
......
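Review bot: The only assertion that an admin without admin mode cannot see the event is disabled with `xit`, so nothing will signal when the linked issue is fixed or if the behaviour changes. Making it a normal `it` whose first line is `pending 'Group#max_member_access_for_user needs to be migrated to use admin mode'` keeps the example running, and RSpec then fails it as soon as it unexpectedly passes. `:aggregate_failures` adds nothing to either new example, since each holds a single expectation.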
...@@ -240,7 +240,7 @@ describe Issue do ...@@ -240,7 +240,7 @@ describe Issue do
describe 'when a user cannot read cross project' do describe 'when a user cannot read cross project' do
it 'only returns issues within the same project' do it 'only returns issues within the same project' do
expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).and_call_original expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).at_least(:once).and_call_original
expect(Ability).to receive(:allowed?).with(user, :read_cross_project).and_return(false) expect(Ability).to receive(:allowed?).with(user, :read_cross_project).and_return(false)
expect(authorized_issue_a.related_issues(user)) expect(authorized_issue_a.related_issues(user))
......
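Review bot: With `.at_least(:once).and_call_original`, the first `expect(Ability).to receive(:allowed?)` now behaves as a pass-through stub rather than an assertion about `:read_all_resources`. If its purpose is only to let the other `allowed?` calls reach the real implementation, `allow(Ability).to receive(:allowed?).and_call_original` states that directly. That leaves the `:read_cross_project` expectation as the one the example is about. The `it` block continues outside the hunk.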
...@@ -6,13 +6,16 @@ describe ProductivityAnalytics do ...@@ -6,13 +6,16 @@ describe ProductivityAnalytics do
describe 'metrics data' do describe 'metrics data' do
subject(:analytics) { described_class.new(merge_requests: finder_mrs, sort: custom_sort) } subject(:analytics) { described_class.new(merge_requests: finder_mrs, sort: custom_sort) }
let(:finder_mrs) { ProductivityAnalyticsFinder.new(create(:admin), finder_options).execute } let(:project) { create(:project) }
let(:user) { project.owner }
let(:finder_mrs) { ProductivityAnalyticsFinder.new(user, finder_options).execute }
let(:finder_options) { { state: 'merged' } } let(:finder_options) { { state: 'merged' } }
let(:custom_sort) { nil } let(:custom_sort) { nil }
let(:label_a) { create(:label) } let(:label_a) { create(:label, project: project) }
let(:label_b) { create(:label) } let(:label_b) { create(:label, project: project) }
let(:long_mr) do let(:long_mr) do
metrics_data = { metrics_data = {
...@@ -25,6 +28,7 @@ describe ProductivityAnalytics do ...@@ -25,6 +28,7 @@ describe ProductivityAnalytics do
} }
create(:labeled_merge_request, :merged, :with_productivity_metrics, create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b], labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago, created_at: 31.days.ago,
metrics_data: metrics_data) metrics_data: metrics_data)
end end
...@@ -40,6 +44,7 @@ describe ProductivityAnalytics do ...@@ -40,6 +44,7 @@ describe ProductivityAnalytics do
} }
create(:labeled_merge_request, :merged, :with_productivity_metrics, create(:labeled_merge_request, :merged, :with_productivity_metrics,
source_project: project,
created_at: 15.days.ago, created_at: 15.days.ago,
metrics_data: metrics_data) metrics_data: metrics_data)
end end
...@@ -56,6 +61,7 @@ describe ProductivityAnalytics do ...@@ -56,6 +61,7 @@ describe ProductivityAnalytics do
create(:labeled_merge_request, :merged, :with_productivity_metrics, create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b], labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago, created_at: 31.days.ago,
metrics_data: metrics_data) metrics_data: metrics_data)
end end
...@@ -72,6 +78,7 @@ describe ProductivityAnalytics do ...@@ -72,6 +78,7 @@ describe ProductivityAnalytics do
create(:labeled_merge_request, :merged, :with_productivity_metrics, create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b], labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago, created_at: 31.days.ago,
metrics_data: metrics_data) metrics_data: metrics_data)
end end
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe BasePolicy, :do_not_mock_admin_mode do describe BasePolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
let(:auditor) { build(:auditor) } let(:auditor) { build(:auditor) }
......
...@@ -74,7 +74,13 @@ describe Ci::BuildPolicy do ...@@ -74,7 +74,13 @@ describe Ci::BuildPolicy do
context 'with admin' do context 'with admin' do
let(:current_user) { admin } let(:current_user) { admin }
it { expect_allowed(*build_permissions) } context 'when admin mode enabled', :enable_admin_mode do
it { expect_allowed(*build_permissions) }
end
context 'when admin mode disabled' do
it { expect_disallowed(*build_permissions) }
end
context 'when build is not from a webide pipeline' do context 'when build is not from a webide pipeline' do
let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :chat) } let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :chat) }
...@@ -87,8 +93,15 @@ describe Ci::BuildPolicy do ...@@ -87,8 +93,15 @@ describe Ci::BuildPolicy do
allow(build).to receive(:has_terminal?).and_return(false) allow(build).to receive(:has_terminal?).and_return(false)
end end
it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) } context 'when admin mode enabled', :enable_admin_mode do
it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) } it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) }
it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
end
context 'when admin mode disabled' do
it { expect_disallowed(:read_web_ide_terminal, :update_web_ide_terminal) }
it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
end
end end
context 'feature flag "build_service_proxy" is disabled' do context 'feature flag "build_service_proxy" is disabled' do
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe Clusters::InstancePolicy do describe Clusters::InstancePolicy, :enable_admin_mode do
let(:user) { build(:admin) } let(:user) { build(:admin) }
let(:instance) { Clusters::Instance.new } let(:instance) { Clusters::Instance.new }
......
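Review bot: Tagging the top-level `describe Clusters::InstancePolicy` with `:enable_admin_mode` runs every example with admin mode on, so this spec never checks that an admin without admin mode is denied. The other policy specs in this commit pair each allowed case with a `context 'when admin mode disabled'` that asserts the denial. I would move the tag onto a nested `context 'when admin mode enabled', :enable_admin_mode do` and add a sibling context that asserts the instance-cluster abilities are disallowed. The rest of the file is outside this section, so the exact abilities to assert need to be taken from the existing examples.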
...@@ -10,8 +10,16 @@ describe Geo::RegistryPolicy do ...@@ -10,8 +10,16 @@ describe Geo::RegistryPolicy do
context 'when the user is an admin' do context 'when the user is an admin' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
it 'allows read_geo_registry for any registry' do context 'when admin mode is enabled', :enable_admin_mode do
expect(policy).to be_allowed(:read_geo_registry) it 'allows read_geo_registry for any registry' do
expect(policy).to be_allowed(:read_geo_registry)
end
end
context 'when admin mode is disabled' do
it 'disallows read_geo_registry for any registry' do
expect(policy).to be_disallowed(:read_geo_registry)
end
end end
end end
......
...@@ -10,8 +10,16 @@ describe GeoNodePolicy do ...@@ -10,8 +10,16 @@ describe GeoNodePolicy do
context 'when the user is an admin' do context 'when the user is an admin' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
it 'allows read_geo_node for any GeoNode' do context 'when admin mode is enabled', :enable_admin_mode do
expect(policy).to be_allowed(:read_geo_node) it 'allows read_geo_node for any GeoNode' do
expect(policy).to be_allowed(:read_geo_node)
end
end
context 'when admin mode is disabled' do
it 'disallows read_geo_node for any GeoNode' do
expect(policy).to be_disallowed(:read_geo_node)
end
end end
end end
......
...@@ -5,6 +5,8 @@ require 'spec_helper' ...@@ -5,6 +5,8 @@ require 'spec_helper'
describe GlobalPolicy do describe GlobalPolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
let_it_be(:admin) { create(:admin) }
let(:current_user) { create(:user) } let(:current_user) { create(:user) }
let(:user) { create(:user) } let(:user) { create(:user) }
...@@ -38,9 +40,17 @@ describe GlobalPolicy do ...@@ -38,9 +40,17 @@ describe GlobalPolicy do
it { is_expected.to be_disallowed(:destroy_licenses) } it { is_expected.to be_disallowed(:destroy_licenses) }
it { is_expected.to be_disallowed(:read_all_geo) } it { is_expected.to be_disallowed(:read_all_geo) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_licenses) } context 'when admin mode enabled', :enable_admin_mode do
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:destroy_licenses) } it { expect(described_class.new(admin, [user])).to be_allowed(:read_licenses) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_all_geo) } it { expect(described_class.new(admin, [user])).to be_allowed(:destroy_licenses) }
it { expect(described_class.new(admin, [user])).to be_allowed(:read_all_geo) }
end
context 'when admin mode disabled' do
it { expect(described_class.new(admin, [user])).to be_disallowed(:read_licenses) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:destroy_licenses) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:read_all_geo) }
end
shared_examples 'analytics policy' do |action| shared_examples 'analytics policy' do |action|
context 'anonymous user' do context 'anonymous user' do
...@@ -69,15 +79,22 @@ describe GlobalPolicy do ...@@ -69,15 +79,22 @@ describe GlobalPolicy do
end end
it { is_expected.to be_disallowed(:update_max_pages_size) } it { is_expected.to be_disallowed(:update_max_pages_size) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:update_max_pages_size) }
context 'when admin mode enabled', :enable_admin_mode do
it { expect(described_class.new(admin, [user])).to be_allowed(:update_max_pages_size) }
end
context 'when admin mode disabled' do
it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }
end
end end
it { expect(described_class.new(create(:admin), [user])).to be_disallowed(:update_max_pages_size) } it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }
end end
describe 'create_group_with_default_branch_protection' do describe 'create_group_with_default_branch_protection' do
context 'for an admin' do context 'for an admin' do
let(:current_user) { create(:admin) } let(:current_user) { admin }
context 'when the `default_branch_protection_restriction_in_groups` feature is available' do context 'when the `default_branch_protection_restriction_in_groups` feature is available' do
before do before do
...@@ -97,7 +114,13 @@ describe GlobalPolicy do ...@@ -97,7 +114,13 @@ describe GlobalPolicy do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
end end
it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_group_with_default_branch_protection) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:create_group_with_default_branch_protection) }
end
end end
end end
......
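Review bot: The remaining top-level example `it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }` runs with admin mode off, so it now passes for any admin whatever the surrounding condition is. That condition starts outside the hunk and looks like the case where the feature is unavailable. If so, the example no longer shows that the feature gate is what denies the ability. Wrapping it in `context 'when admin mode enabled', :enable_admin_mode do ... end` would restore the original meaning.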
...@@ -418,8 +418,15 @@ describe GroupPolicy do ...@@ -418,8 +418,15 @@ describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
it { is_expected.to be_allowed(:override_group_member) } context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_group_member) } it { is_expected.to be_allowed(:override_group_member) }
it { is_expected.to be_allowed(:update_group_member) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:override_group_member) }
it { is_expected.to be_disallowed(:update_group_member) }
end
end end
context 'owner' do context 'owner' do
...@@ -801,7 +808,13 @@ describe GroupPolicy do ...@@ -801,7 +808,13 @@ describe GroupPolicy do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
end end
it { is_expected.to be_allowed(:update_default_branch_protection) } context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_default_branch_protection) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:update_default_branch_protection) }
end
end end
end end
......
...@@ -27,7 +27,13 @@ describe NamespacePolicy do ...@@ -27,7 +27,13 @@ describe NamespacePolicy do
context 'admin' do context 'admin' do
let(:current_user) { build_stubbed(:admin) } let(:current_user) { build_stubbed(:admin) }
it { is_expected.to be_allowed(:create_jira_connect_subscription) } context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_jira_connect_subscription) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
end
end end
context 'owner' do context 'owner' do
......
...@@ -22,14 +22,26 @@ describe UserPolicy do ...@@ -22,14 +22,26 @@ describe UserPolicy do
context 'when an admin user tries to update a regular user' do context 'when an admin user tries to update a regular user' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
it { is_expected.to be_allowed(ability) } context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(ability) }
end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(ability) }
end
end end
context 'when an admin user tries to update a ghost user' do context 'when an admin user tries to update a ghost user' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
let(:user) { create(:user, :ghost) } let(:user) { create(:user, :ghost) }
it { is_expected.not_to be_allowed(ability) } context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.not_to be_allowed(ability) }
end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(ability) }
end
end end
end end
...@@ -65,7 +77,13 @@ describe UserPolicy do ...@@ -65,7 +77,13 @@ describe UserPolicy do
context 'for an admin user' do context 'for an admin user' do
let(:current_user) { create(:admin) } let(:current_user) { create(:admin) }
it { is_expected.to be_allowed(:update_name) } context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_name) }
end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(:update_name) }
end
end end
end end
end end
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
RSpec.shared_examples 'protected environments access' do |developer_access = true| RSpec.shared_examples 'protected environments access' do |developer_access = true|
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
include AdminModeHelper
before do before do
allow(License).to receive(:feature_available?).and_call_original allow(License).to receive(:feature_available?).and_call_original
allow(License).to receive(:feature_available?).with(:protected_environments).and_return(feature_available) allow(License).to receive(:feature_available?).with(:protected_environments).and_return(feature_available)
...@@ -11,19 +13,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -11,19 +13,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
context 'when Protected Environments feature is not available in the project' do context 'when Protected Environments feature is not available in the project' do
let(:feature_available) { false } let(:feature_available) { false }
where(:access_level, :result) do where(:access_level, :admin_mode, :result) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | developer_access :developer | nil | developer_access
:maintainer | true :maintainer | nil | true
:admin | true :admin | false | false
:admin | true | true
end end
with_them do with_them do
before do before do
environment environment
update_user_access(access_level, user, project) update_user_access(access_level, admin_mode, user, project)
end end
it { is_expected.to eq(result) } it { is_expected.to eq(result) }
...@@ -37,19 +40,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -37,19 +40,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
let(:protected_environment) { create(:protected_environment, name: environment.name, project: project) } let(:protected_environment) { create(:protected_environment, name: environment.name, project: project) }
context 'when user does not have access to the environment' do context 'when user does not have access to the environment' do
where(:access_level, :result) do where(:access_level, :admin_mode, :result) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | false :developer | nil | false
:maintainer | false :maintainer | nil | false
:admin | true :admin | false | false
:admin | true | true
end end
with_them do with_them do
before do before do
protected_environment protected_environment
update_user_access(access_level, user, project) update_user_access(access_level, admin_mode, user, project)
end end
it { is_expected.to eq(result) } it { is_expected.to eq(result) }
...@@ -57,19 +61,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -57,19 +61,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end end
context 'when user has access to the environment' do context 'when user has access to the environment' do
where(:access_level, :result) do where(:access_level, :admin_mode, :result) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | developer_access :developer | nil | developer_access
:maintainer | true :maintainer | nil | true
:admin | true :admin | false | false
:admin | true | true
end end
with_them do with_them do
before do before do
protected_environment.deploy_access_levels.create(user: user) protected_environment.deploy_access_levels.create(user: user)
update_user_access(access_level, user, project) update_user_access(access_level, admin_mode, user, project)
end end
it { is_expected.to eq(result) } it { is_expected.to eq(result) }
...@@ -78,17 +83,18 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -78,17 +83,18 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end end
context 'when environment is not protected' do context 'when environment is not protected' do
where(:access_level, :result) do where(:access_level, :admin_mode, :result) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | developer_access :developer | nil | developer_access
:maintainer | true :maintainer | nil | true
:admin | true :admin | false | false
:admin | true | true
end end
with_them do with_them do
before do before do
update_user_access(access_level, user, project) update_user_access(access_level, admin_mode, user, project)
end end
it { is_expected.to eq(result) } it { is_expected.to eq(result) }
...@@ -96,9 +102,10 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -96,9 +102,10 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end end
end end
def update_user_access(access_level, user, project) def update_user_access(access_level, admin_mode, user, project)
if access_level == :admin if access_level == :admin
user.update_attribute(:admin, true) user.update_attribute(:admin, true)
enable_admin_mode!(user) if admin_mode
elsif access_level.present? elsif access_level.present?
project.add_user(user, access_level) project.add_user(user, access_level)
end end
......
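Review bot: Inserting `admin_mode` as a second positional argument of `update_user_access` makes each call site harder to read and forces a `nil` column onto every non-admin table row. A keyword with a default, `def update_user_access(access_level, user, project, admin_mode: false)`, keeps the old call shape and makes the admin rows explicit. A one-line comment on the helper should also say that `admin_mode` is only consulted for `:admin`, and that the "admin mode off" rows rely on admin mode being disabled by default in specs, since the helper never turns it off. The helper body continues outside the hunk.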
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe Ldap::OmniauthCallbacksController, :do_not_mock_admin_mode do describe Ldap::OmniauthCallbacksController do
include_context 'Ldap::OmniauthCallbacksController' include_context 'Ldap::OmniauthCallbacksController'
it 'allows sign in' do it 'allows sign in' do
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe OmniauthCallbacksController, type: :controller, do_not_mock_admin_mode: true do describe OmniauthCallbacksController, type: :controller do
include LoginHelpers include LoginHelpers
describe 'omniauth' do describe 'omniauth' do
......
...@@ -74,13 +74,20 @@ describe Ability do ...@@ -74,13 +74,20 @@ describe Ability do
context 'using a private project' do context 'using a private project' do
let(:project) { create(:project, :private) } let(:project) { create(:project, :private) }
it 'returns users that are administrators' do it 'returns users that are administrators when admin mode is enabled', :enable_admin_mode do
user = build(:user, admin: true) user = build(:user, admin: true)
expect(described_class.users_that_can_read_project([user], project)) expect(described_class.users_that_can_read_project([user], project))
.to eq([user]) .to eq([user])
end end
it 'does not return users that are administrators when admin mode is disabled' do
user = build(:user, admin: true)
expect(described_class.users_that_can_read_project([user], project))
.to eq([])
end
it 'returns external users if they are the project owner' do it 'returns external users if they are the project owner' do
user1 = build(:user, external: true) user1 = build(:user, external: true)
user2 = build(:user, external: true) user2 = build(:user, external: true)
...@@ -145,7 +152,7 @@ describe Ability do ...@@ -145,7 +152,7 @@ describe Ability do
end end
describe '.merge_requests_readable_by_user' do describe '.merge_requests_readable_by_user' do
context 'with an admin' do context 'with an admin when admin mode is enabled', :enable_admin_mode do
it 'returns all merge requests' do it 'returns all merge requests' do
user = build(:user, admin: true) user = build(:user, admin: true)
merge_request = build(:merge_request) merge_request = build(:merge_request)
...@@ -155,6 +162,19 @@ describe Ability do ...@@ -155,6 +162,19 @@ describe Ability do
end end
end end
context 'with an admin when admin mode is disabled' do
it 'returns merge_requests that are publicly visible' do
user = build(:user, admin: true)
hidden_merge_request = build(:merge_request)
visible_merge_request = build(:merge_request, source_project: build(:project, :public))
merge_requests = described_class
.merge_requests_readable_by_user([hidden_merge_request, visible_merge_request], user)
expect(merge_requests).to eq([visible_merge_request])
end
end
context 'without a user' do context 'without a user' do
it 'returns merge_requests that are publicly visible' do it 'returns merge_requests that are publicly visible' do
hidden_merge_request = build(:merge_request) hidden_merge_request = build(:merge_request)
...@@ -217,7 +237,7 @@ describe Ability do ...@@ -217,7 +237,7 @@ describe Ability do
end end
describe '.issues_readable_by_user' do describe '.issues_readable_by_user' do
context 'with an admin user' do context 'with an admin when admin mode is enabled', :enable_admin_mode do
it 'returns all given issues' do it 'returns all given issues' do
user = build(:user, admin: true) user = build(:user, admin: true)
issue = build(:issue) issue = build(:issue)
...@@ -227,6 +247,26 @@ describe Ability do ...@@ -227,6 +247,26 @@ describe Ability do
end end
end end
context 'with an admin when admin mode is disabled' do
it 'returns the issues readable by the admin' do
user = build(:user, admin: true)
issue = build(:issue)
expect(issue).to receive(:readable_by?).with(user).and_return(true)
expect(described_class.issues_readable_by_user([issue], user))
.to eq([issue])
end
it 'returns no issues when not given access' do
user = build(:user, admin: true)
issue = build(:issue)
expect(described_class.issues_readable_by_user([issue], user))
.to be_empty
end
end
context 'with a regular user' do context 'with a regular user' do
it 'returns the issues readable by the user' do it 'returns the issues readable by the user' do
user = build(:user) user = build(:user)
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#code' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#code' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#issue' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#issue' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#plan' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#plan' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#production' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#production' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -5,7 +5,7 @@ require 'spec_helper' ...@@ -5,7 +5,7 @@ require 'spec_helper'
describe CycleAnalytics::ProjectLevel do describe CycleAnalytics::ProjectLevel do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:issue) { create(:issue, project: project, created_at: 2.days.ago) } let_it_be(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
let_it_be(:milestone) { create(:milestone, project: project) } let_it_be(:milestone) { create(:milestone, project: project) }
let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") } let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#review' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#review' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
subject { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } subject { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#staging' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#staging' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#test' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#test' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:issue) { create(:issue, project: project) } let_it_be(:issue) { create(:issue, project: project) }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
let!(:merge_request) { create_merge_request_closing_issue(user, project, issue) } let!(:merge_request) { create_merge_request_closing_issue(user, project, issue) }
......
...@@ -287,8 +287,16 @@ describe Event do ...@@ -287,8 +287,16 @@ describe Event do
context 'private project' do context 'private project' do
let(:project) { create(:project, :private, :repository) } let(:project) { create(:project, :private, :repository) }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_none_except(:member, :admin) } include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member) }
end
end end
end end
end end
...@@ -340,8 +348,16 @@ describe Event do ...@@ -340,8 +348,16 @@ describe Event do
let(:project) { private_project } let(:project) { private_project }
let(:target) { note_on_issue } let(:target) { note_on_issue }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) } include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end end
include_examples 'visible to assignee and author', false include_examples 'visible to assignee and author', false
...@@ -366,8 +382,16 @@ describe Event do ...@@ -366,8 +382,16 @@ describe Event do
context 'private project' do context 'private project' do
let(:project) { private_project } let(:project) { private_project }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_none_except(:member, :admin) } include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member) }
end
end end
include_examples 'visible to assignee', false include_examples 'visible to assignee', false
...@@ -384,16 +408,32 @@ describe Event do ...@@ -384,16 +408,32 @@ describe Event do
context 'on public project with private issue tracker and merge requests' do context 'on public project with private issue tracker and merge requests' do
let(:project) { create(:project, :public, :issues_private, :merge_requests_private) } let(:project) { create(:project, :public, :issues_private, :merge_requests_private) }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) } include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end end
end end
context 'on private project' do context 'on private project' do
let(:project) { create(:project, :private) } let(:project) { create(:project, :private) }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) } include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end end
end end
end end
...@@ -404,8 +444,16 @@ describe Event do ...@@ -404,8 +444,16 @@ describe Event do
context 'on private project', :aggregate_failures do context 'on private project', :aggregate_failures do
let(:project) { create(:project, :wiki_repo) } let(:project) { create(:project, :wiki_repo) }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) } include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end end
end end
...@@ -428,9 +476,18 @@ describe Event do ...@@ -428,9 +476,18 @@ describe Event do
context 'on public project with private snippets' do context 'on public project with private snippets' do
let(:project) { create(:project, :public, :snippets_private) } let(:project) { create(:project, :public, :snippets_private) }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) } include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end end
# Normally, we'd expect the author of a comment to be able to view it. # Normally, we'd expect the author of a comment to be able to view it.
# However, this doesn't seem to be the case for comments on snippets. # However, this doesn't seem to be the case for comments on snippets.
...@@ -440,9 +497,18 @@ describe Event do ...@@ -440,9 +497,18 @@ describe Event do
context 'on private project' do context 'on private project' do
let(:project) { create(:project, :private) } let(:project) { create(:project, :private) }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) } include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end end
# Normally, we'd expect the author of a comment to be able to view it. # Normally, we'd expect the author of a comment to be able to view it.
# However, this doesn't seem to be the case for comments on snippets. # However, this doesn't seem to be the case for comments on snippets.
...@@ -470,8 +536,16 @@ describe Event do ...@@ -470,8 +536,16 @@ describe Event do
context 'on private snippet' do context 'on private snippet' do
let(:personal_snippet) { create(:personal_snippet, :private, author: author) } let(:personal_snippet) { create(:personal_snippet, :private, author: author) }
include_examples 'visibility examples' do context 'when admin mode enabled', :enable_admin_mode do
let(:visibility) { visible_to_none_except(:admin) } include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none }
end
end end
include_examples 'visible to author', true include_examples 'visible to author', true
......
...@@ -612,8 +612,15 @@ describe Issue do ...@@ -612,8 +612,15 @@ describe Issue do
context 'with an admin user' do context 'with an admin user' do
let(:user) { build(:admin) } let(:user) { build(:admin) }
it_behaves_like 'issue readable by user' context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'confidential issue readable by user' it_behaves_like 'issue readable by user'
it_behaves_like 'confidential issue readable by user'
end
context 'when admin mode is disabled' do
it_behaves_like 'issue not readable by user'
it_behaves_like 'confidential issue not readable by user'
end
end end
context 'with an owner' do context 'with an owner' do
...@@ -732,13 +739,29 @@ describe Issue do ...@@ -732,13 +739,29 @@ describe Issue do
expect(issue.visible_to_user?(user)).to be_falsy expect(issue.visible_to_user?(user)).to be_falsy
end end
it 'does not check the external webservice for admins' do context 'with an admin' do
issue = build(:issue) context 'when admin mode is enabled', :enable_admin_mode do
user = build(:admin) it 'does not check the external webservice' do
issue = build(:issue)
user = build(:admin)
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
issue.visible_to_user?(user)
end
end
context 'when admin mode is disabled' do
it 'checks the external service to determine if an issue is readable by the admin' do
project = build(:project, :public,
external_authorization_classification_label: 'a-label')
issue = build(:issue, project: project)
user = build(:admin)
issue.visible_to_user?(user) expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false }
expect(issue.visible_to_user?(user)).to be_falsy
end
end
end end
end end
......
...@@ -241,10 +241,22 @@ describe Member do ...@@ -241,10 +241,22 @@ describe Member do
expect(member).to be_persisted expect(member).to be_persisted
end end
it 'sets members.created_by to the given current_user' do context 'when admin mode is enabled', :enable_admin_mode do
member = described_class.add_user(source, user, :maintainer, current_user: admin) it 'sets members.created_by to the given admin current_user' do
member = described_class.add_user(source, user, :maintainer, current_user: admin)
expect(member.created_by).to eq(admin) expect(member.created_by).to eq(admin)
end
end
context 'when admin mode is disabled' do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
# https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit 'rejects setting members.created_by to the given admin current_user' do
member = described_class.add_user(source, user, :maintainer, current_user: admin)
expect(member.created_by).not_to be_persisted
end
end end
it 'sets members.expires_at to the given expires_at' do it 'sets members.expires_at to the given expires_at' do
...@@ -353,7 +365,7 @@ describe Member do ...@@ -353,7 +365,7 @@ describe Member do
end end
end end
context 'when current_user can update member' do context 'when current_user can update member', :enable_admin_mode do
it 'creates the member' do it 'creates the member' do
expect(source.users).not_to include(user) expect(source.users).not_to include(user)
...@@ -421,7 +433,7 @@ describe Member do ...@@ -421,7 +433,7 @@ describe Member do
end end
end end
context 'when current_user can update member' do context 'when current_user can update member', :enable_admin_mode do
it 'updates the member' do it 'updates the member' do
expect(source.users).to include(user) expect(source.users).to include(user)
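Review bot: The skipped example under 'when admin mode is disabled' asserts on `member.created_by`, which is the creating user rather than the membership being rejected. Once the `xit` is lifted, `expect(member.created_by).not_to be_persisted` would presumably either fail because the admin record is persisted or raise on `nil`, so it could never confirm that the admin was refused. If the intent is that `add_user` does not save the member when the admin has no admin mode, the assertion should read `expect(member).not_to be_persisted`. The body of `add_user` is not visible here, so confirm what it returns on a denied call.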
......
...@@ -31,27 +31,30 @@ describe ProjectFeature do ...@@ -31,27 +31,30 @@ describe ProjectFeature do
context 'when features are disabled' do context 'when features are disabled' do
it "returns false" do it "returns false" do
update_all_project_features(project, features, ProjectFeature::DISABLED)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::DISABLED) expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(false)
end end
end end
end end
context 'when features are enabled only for team members' do context 'when features are enabled only for team members' do
it "returns false when user is not a team member" do it "returns false when user is not a team member" do
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(false)
end end
end end
it "returns true when user is a team member" do it "returns true when user is a team member" do
project.add_developer(user) project.add_developer(user)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(true)
end end
end end
...@@ -60,27 +63,41 @@ describe ProjectFeature do ...@@ -60,27 +63,41 @@ describe ProjectFeature do
project = create(:project, namespace: group) project = create(:project, namespace: group)
group.add_developer(user) group.add_developer(user)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(true)
end end
end end
it "returns true if user is an admin" do context 'when admin mode is enabled', :enable_admin_mode do
user.update_attribute(:admin, true) it "returns true if user is an admin" do
user.update_attribute(:admin, true)
features.each do |feature| update_all_project_features(project, features, ProjectFeature::PRIVATE)
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
expect(project.feature_available?(:issues, user)).to eq(true) features.each do |feature|
expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
end
end
end
context 'when admin mode is disabled' do
it "returns false when user is an admin" do
user.update_attribute(:admin, true)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature|
expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
end
end end
end end
end end
context 'when feature is enabled for everyone' do context 'when feature is enabled for everyone' do
it "returns true" do it "returns true" do
features.each do |feature| expect(project.feature_available?(:issues, user)).to eq(true)
expect(project.feature_available?(:issues, user)).to eq(true)
end
end end
end end
...@@ -117,7 +134,7 @@ describe ProjectFeature do ...@@ -117,7 +134,7 @@ describe ProjectFeature do
features.each do |feature| features.each do |feature|
field = "#{feature}_access_level".to_sym field = "#{feature}_access_level".to_sym
project_feature.update_attribute(field, ProjectFeature::ENABLED) project_feature.update_attribute(field, ProjectFeature::ENABLED)
expect(project_feature.valid?).to be_falsy expect(project_feature.valid?).to be_falsy, "#{field} failed"
end end
end end
end end
...@@ -131,7 +148,7 @@ describe ProjectFeature do ...@@ -131,7 +148,7 @@ describe ProjectFeature do
field = "#{feature}_access_level".to_sym field = "#{feature}_access_level".to_sym
project_feature.update_attribute(field, ProjectFeature::PUBLIC) project_feature.update_attribute(field, ProjectFeature::PUBLIC)
expect(project_feature.valid?).to be_falsy expect(project_feature.valid?).to be_falsy, "#{field} failed"
end end
end end
end end
...@@ -140,22 +157,24 @@ describe ProjectFeature do ...@@ -140,22 +157,24 @@ describe ProjectFeature do
let(:features) { %w(wiki builds merge_requests) } let(:features) { %w(wiki builds merge_requests) }
it "returns false when feature is disabled" do it "returns false when feature is disabled" do
update_all_project_features(project, features, ProjectFeature::DISABLED)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::DISABLED) expect(project.public_send("#{feature}_enabled?")).to eq(false), "#{feature} failed"
expect(project.public_send("#{feature}_enabled?")).to eq(false)
end end
end end
it "returns true when feature is enabled only for team members" do it "returns true when feature is enabled only for team members" do
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.public_send("#{feature}_enabled?")).to eq(true), "#{feature} failed"
expect(project.public_send("#{feature}_enabled?")).to eq(true)
end end
end end
it "returns true when feature is enabled for everyone" do it "returns true when feature is enabled for everyone" do
features.each do |feature| features.each do |feature|
expect(project.public_send("#{feature}_enabled?")).to eq(true) expect(project.public_send("#{feature}_enabled?")).to eq(true), "#{feature} failed"
end end
end end
end end
...@@ -198,7 +217,7 @@ describe ProjectFeature do ...@@ -198,7 +217,7 @@ describe ProjectFeature do
end end
describe '#public_pages?' do describe '#public_pages?' do
it 'returns true if Pages access controll is not enabled' do it 'returns true if Pages access control is not enabled' do
stub_config(pages: { access_control: false }) stub_config(pages: { access_control: false })
project_feature = described_class.new(pages_access_level: described_class::PRIVATE) project_feature = described_class.new(pages_access_level: described_class::PRIVATE)
...@@ -281,7 +300,7 @@ describe ProjectFeature do ...@@ -281,7 +300,7 @@ describe ProjectFeature do
it 'raises error if feature is invalid' do it 'raises error if feature is invalid' do
expect do expect do
described_class.required_minimum_access_level(:foos) described_class.required_minimum_access_level(:foos)
end.to raise_error end.to raise_error(ArgumentError)
end end
end end
...@@ -294,4 +313,9 @@ describe ProjectFeature do ...@@ -294,4 +313,9 @@ describe ProjectFeature do
expect(described_class.required_minimum_access_level_for_private_project(:issues)).to eq(Gitlab::Access::GUEST) expect(described_class.required_minimum_access_level_for_private_project(:issues)).to eq(Gitlab::Access::GUEST)
end end
end end
def update_all_project_features(project, features, value)
project_feature_attributes = features.map { |f| ["#{f}_access_level", value] }.to_h
project.project_feature.update(project_feature_attributes)
end
end end
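Review bot: The new `update_all_project_features` helper ignores the result of `project.project_feature.update(...)`, whereas the replaced `update_attribute` calls skipped validation. If the bulk update fails validation, it returns false and the features keep their previous levels. The "returns true" examples for team members and for admins with admin mode enabled could then pass without the `PRIVATE` level ever being applied. Use `project.project_feature.update!(project_feature_attributes)` so that a rejected update fails the example instead of weakening an access-control assertion.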
...@@ -3777,7 +3777,7 @@ describe Project do ...@@ -3777,7 +3777,7 @@ describe Project do
end end
end end
describe '.filter_by_feature_visibility' do describe '.filter_by_feature_visibility', :enable_admin_mode do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
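Review bot: Tagging the whole `.filter_by_feature_visibility` describe with `:enable_admin_mode` makes every example in it run with admin mode on, so an admin without admin mode is not exercised here. The same applies to `describe BlobPolicy, :enable_admin_mode` further down. Other specs in this commit pair each admin case with a 'when admin mode is disabled' context, and the permission tables are where a regression in that boundary would be easiest to miss. The describe body and the 'ProjectPolicyTable context' are outside this hunk, so this may be covered elsewhere. If it is not, add a disabled-mode context or leave a comment such as `# admin rows assume admin mode is enabled; the disabled case is not covered by this table`.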
......
...@@ -20,15 +20,30 @@ describe SpamLog do ...@@ -20,15 +20,30 @@ describe SpamLog do
expect { spam_log.remove_user(deleted_by: admin) }.to change { spam_log.user.blocked? }.to(true) expect { spam_log.remove_user(deleted_by: admin) }.to change { spam_log.user.blocked? }.to(true)
end end
it 'removes the user', :sidekiq_might_not_need_inline do context 'when admin mode is enabled', :enable_admin_mode do
spam_log = build(:spam_log) it 'removes the user', :sidekiq_might_not_need_inline do
user = spam_log.user spam_log = build(:spam_log)
user = spam_log.user
perform_enqueued_jobs do
spam_log.remove_user(deleted_by: admin)
end
perform_enqueued_jobs do expect { User.find(user.id) }.to raise_error(ActiveRecord::RecordNotFound)
spam_log.remove_user(deleted_by: admin)
end end
end
expect { User.find(user.id) }.to raise_error(ActiveRecord::RecordNotFound) context 'when admin mode is disabled' do
it 'does not allow to remove the user', :sidekiq_might_not_need_inline do
spam_log = build(:spam_log)
user = spam_log.user
perform_enqueued_jobs do
spam_log.remove_user(deleted_by: admin)
end
expect(User.exists?(user.id)).to be(true)
end
end end
end end
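Review bot: The 'does not allow to remove the user' example only checks `User.exists?(user.id)` after the call, so it passes whenever the deletion does not happen, whatever the reason. Because the log comes from `build(:spam_log)`, pin the precondition with `expect(user).to be_persisted` before `remove_user`. The unchanged example above shows that `remove_user` also blocks the user. The disabled-mode case should therefore state whether an admin without admin mode can still block, for example `expect(user.reload).not_to be_blocked`, if that is the intended behaviour.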
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe User, :do_not_mock_admin_mode do describe User do
include ProjectForksHelper include ProjectForksHelper
include TermsHelper include TermsHelper
include ExclusiveLeaseHelpers include ExclusiveLeaseHelpers
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe BasePolicy, :do_not_mock_admin_mode do describe BasePolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
include AdminModeHelper include AdminModeHelper
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe BlobPolicy do describe BlobPolicy, :enable_admin_mode do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
......
...@@ -80,8 +80,15 @@ describe Clusters::ClusterPolicy, :models do ...@@ -80,8 +80,15 @@ describe Clusters::ClusterPolicy, :models do
context 'when admin' do context 'when admin' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
it { expect(policy).to be_allowed :update_cluster } context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :admin_cluster } it { expect(policy).to be_allowed :update_cluster }
it { expect(policy).to be_allowed :admin_cluster }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
end end
end end
end end
......
...@@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do ...@@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do
context 'when admin' do context 'when admin' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
it { expect(policy).to be_allowed :read_cluster } context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :add_cluster } it { expect(policy).to be_allowed :read_cluster }
it { expect(policy).to be_allowed :create_cluster } it { expect(policy).to be_allowed :add_cluster }
it { expect(policy).to be_allowed :update_cluster } it { expect(policy).to be_allowed :create_cluster }
it { expect(policy).to be_allowed :admin_cluster } it { expect(policy).to be_allowed :update_cluster }
it { expect(policy).to be_allowed :admin_cluster }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :read_cluster }
it { expect(policy).to be_disallowed :add_cluster }
it { expect(policy).to be_disallowed :create_cluster }
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
end end
end end
end end
...@@ -42,16 +42,28 @@ describe DeployKeyPolicy do ...@@ -42,16 +42,28 @@ describe DeployKeyPolicy do
context 'when an admin user' do context 'when an admin user' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
context ' tries to update private deploy key' do context 'tries to update private deploy key' do
let(:deploy_key) { create(:deploy_key, public: false) } let(:deploy_key) { create(:deploy_key, public: false) }
it { is_expected.to be_allowed(:update_deploy_key) } context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_deploy_key) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:update_deploy_key) }
end
end end
context 'when an admin user tries to update public deploy key' do context 'when an admin user tries to update public deploy key' do
let(:deploy_key) { create(:another_deploy_key, public: true) } let(:deploy_key) { create(:another_deploy_key, public: true) }
it { is_expected.to be_allowed(:update_deploy_key) } context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_deploy_key) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:update_deploy_key) }
end
end end
end end
end end
......
...@@ -71,7 +71,14 @@ describe DesignManagement::DesignPolicy do ...@@ -71,7 +71,14 @@ describe DesignManagement::DesignPolicy do
context "for admins" do context "for admins" do
let(:current_user) { admin } let(:current_user) { admin }
it { is_expected.to be_allowed(*design_abilities) } context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*design_abilities) }
end
context 'when admin mode disabled' do
it { is_expected.to be_allowed(*guest_design_abilities) }
it { is_expected.to be_disallowed(*developer_design_abilities) }
end
end end
context "for maintainers" do context "for maintainers" do
......
...@@ -37,7 +37,13 @@ describe EnvironmentPolicy do ...@@ -37,7 +37,13 @@ describe EnvironmentPolicy do
context 'when an admin user' do context 'when an admin user' do
let(:user) { create(:user, :admin) } let(:user) { create(:user, :admin) }
it { expect(policy).to be_allowed :stop_environment } context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end end
context 'with protected branch' do context 'with protected branch' do
...@@ -54,7 +60,13 @@ describe EnvironmentPolicy do ...@@ -54,7 +60,13 @@ describe EnvironmentPolicy do
context 'when an admin user' do context 'when an admin user' do
let(:user) { create(:user, :admin) } let(:user) { create(:user, :admin) }
it { expect(policy).to be_allowed :stop_environment } context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end end
end end
end end
...@@ -83,7 +95,13 @@ describe EnvironmentPolicy do ...@@ -83,7 +95,13 @@ describe EnvironmentPolicy do
context 'when an admin user' do context 'when an admin user' do
let(:user) { create(:user, :admin) } let(:user) { create(:user, :admin) }
it { expect(policy).to be_allowed :stop_environment } context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end end
end end
...@@ -126,7 +144,13 @@ describe EnvironmentPolicy do ...@@ -126,7 +144,13 @@ describe EnvironmentPolicy do
environment.stop! environment.stop!
end end
it { expect(policy).to be_allowed :destroy_environment } context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :destroy_environment }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :destroy_environment }
end
end end
end end
end end
......
...@@ -118,8 +118,15 @@ describe GlobalPolicy do ...@@ -118,8 +118,15 @@ describe GlobalPolicy do
context 'admin' do context 'admin' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
it { is_expected.to be_allowed(:read_custom_attribute) } context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_custom_attribute) } it { is_expected.to be_allowed(:read_custom_attribute) }
it { is_expected.to be_allowed(:update_custom_attribute) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_custom_attribute) }
it { is_expected.to be_disallowed(:update_custom_attribute) }
end
end end
end end
...@@ -368,7 +375,13 @@ describe GlobalPolicy do ...@@ -368,7 +375,13 @@ describe GlobalPolicy do
stub_application_setting(instance_statistics_visibility_private: true) stub_application_setting(instance_statistics_visibility_private: true)
end end
it { is_expected.to be_allowed(:read_instance_statistics) } context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_instance_statistics) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_instance_statistics) }
end
end end
end end
......
...@@ -644,7 +644,13 @@ describe GroupPolicy do ...@@ -644,7 +644,13 @@ describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
it { expect_allowed(:update_max_artifacts_size) } context 'when admin mode is enabled', :enable_admin_mode do
it { expect_allowed(:update_max_artifacts_size) }
end
context 'when admin mode is enabled' do
it { expect_disallowed(:update_max_artifacts_size) }
end
end end
%w(guest reporter developer maintainer owner).each do |role| %w(guest reporter developer maintainer owner).each do |role|
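Review bot: The second context added under 'admin' is titled 'when admin mode is enabled', but it has no `:enable_admin_mode` tag and expects `expect_disallowed(:update_max_artifacts_size)`, so it is really the disabled case. As written, two sibling contexts share one description, and a failure in the denial path would be reported under the wrong mode. Rename it to `context 'when admin mode is disabled' do`.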
......
...@@ -206,11 +206,25 @@ describe IssuePolicy do ...@@ -206,11 +206,25 @@ describe IssuePolicy do
it 'allows guests to comment' do it 'allows guests to comment' do
expect(permissions(guest, issue)).to be_allowed(:create_note) expect(permissions(guest, issue)).to be_allowed(:create_note)
end end
it 'allows admins to view' do
expect(permissions(admin, issue)).to be_allowed(:read_issue) context 'when admin mode is enabled', :enable_admin_mode do
it 'allows admins to view' do
expect(permissions(admin, issue)).to be_allowed(:read_issue)
end
it 'allows admins to comment' do
expect(permissions(admin, issue)).to be_allowed(:create_note)
end
end end
it 'allows admins to comment' do
expect(permissions(admin, issue)).to be_allowed(:create_note) context 'when admin mode is disabled' do
it 'forbids admins to view' do
expect(permissions(admin, issue)).to be_disallowed(:read_issue)
end
it 'forbids admins to comment' do
expect(permissions(admin, issue)).to be_disallowed(:create_note)
end
end end
end end
......
...@@ -40,6 +40,12 @@ describe NamespacePolicy do ...@@ -40,6 +40,12 @@ describe NamespacePolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
it { is_expected.to be_allowed(*owner_permissions) } context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*owner_permissions) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(*owner_permissions) }
end
end end
end end
...@@ -295,8 +295,16 @@ describe NotePolicy do ...@@ -295,8 +295,16 @@ describe NotePolicy do
expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end end
it 'allows admins to read all notes and admin them' do context 'when admin mode is enabled', :enable_admin_mode do
expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) it 'allows admins to read all notes and admin them' do
expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end
end
context 'when admin mode is disabled' do
it 'does not allow non members to read confidential notes and replies' do
expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end
end end
it 'allows noteable author to read and resolve all notes' do it 'allows noteable author to read and resolve all notes' do
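Review bot: The example added under 'when admin mode is disabled' is titled 'does not allow non members to read confidential notes and replies', yet it evaluates `permissions(admin, confidential_note)`. The case under test is an admin whose admin mode is off, which the title does not mention. A title such as `it 'does not allow admins to read confidential notes or admin them' do` names the rule being protected. The assertion covers `:read_note, :admin_note, :resolve_note, :award_emoji`, so the title should not narrow it to reading.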
......
...@@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do ...@@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do
described_class.new(user, snippet) described_class.new(user, snippet)
end end
shared_examples 'admin access' do shared_examples 'admin access with admin mode' do
context 'admin user' do context 'admin user', :enable_admin_mode do
subject { permissions(admin_user) } subject { permissions(admin_user) }
it do it do
...@@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do ...@@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do
end end
end end
it_behaves_like 'admin access' it_behaves_like 'admin access with admin mode'
end end
context 'internal snippet' do context 'internal snippet' do
...@@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do ...@@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do
end end
end end
it_behaves_like 'admin access' it_behaves_like 'admin access with admin mode'
end end
context 'private snippet' do context 'private snippet' do
...@@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do ...@@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do
end end
end end
it_behaves_like 'admin access' it_behaves_like 'admin access with admin mode'
end end
end end
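Review bot: The rename to 'admin access with admin mode' leaves this spec with no example for an admin whose admin mode is off, whereas the other policy specs in this commit pair each enabled context with a disabled one. The 'private snippet' context is where this matters, since an admin without admin mode should presumably get no more there than any other non-author. Consider a second shared example, e.g. `shared_examples 'admin access without admin mode'`, included only in the private-snippet context and asserting that the abilities are disallowed for `permissions(admin_user)`. The body of the existing shared example continues outside the visible hunks, so the exact ability list has to be taken from there.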
...@@ -275,7 +275,8 @@ describe ProjectPolicy do ...@@ -275,7 +275,8 @@ describe ProjectPolicy do
it_behaves_like 'project policies as developer' it_behaves_like 'project policies as developer'
it_behaves_like 'project policies as maintainer' it_behaves_like 'project policies as maintainer'
it_behaves_like 'project policies as owner' it_behaves_like 'project policies as owner'
it_behaves_like 'project policies as admin' it_behaves_like 'project policies as admin with admin mode'
it_behaves_like 'project policies as admin without admin mode'
context 'when a public project has merge requests allowing access' do context 'when a public project has merge requests allowing access' do
include ProjectForksHelper include ProjectForksHelper
...@@ -306,7 +307,7 @@ describe ProjectPolicy do ...@@ -306,7 +307,7 @@ describe ProjectPolicy do
expect_allowed(*maintainer_abilities) expect_allowed(*maintainer_abilities)
end end
it 'dissallows abilities to a maintainer if the merge request was closed' do it 'disallows abilities to a maintainer if the merge request was closed' do
target_project.add_developer(user) target_project.add_developer(user)
merge_request.close! merge_request.close!
...@@ -350,10 +351,24 @@ describe ProjectPolicy do ...@@ -350,10 +351,24 @@ describe ProjectPolicy do
expect(described_class.new(developer, project)).to be_allowed(:read_project) expect(described_class.new(developer, project)).to be_allowed(:read_project)
end end
it 'does not check the external service for admins and allows access' do context 'with an admin' do
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) context 'when admin mode is enabled', :enable_admin_mode do
it 'does not check the external service and allows access' do
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
expect(described_class.new(admin, project)).to be_allowed(:read_project) expect(described_class.new(admin, project)).to be_allowed(:read_project)
end
end
context 'when admin mode is disabled' do
it 'checks the external service and allows access' do
external_service_allow_access(admin, project)
expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?)
expect(described_class.new(admin, project)).to be_allowed(:read_project)
end
end
end end
it 'prevents all but seeing a public project in a list when access is denied' do it 'prevents all but seeing a public project in a list when access is denied' do
...@@ -416,7 +431,13 @@ describe ProjectPolicy do ...@@ -416,7 +431,13 @@ describe ProjectPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
it { expect_allowed(:update_max_artifacts_size) } context 'when admin mode is enabled', :enable_admin_mode do
it { expect_allowed(:update_max_artifacts_size) }
end
context 'when admin mode is disabled' do
it { expect_disallowed(:update_max_artifacts_size) }
end
end end
%w(guest reporter developer maintainer owner).each do |role| %w(guest reporter developer maintainer owner).each do |role|
...@@ -448,7 +469,13 @@ describe ProjectPolicy do ...@@ -448,7 +469,13 @@ describe ProjectPolicy do
context 'with admin' do context 'with admin' do
let(:current_user) { admin } let(:current_user) { admin }
it { is_expected.to be_allowed(:read_prometheus_alerts) } context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_prometheus_alerts) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
end end
context 'with owner' do context 'with owner' do
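Review bot: In the external-authorization hunk, the new 'when admin mode is disabled' context covers only the path where the external service allows access. Nothing asserts that a denial from the service actually blocks an admin who is not in admin mode. That is the case the admin-mode split is meant to protect, so a companion example is worth adding: `external_service_deny_access(admin, project)` followed by `expect(described_class.new(admin, project)).to be_disallowed(:read_project)`. This assumes the helper module behind `external_service_allow_access` also provides the deny counterpart. The expectation `expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?)` is also unconstrained on arguments, so it does not pin that the check was made for `admin`.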
......
...@@ -235,9 +235,18 @@ describe ProjectSnippetPolicy do ...@@ -235,9 +235,18 @@ describe ProjectSnippetPolicy do
let(:snippet_visibility) { :private } let(:snippet_visibility) { :private }
let(:current_user) { create(:admin) } let(:current_user) { create(:admin) }
it do context 'when admin mode is enabled', :enable_admin_mode do
expect_allowed(:read_snippet, :create_note) it do
expect_allowed(*author_permissions) expect_allowed(:read_snippet, :create_note)
expect_allowed(*author_permissions)
end
end
context 'when admin mode is disabled' do
it do
expect_disallowed(:read_snippet, :create_note)
expect_disallowed(*author_permissions)
end
end end
end end
end end
......
...@@ -26,7 +26,13 @@ describe UserPolicy do ...@@ -26,7 +26,13 @@ describe UserPolicy do
context "when an admin user tries to destroy a regular user" do context "when an admin user tries to destroy a regular user" do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
it { is_expected.to be_allowed(ability) } context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(ability) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(ability) }
end
end end
context "when an admin user tries to destroy a ghost user" do context "when an admin user tries to destroy a ghost user" do
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe WikiPagePolicy do describe WikiPagePolicy, :enable_admin_mode do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
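Review bot: Tagging the whole spec with `:enable_admin_mode` means every admin row of the policy table runs with admin mode on, so nothing here checks what an admin gets on a private wiki when admin mode is off. The 'model with wiki policies' shared examples have the same gap through `enable_admin_mode!(user) if user&.admin?` in their `before` block. The other policy specs in this commit add a 'when admin mode is disabled' context. A small equivalent here would close the gap, placed where it does not inherit the tag and asserting that the wiki abilities are disallowed for an admin on a private container. The describe body continues outside the hunk.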
......
...@@ -229,26 +229,25 @@ RSpec.configure do |config| ...@@ -229,26 +229,25 @@ RSpec.configure do |config|
./ee/spec/features ./ee/spec/features
./ee/spec/finders ./ee/spec/finders
./ee/spec/lib ./ee/spec/lib
./ee/spec/models
./ee/spec/policies
./ee/spec/requests/admin ./ee/spec/requests/admin
./ee/spec/serializers ./ee/spec/serializers
./ee/spec/services ./ee/spec/services
./ee/spec/support/protected_tags ./ee/spec/support/protected_tags
./ee/spec/support/shared_examples ./ee/spec/support/shared_examples/features
./ee/spec/support/shared_examples/finders/geo
./ee/spec/support/shared_examples/graphql/geo
./ee/spec/support/shared_examples/services
./spec/features ./spec/features
./spec/finders ./spec/finders
./spec/frontend ./spec/frontend
./spec/helpers ./spec/helpers
./spec/lib ./spec/lib
./spec/models
./spec/policies
./spec/requests ./spec/requests
./spec/serializers ./spec/serializers
./spec/services ./spec/services
./spec/support/cycle_analytics_helpers
./spec/support/protected_tags ./spec/support/protected_tags
./spec/support/shared_examples ./spec/support/shared_examples/features
./spec/support/shared_examples/requests
./spec/views ./spec/views
./spec/workers ./spec/workers
) )
......
...@@ -29,6 +29,10 @@ module CycleAnalyticsHelpers ...@@ -29,6 +29,10 @@ module CycleAnalyticsHelpers
scenarios.each do |start_time_conditions, end_time_conditions| scenarios.each do |start_time_conditions, end_time_conditions|
let_it_be(:other_project) { create(:project, :repository) } let_it_be(:other_project) { create(:project, :repository) }
before do
other_project.add_developer(self.user)
end
context "start condition: #{start_time_conditions.map(&:first).to_sentence}" do context "start condition: #{start_time_conditions.map(&:first).to_sentence}" do
context "end condition: #{end_time_conditions.map(&:first).to_sentence}" do context "end condition: #{end_time_conditions.map(&:first).to_sentence}" do
it "finds the median of available durations between the two conditions", :sidekiq_might_not_need_inline do it "finds the median of available durations between the two conditions", :sidekiq_might_not_need_inline do
......
...@@ -7,6 +7,9 @@ module AdminModeHelper ...@@ -7,6 +7,9 @@ module AdminModeHelper
# mode for accessing any administrative functionality. This helper lets a user # mode for accessing any administrative functionality. This helper lets a user
# be in admin mode without requiring a second authentication step (provided # be in admin mode without requiring a second authentication step (provided
# the user is an admin) # the user is an admin)
#
# See also tag :enable_admin_mode in spec/spec_helper.rb for a spec-wide
# alternative
def enable_admin_mode!(user) def enable_admin_mode!(user)
fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode) fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode)
......
...@@ -50,9 +50,7 @@ module LoginHelpers ...@@ -50,9 +50,7 @@ module LoginHelpers
def gitlab_enable_admin_mode_sign_in(user) def gitlab_enable_admin_mode_sign_in(user)
visit new_admin_session_path visit new_admin_session_path
fill_in 'user_password', with: user.password fill_in 'user_password', with: user.password
click_button 'Enter Admin Mode' click_button 'Enter Admin Mode'
end end
......
...@@ -27,12 +27,24 @@ RSpec.shared_examples 'instance statistics availability' do ...@@ -27,12 +27,24 @@ RSpec.shared_examples 'instance statistics availability' do
context 'for admins' do context 'for admins' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
it 'allows access when the feature is not available publicly' do context 'when admin mode disabled' do
stub_application_setting(instance_statistics_visibility_private: true) it 'forbids access when the feature is not available publicly' do
stub_application_setting(instance_statistics_visibility_private: true)
get :index get :index
expect(response).to have_gitlab_http_status(:success) expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when admin mode enabled', :enable_admin_mode do
it 'allows access when the feature is not available publicly' do
stub_application_setting(instance_statistics_visibility_private: true)
get :index
expect(response).to have_gitlab_http_status(:success)
end
end end
end end
end end
......
...@@ -212,8 +212,8 @@ RSpec.shared_examples 'project policies as owner' do ...@@ -212,8 +212,8 @@ RSpec.shared_examples 'project policies as owner' do
end end
end end
RSpec.shared_examples 'project policies as admin' do RSpec.shared_examples 'project policies as admin with admin mode' do
context 'abilities for non-public projects' do context 'abilities for non-public projects', :enable_admin_mode do
let(:project) { create(:project, namespace: owner.namespace) } let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) } subject { described_class.new(admin, project) }
...@@ -232,3 +232,13 @@ RSpec.shared_examples 'project policies as admin' do ...@@ -232,3 +232,13 @@ RSpec.shared_examples 'project policies as admin' do
end end
end end
end end
RSpec.shared_examples 'project policies as admin without admin mode' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) }
it { is_expected.to be_banned }
end
end
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
RSpec.shared_examples 'model with wiki policies' do RSpec.shared_examples 'model with wiki policies' do
include ProjectHelpers include ProjectHelpers
include AdminModeHelper
let(:container) { raise NotImplementedError } let(:container) { raise NotImplementedError }
let(:user) { raise NotImplementedError } let(:user) { raise NotImplementedError }
...@@ -94,6 +95,7 @@ RSpec.shared_examples 'model with wiki policies' do ...@@ -94,6 +95,7 @@ RSpec.shared_examples 'model with wiki policies' do
before do before do
container.visibility = container_level.to_s container.visibility = container_level.to_s
set_access_level(ProjectFeature.access_level_from_str(access_level.to_s)) set_access_level(ProjectFeature.access_level_from_str(access_level.to_s))
enable_admin_mode!(user) if user&.admin?
if allowed_permissions.any? && [container_level, access_level, membership] != [:private, :private, :guest] if allowed_permissions.any? && [container_level, access_level, membership] != [:private, :private, :guest]
allowed_permissions << :download_wiki_code allowed_permissions << :download_wiki_code
......