Commit 4842489d authored by Imre Farkas's avatar Imre Farkas

Merge branch 'chore/migrate-models-policies-specs-admin-mode' into 'master'

Migrate models and policies specs to consider admin mode

See merge request gitlab-org/gitlab!30430
parents 3219bfa5 fa73571b
...@@ -359,7 +359,7 @@ class Issue < ApplicationRecord ...@@ -359,7 +359,7 @@ class Issue < ApplicationRecord
# for performance reasons, check commit: 002ad215818450d2cbbc5fa065850a953dc7ada8 # for performance reasons, check commit: 002ad215818450d2cbbc5fa065850a953dc7ada8
# Make sure to sync this method with issue_policy.rb # Make sure to sync this method with issue_policy.rb
def readable_by?(user) def readable_by?(user)
if user.admin? if user.can_read_all_resources?
true true
elsif project.owner == user elsif project.owner == user
true true
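Review bot: The comment right above `readable_by?` demands that it stay in sync with issue_policy.rb, yet nothing in this diff shows the policy receiving the matching `can_read_all_resources?` condition, so a reader cannot tell whether the two still agree. I cannot see from this hunk what `can_read_all_resources?` checks beyond the method name, so if it is the admin-mode-aware predicate, saying so next to the sync reminder would save the next maintainer a lookup, e.g. `# Admins get unconditional read access only via User#can_read_all_resources? (admin mode), keep in sync with issue_policy.rb`. The remainder of `readable_by?` lies outside this hunk.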
---
title: Migrate models and policies specs to consider admin mode
merge_request: 30430
author: Diego Louzán
type: other
...@@ -3,10 +3,10 @@ ...@@ -3,10 +3,10 @@
require 'spec_helper' require 'spec_helper'
describe Analytics::CycleAnalytics::GroupLevel do describe Analytics::CycleAnalytics::GroupLevel do
let_it_be(:group) { create(:group)} let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, :repository, namespace: group) } let_it_be(:project) { create(:project, :repository, namespace: group) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { create(:user) }
let(:issue) { create(:issue, project: project, created_at: 2.days.ago) } let(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
let_it_be(:milestone) { create(:milestone, project: project) } let_it_be(:milestone) { create(:milestone, project: project) }
let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") } let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") }
...@@ -18,6 +18,12 @@ describe Analytics::CycleAnalytics::GroupLevel do ...@@ -18,6 +18,12 @@ describe Analytics::CycleAnalytics::GroupLevel do
subject { described_class.new(group: group, options: { from: from_date, current_user: user }) } subject { described_class.new(group: group, options: { from: from_date, current_user: user }) }
before do
# Cannot set the owner directly when calling `create(:group)`
# See spec/factories/groups.rb#after(:create)
group.add_owner(user)
end
describe '#permissions' do describe '#permissions' do
it 'returns true for all stages' do it 'returns true for all stages' do
expect(subject.permissions.values.uniq).to eq([true]) expect(subject.permissions.values.uniq).to eq([true])
...@@ -152,8 +152,8 @@ describe Note, :elastic do ...@@ -152,8 +152,8 @@ describe Note, :elastic do
expect(Note.elastic_search('term', options: options).total_count).to eq(1) expect(Note.elastic_search('term', options: options).total_count).to eq(1)
end end
[:admin, :auditor].each do |user_type| shared_examples 'notes finder' do |user_type, no_of_notes|
it "finds note for #{user_type}", :sidekiq_might_not_need_inline do it "finds #{no_of_notes} notes for #{user_type}", :sidekiq_might_not_need_inline do
superuser = create(user_type) superuser = create(user_type)
issue = create(:issue, :confidential, author: create(:user)) issue = create(:issue, :confidential, author: create(:user))
...@@ -164,10 +164,18 @@ describe Note, :elastic do ...@@ -164,10 +164,18 @@ describe Note, :elastic do
options = { project_ids: [issue.project.id], current_user: superuser } options = { project_ids: [issue.project.id], current_user: superuser }
expect(Note.elastic_search('term', options: options).total_count).to eq(1) expect(Note.elastic_search('term', options: options).total_count).to eq(no_of_notes)
end
end end
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'notes finder', :admin, 1
end end
it_behaves_like 'notes finder', :admin, 0
it_behaves_like 'notes finder', :auditor, 1
it "return notes with matching content for project members", :sidekiq_might_not_need_inline do it "return notes with matching content for project members", :sidekiq_might_not_need_inline do
user = create :user user = create :user
issue = create :issue, :confidential, author: user issue = create :issue, :confidential, author: user
...@@ -66,10 +66,23 @@ describe Event do ...@@ -66,10 +66,23 @@ describe Event do
expect(event).to be_visible_to(member) expect(event).to be_visible_to(member)
expect(event).to be_visible_to(guest) expect(event).to be_visible_to(guest)
end
context 'when admin mode enabled', :enable_admin_mode do
it 'is visible to admin', :aggregate_failures do
expect(event).to be_visible_to(admin) expect(event).to be_visible_to(admin)
end end
end end
context 'when admin mode disabled' do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
# See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit 'is not visible to admin', :aggregate_failures do
expect(event).not_to be_visible_to(admin)
end
end
end
shared_examples 'visible to everybody' do shared_examples 'visible to everybody' do
it 'is visible to other users', :aggregate_failures do it 'is visible to other users', :aggregate_failures do
expect(users).to all(have_access_to(event)) expect(users).to all(have_access_to(event))
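Review bot: The `xit` in the new 'when admin mode disabled' context skips the only negative assertion for admins, and a skipped example never reports when the underlying issue is fixed, so the gap can outlive the migration it waits for. A pending example that still runs turns into a failure the moment the expectation starts passing, which is the signal wanted here: `it 'is not visible to admin', :aggregate_failures do` followed by `pending 'Group#max_member_access_for_user is not admin-mode aware yet, see https://gitlab.com/gitlab-org/gitlab/-/issues/207950'` before the `expect`. I have not confirmed how `pending` interacts with `:aggregate_failures` in this suite, so worth a local run. The enclosing shared example group starts outside this hunk.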
...@@ -240,7 +240,7 @@ describe Issue do ...@@ -240,7 +240,7 @@ describe Issue do
describe 'when a user cannot read cross project' do describe 'when a user cannot read cross project' do
it 'only returns issues within the same project' do it 'only returns issues within the same project' do
expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).and_call_original expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).at_least(:once).and_call_original
expect(Ability).to receive(:allowed?).with(user, :read_cross_project).and_return(false) expect(Ability).to receive(:allowed?).with(user, :read_cross_project).and_return(false)
expect(authorized_issue_a.related_issues(user)) expect(authorized_issue_a.related_issues(user))
...@@ -6,13 +6,16 @@ describe ProductivityAnalytics do ...@@ -6,13 +6,16 @@ describe ProductivityAnalytics do
describe 'metrics data' do describe 'metrics data' do
subject(:analytics) { described_class.new(merge_requests: finder_mrs, sort: custom_sort) } subject(:analytics) { described_class.new(merge_requests: finder_mrs, sort: custom_sort) }
let(:finder_mrs) { ProductivityAnalyticsFinder.new(create(:admin), finder_options).execute } let(:project) { create(:project) }
let(:user) { project.owner }
let(:finder_mrs) { ProductivityAnalyticsFinder.new(user, finder_options).execute }
let(:finder_options) { { state: 'merged' } } let(:finder_options) { { state: 'merged' } }
let(:custom_sort) { nil } let(:custom_sort) { nil }
let(:label_a) { create(:label) } let(:label_a) { create(:label, project: project) }
let(:label_b) { create(:label) } let(:label_b) { create(:label, project: project) }
let(:long_mr) do let(:long_mr) do
metrics_data = { metrics_data = {
...@@ -25,6 +28,7 @@ describe ProductivityAnalytics do ...@@ -25,6 +28,7 @@ describe ProductivityAnalytics do
} }
create(:labeled_merge_request, :merged, :with_productivity_metrics, create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b], labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago, created_at: 31.days.ago,
metrics_data: metrics_data) metrics_data: metrics_data)
end end
...@@ -40,6 +44,7 @@ describe ProductivityAnalytics do ...@@ -40,6 +44,7 @@ describe ProductivityAnalytics do
} }
create(:labeled_merge_request, :merged, :with_productivity_metrics, create(:labeled_merge_request, :merged, :with_productivity_metrics,
source_project: project,
created_at: 15.days.ago, created_at: 15.days.ago,
metrics_data: metrics_data) metrics_data: metrics_data)
end end
...@@ -56,6 +61,7 @@ describe ProductivityAnalytics do ...@@ -56,6 +61,7 @@ describe ProductivityAnalytics do
create(:labeled_merge_request, :merged, :with_productivity_metrics, create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b], labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago, created_at: 31.days.ago,
metrics_data: metrics_data) metrics_data: metrics_data)
end end
...@@ -72,6 +78,7 @@ describe ProductivityAnalytics do ...@@ -72,6 +78,7 @@ describe ProductivityAnalytics do
create(:labeled_merge_request, :merged, :with_productivity_metrics, create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b], labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago, created_at: 31.days.ago,
metrics_data: metrics_data) metrics_data: metrics_data)
end end
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe BasePolicy, :do_not_mock_admin_mode do describe BasePolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
let(:auditor) { build(:auditor) } let(:auditor) { build(:auditor) }
...@@ -74,7 +74,13 @@ describe Ci::BuildPolicy do ...@@ -74,7 +74,13 @@ describe Ci::BuildPolicy do
context 'with admin' do context 'with admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { expect_allowed(*build_permissions) } it { expect_allowed(*build_permissions) }
end
context 'when admin mode disabled' do
it { expect_disallowed(*build_permissions) }
end
context 'when build is not from a webide pipeline' do context 'when build is not from a webide pipeline' do
let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :chat) } let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :chat) }
...@@ -87,10 +93,17 @@ describe Ci::BuildPolicy do ...@@ -87,10 +93,17 @@ describe Ci::BuildPolicy do
allow(build).to receive(:has_terminal?).and_return(false) allow(build).to receive(:has_terminal?).and_return(false)
end end
context 'when admin mode enabled', :enable_admin_mode do
it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) } it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) }
it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) } it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
end end
context 'when admin mode disabled' do
it { expect_disallowed(:read_web_ide_terminal, :update_web_ide_terminal) }
it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
end
end
context 'feature flag "build_service_proxy" is disabled' do context 'feature flag "build_service_proxy" is disabled' do
before do before do
stub_feature_flags(build_service_proxy: false) stub_feature_flags(build_service_proxy: false)
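Review bot: The `it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }` example is repeated verbatim in both the 'when admin mode enabled' and 'when admin mode disabled' contexts, while only the web IDE terminal expectations actually differ between them. Hoisting that example one level up, directly under the `allow(build).to receive(:has_terminal?)` setup, removes the duplication and makes it explicit that those two permissions are denied to admins regardless of admin mode. The context that owns the `has_terminal?` stub begins outside this hunk.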
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe Clusters::InstancePolicy do describe Clusters::InstancePolicy, :enable_admin_mode do
let(:user) { build(:admin) } let(:user) { build(:admin) }
let(:instance) { Clusters::Instance.new } let(:instance) { Clusters::Instance.new }
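Review bot: Tagging the whole `describe Clusters::InstancePolicy` with `:enable_admin_mode` leaves this policy with no example asserting that the same `build(:admin)` user is disallowed when admin mode is off, unlike the other policy specs in this commit which add a 'when admin mode disabled' context next to the enabled one. Without that negative case a regression that grants instance cluster access to any admin account outside admin mode would pass unnoticed. Moving the tag onto a `context 'when admin mode enabled', :enable_admin_mode do` block and adding a sibling context with `be_disallowed` expectations would match the pattern used elsewhere here; the abilities to assert are in the part of the file outside this hunk.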
...@@ -10,11 +10,19 @@ describe Geo::RegistryPolicy do ...@@ -10,11 +10,19 @@ describe Geo::RegistryPolicy do
context 'when the user is an admin' do context 'when the user is an admin' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows read_geo_registry for any registry' do it 'allows read_geo_registry for any registry' do
expect(policy).to be_allowed(:read_geo_registry) expect(policy).to be_allowed(:read_geo_registry)
end end
end end
context 'when admin mode is disabled' do
it 'disallows read_geo_registry for any registry' do
expect(policy).to be_disallowed(:read_geo_registry)
end
end
end
context 'when the user is not an admin' do context 'when the user is not an admin' do
let(:current_user) { create(:user) } let(:current_user) { create(:user) }
...@@ -10,11 +10,19 @@ describe GeoNodePolicy do ...@@ -10,11 +10,19 @@ describe GeoNodePolicy do
context 'when the user is an admin' do context 'when the user is an admin' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows read_geo_node for any GeoNode' do it 'allows read_geo_node for any GeoNode' do
expect(policy).to be_allowed(:read_geo_node) expect(policy).to be_allowed(:read_geo_node)
end end
end end
context 'when admin mode is disabled' do
it 'disallows read_geo_node for any GeoNode' do
expect(policy).to be_disallowed(:read_geo_node)
end
end
end
context 'when the user is not an admin' do context 'when the user is not an admin' do
let(:current_user) { create(:user) } let(:current_user) { create(:user) }
...@@ -5,6 +5,8 @@ require 'spec_helper' ...@@ -5,6 +5,8 @@ require 'spec_helper'
describe GlobalPolicy do describe GlobalPolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
let_it_be(:admin) { create(:admin) }
let(:current_user) { create(:user) } let(:current_user) { create(:user) }
let(:user) { create(:user) } let(:user) { create(:user) }
...@@ -38,9 +40,17 @@ describe GlobalPolicy do ...@@ -38,9 +40,17 @@ describe GlobalPolicy do
it { is_expected.to be_disallowed(:destroy_licenses) } it { is_expected.to be_disallowed(:destroy_licenses) }
it { is_expected.to be_disallowed(:read_all_geo) } it { is_expected.to be_disallowed(:read_all_geo) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_licenses) } context 'when admin mode enabled', :enable_admin_mode do
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:destroy_licenses) } it { expect(described_class.new(admin, [user])).to be_allowed(:read_licenses) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_all_geo) } it { expect(described_class.new(admin, [user])).to be_allowed(:destroy_licenses) }
it { expect(described_class.new(admin, [user])).to be_allowed(:read_all_geo) }
end
context 'when admin mode disabled' do
it { expect(described_class.new(admin, [user])).to be_disallowed(:read_licenses) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:destroy_licenses) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:read_all_geo) }
end
shared_examples 'analytics policy' do |action| shared_examples 'analytics policy' do |action|
context 'anonymous user' do context 'anonymous user' do
...@@ -69,15 +79,22 @@ describe GlobalPolicy do ...@@ -69,15 +79,22 @@ describe GlobalPolicy do
end end
it { is_expected.to be_disallowed(:update_max_pages_size) } it { is_expected.to be_disallowed(:update_max_pages_size) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:update_max_pages_size) }
context 'when admin mode enabled', :enable_admin_mode do
it { expect(described_class.new(admin, [user])).to be_allowed(:update_max_pages_size) }
end
context 'when admin mode disabled' do
it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }
end
end end
it { expect(described_class.new(create(:admin), [user])).to be_disallowed(:update_max_pages_size) } it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }
end end
describe 'create_group_with_default_branch_protection' do describe 'create_group_with_default_branch_protection' do
context 'for an admin' do context 'for an admin' do
let(:current_user) { create(:admin) } let(:current_user) { admin }
context 'when the `default_branch_protection_restriction_in_groups` feature is available' do context 'when the `default_branch_protection_restriction_in_groups` feature is available' do
before do before do
...@@ -97,8 +114,14 @@ describe GlobalPolicy do ...@@ -97,8 +114,14 @@ describe GlobalPolicy do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } it { is_expected.to be_allowed(:create_group_with_default_branch_protection) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:create_group_with_default_branch_protection) }
end
end
end end
context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do
...@@ -418,10 +418,17 @@ describe GroupPolicy do ...@@ -418,10 +418,17 @@ describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:override_group_member) } it { is_expected.to be_allowed(:override_group_member) }
it { is_expected.to be_allowed(:update_group_member) } it { is_expected.to be_allowed(:update_group_member) }
end end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:override_group_member) }
it { is_expected.to be_disallowed(:update_group_member) }
end
end
context 'owner' do context 'owner' do
let(:current_user) { owner } let(:current_user) { owner }
...@@ -801,8 +808,14 @@ describe GroupPolicy do ...@@ -801,8 +808,14 @@ describe GroupPolicy do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_default_branch_protection) } it { is_expected.to be_allowed(:update_default_branch_protection) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:update_default_branch_protection) }
end
end
end end
context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do
...@@ -27,9 +27,15 @@ describe NamespacePolicy do ...@@ -27,9 +27,15 @@ describe NamespacePolicy do
context 'admin' do context 'admin' do
let(:current_user) { build_stubbed(:admin) } let(:current_user) { build_stubbed(:admin) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_jira_connect_subscription) } it { is_expected.to be_allowed(:create_jira_connect_subscription) }
end end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
end
end
context 'owner' do context 'owner' do
let(:current_user) { owner } let(:current_user) { owner }
...@@ -22,16 +22,28 @@ describe UserPolicy do ...@@ -22,16 +22,28 @@ describe UserPolicy do
context 'when an admin user tries to update a regular user' do context 'when an admin user tries to update a regular user' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(ability) } it { is_expected.to be_allowed(ability) }
end end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(ability) }
end
end
context 'when an admin user tries to update a ghost user' do context 'when an admin user tries to update a ghost user' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
let(:user) { create(:user, :ghost) } let(:user) { create(:user, :ghost) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.not_to be_allowed(ability) }
end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(ability) } it { is_expected.not_to be_allowed(ability) }
end end
end end
end
describe "updating a user's name" do describe "updating a user's name" do
context 'when `disable_name_update_for_users` feature is available' do context 'when `disable_name_update_for_users` feature is available' do
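Review bot: The new 'when admin mode disabled' contexts in UserPolicy spell the negative case as `it { is_expected.not_to be_allowed(ability) }`, whereas the sibling policy specs in this commit (Geo::RegistryPolicy, GeoNodePolicy, GlobalPolicy, GroupPolicy, NamespacePolicy) use `be_disallowed`; the same applies to the `update_name` context in the next hunk. Using `it { is_expected.to be_disallowed(ability) }` here keeps the failure messages and the reading of the suite uniform. The shared example group that defines `ability` begins outside this hunk.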
...@@ -65,8 +77,14 @@ describe UserPolicy do ...@@ -65,8 +77,14 @@ describe UserPolicy do
context 'for an admin user' do context 'for an admin user' do
let(:current_user) { create(:admin) } let(:current_user) { create(:admin) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_name) } it { is_expected.to be_allowed(:update_name) }
end end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(:update_name) }
end
end
end end
end end
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
RSpec.shared_examples 'protected environments access' do |developer_access = true| RSpec.shared_examples 'protected environments access' do |developer_access = true|
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
include AdminModeHelper
before do before do
allow(License).to receive(:feature_available?).and_call_original allow(License).to receive(:feature_available?).and_call_original
allow(License).to receive(:feature_available?).with(:protected_environments).and_return(feature_available) allow(License).to receive(:feature_available?).with(:protected_environments).and_return(feature_available)
...@@ -11,19 +13,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -11,19 +13,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
context 'when Protected Environments feature is not available in the project' do context 'when Protected Environments feature is not available in the project' do
let(:feature_available) { false } let(:feature_available) { false }
where(:access_level, :result) do where(:access_level, :admin_mode, :result) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | developer_access :developer | nil | developer_access
:maintainer | true :maintainer | nil | true
:admin | true :admin | false | false
:admin | true | true
end end
with_them do with_them do
before do before do
environment environment
update_user_access(access_level, user, project) update_user_access(access_level, admin_mode, user, project)
end end
it { is_expected.to eq(result) } it { is_expected.to eq(result) }
...@@ -37,19 +40,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -37,19 +40,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
let(:protected_environment) { create(:protected_environment, name: environment.name, project: project) } let(:protected_environment) { create(:protected_environment, name: environment.name, project: project) }
context 'when user does not have access to the environment' do context 'when user does not have access to the environment' do
where(:access_level, :result) do where(:access_level, :admin_mode, :result) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | false :developer | nil | false
:maintainer | false :maintainer | nil | false
:admin | true :admin | false | false
:admin | true | true
end end
with_them do with_them do
before do before do
protected_environment protected_environment
update_user_access(access_level, user, project) update_user_access(access_level, admin_mode, user, project)
end end
it { is_expected.to eq(result) } it { is_expected.to eq(result) }
...@@ -57,19 +61,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -57,19 +61,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end end
context 'when user has access to the environment' do context 'when user has access to the environment' do
where(:access_level, :result) do where(:access_level, :admin_mode, :result) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | developer_access :developer | nil | developer_access
:maintainer | true :maintainer | nil | true
:admin | true :admin | false | false
:admin | true | true
end end
with_them do with_them do
before do before do
protected_environment.deploy_access_levels.create(user: user) protected_environment.deploy_access_levels.create(user: user)
update_user_access(access_level, user, project) update_user_access(access_level, admin_mode, user, project)
end end
it { is_expected.to eq(result) } it { is_expected.to eq(result) }
...@@ -78,17 +83,18 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -78,17 +83,18 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end end
context 'when environment is not protected' do context 'when environment is not protected' do
where(:access_level, :result) do where(:access_level, :admin_mode, :result) do
:guest | false :guest | nil | false
:reporter | false :reporter | nil | false
:developer | developer_access :developer | nil | developer_access
:maintainer | true :maintainer | nil | true
:admin | true :admin | false | false
:admin | true | true
end end
with_them do with_them do
before do before do
update_user_access(access_level, user, project) update_user_access(access_level, admin_mode, user, project)
end end
it { is_expected.to eq(result) } it { is_expected.to eq(result) }
...@@ -96,9 +102,10 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru ...@@ -96,9 +102,10 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end end
end end
def update_user_access(access_level, user, project) def update_user_access(access_level, admin_mode, user, project)
if access_level == :admin if access_level == :admin
user.update_attribute(:admin, true) user.update_attribute(:admin, true)
enable_admin_mode!(user) if admin_mode
elsif access_level.present? elsif access_level.present?
project.add_user(user, access_level) project.add_user(user, access_level)
end end
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe Ldap::OmniauthCallbacksController, :do_not_mock_admin_mode do describe Ldap::OmniauthCallbacksController do
include_context 'Ldap::OmniauthCallbacksController' include_context 'Ldap::OmniauthCallbacksController'
it 'allows sign in' do it 'allows sign in' do
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe OmniauthCallbacksController, type: :controller, do_not_mock_admin_mode: true do describe OmniauthCallbacksController, type: :controller do
include LoginHelpers include LoginHelpers
describe 'omniauth' do describe 'omniauth' do
......
...@@ -74,13 +74,20 @@ describe Ability do ...@@ -74,13 +74,20 @@ describe Ability do
context 'using a private project' do context 'using a private project' do
let(:project) { create(:project, :private) } let(:project) { create(:project, :private) }
it 'returns users that are administrators' do it 'returns users that are administrators when admin mode is enabled', :enable_admin_mode do
user = build(:user, admin: true) user = build(:user, admin: true)
expect(described_class.users_that_can_read_project([user], project)) expect(described_class.users_that_can_read_project([user], project))
.to eq([user]) .to eq([user])
end end
it 'does not return users that are administrators when admin mode is disabled' do
user = build(:user, admin: true)
expect(described_class.users_that_can_read_project([user], project))
.to eq([])
end
it 'returns external users if they are the project owner' do it 'returns external users if they are the project owner' do
user1 = build(:user, external: true) user1 = build(:user, external: true)
user2 = build(:user, external: true) user2 = build(:user, external: true)
...@@ -145,7 +152,7 @@ describe Ability do ...@@ -145,7 +152,7 @@ describe Ability do
end end
describe '.merge_requests_readable_by_user' do describe '.merge_requests_readable_by_user' do
context 'with an admin' do context 'with an admin when admin mode is enabled', :enable_admin_mode do
it 'returns all merge requests' do it 'returns all merge requests' do
user = build(:user, admin: true) user = build(:user, admin: true)
merge_request = build(:merge_request) merge_request = build(:merge_request)
...@@ -155,6 +162,19 @@ describe Ability do ...@@ -155,6 +162,19 @@ describe Ability do
end end
end end
context 'with an admin when admin mode is disabled' do
it 'returns merge_requests that are publicly visible' do
user = build(:user, admin: true)
hidden_merge_request = build(:merge_request)
visible_merge_request = build(:merge_request, source_project: build(:project, :public))
merge_requests = described_class
.merge_requests_readable_by_user([hidden_merge_request, visible_merge_request], user)
expect(merge_requests).to eq([visible_merge_request])
end
end
context 'without a user' do context 'without a user' do
it 'returns merge_requests that are publicly visible' do it 'returns merge_requests that are publicly visible' do
hidden_merge_request = build(:merge_request) hidden_merge_request = build(:merge_request)
...@@ -217,7 +237,7 @@ describe Ability do ...@@ -217,7 +237,7 @@ describe Ability do
end end
describe '.issues_readable_by_user' do describe '.issues_readable_by_user' do
context 'with an admin user' do context 'with an admin when admin mode is enabled', :enable_admin_mode do
it 'returns all given issues' do it 'returns all given issues' do
user = build(:user, admin: true) user = build(:user, admin: true)
issue = build(:issue) issue = build(:issue)
...@@ -227,6 +247,26 @@ describe Ability do ...@@ -227,6 +247,26 @@ describe Ability do
end end
end end
context 'with an admin when admin mode is disabled' do
it 'returns the issues readable by the admin' do
user = build(:user, admin: true)
issue = build(:issue)
expect(issue).to receive(:readable_by?).with(user).and_return(true)
expect(described_class.issues_readable_by_user([issue], user))
.to eq([issue])
end
it 'returns no issues when not given access' do
user = build(:user, admin: true)
issue = build(:issue)
expect(described_class.issues_readable_by_user([issue], user))
.to be_empty
end
end
context 'with a regular user' do context 'with a regular user' do
it 'returns the issues readable by the user' do it 'returns the issues readable by the user' do
user = build(:user) user = build(:user)
......
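Review bot: Each of the new admin examples rebuilds the same fixture with `user = build(:user, admin: true)`, so the enabled/disabled sibling contexts differ in setup noise rather than only in the admin-mode tag. Hoisting it into a `let(:user) { build(:user, admin: true) }` on a wrapping `context 'with an admin'`, as this change already does in the Issue and cluster-policy specs, would leave admin mode as the single varying input. The 'when admin mode is disabled' contexts carry no tag and appear to rely on a suite-wide default; a comment on the first of them, `# admin mode is off unless an example is tagged :enable_admin_mode`, would tell a reader where that default comes from. The enclosing `describe` blocks start and end outside these hunks.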
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#code' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#code' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#issue' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#issue' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#plan' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#plan' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#production' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#production' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -5,7 +5,7 @@ require 'spec_helper' ...@@ -5,7 +5,7 @@ require 'spec_helper'
describe CycleAnalytics::ProjectLevel do describe CycleAnalytics::ProjectLevel do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:issue) { create(:issue, project: project, created_at: 2.days.ago) } let_it_be(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
let_it_be(:milestone) { create(:milestone, project: project) } let_it_be(:milestone) { create(:milestone, project: project) }
let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") } let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#review' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#review' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
subject { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } subject { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#staging' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#staging' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level } subject { project_level }
......
...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#test' do ...@@ -7,7 +7,7 @@ describe 'CycleAnalytics#test' do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago } let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) } let_it_be(:user) { project.owner }
let_it_be(:issue) { create(:issue, project: project) } let_it_be(:issue) { create(:issue, project: project) }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) } let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
let!(:merge_request) { create_merge_request_closing_issue(user, project, issue) } let!(:merge_request) { create_merge_request_closing_issue(user, project, issue) }
......
...@@ -287,10 +287,18 @@ describe Event do ...@@ -287,10 +287,18 @@ describe Event do
context 'private project' do context 'private project' do
let(:project) { create(:project, :private, :repository) } let(:project) { create(:project, :private, :repository) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member, :admin) } let(:visibility) { visible_to_none_except(:member, :admin) }
end end
end end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member) }
end
end
end
end end
context 'issue event' do context 'issue event' do
...@@ -340,9 +348,17 @@ describe Event do ...@@ -340,9 +348,17 @@ describe Event do
let(:project) { private_project } let(:project) { private_project }
let(:target) { note_on_issue } let(:target) { note_on_issue }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) } let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end
include_examples 'visible to assignee and author', false include_examples 'visible to assignee and author', false
end end
...@@ -366,9 +382,17 @@ describe Event do ...@@ -366,9 +382,17 @@ describe Event do
context 'private project' do context 'private project' do
let(:project) { private_project } let(:project) { private_project }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member, :admin) } let(:visibility) { visible_to_none_except(:member, :admin) }
end end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member) }
end
end
include_examples 'visible to assignee', false include_examples 'visible to assignee', false
end end
...@@ -384,18 +408,34 @@ describe Event do ...@@ -384,18 +408,34 @@ describe Event do
context 'on public project with private issue tracker and merge requests' do context 'on public project with private issue tracker and merge requests' do
let(:project) { create(:project, :public, :issues_private, :merge_requests_private) } let(:project) { create(:project, :public, :issues_private, :merge_requests_private) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) } let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end end
end end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end
end
context 'on private project' do context 'on private project' do
let(:project) { create(:project, :private) } let(:project) { create(:project, :private) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) } let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end end
end end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end
end
end end
context 'wiki-page event', :aggregate_failures do context 'wiki-page event', :aggregate_failures do
...@@ -404,11 +444,19 @@ describe Event do ...@@ -404,11 +444,19 @@ describe Event do
context 'on private project', :aggregate_failures do context 'on private project', :aggregate_failures do
let(:project) { create(:project, :wiki_repo) } let(:project) { create(:project, :wiki_repo) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) } let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end end
end end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end
end
context 'wiki-page event on public project', :aggregate_failures do context 'wiki-page event on public project', :aggregate_failures do
let(:project) { create(:project, :public, :wiki_repo) } let(:project) { create(:project, :public, :wiki_repo) }
...@@ -428,9 +476,18 @@ describe Event do ...@@ -428,9 +476,18 @@ describe Event do
context 'on public project with private snippets' do context 'on public project with private snippets' do
let(:project) { create(:project, :public, :snippets_private) } let(:project) { create(:project, :public, :snippets_private) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) } let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end
# Normally, we'd expect the author of a comment to be able to view it. # Normally, we'd expect the author of a comment to be able to view it.
# However, this doesn't seem to be the case for comments on snippets. # However, this doesn't seem to be the case for comments on snippets.
...@@ -440,9 +497,18 @@ describe Event do ...@@ -440,9 +497,18 @@ describe Event do
context 'on private project' do context 'on private project' do
let(:project) { create(:project, :private) } let(:project) { create(:project, :private) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) } let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end
# Normally, we'd expect the author of a comment to be able to view it. # Normally, we'd expect the author of a comment to be able to view it.
# However, this doesn't seem to be the case for comments on snippets. # However, this doesn't seem to be the case for comments on snippets.
...@@ -470,9 +536,17 @@ describe Event do ...@@ -470,9 +536,17 @@ describe Event do
context 'on private snippet' do context 'on private snippet' do
let(:personal_snippet) { create(:personal_snippet, :private, author: author) } let(:personal_snippet) { create(:personal_snippet, :private, author: author) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:admin) } let(:visibility) { visible_to_none_except(:admin) }
end end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none }
end
end
include_examples 'visible to author', true include_examples 'visible to author', true
end end
......
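Review bot: The same two-context scaffold — `context 'when admin mode enabled', :enable_admin_mode` wrapping `include_examples 'visibility examples'` followed by a `'when admin mode disabled'` twin whose only difference is dropping `:admin` from the visibility list — is repeated eight times in this file, which makes the matrix hard to scan and easy to drift when a ninth case is added. A shared example that takes the two visibility sets (for instance `it_behaves_like 'visibility per admin mode', enabled: visible_to_none_except(:member, :admin), disabled: visible_to_none_except(:member)`) would state each case on one line and keep the admin-mode split in one place. Every enclosing `context` here starts or ends outside the hunks, so the extraction would need to be checked against the full file.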
...@@ -612,10 +612,17 @@ describe Issue do ...@@ -612,10 +612,17 @@ describe Issue do
context 'with an admin user' do context 'with an admin user' do
let(:user) { build(:admin) } let(:user) { build(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'issue readable by user' it_behaves_like 'issue readable by user'
it_behaves_like 'confidential issue readable by user' it_behaves_like 'confidential issue readable by user'
end end
context 'when admin mode is disabled' do
it_behaves_like 'issue not readable by user'
it_behaves_like 'confidential issue not readable by user'
end
end
context 'with an owner' do context 'with an owner' do
before do before do
project.add_maintainer(user) project.add_maintainer(user)
...@@ -732,7 +739,9 @@ describe Issue do ...@@ -732,7 +739,9 @@ describe Issue do
expect(issue.visible_to_user?(user)).to be_falsy expect(issue.visible_to_user?(user)).to be_falsy
end end
it 'does not check the external webservice for admins' do context 'with an admin' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'does not check the external webservice' do
issue = build(:issue) issue = build(:issue)
user = build(:admin) user = build(:admin)
...@@ -742,6 +751,20 @@ describe Issue do ...@@ -742,6 +751,20 @@ describe Issue do
end end
end end
context 'when admin mode is disabled' do
it 'checks the external service to determine if an issue is readable by the admin' do
project = build(:project, :public,
external_authorization_classification_label: 'a-label')
issue = build(:issue, project: project)
user = build(:admin)
expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false }
expect(issue.visible_to_user?(user)).to be_falsy
end
end
end
end
context 'when issue is moved to a private project' do context 'when issue is moved to a private project' do
let(:private_project) { build(:project, :private)} let(:private_project) { build(:project, :private)}
......
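Review bot: The new 'checks the external service' example only exercises the denial path: `access_allowed?` is stubbed to return `false` and the assertion is `be_falsy`, so a regression that denies admins outside admin mode regardless of what the authorization service says would still pass. Adding the positive counterpart in the same context — stub `access_allowed?` to return `true` and expect `issue.visible_to_user?(user)` to be truthy — pins that the admin is actually consulted through the external service rather than short-circuited. Both examples use `build(:admin)` without `:enable_admin_mode`, so as in the rest of this change they presumably depend on the suite default of admin mode being off. The `it` under 'when admin mode is enabled' continues past the first hunk.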
...@@ -241,11 +241,23 @@ describe Member do ...@@ -241,11 +241,23 @@ describe Member do
expect(member).to be_persisted expect(member).to be_persisted
end end
it 'sets members.created_by to the given current_user' do context 'when admin mode is enabled', :enable_admin_mode do
it 'sets members.created_by to the given admin current_user' do
member = described_class.add_user(source, user, :maintainer, current_user: admin) member = described_class.add_user(source, user, :maintainer, current_user: admin)
expect(member.created_by).to eq(admin) expect(member.created_by).to eq(admin)
end end
end
context 'when admin mode is disabled' do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
# https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit 'rejects setting members.created_by to the given admin current_user' do
member = described_class.add_user(source, user, :maintainer, current_user: admin)
expect(member.created_by).not_to be_persisted
end
end
it 'sets members.expires_at to the given expires_at' do it 'sets members.expires_at to the given expires_at' do
member = described_class.add_user(source, user, :maintainer, expires_at: Date.new(2016, 9, 22)) member = described_class.add_user(source, user, :maintainer, expires_at: Date.new(2016, 9, 22))
...@@ -353,7 +365,7 @@ describe Member do ...@@ -353,7 +365,7 @@ describe Member do
end end
end end
context 'when current_user can update member' do context 'when current_user can update member', :enable_admin_mode do
it 'creates the member' do it 'creates the member' do
expect(source.users).not_to include(user) expect(source.users).not_to include(user)
...@@ -421,7 +433,7 @@ describe Member do ...@@ -421,7 +433,7 @@ describe Member do
end end
end end
context 'when current_user can update member' do context 'when current_user can update member', :enable_admin_mode do
it 'updates the member' do it 'updates the member' do
expect(source.users).to include(user) expect(source.users).to include(user)
......
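Review bot: The skipped example asserts on the wrong object: `expect(member.created_by).not_to be_persisted` inspects the `created_by` user, which is either the (persisted) admin or `nil`, so once the `xit` is re-enabled it will fail on a `NoMethodError`/persisted admin rather than on the behaviour it is meant to guard. The sibling example two lines up uses `expect(member).to be_persisted`, so the rejecting counterpart should mirror it: `expect(member).not_to be_persisted`. The comment pointing at the follow-up issue is helpful; it would read better as `# Pending: Group#max_member_access_for_user must consider admin mode first, see <issue link>` so the reason and the link sit on one line. The enclosing `describe` starts outside the hunk.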
...@@ -31,27 +31,30 @@ describe ProjectFeature do ...@@ -31,27 +31,30 @@ describe ProjectFeature do
context 'when features are disabled' do context 'when features are disabled' do
it "returns false" do it "returns false" do
update_all_project_features(project, features, ProjectFeature::DISABLED)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::DISABLED) expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(false)
end end
end end
end end
context 'when features are enabled only for team members' do context 'when features are enabled only for team members' do
it "returns false when user is not a team member" do it "returns false when user is not a team member" do
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(false)
end end
end end
it "returns true when user is a team member" do it "returns true when user is a team member" do
project.add_developer(user) project.add_developer(user)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(true)
end end
end end
...@@ -60,29 +63,43 @@ describe ProjectFeature do ...@@ -60,29 +63,43 @@ describe ProjectFeature do
project = create(:project, namespace: group) project = create(:project, namespace: group)
group.add_developer(user) group.add_developer(user)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(true)
end end
end end
context 'when admin mode is enabled', :enable_admin_mode do
it "returns true if user is an admin" do it "returns true if user is an admin" do
user.update_attribute(:admin, true) user.update_attribute(:admin, true)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
expect(project.feature_available?(:issues, user)).to eq(true) end
end
end
context 'when admin mode is disabled' do
it "returns false when user is an admin" do
user.update_attribute(:admin, true)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature|
expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
end
end end
end end
end end
context 'when feature is enabled for everyone' do context 'when feature is enabled for everyone' do
it "returns true" do it "returns true" do
features.each do |feature|
expect(project.feature_available?(:issues, user)).to eq(true) expect(project.feature_available?(:issues, user)).to eq(true)
end end
end end
end
context 'when feature is disabled by a feature flag' do context 'when feature is disabled by a feature flag' do
it 'returns false' do it 'returns false' do
...@@ -117,7 +134,7 @@ describe ProjectFeature do ...@@ -117,7 +134,7 @@ describe ProjectFeature do
features.each do |feature| features.each do |feature|
field = "#{feature}_access_level".to_sym field = "#{feature}_access_level".to_sym
project_feature.update_attribute(field, ProjectFeature::ENABLED) project_feature.update_attribute(field, ProjectFeature::ENABLED)
expect(project_feature.valid?).to be_falsy expect(project_feature.valid?).to be_falsy, "#{field} failed"
end end
end end
end end
...@@ -131,7 +148,7 @@ describe ProjectFeature do ...@@ -131,7 +148,7 @@ describe ProjectFeature do
field = "#{feature}_access_level".to_sym field = "#{feature}_access_level".to_sym
project_feature.update_attribute(field, ProjectFeature::PUBLIC) project_feature.update_attribute(field, ProjectFeature::PUBLIC)
expect(project_feature.valid?).to be_falsy expect(project_feature.valid?).to be_falsy, "#{field} failed"
end end
end end
end end
...@@ -140,22 +157,24 @@ describe ProjectFeature do ...@@ -140,22 +157,24 @@ describe ProjectFeature do
let(:features) { %w(wiki builds merge_requests) } let(:features) { %w(wiki builds merge_requests) }
it "returns false when feature is disabled" do it "returns false when feature is disabled" do
update_all_project_features(project, features, ProjectFeature::DISABLED)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::DISABLED) expect(project.public_send("#{feature}_enabled?")).to eq(false), "#{feature} failed"
expect(project.public_send("#{feature}_enabled?")).to eq(false)
end end
end end
it "returns true when feature is enabled only for team members" do it "returns true when feature is enabled only for team members" do
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature| features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE) expect(project.public_send("#{feature}_enabled?")).to eq(true), "#{feature} failed"
expect(project.public_send("#{feature}_enabled?")).to eq(true)
end end
end end
it "returns true when feature is enabled for everyone" do it "returns true when feature is enabled for everyone" do
features.each do |feature| features.each do |feature|
expect(project.public_send("#{feature}_enabled?")).to eq(true) expect(project.public_send("#{feature}_enabled?")).to eq(true), "#{feature} failed"
end end
end end
end end
...@@ -198,7 +217,7 @@ describe ProjectFeature do ...@@ -198,7 +217,7 @@ describe ProjectFeature do
end end
describe '#public_pages?' do describe '#public_pages?' do
it 'returns true if Pages access controll is not enabled' do it 'returns true if Pages access control is not enabled' do
stub_config(pages: { access_control: false }) stub_config(pages: { access_control: false })
project_feature = described_class.new(pages_access_level: described_class::PRIVATE) project_feature = described_class.new(pages_access_level: described_class::PRIVATE)
...@@ -281,7 +300,7 @@ describe ProjectFeature do ...@@ -281,7 +300,7 @@ describe ProjectFeature do
it 'raises error if feature is invalid' do it 'raises error if feature is invalid' do
expect do expect do
described_class.required_minimum_access_level(:foos) described_class.required_minimum_access_level(:foos)
end.to raise_error end.to raise_error(ArgumentError)
end end
end end
...@@ -294,4 +313,9 @@ describe ProjectFeature do ...@@ -294,4 +313,9 @@ describe ProjectFeature do
expect(described_class.required_minimum_access_level_for_private_project(:issues)).to eq(Gitlab::Access::GUEST) expect(described_class.required_minimum_access_level_for_private_project(:issues)).to eq(Gitlab::Access::GUEST)
end end
end end
def update_all_project_features(project, features, value)
project_feature_attributes = features.map { |f| ["#{f}_access_level", value] }.to_h
project.project_feature.update(project_feature_attributes)
end
end end
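Review bot: The 'when feature is enabled for everyone' example still asserts `feature_available?(:issues, user)` inside the new `features.each` loop, so the loop variable is never used and the assertion runs once per feature against issues only; the other loops in this hunk were corrected to `expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"` and this one should match. In the new helper, `project.project_feature.update(project_feature_attributes)` returns `false` on a validation failure and the specs then run against stale access levels; `update!` would surface that immediately, and the hash can be built directly with `features.to_h { |f| ["#{f}_access_level", value] }`. A one-line docstring on the helper, `# Sets every listed feature's access level on the project's ProjectFeature in one update.`, would also help. The outer `describe ProjectFeature` starts outside the hunks.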
...@@ -3777,7 +3777,7 @@ describe Project do ...@@ -3777,7 +3777,7 @@ describe Project do
end end
end end
describe '.filter_by_feature_visibility' do describe '.filter_by_feature_visibility', :enable_admin_mode do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
......
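Review bot: Tagging the whole `describe '.filter_by_feature_visibility'` with `:enable_admin_mode` means the table-driven cases for admins now run only with admin mode on, so the stricter path this merge request introduces — an admin outside admin mode being treated like a regular user — has no coverage here; the same applies to `describe BlobPolicy, :enable_admin_mode` further down. If the shared 'ProjectPolicyTable context' has an admin row (it is outside this view), a second pass of the table without the tag, or a `where(:admin_mode, ...)` column as the protected-environments shared examples in this change do, would exercise both branches. A short comment above the tag explaining why only the enabled case is run would otherwise record the decision. The `describe` body continues past the hunk.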
...@@ -20,6 +20,7 @@ describe SpamLog do ...@@ -20,6 +20,7 @@ describe SpamLog do
expect { spam_log.remove_user(deleted_by: admin) }.to change { spam_log.user.blocked? }.to(true) expect { spam_log.remove_user(deleted_by: admin) }.to change { spam_log.user.blocked? }.to(true)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'removes the user', :sidekiq_might_not_need_inline do it 'removes the user', :sidekiq_might_not_need_inline do
spam_log = build(:spam_log) spam_log = build(:spam_log)
user = spam_log.user user = spam_log.user
...@@ -32,6 +33,20 @@ describe SpamLog do ...@@ -32,6 +33,20 @@ describe SpamLog do
end end
end end
context 'when admin mode is disabled' do
it 'does not allow to remove the user', :sidekiq_might_not_need_inline do
spam_log = build(:spam_log)
user = spam_log.user
perform_enqueued_jobs do
spam_log.remove_user(deleted_by: admin)
end
expect(User.exists?(user.id)).to be(true)
end
end
end
describe '.verify_recaptcha!' do describe '.verify_recaptcha!' do
let_it_be(:spam_log) { create(:spam_log, user: admin, recaptcha_verified: false) } let_it_be(:spam_log) { create(:spam_log, user: admin, recaptcha_verified: false) }
......
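Review bot: The new 'does not allow to remove the user' example asserts only that the user row still exists, which leaves the rest of the denied path unspecified. The example at the top of the same `describe` runs without an admin-mode tag and expects `remove_user` to block the user, which suggests an admin outside admin mode still blocks the account while being denied the deletion; if that is intended, asserting it here as well — `expect(user.reload).to be_blocked` next to the `User.exists?` check — or noting it in a comment would make the denied behaviour explicit rather than incidental. The enclosing `describe` starts outside the hunk.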
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe User, :do_not_mock_admin_mode do describe User do
include ProjectForksHelper include ProjectForksHelper
include TermsHelper include TermsHelper
include ExclusiveLeaseHelpers include ExclusiveLeaseHelpers
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe BasePolicy, :do_not_mock_admin_mode do describe BasePolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
include AdminModeHelper include AdminModeHelper
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe BlobPolicy do describe BlobPolicy, :enable_admin_mode do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
......
...@@ -80,9 +80,16 @@ describe Clusters::ClusterPolicy, :models do ...@@ -80,9 +80,16 @@ describe Clusters::ClusterPolicy, :models do
context 'when admin' do context 'when admin' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :update_cluster } it { expect(policy).to be_allowed :update_cluster }
it { expect(policy).to be_allowed :admin_cluster } it { expect(policy).to be_allowed :admin_cluster }
end end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
end
end end
end end
end end
...@@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do ...@@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do
context 'when admin' do context 'when admin' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :read_cluster } it { expect(policy).to be_allowed :read_cluster }
it { expect(policy).to be_allowed :add_cluster } it { expect(policy).to be_allowed :add_cluster }
it { expect(policy).to be_allowed :create_cluster } it { expect(policy).to be_allowed :create_cluster }
it { expect(policy).to be_allowed :update_cluster } it { expect(policy).to be_allowed :update_cluster }
it { expect(policy).to be_allowed :admin_cluster } it { expect(policy).to be_allowed :admin_cluster }
end end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :read_cluster }
it { expect(policy).to be_disallowed :add_cluster }
it { expect(policy).to be_disallowed :create_cluster }
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
end
end end
end end
...@@ -42,17 +42,29 @@ describe DeployKeyPolicy do ...@@ -42,17 +42,29 @@ describe DeployKeyPolicy do
context 'when an admin user' do context 'when an admin user' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
context ' tries to update private deploy key' do context 'tries to update private deploy key' do
let(:deploy_key) { create(:deploy_key, public: false) } let(:deploy_key) { create(:deploy_key, public: false) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_deploy_key) } it { is_expected.to be_allowed(:update_deploy_key) }
end end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:update_deploy_key) }
end
end
context 'when an admin user tries to update public deploy key' do context 'when an admin user tries to update public deploy key' do
let(:deploy_key) { create(:another_deploy_key, public: true) } let(:deploy_key) { create(:another_deploy_key, public: true) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_deploy_key) } it { is_expected.to be_allowed(:update_deploy_key) }
end end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:update_deploy_key) }
end
end
end end
end end
end end
...@@ -71,9 +71,16 @@ describe DesignManagement::DesignPolicy do ...@@ -71,9 +71,16 @@ describe DesignManagement::DesignPolicy do
context "for admins" do context "for admins" do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*design_abilities) } it { is_expected.to be_allowed(*design_abilities) }
end end
context 'when admin mode disabled' do
it { is_expected.to be_allowed(*guest_design_abilities) }
it { is_expected.to be_disallowed(*developer_design_abilities) }
end
end
context "for maintainers" do context "for maintainers" do
let(:current_user) { maintainer } let(:current_user) { maintainer }
......
...@@ -37,9 +37,15 @@ describe EnvironmentPolicy do ...@@ -37,9 +37,15 @@ describe EnvironmentPolicy do
context 'when an admin user' do context 'when an admin user' do
let(:user) { create(:user, :admin) } let(:user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment } it { expect(policy).to be_allowed :stop_environment }
end end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end
context 'with protected branch' do context 'with protected branch' do
with_them do with_them do
before do before do
...@@ -54,8 +60,14 @@ describe EnvironmentPolicy do ...@@ -54,8 +60,14 @@ describe EnvironmentPolicy do
context 'when an admin user' do context 'when an admin user' do
let(:user) { create(:user, :admin) } let(:user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment } it { expect(policy).to be_allowed :stop_environment }
end end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end
end end
end end
...@@ -83,8 +95,14 @@ describe EnvironmentPolicy do ...@@ -83,8 +95,14 @@ describe EnvironmentPolicy do
context 'when an admin user' do context 'when an admin user' do
let(:user) { create(:user, :admin) } let(:user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment } it { expect(policy).to be_allowed :stop_environment }
end end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end
end end
describe '#destroy_environment' do describe '#destroy_environment' do
...@@ -126,8 +144,14 @@ describe EnvironmentPolicy do ...@@ -126,8 +144,14 @@ describe EnvironmentPolicy do
environment.stop! environment.stop!
end end
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :destroy_environment } it { expect(policy).to be_allowed :destroy_environment }
end end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :destroy_environment }
end
end
end end
end end
end end
......
...@@ -118,9 +118,16 @@ describe GlobalPolicy do ...@@ -118,9 +118,16 @@ describe GlobalPolicy do
context 'admin' do context 'admin' do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_custom_attribute) } it { is_expected.to be_allowed(:read_custom_attribute) }
it { is_expected.to be_allowed(:update_custom_attribute) } it { is_expected.to be_allowed(:update_custom_attribute) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_custom_attribute) }
it { is_expected.to be_disallowed(:update_custom_attribute) }
end
end
end end
shared_examples 'access allowed when terms accepted' do |ability| shared_examples 'access allowed when terms accepted' do |ability|
...@@ -368,8 +375,14 @@ describe GlobalPolicy do ...@@ -368,8 +375,14 @@ describe GlobalPolicy do
stub_application_setting(instance_statistics_visibility_private: true) stub_application_setting(instance_statistics_visibility_private: true)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_instance_statistics) } it { is_expected.to be_allowed(:read_instance_statistics) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_instance_statistics) }
end
end
end end
context 'anonymous' do context 'anonymous' do
......
...@@ -644,9 +644,15 @@ describe GroupPolicy do ...@@ -644,9 +644,15 @@ describe GroupPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect_allowed(:update_max_artifacts_size) } it { expect_allowed(:update_max_artifacts_size) }
end end
context 'when admin mode is enabled' do
it { expect_disallowed(:update_max_artifacts_size) }
end
end
%w(guest reporter developer maintainer owner).each do |role| %w(guest reporter developer maintainer owner).each do |role|
context role do context role do
let(:current_user) { send(role) } let(:current_user) { send(role) }
......
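Review bot: The second context in this GroupPolicy hunk is labelled `context 'when admin mode is enabled' do` but asserts `expect_disallowed(:update_max_artifacts_size)`, so both examples carry the same description with opposite expectations and a failure report cannot tell them apart. It looks like a copy-paste of the line above; the description should be `context 'when admin mode is disabled' do`, as the parallel ProjectPolicy hunk already phrases it. The enclosing `describe` block starts and ends outside the hunk.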
...@@ -206,14 +206,28 @@ describe IssuePolicy do ...@@ -206,14 +206,28 @@ describe IssuePolicy do
it 'allows guests to comment' do it 'allows guests to comment' do
expect(permissions(guest, issue)).to be_allowed(:create_note) expect(permissions(guest, issue)).to be_allowed(:create_note)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows admins to view' do it 'allows admins to view' do
expect(permissions(admin, issue)).to be_allowed(:read_issue) expect(permissions(admin, issue)).to be_allowed(:read_issue)
end end
it 'allows admins to comment' do it 'allows admins to comment' do
expect(permissions(admin, issue)).to be_allowed(:create_note) expect(permissions(admin, issue)).to be_allowed(:create_note)
end end
end end
context 'when admin mode is disabled' do
it 'forbids admins to view' do
expect(permissions(admin, issue)).to be_disallowed(:read_issue)
end
it 'forbids admins to comment' do
expect(permissions(admin, issue)).to be_disallowed(:create_note)
end
end
end
context 'with confidential issues' do context 'with confidential issues' do
let(:confidential_issue) { create(:issue, :confidential, project: project, assignees: [assignee], author: author) } let(:confidential_issue) { create(:issue, :confidential, project: project, assignees: [assignee], author: author) }
let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) } let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) }
......
...@@ -40,6 +40,12 @@ describe NamespacePolicy do ...@@ -40,6 +40,12 @@ describe NamespacePolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*owner_permissions) } it { is_expected.to be_allowed(*owner_permissions) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(*owner_permissions) }
end
end
end end
...@@ -295,9 +295,17 @@ describe NotePolicy do ...@@ -295,9 +295,17 @@ describe NotePolicy do
expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows admins to read all notes and admin them' do it 'allows admins to read all notes and admin them' do
expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji) expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end end
end
context 'when admin mode is disabled' do
it 'does not allow non members to read confidential notes and replies' do
expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end
end
it 'allows noteable author to read and resolve all notes' do it 'allows noteable author to read and resolve all notes' do
expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji) expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
......
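Review bot: The example added in the disabled-admin-mode context is described as `it 'does not allow non members to read confidential notes and replies' do`, yet the subject is `permissions(admin, confidential_note)`, so the description names the wrong actor. Since the preceding example in the same hunk is about admins, the name should say what is actually exercised, e.g. `it 'does not allow admins without admin mode to read confidential notes and replies' do`. The enclosing context starts and ends outside the hunk.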
...@@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do ...@@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do
described_class.new(user, snippet) described_class.new(user, snippet)
end end
shared_examples 'admin access' do shared_examples 'admin access with admin mode' do
context 'admin user' do context 'admin user', :enable_admin_mode do
subject { permissions(admin_user) } subject { permissions(admin_user) }
it do it do
...@@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do ...@@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do
end end
end end
it_behaves_like 'admin access' it_behaves_like 'admin access with admin mode'
end end
context 'internal snippet' do context 'internal snippet' do
...@@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do ...@@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do
end end
end end
it_behaves_like 'admin access' it_behaves_like 'admin access with admin mode'
end end
context 'private snippet' do context 'private snippet' do
...@@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do ...@@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do
end end
end end
it_behaves_like 'admin access' it_behaves_like 'admin access with admin mode'
end end
end end
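Review bot: The shared example is renamed to `'admin access with admin mode'` and its context tagged `:enable_admin_mode`, but no counterpart without admin mode is added, so PersonalSnippetPolicy now only asserts the elevated path for admins, unlike the ProjectPolicy hunk in this same MR which adds both `'… with admin mode'` and `'… without admin mode'` examples. A sibling `shared_examples 'admin access without admin mode'` with the non-elevated expectations, included next to the three `it_behaves_like` calls, would keep the coverage symmetric. The body of the shared example is cut at the hunk boundary, so I cannot tell which abilities it asserts.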
...@@ -275,7 +275,8 @@ describe ProjectPolicy do ...@@ -275,7 +275,8 @@ describe ProjectPolicy do
it_behaves_like 'project policies as developer' it_behaves_like 'project policies as developer'
it_behaves_like 'project policies as maintainer' it_behaves_like 'project policies as maintainer'
it_behaves_like 'project policies as owner' it_behaves_like 'project policies as owner'
it_behaves_like 'project policies as admin' it_behaves_like 'project policies as admin with admin mode'
it_behaves_like 'project policies as admin without admin mode'
context 'when a public project has merge requests allowing access' do context 'when a public project has merge requests allowing access' do
include ProjectForksHelper include ProjectForksHelper
...@@ -306,7 +307,7 @@ describe ProjectPolicy do ...@@ -306,7 +307,7 @@ describe ProjectPolicy do
expect_allowed(*maintainer_abilities) expect_allowed(*maintainer_abilities)
end end
it 'dissallows abilities to a maintainer if the merge request was closed' do it 'disallows abilities to a maintainer if the merge request was closed' do
target_project.add_developer(user) target_project.add_developer(user)
merge_request.close! merge_request.close!
...@@ -350,11 +351,25 @@ describe ProjectPolicy do ...@@ -350,11 +351,25 @@ describe ProjectPolicy do
expect(described_class.new(developer, project)).to be_allowed(:read_project) expect(described_class.new(developer, project)).to be_allowed(:read_project)
end end
it 'does not check the external service for admins and allows access' do context 'with an admin' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'does not check the external service and allows access' do
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
expect(described_class.new(admin, project)).to be_allowed(:read_project) expect(described_class.new(admin, project)).to be_allowed(:read_project)
end end
end
context 'when admin mode is disabled' do
it 'checks the external service and allows access' do
external_service_allow_access(admin, project)
expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?)
expect(described_class.new(admin, project)).to be_allowed(:read_project)
end
end
end
it 'prevents all but seeing a public project in a list when access is denied' do it 'prevents all but seeing a public project in a list when access is denied' do
[developer, owner, build(:user), nil].each do |user| [developer, owner, build(:user), nil].each do |user|
...@@ -416,9 +431,15 @@ describe ProjectPolicy do ...@@ -416,9 +431,15 @@ describe ProjectPolicy do
context 'admin' do context 'admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect_allowed(:update_max_artifacts_size) } it { expect_allowed(:update_max_artifacts_size) }
end end
context 'when admin mode is disabled' do
it { expect_disallowed(:update_max_artifacts_size) }
end
end
%w(guest reporter developer maintainer owner).each do |role| %w(guest reporter developer maintainer owner).each do |role|
context role do context role do
let(:current_user) { send(role) } let(:current_user) { send(role) }
...@@ -448,9 +469,15 @@ describe ProjectPolicy do ...@@ -448,9 +469,15 @@ describe ProjectPolicy do
context 'with admin' do context 'with admin' do
let(:current_user) { admin } let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_prometheus_alerts) } it { is_expected.to be_allowed(:read_prometheus_alerts) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
end
context 'with owner' do context 'with owner' do
let(:current_user) { owner } let(:current_user) { owner }
......
...@@ -235,10 +235,19 @@ describe ProjectSnippetPolicy do ...@@ -235,10 +235,19 @@ describe ProjectSnippetPolicy do
let(:snippet_visibility) { :private } let(:snippet_visibility) { :private }
let(:current_user) { create(:admin) } let(:current_user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it do it do
expect_allowed(:read_snippet, :create_note) expect_allowed(:read_snippet, :create_note)
expect_allowed(*author_permissions) expect_allowed(*author_permissions)
end end
end end
context 'when admin mode is disabled' do
it do
expect_disallowed(:read_snippet, :create_note)
expect_disallowed(*author_permissions)
end
end
end
end end
end end
...@@ -26,9 +26,15 @@ describe UserPolicy do ...@@ -26,9 +26,15 @@ describe UserPolicy do
context "when an admin user tries to destroy a regular user" do context "when an admin user tries to destroy a regular user" do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(ability) } it { is_expected.to be_allowed(ability) }
end end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(ability) }
end
end
context "when an admin user tries to destroy a ghost user" do context "when an admin user tries to destroy a ghost user" do
let(:current_user) { create(:user, :admin) } let(:current_user) { create(:user, :admin) }
let(:user) { create(:user, :ghost) } let(:user) { create(:user, :ghost) }
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
describe WikiPagePolicy do describe WikiPagePolicy, :enable_admin_mode do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
......
...@@ -229,26 +229,25 @@ RSpec.configure do |config| ...@@ -229,26 +229,25 @@ RSpec.configure do |config|
./ee/spec/features ./ee/spec/features
./ee/spec/finders ./ee/spec/finders
./ee/spec/lib ./ee/spec/lib
./ee/spec/models
./ee/spec/policies
./ee/spec/requests/admin ./ee/spec/requests/admin
./ee/spec/serializers ./ee/spec/serializers
./ee/spec/services ./ee/spec/services
./ee/spec/support/protected_tags ./ee/spec/support/protected_tags
./ee/spec/support/shared_examples ./ee/spec/support/shared_examples/features
./ee/spec/support/shared_examples/finders/geo
./ee/spec/support/shared_examples/graphql/geo
./ee/spec/support/shared_examples/services
./spec/features ./spec/features
./spec/finders ./spec/finders
./spec/frontend ./spec/frontend
./spec/helpers ./spec/helpers
./spec/lib ./spec/lib
./spec/models
./spec/policies
./spec/requests ./spec/requests
./spec/serializers ./spec/serializers
./spec/services ./spec/services
./spec/support/cycle_analytics_helpers
./spec/support/protected_tags ./spec/support/protected_tags
./spec/support/shared_examples ./spec/support/shared_examples/features
./spec/support/shared_examples/requests
./spec/views ./spec/views
./spec/workers ./spec/workers
) )
......
...@@ -29,6 +29,10 @@ module CycleAnalyticsHelpers ...@@ -29,6 +29,10 @@ module CycleAnalyticsHelpers
scenarios.each do |start_time_conditions, end_time_conditions| scenarios.each do |start_time_conditions, end_time_conditions|
let_it_be(:other_project) { create(:project, :repository) } let_it_be(:other_project) { create(:project, :repository) }
before do
other_project.add_developer(self.user)
end
context "start condition: #{start_time_conditions.map(&:first).to_sentence}" do context "start condition: #{start_time_conditions.map(&:first).to_sentence}" do
context "end condition: #{end_time_conditions.map(&:first).to_sentence}" do context "end condition: #{end_time_conditions.map(&:first).to_sentence}" do
it "finds the median of available durations between the two conditions", :sidekiq_might_not_need_inline do it "finds the median of available durations between the two conditions", :sidekiq_might_not_need_inline do
......
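Review bot: The `before do other_project.add_developer(self.user) end` hook is placed inside the `scenarios.each` loop but outside the per-scenario `context` blocks, so it is registered on the enclosing example group once per scenario and every example runs it as many times as there are scenarios. Moving it into the `context "start condition: …"` block (or above the loop, next to a single `let_it_be(:other_project)`) gives one hook per group; `let_it_be(:other_project)` is in the same position and presumably has the same duplication, though that is pre-existing. The explicit `self.user` receiver is also unusual in a spec helper — a plain `user` resolves the same `let` unless a local shadows it, which is not visible here. The enclosing method starts outside the hunk.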
...@@ -7,6 +7,9 @@ module AdminModeHelper ...@@ -7,6 +7,9 @@ module AdminModeHelper
# mode for accessing any administrative functionality. This helper lets a user # mode for accessing any administrative functionality. This helper lets a user
# be in admin mode without requiring a second authentication step (provided # be in admin mode without requiring a second authentication step (provided
# the user is an admin) # the user is an admin)
#
# See also tag :enable_admin_mode in spec/spec_helper.rb for a spec-wide
# alternative
def enable_admin_mode!(user) def enable_admin_mode!(user)
fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode) fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode)
......
...@@ -50,9 +50,7 @@ module LoginHelpers ...@@ -50,9 +50,7 @@ module LoginHelpers
def gitlab_enable_admin_mode_sign_in(user) def gitlab_enable_admin_mode_sign_in(user)
visit new_admin_session_path visit new_admin_session_path
fill_in 'user_password', with: user.password fill_in 'user_password', with: user.password
click_button 'Enter Admin Mode' click_button 'Enter Admin Mode'
end end
......
...@@ -27,6 +27,17 @@ RSpec.shared_examples 'instance statistics availability' do ...@@ -27,6 +27,17 @@ RSpec.shared_examples 'instance statistics availability' do
context 'for admins' do context 'for admins' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
context 'when admin mode disabled' do
it 'forbids access when the feature is not available publicly' do
stub_application_setting(instance_statistics_visibility_private: true)
get :index
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when admin mode enabled', :enable_admin_mode do
it 'allows access when the feature is not available publicly' do it 'allows access when the feature is not available publicly' do
stub_application_setting(instance_statistics_visibility_private: true) stub_application_setting(instance_statistics_visibility_private: true)
...@@ -36,4 +47,5 @@ RSpec.shared_examples 'instance statistics availability' do ...@@ -36,4 +47,5 @@ RSpec.shared_examples 'instance statistics availability' do
end end
end end
end end
end
end end
...@@ -212,8 +212,8 @@ RSpec.shared_examples 'project policies as owner' do ...@@ -212,8 +212,8 @@ RSpec.shared_examples 'project policies as owner' do
end end
end end
RSpec.shared_examples 'project policies as admin' do RSpec.shared_examples 'project policies as admin with admin mode' do
context 'abilities for non-public projects' do context 'abilities for non-public projects', :enable_admin_mode do
let(:project) { create(:project, namespace: owner.namespace) } let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) } subject { described_class.new(admin, project) }
...@@ -232,3 +232,13 @@ RSpec.shared_examples 'project policies as admin' do ...@@ -232,3 +232,13 @@ RSpec.shared_examples 'project policies as admin' do
end end
end end
end end
RSpec.shared_examples 'project policies as admin without admin mode' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) }
it { is_expected.to be_banned }
end
end
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
RSpec.shared_examples 'model with wiki policies' do RSpec.shared_examples 'model with wiki policies' do
include ProjectHelpers include ProjectHelpers
include AdminModeHelper
let(:container) { raise NotImplementedError } let(:container) { raise NotImplementedError }
let(:user) { raise NotImplementedError } let(:user) { raise NotImplementedError }
...@@ -94,6 +95,7 @@ RSpec.shared_examples 'model with wiki policies' do ...@@ -94,6 +95,7 @@ RSpec.shared_examples 'model with wiki policies' do
before do before do
container.visibility = container_level.to_s container.visibility = container_level.to_s
set_access_level(ProjectFeature.access_level_from_str(access_level.to_s)) set_access_level(ProjectFeature.access_level_from_str(access_level.to_s))
enable_admin_mode!(user) if user&.admin?
if allowed_permissions.any? && [container_level, access_level, membership] != [:private, :private, :guest] if allowed_permissions.any? && [container_level, access_level, membership] != [:private, :private, :guest]
allowed_permissions << :download_wiki_code allowed_permissions << :download_wiki_code
......
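Review bot: `enable_admin_mode!(user) if user&.admin?` in the shared `before` block turns on admin mode for every admin row of the permission table, so these wiki-policy shared examples never exercise an admin without admin mode, whereas the other policy specs in this MR add an explicit "admin mode is disabled" case for that path. If the table has an admin membership row, consider either a second row or dimension for admin-without-admin-mode, or at least a comment above the line such as `# Admins are always tested in admin mode here; the non-elevated admin path is not covered by this table`. The `before` block's `end` and the surrounding `with_them`/table setup are outside the hunk.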