Commit 59056421 authored by Jan Provaznik's avatar Jan Provaznik

Merge branch 'issue_213067' into 'master'

Add confidentiality checks to epics policy

See merge request gitlab-org/gitlab!29190
parents 9f8901c3 7825ca3e
......@@ -91,6 +91,7 @@ class GroupPolicy < BasePolicy
end
rule { reporter }.policy do
enable :reporter_access
enable :read_container_image
enable :download_wiki_code
enable :admin_label
......
# frozen_string_literal: true
class EpicPolicy < BasePolicy
include CrudPolicyHelpers
delegate { @subject.group }
desc 'Epic is confidential'
condition(:confidential, scope: :subject) do
@subject.confidential?
end
rule { can?(:read_epic) }.policy do
enable :read_epic_iid
enable :read_note
......@@ -15,4 +22,13 @@ class EpicPolicy < BasePolicy
rule { can?(:create_note) }.enable :award_emoji
rule { can?(:owner_access) | can?(:maintainer_access) }.enable :admin_note
desc 'User cannot read confidential epics'
rule { confidential & ~can?(:reporter_access) }.policy do
prevent(*create_read_update_admin_destroy(:epic))
prevent :read_epic_iid
prevent :create_note
prevent :award_emoji
prevent :read_note
end
end
......@@ -28,17 +28,21 @@ describe EpicPolicy do
shared_examples 'can only read epics' do
it do
is_expected.to be_allowed(:read_epic, :read_epic_iid)
is_expected.to be_allowed(:read_epic, :read_epic_iid, :read_note)
is_expected.to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic)
end
end
shared_examples 'can manage epics' do
it { is_expected.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :admin_epic, :create_epic) }
it { is_expected.to be_allowed(:read_epic, :read_epic_iid, :read_note, :update_epic, :admin_epic, :create_epic) }
end
shared_examples 'all epic permissions disabled' do
it { is_expected.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic, :create_note, :award_emoji) }
it { is_expected.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic, :create_note, :award_emoji, :read_note) }
end
shared_examples 'all reporter epic permissions enabled' do
it { is_expected.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :admin_epic, :create_epic, :create_note, :award_emoji, :read_note) }
end
shared_examples 'group member permissions' do
......@@ -177,5 +181,50 @@ describe EpicPolicy do
it_behaves_like 'all epic permissions disabled'
end
context 'when epic is confidential' do
let_it_be(:group) { create(:group) }
let_it_be(:epic) { create(:epic, group: group, confidential: true) }
context 'when user is not reporter' do
before do
group.add_guest(user)
end
it_behaves_like 'all epic permissions disabled'
end
context 'when user is reporter' do
before do
group.add_reporter(user)
end
it_behaves_like 'all reporter epic permissions enabled'
end
context 'when user is developer' do
before do
group.add_developer(user)
end
it_behaves_like 'all reporter epic permissions enabled'
end
context 'when user is maintainer' do
before do
group.add_maintainer(user)
end
it_behaves_like 'all reporter epic permissions enabled'
end
context 'when user is owner' do
before do
group.add_owner(user)
end
it_behaves_like 'all reporter epic permissions enabled'
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment