Commit 7ee66c95 authored by Nick Thomas's avatar Nick Thomas

Merge branch 'requirements-perms' into 'master'

Add Requirement policy

See merge request gitlab-org/gitlab!26618
parents 5ec89907 4fa45342
...@@ -125,6 +125,7 @@ class License < ApplicationRecord ...@@ -125,6 +125,7 @@ class License < ApplicationRecord
prometheus_alerts prometheus_alerts
pseudonymizer pseudonymizer
report_approver_rules report_approver_rules
requirements
sast sast
security_dashboard security_dashboard
status_page status_page
......
...@@ -33,6 +33,9 @@ module EE ...@@ -33,6 +33,9 @@ module EE
with_scope :subject with_scope :subject
condition(:packages_disabled) { !@subject.packages_enabled } condition(:packages_disabled) { !@subject.packages_enabled }
with_scope :subject
condition(:requirements_available) { @subject.feature_available?(:requirements) }
with_scope :global with_scope :global
condition(:is_development) { Rails.env.development? } condition(:is_development) { Rails.env.development? }
...@@ -359,6 +362,16 @@ module EE ...@@ -359,6 +362,16 @@ module EE
rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics
rule { can?(:read_project) & requirements_available }.enable :read_requirement
rule { requirements_available & reporter }.policy do
enable :create_requirement
enable :admin_requirement
enable :update_requirement
end
rule { requirements_available & owner }.enable :destroy_requirement
end end
override :lookup_access_level! override :lookup_access_level!
......
# frozen_string_literal: true
class RequirementPolicy < BasePolicy
delegate { @subject.resource_parent }
end
...@@ -1397,4 +1397,8 @@ describe ProjectPolicy do ...@@ -1397,4 +1397,8 @@ describe ProjectPolicy do
end end
end end
end end
it_behaves_like 'resource with requirement permissions' do
let(:resource) { project }
end
end end
# frozen_string_literal: true
require 'spec_helper'
describe RequirementPolicy do
let_it_be(:owner) { create(:user) }
let_it_be(:admin) { create(:admin) }
let_it_be(:reporter) { create(:user) }
let_it_be(:developer) { create(:user) }
let_it_be(:maintainer) { create(:user) }
let_it_be(:guest) { create(:user) }
let_it_be(:project) { create(:project, :public, namespace: owner.namespace) }
let_it_be(:resource, reload: true) { create(:requirement, project: project) }
before do
project.add_reporter(reporter)
project.add_developer(developer)
project.add_maintainer(maintainer)
project.add_guest(guest)
end
it_behaves_like 'resource with requirement permissions'
end
# frozen_string_literal: true
RSpec.shared_examples 'resource with requirement permissions' do
let(:all_permissions) { [:read_requirement, :create_requirement, :admin_requirement, :update_requirement, :destroy_requirement] }
let(:manage_permissions) { all_permissions - [:destroy_requirement] }
let(:non_read_permissions) { all_permissions - [:read_requirement] }
subject { described_class.new(current_user, resource) }
shared_examples 'user with manage permissions' do
it { is_expected.to be_allowed(*manage_permissions) }
it { is_expected.to be_disallowed(:destroy_requirement) }
end
shared_examples 'user with read only permissions' do
it { is_expected.to be_allowed(:read_requirement) }
it { is_expected.to be_disallowed(*non_read_permissions) }
end
context 'when requirements feature is enabled' do
before do
stub_licensed_features(requirements: true)
end
context 'with admin' do
let(:current_user) { admin }
it_behaves_like 'user with read only permissions'
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(*all_permissions) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it_behaves_like 'user with manage permissions'
end
context 'with developer' do
let(:current_user) { developer }
it_behaves_like 'user with manage permissions'
end
context 'with reporter' do
let(:current_user) { reporter }
it_behaves_like 'user with manage permissions'
end
context 'with guest' do
let(:current_user) { guest }
it_behaves_like 'user with read only permissions'
end
context 'with non member' do
let(:current_user) { create(:user) }
it_behaves_like 'user with read only permissions'
context 'with private resource parent' do
before do
parent = resource.is_a?(Project) ? resource : resource.resource_parent
parent.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
end
it { is_expected.to be_disallowed(*all_permissions) }
end
end
end
context 'when requirements feature is disabled' do
before do
stub_licensed_features(requirements: false)
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_disallowed(*all_permissions) }
end
context 'with admin' do
let(:current_user) { admin }
it { is_expected.to be_disallowed(*all_permissions) }
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment