Resolve "Fork relationship is not respected for certain projects"

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86102 Changelog: fixed

Resolve "Fork relationship is not respected for certain projects"
See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86102 Changelog: fixed
881099bc · Sincheol (David) Kim · GitLab Release Tools Bot · f1debf96 · 881099bc · 881099bc
Commit 881099bc authored May 02, 2022 by Sincheol (David) Kim Committed by GitLab Release Tools Bot May 03, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 70 additions and 20 deletions

app/policies/project_policy.rb app/policies/project_policy.rb +1 -1

spec/policies/project_policy_spec.rb spec/policies/project_policy_spec.rb +69 -19

No files found.
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -664,7 +664,7 @@ class ProjectPolicy < BasePolicy
    enable :read_security_configuration
  end

-  rule { can?(:guest_access) & can?(:read_commit_status) }.policy do
+  rule { can?(:guest_access) & can?(:download_code) }.policy do
    enable :create_merge_request_in
  end


--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -103,39 +103,89 @@ RSpec.describe ProjectPolicy do
  end

  context 'creating_merge_request_in' do
-    context 'when project is public' do
-      let(:project) { public_project }
+    context 'when the current_user can download_code' do
+      before do
+        expect(subject).to receive(:allowed?).with(:download_code).and_return(true)
+        allow(subject).to receive(:allowed?).with(any_args).and_call_original
+      end

-      context 'when the current_user is guest' do
-        let(:current_user) { guest }
+      context 'when project is public' do
+        let(:project) { public_project }
+
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }

-        it { is_expected.to be_allowed(:create_merge_request_in) }
+          it { is_expected.to be_allowed(:create_merge_request_in) }
+        end
      end
-    end

-    context 'when project is internal' do
-      let(:project) { internal_project }
+      context 'when project is internal' do
+        let(:project) { internal_project }

-      context 'when the current_user is guest' do
-        let(:current_user) { guest }
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }

-        it { is_expected.to be_allowed(:create_merge_request_in) }
+          it { is_expected.to be_allowed(:create_merge_request_in) }
+        end
+      end
+
+      context 'when project is private' do
+        let(:project) { private_project }
+
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
+
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
+
+        context 'when the current_user is reporter or above' do
+          let(:current_user) { reporter }
+
+          it { is_expected.to be_allowed(:create_merge_request_in) }
+        end
      end
    end

-    context 'when project is private' do
-      let(:project) { private_project }
+    context 'when the current_user can not download code' do
+      before do
+        expect(subject).to receive(:allowed?).with(:download_code).and_return(false)
+        allow(subject).to receive(:allowed?).with(any_args).and_call_original
+      end

-      context 'when the current_user is guest' do
-        let(:current_user) { guest }
+      context 'when project is public' do
+        let(:project) { public_project }
+
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }

-        it { is_expected.not_to be_allowed(:create_merge_request_in) }
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
      end

-      context 'when the current_user is reporter or above' do
-        let(:current_user) { reporter }
+      context 'when project is internal' do
+        let(:project) { internal_project }

-        it { is_expected.to be_allowed(:create_merge_request_in) }
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
+
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
+      end
+
+      context 'when project is private' do
+        let(:project) { private_project }
+
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
+
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
+
+        context 'when the current_user is reporter or above' do
+          let(:current_user) { reporter }
+
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
      end
    end
  end