Commit 96b14687 authored by Tomasz Maczukin's avatar Tomasz Maczukin

Introduce :read_namespace access policy for namespace and group

parent 5845dd6f
......@@ -45,6 +45,8 @@ class GroupPolicy < BasePolicy
rule { admin } .enable :read_group
rule { has_projects } .enable :read_group
rule { has_access }.enable :read_namespace
rule { developer }.enable :admin_milestones
rule { reporter }.enable :admin_label
......
......@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
rule { owner | admin }.policy do
enable :create_projects
enable :admin_namespace
enable :read_namespace
end
rule { personal_project & ~can_create_personal_project }.prevent :create_projects
......
......@@ -138,7 +138,7 @@ module API
def find_namespace!(id)
namespace = find_namespace(id)
if can?(current_user, :admin_namespace, namespace)
if can?(current_user, :read_namespace, namespace)
namespace
else
not_found!('Namespace')
......
......@@ -142,6 +142,7 @@ describe API::Namespaces do
describe 'GET /namespaces/:id' do
let(:owned_group) { group1 }
let(:user2) { create(:user) }
shared_examples 'can access namespace' do
it 'returns namespace details' do
......@@ -164,15 +165,33 @@ describe API::Namespaces do
context 'when namespace exists' do
context 'when requested by ID' do
let(:namespace_id) { owned_group.id }
context 'when requesting group' do
let(:namespace_id) { owned_group.id }
it_behaves_like 'can access namespace'
it_behaves_like 'can access namespace'
end
context 'when requesting personal namespace' do
let(:namespace_id) { request_actor.namespace.id }
let(:requested_namespace) { request_actor.namespace }
it_behaves_like 'can access namespace'
end
end
context 'when requested by path' do
let(:namespace_id) { owned_group.path }
context 'when requesting group' do
let(:namespace_id) { owned_group.path }
it_behaves_like 'can access namespace'
it_behaves_like 'can access namespace'
end
context 'when requesting personal namespace' do
let(:namespace_id) { request_actor.namespace.path }
let(:requested_namespace) { request_actor.namespace }
it_behaves_like 'can access namespace'
end
end
end
......@@ -197,10 +216,20 @@ describe API::Namespaces do
let(:request_actor) { user }
context 'when requested namespace is not owned by user' do
it 'returns not-found' do
get api("/namespaces/#{group2.id}", request_actor)
context 'when requesting group' do
it 'returns not-found' do
get api("/namespaces/#{group2.id}", request_actor)
expect(response).to have_gitlab_http_status(404)
expect(response).to have_gitlab_http_status(404)
end
end
context 'when requesting personal namespace' do
it 'returns not-found' do
get api("/namespaces/#{user2.namespace.id}", request_actor)
expect(response).to have_gitlab_http_status(404)
end
end
end
......@@ -213,10 +242,19 @@ describe API::Namespaces do
let(:request_actor) { admin }
context 'when requested namespace is not owned by user' do
let(:namespace_id) { group2.id }
let(:requested_namespace) { group2 }
context 'when requesting group' do
let(:namespace_id) { group2.id }
let(:requested_namespace) { group2 }
it_behaves_like 'can access namespace'
end
context 'when requesting personal namespace' do
let(:namespace_id) { user2.namespace.id }
let(:requested_namespace) { user2.namespace }
it_behaves_like 'can access namespace'
it_behaves_like 'can access namespace'
end
end
context 'when requested namespace is owned by user' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment