Add specs covering the auditor user.

All finders, policies and controllers that needed to be modified to include an `auditor` check are tested here

Add specs covering the auditor user.
All finders, policies and controllers that needed to be modified to include an `auditor` check are tested here
9a3a4a5e · Timothy Andrew · d475c369 · 9a3a4a5e · 9a3a4a5e · 9a3a4a5e
Commit 9a3a4a5e authored Jan 30, 2017 by Timothy Andrew
12 changed files
--- a/spec/controllers/admin/dashboard_controller_spec.rb
+++ b/spec/controllers/admin/dashboard_controller_spec.rb
+require 'spec_helper'
+
+describe Admin::DashboardController do
+  describe '#index' do
+    it "allows an admin user to access the page" do
+      sign_in(create(:user, :admin))
+      get :index
+
+      expect(response).to have_http_status(200)
+    end
+
+    it "does not allow an auditor user to access the page" do
+      sign_in(create(:user, :auditor))
+      get :index
+
+      expect(response).to have_http_status(404)
+    end
+
+    it "does not allow a regular user to access the page" do
+      sign_in(create(:user))
+      get :index
+
+      expect(response).to have_http_status(404)
+    end
+  end
+end
--- a/spec/controllers/groups_controller_spec.rb
+++ b/spec/controllers/groups_controller_spec.rb
@@ -126,4 +126,48 @@ describe GroupsController do
      expect(assigns(:group).path).not_to eq('new_path')
    end
  end
+
+  describe 'POST create' do
+    it 'allows creating a group' do
+      sign_in(user)
+
+      expect do
+        post :create, group: { name: 'new_group', path: "new_group" }
+      end.to change { Group.count }.by(1)
+
+      expect(response).to have_http_status(302)
+    end
+
+    context 'authorization' do
+      it 'allows an admin to create a group' do
+        sign_in(create(:admin))
+
+        expect do
+          post :create, group: { name: 'new_group', path: "new_group" }
+        end.to change { Group.count }.by(1)
+
+        expect(response).to have_http_status(302)
+      end
+
+      it 'does not allow a user with "can_create_group" set to false to create a group' do
+        sign_in(create(:user, can_create_group: false))
+
+        expect do
+          post :create, group: { name: 'new_group', path: "new_group" }
+        end.not_to change { Group.count }
+
+        expect(response).to have_http_status(404)
+      end
+
+      it 'does not allow an auditor with "can_create_group" set to true to create a group' do
+        sign_in(create(:user, :auditor, can_create_group: true))
+
+        expect do
+          post :create, group: { name: 'new_group', path: "new_group" }
+        end.not_to change { Group.count }
+
+        expect(response).to have_http_status(404)
+      end
+    end
+  end
 end
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -425,4 +425,26 @@ describe ProjectsController do
      expect(parsed_body["Commits"]).to include("123456")
    end
  end
+
+  describe 'GET edit' do
+    it 'does not allow an auditor user to access the page' do
+      sign_in(create(:user, :auditor))
+
+      get :edit,
+          namespace_id: project.namespace.path,
+          id: project.path
+
+      expect(response).to have_http_status(404)
+    end
+
+    it 'allows an admin user to access the page' do
+      sign_in(create(:user, :admin))
+
+      get :edit,
+          namespace_id: project.namespace.path,
+          id: project.path
+
+      expect(response).to have_http_status(200)
+    end
+  end
 end
--- a/spec/finders/group_projects_finder_spec.rb
+++ b/spec/finders/group_projects_finder_spec.rb
@@ -76,6 +76,44 @@ describe GroupProjectsFinder do
    end
  end

+  describe 'with an admin current user' do
+    let(:current_user) { create(:user, :admin) }
+
+    context "only shared" do
+      subject { described_class.new(group, only_shared: true).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1]) }
+    end
+
+    context "only owned" do
+      subject { described_class.new(group, only_owned: true).execute(current_user) }
+      it      { is_expected.to eq([private_project, public_project]) }
+    end
+
+    context "all" do
+      subject { described_class.new(group).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1, private_project, public_project]) }
+    end
+  end
+
+  describe 'with an auditor current user' do
+    let(:current_user) { create(:user, :auditor) }
+
+    context "only shared" do
+      subject { described_class.new(group, only_shared: true).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1]) }
+    end
+
+    context "only owned" do
+      subject { described_class.new(group, only_owned: true).execute(current_user) }
+      it      { is_expected.to eq([private_project, public_project]) }
+    end
+
+    context "all" do
+      subject { described_class.new(group).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1, private_project, public_project]) }
+    end
+  end
+
  describe "no user" do
    context "only shared" do
      subject { described_class.new(group, only_shared: true).execute(current_user) }

--- a/spec/finders/issues_finder_spec.rb
+++ b/spec/finders/issues_finder_spec.rb
@@ -258,6 +258,8 @@ describe IssuesFinder do

  describe '.not_restricted_by_confidentiality' do
    let(:authorized_user) { create(:user) }
+    let(:admin_user) { create(:user, :admin) }
+    let(:auditor_user) { create(:user, :auditor) }
    let(:project) { create(:empty_project, namespace: authorized_user.namespace) }
    let!(:public_issue) { create(:issue, project: project) }
    let!(:confidential_issue) { create(:issue, project: project, confidential: true) }
@@ -273,5 +275,13 @@ describe IssuesFinder do
    it 'returns all issues for user authorized for the issues projects' do
      expect(IssuesFinder.send(:not_restricted_by_confidentiality, authorized_user)).to include(public_issue, confidential_issue)
    end
+
+    it 'returns all issues for an admin user' do
+      expect(IssuesFinder.send(:not_restricted_by_confidentiality, admin_user)).to include(public_issue, confidential_issue)
+    end
+
+    it 'returns all issues for an auditor user' do
+      expect(IssuesFinder.send(:not_restricted_by_confidentiality, auditor_user)).to include(public_issue, confidential_issue)
+    end
  end
 end
--- a/spec/finders/snippets_finder_spec.rb
+++ b/spec/finders/snippets_finder_spec.rb
@@ -127,5 +127,17 @@ describe SnippetsFinder do
      snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1, scope: "are_private")
      expect(snippets).to include(@snippet1)
    end
+
+    it "returns all snippets for admin users" do
+      user = create(:user, :admin)
+      snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1)
+      expect(snippets).to include(@snippet1, @snippet2, @snippet3)
+    end
+
+    it "returns all snippets for auditor users" do
+      user = create(:user, :auditor)
+      snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1)
+      expect(snippets).to include(@snippet1, @snippet2, @snippet3)
+    end
  end
 end
--- a/spec/models/project_feature_spec.rb
+++ b/spec/models/project_feature_spec.rb
@@ -52,6 +52,15 @@ describe ProjectFeature do
          expect(project.feature_available?(:issues, user)).to eq(true)
        end
      end
+
+      it "returns true if user is an auditor" do
+        user.update_attribute(:auditor, true)
+
+        features.each do |feature|
+          project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
+          expect(project.feature_available?(:issues, user)).to eq(true)
+        end
+      end
    end

    context 'when feature is enabled for everyone' do

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -198,6 +198,12 @@ describe User, models: true do
        end
      end
    end
+
+    it 'does not allow a user to be both an auditor and an admin' do
+      user = build(:user, :admin, :auditor)
+
+      expect(user).to be_invalid
+    end
  end

  describe "non_ldap" do
@@ -1415,7 +1421,7 @@ describe User, models: true do

    it 'returns the projects when using an ActiveRecord relation' do
      projects = user.
-        projects_with_reporter_access_limited_to(Project.select(:id))
+                   projects_with_reporter_access_limited_to(Project.select(:id))

      expect(projects).to eq([project1])
    end

--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -6,6 +6,7 @@ describe GroupPolicy, models: true do
  let(:developer) { create(:user) }
  let(:master) { create(:user) }
  let(:owner) { create(:user) }
+  let(:auditor) { create(:user, :auditor) }
  let(:admin) { create(:admin) }
  let(:group) { create(:group) }

@@ -170,5 +171,15 @@ describe GroupPolicy, models: true do
        is_expected.to include(*owner_permissions)
      end
    end
+
+    context 'auditor' do
+      let(:current_user) { auditor }
+
+      it do
+        is_expected.to include(:read_group)
+        is_expected.not_to include(*master_permissions)
+        is_expected.not_to include(*owner_permissions)
+      end
+    end
  end
 end
--- a/spec/policies/namespace_policy_spec.rb
+++ b/spec/policies/namespace_policy_spec.rb
+require 'spec_helper'
+
+describe NamespacePolicy, models: true do
+  let(:user) { create(:user) }
+  let(:owner) { create(:user) }
+  let(:auditor) { create(:user, :auditor) }
+  let(:admin) { create(:admin) }
+  let(:namespace) { create(:namespace, owner: owner) }
+
+  let(:owner_permissions) do
+    [
+      :create_projects,
+      :admin_namespace
+    ]
+  end
+
+  let(:admin_permissions) { owner_permissions }
+
+  subject { described_class.abilities(current_user, namespace).to_set }
+
+  context 'with no user' do
+    let(:current_user) { nil }
+
+    it do
+      is_expected.to be_empty
+    end
+  end
+
+  context 'regular user' do
+    let(:current_user) { user }
+
+    it do
+      is_expected.to be_empty
+    end
+  end
+
+  context 'owner' do
+    let(:current_user) { owner }
+
+    it do
+      is_expected.to include(*owner_permissions)
+    end
+  end
+
+  context 'auditor' do
+    let(:current_user) { auditor }
+
+    it do
+      is_expected.to be_empty
+    end
+  end
+
+  context 'admin' do
+    let(:current_user) { admin }
+
+    it do
+      is_expected.to include(*owner_permissions)
+    end
+  end
+end
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -6,6 +6,7 @@ describe ProjectPolicy, models: true do
  let(:dev) { create(:user) }
  let(:master) { create(:user) }
  let(:owner) { create(:user) }
+  let(:auditor) { create(:user, :auditor) }
  let(:admin) { create(:admin) }
  let(:project) { create(:empty_project, :public, namespace: owner.namespace) }

@@ -68,6 +69,16 @@ describe ProjectPolicy, models: true do
    ]
  end

+  let(:auditor_permissions) do
+    [
+      :download_code, :download_wiki_code, :read_project, :read_board, :read_list,
+      :read_wiki, :read_issue, :read_label, :read_milestone, :read_project_snippet,
+      :read_project_member, :read_note, :read_cycle_analytics, :read_pipeline,
+      :read_build, :read_commit_status, :read_container_image, :read_environment,
+      :read_deployment, :read_merge_request, :read_pages
+    ]
+  end
+
  before do
    project.team << [guest, :guest]
    project.team << [master, :master]
@@ -207,5 +218,16 @@ describe ProjectPolicy, models: true do
        is_expected.to include(*owner_permissions)
      end
    end
+
+    context 'auditor' do
+      let(:current_user) { auditor }
+
+      it do
+        is_expected.not_to include(*developer_permissions)
+        is_expected.not_to include(*master_permissions)
+        is_expected.not_to include(*owner_permissions)
+        is_expected.to include(*auditor_permissions)
+      end
+    end
  end
 end
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
+require 'spec_helper'
+
+describe ProjectSnippetPolicy, models: true do
+  let(:author_permissions) do
+    [
+      :update_project_snippet,
+      :admin_project_snippet
+    ]
+  end
+
+  subject { described_class.abilities(current_user, project_snippet).to_set }
+
+  context 'public snippet' do
+    let(:project_snippet) { create(:project_snippet, :public) }
+
+    context 'no user' do
+      let(:current_user) { nil }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'regular user' do
+      let(:current_user) { create(:user) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+  end
+
+  context 'internal snippet' do
+    let(:project_snippet) { create(:project_snippet, :internal) }
+
+    context 'no user' do
+      let(:current_user) { nil }
+
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'regular user' do
+      let(:current_user) { create(:user) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'external user' do
+      let(:current_user) { create(:user, :external) }
+
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+  end
+
+  context 'private snippet' do
+    let(:project_snippet) { create(:project_snippet, :private) }
+
+    context 'no user' do
+      let(:current_user) { nil }
+
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'regular user' do
+      let(:current_user) { create(:user) }
+
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'snippet author' do
+      let(:current_user) { create(:user) }
+      let(:project_snippet) { create(:project_snippet, :private, author: current_user) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.to include(*author_permissions)
+      end
+    end
+
+    context 'project team member' do
+      let(:current_user) { create(:user) }
+      before { project_snippet.project.team << [current_user, :developer] }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'auditor user' do
+      let(:current_user) { create(:user, :auditor) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'admin user' do
+      let(:current_user) { create(:user, :admin) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.to include(*author_permissions)
+      end
+    end
+  end
+end