Commit 9a3a4a5e authored by Timothy Andrew's avatar Timothy Andrew

Add specs covering the auditor user.

All finders, policies and controllers that needed to be modified to include an
`auditor` check are tested here.
parent d475c369
require 'spec_helper'
describe Admin::DashboardController do
describe '#index' do
it "allows an admin user to access the page" do
sign_in(create(:user, :admin))
get :index
expect(response).to have_http_status(200)
end
it "does not allow an auditor user to access the page" do
sign_in(create(:user, :auditor))
get :index
expect(response).to have_http_status(404)
end
it "does not allow a regular user to access the page" do
sign_in(create(:user))
get :index
expect(response).to have_http_status(404)
end
end
end
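Review bot: The three examples only cover signed-in users, so the spec cannot catch a regression in the sign-in requirement itself; an anonymous request deserves its own example, e.g. `it "rejects an unauthenticated request" do get :index; expect(response).not_to have_http_status(200) end`, with the exact status matched to what the controller returns for anonymous visitors. The auditor and regular-user examples are identical apart from the factory trait, so a loop over the traits or a shared example would keep the two 404 expectations from drifting apart.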
...@@ -126,4 +126,48 @@ describe GroupsController do ...@@ -126,4 +126,48 @@ describe GroupsController do
expect(assigns(:group).path).not_to eq('new_path') expect(assigns(:group).path).not_to eq('new_path')
end end
end end
describe 'POST create' do
it 'allows creating a group' do
sign_in(user)
expect do
post :create, group: { name: 'new_group', path: "new_group" }
end.to change { Group.count }.by(1)
expect(response).to have_http_status(302)
end
context 'authorization' do
it 'allows an admin to create a group' do
sign_in(create(:admin))
expect do
post :create, group: { name: 'new_group', path: "new_group" }
end.to change { Group.count }.by(1)
expect(response).to have_http_status(302)
end
it 'does not allow a user with "can_create_group" set to false to create a group' do
sign_in(create(:user, can_create_group: false))
expect do
post :create, group: { name: 'new_group', path: "new_group" }
end.not_to change { Group.count }
expect(response).to have_http_status(404)
end
it 'does not allow an auditor with "can_create_group" set to true to create a group' do
sign_in(create(:user, :auditor, can_create_group: true))
expect do
post :create, group: { name: 'new_group', path: "new_group" }
end.not_to change { Group.count }
expect(response).to have_http_status(404)
end
end
end
end end
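Review bot: The four examples repeat the literal `group: { name: 'new_group', path: "new_group" }`; hoisting it into `let(:group_params) { { name: 'new_group', path: 'new_group' } }` and posting `post :create, group: group_params` keeps the authorization cases in sync if the required attributes change. The first example signs in `user`, which is defined above the hunk, while the authorization context creates its own users, so 'allows creating a group' should say which kind of user it covers (presumably a regular user with `can_create_group` at its default). The enclosing `describe GroupsController` block continues outside the hunk.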
...@@ -425,4 +425,26 @@ describe ProjectsController do ...@@ -425,4 +425,26 @@ describe ProjectsController do
expect(parsed_body["Commits"]).to include("123456") expect(parsed_body["Commits"]).to include("123456")
end end
end end
describe 'GET edit' do
it 'does not allow an auditor user to access the page' do
sign_in(create(:user, :auditor))
get :edit,
namespace_id: project.namespace.path,
id: project.path
expect(response).to have_http_status(404)
end
it 'allows an admin user to access the page' do
sign_in(create(:user, :admin))
get :edit,
namespace_id: project.namespace.path,
id: project.path
expect(response).to have_http_status(200)
end
end
end end
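Review bot: The auditor example at the top of the hunk signs in a freshly created auditor who is not a member of `project` (defined above the hunk), so the 404 would equally be produced by plain non-membership and does not by itself prove the new auditor check. Unless team membership is meant to override the restriction, give the auditor a role on the project before the request, e.g. `auditor = create(:user, :auditor)`, `project.team << [auditor, :master]`, `sign_in(auditor)`, and keep the 404 expectation. The same question applies to the 'auditor' contexts in the GroupPolicy and ProjectPolicy sections below, where the `not_to include` assertions hold for any non-member.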
...@@ -76,6 +76,44 @@ describe GroupProjectsFinder do ...@@ -76,6 +76,44 @@ describe GroupProjectsFinder do
end end
end end
describe 'with an admin current user' do
let(:current_user) { create(:user, :admin) }
context "only shared" do
subject { described_class.new(group, only_shared: true).execute(current_user) }
it { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1]) }
end
context "only owned" do
subject { described_class.new(group, only_owned: true).execute(current_user) }
it { is_expected.to eq([private_project, public_project]) }
end
context "all" do
subject { described_class.new(group).execute(current_user) }
it { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1, private_project, public_project]) }
end
end
describe 'with an auditor current user' do
let(:current_user) { create(:user, :auditor) }
context "only shared" do
subject { described_class.new(group, only_shared: true).execute(current_user) }
it { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1]) }
end
context "only owned" do
subject { described_class.new(group, only_owned: true).execute(current_user) }
it { is_expected.to eq([private_project, public_project]) }
end
context "all" do
subject { described_class.new(group).execute(current_user) }
it { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1, private_project, public_project]) }
end
end
describe "no user" do describe "no user" do
context "only shared" do context "only shared" do
subject { described_class.new(group, only_shared: true).execute(current_user) } subject { described_class.new(group, only_shared: true).execute(current_user) }
......
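Review bot: The 'with an admin current user' and 'with an auditor current user' blocks are line-for-line copies differing only in the factory trait; a `shared_examples` block taken with `it_behaves_like` in both describes (or a loop over `%i[admin auditor]` that sets `current_user` per iteration) would make it explicit that the two roles are expected to see identical results and stop the two from drifting apart. The same duplicated admin/auditor pairs appear in the IssuesFinder and SnippetsFinder sections below. The fixtures `shared_project_*`, `private_project` and `public_project` are defined outside the hunk.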
...@@ -258,6 +258,8 @@ describe IssuesFinder do ...@@ -258,6 +258,8 @@ describe IssuesFinder do
describe '.not_restricted_by_confidentiality' do describe '.not_restricted_by_confidentiality' do
let(:authorized_user) { create(:user) } let(:authorized_user) { create(:user) }
let(:admin_user) { create(:user, :admin) }
let(:auditor_user) { create(:user, :auditor) }
let(:project) { create(:empty_project, namespace: authorized_user.namespace) } let(:project) { create(:empty_project, namespace: authorized_user.namespace) }
let!(:public_issue) { create(:issue, project: project) } let!(:public_issue) { create(:issue, project: project) }
let!(:confidential_issue) { create(:issue, project: project, confidential: true) } let!(:confidential_issue) { create(:issue, project: project, confidential: true) }
...@@ -273,5 +275,13 @@ describe IssuesFinder do ...@@ -273,5 +275,13 @@ describe IssuesFinder do
it 'returns all issues for user authorized for the issues projects' do it 'returns all issues for user authorized for the issues projects' do
expect(IssuesFinder.send(:not_restricted_by_confidentiality, authorized_user)).to include(public_issue, confidential_issue) expect(IssuesFinder.send(:not_restricted_by_confidentiality, authorized_user)).to include(public_issue, confidential_issue)
end end
it 'returns all issues for an admin user' do
expect(IssuesFinder.send(:not_restricted_by_confidentiality, admin_user)).to include(public_issue, confidential_issue)
end
it 'returns all issues for an auditor user' do
expect(IssuesFinder.send(:not_restricted_by_confidentiality, auditor_user)).to include(public_issue, confidential_issue)
end
end end
end end
...@@ -127,5 +127,17 @@ describe SnippetsFinder do ...@@ -127,5 +127,17 @@ describe SnippetsFinder do
snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1, scope: "are_private") snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1, scope: "are_private")
expect(snippets).to include(@snippet1) expect(snippets).to include(@snippet1)
end end
it "returns all snippets for admin users" do
user = create(:user, :admin)
snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1)
expect(snippets).to include(@snippet1, @snippet2, @snippet3)
end
it "returns all snippets for auditor users" do
user = create(:user, :auditor)
snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1)
expect(snippets).to include(@snippet1, @snippet2, @snippet3)
end
end end
end end
...@@ -52,6 +52,15 @@ describe ProjectFeature do ...@@ -52,6 +52,15 @@ describe ProjectFeature do
expect(project.feature_available?(:issues, user)).to eq(true) expect(project.feature_available?(:issues, user)).to eq(true)
end end
end end
it "returns true if user is an auditor" do
user.update_attribute(:auditor, true)
features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
expect(project.feature_available?(:issues, user)).to eq(true)
end
end
end end
context 'when feature is enabled for everyone' do context 'when feature is enabled for everyone' do
......
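Review bot: The loop body in the new auditor example sets `"#{feature}_access_level"` to PRIVATE for each feature but then asserts `project.feature_available?(:issues, user)` regardless of which feature was just restricted, so only `:issues` is ever checked and the other features' auditor handling is untested; the assertion should be `expect(project.feature_available?(feature, user)).to eq(true)`. The admin example visible in the context lines above shows the same pattern, so this looks like a copy of a pre-existing slip that is worth fixing in both places. `user.update_attribute(:auditor, true)` also bypasses model validations, so it would not catch the admin/auditor exclusivity the User spec in this commit introduces; `create(:user, :auditor)` as used elsewhere in the commit would be consistent. `features` and `user` are defined outside the hunk.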
...@@ -198,6 +198,12 @@ describe User, models: true do ...@@ -198,6 +198,12 @@ describe User, models: true do
end end
end end
end end
it 'does not allow a user to be both an auditor and an admin' do
user = build(:user, :admin, :auditor)
expect(user).to be_invalid
end
end end
describe "non_ldap" do describe "non_ldap" do
...@@ -1415,7 +1421,7 @@ describe User, models: true do ...@@ -1415,7 +1421,7 @@ describe User, models: true do
it 'returns the projects when using an ActiveRecord relation' do it 'returns the projects when using an ActiveRecord relation' do
projects = user. projects = user.
projects_with_reporter_access_limited_to(Project.select(:id)) projects_with_reporter_access_limited_to(Project.select(:id))
expect(projects).to eq([project1]) expect(projects).to eq([project1])
end end
......
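Review bot: The new validation example asserts only `be_invalid`, so any unrelated validation failure on the built user would also make it pass, and nothing shows that each role is still valid on its own. Pair it with the positive cases `expect(build(:user, :admin)).to be_valid` and `expect(build(:user, :auditor)).to be_valid`, and assert that the error is reported on the attribute the model actually flags (inspect `user.errors` after `user.valid?`) rather than overall invalidity. The second hunk in this section is a whitespace-only change.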
...@@ -6,6 +6,7 @@ describe GroupPolicy, models: true do ...@@ -6,6 +6,7 @@ describe GroupPolicy, models: true do
let(:developer) { create(:user) } let(:developer) { create(:user) }
let(:master) { create(:user) } let(:master) { create(:user) }
let(:owner) { create(:user) } let(:owner) { create(:user) }
let(:auditor) { create(:user, :auditor) }
let(:admin) { create(:admin) } let(:admin) { create(:admin) }
let(:group) { create(:group) } let(:group) { create(:group) }
...@@ -170,5 +171,15 @@ describe GroupPolicy, models: true do ...@@ -170,5 +171,15 @@ describe GroupPolicy, models: true do
is_expected.to include(*owner_permissions) is_expected.to include(*owner_permissions)
end end
end end
context 'auditor' do
let(:current_user) { auditor }
it do
is_expected.to include(:read_group)
is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions)
end
end
end end
end end
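Review bot: The 'auditor' context excludes `master_permissions` and `owner_permissions` but not the developer set, whereas the ProjectPolicy auditor context in this commit also asserts `not_to include(*developer_permissions)`; if this spec defines that list (the `developer` user at the top of the section suggests it does), add `is_expected.not_to include(*developer_permissions)` here for a consistent read-only check. The enclosing `describe GroupPolicy` block continues outside the hunk.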
require 'spec_helper'
describe NamespacePolicy, models: true do
let(:user) { create(:user) }
let(:owner) { create(:user) }
let(:auditor) { create(:user, :auditor) }
let(:admin) { create(:admin) }
let(:namespace) { create(:namespace, owner: owner) }
let(:owner_permissions) do
[
:create_projects,
:admin_namespace
]
end
let(:admin_permissions) { owner_permissions }
subject { described_class.abilities(current_user, namespace).to_set }
context 'with no user' do
let(:current_user) { nil }
it do
is_expected.to be_empty
end
end
context 'regular user' do
let(:current_user) { user }
it do
is_expected.to be_empty
end
end
context 'owner' do
let(:current_user) { owner }
it do
is_expected.to include(*owner_permissions)
end
end
context 'auditor' do
let(:current_user) { auditor }
it do
is_expected.to be_empty
end
end
context 'admin' do
let(:current_user) { admin }
it do
is_expected.to include(*owner_permissions)
end
end
end
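Review bot: `let(:admin_permissions) { owner_permissions }` is defined but never referenced; the 'admin' context asserts `include(*owner_permissions)` directly. Either use it there, `is_expected.to include(*admin_permissions)`, so the alias documents that admins are expected to get the owner set, or drop the `let`. The 'auditor' context asserting `be_empty` is the strongest possible read-only statement for this policy and matches the commit description.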
...@@ -6,6 +6,7 @@ describe ProjectPolicy, models: true do ...@@ -6,6 +6,7 @@ describe ProjectPolicy, models: true do
let(:dev) { create(:user) } let(:dev) { create(:user) }
let(:master) { create(:user) } let(:master) { create(:user) }
let(:owner) { create(:user) } let(:owner) { create(:user) }
let(:auditor) { create(:user, :auditor) }
let(:admin) { create(:admin) } let(:admin) { create(:admin) }
let(:project) { create(:empty_project, :public, namespace: owner.namespace) } let(:project) { create(:empty_project, :public, namespace: owner.namespace) }
...@@ -68,6 +69,16 @@ describe ProjectPolicy, models: true do ...@@ -68,6 +69,16 @@ describe ProjectPolicy, models: true do
] ]
end end
let(:auditor_permissions) do
[
:download_code, :download_wiki_code, :read_project, :read_board, :read_list,
:read_wiki, :read_issue, :read_label, :read_milestone, :read_project_snippet,
:read_project_member, :read_note, :read_cycle_analytics, :read_pipeline,
:read_build, :read_commit_status, :read_container_image, :read_environment,
:read_deployment, :read_merge_request, :read_pages
]
end
before do before do
project.team << [guest, :guest] project.team << [guest, :guest]
project.team << [master, :master] project.team << [master, :master]
...@@ -207,5 +218,16 @@ describe ProjectPolicy, models: true do ...@@ -207,5 +218,16 @@ describe ProjectPolicy, models: true do
is_expected.to include(*owner_permissions) is_expected.to include(*owner_permissions)
end end
end end
context 'auditor' do
let(:current_user) { auditor }
it do
is_expected.not_to include(*developer_permissions)
is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions)
is_expected.to include(*auditor_permissions)
end
end
end end
end end
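Review bot: The 'auditor' context proves the auditor lacks the developer, master and owner sets and has the listed read abilities, but says nothing about abilities outside those four lists, so an auditor gaining a write ability that belongs to a lower role (the `guest` added to the team in the `before` block suggests such a set exists) would not fail this spec. Either also exclude the write abilities of the guest/reporter lists if the spec defines them, or compare the whole ability set, e.g. `is_expected.to eq(auditor_permissions.to_set)` if `subject` is built with `.to_set` as in the other policy specs in this commit. `developer_permissions`, `master_permissions` and `owner_permissions` are defined outside the hunk.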
require 'spec_helper'
describe ProjectSnippetPolicy, models: true do
let(:author_permissions) do
[
:update_project_snippet,
:admin_project_snippet
]
end
subject { described_class.abilities(current_user, project_snippet).to_set }
context 'public snippet' do
let(:project_snippet) { create(:project_snippet, :public) }
context 'no user' do
let(:current_user) { nil }
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'regular user' do
let(:current_user) { create(:user) }
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
end
context 'internal snippet' do
let(:project_snippet) { create(:project_snippet, :internal) }
context 'no user' do
let(:current_user) { nil }
it do
is_expected.not_to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'regular user' do
let(:current_user) { create(:user) }
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'external user' do
let(:current_user) { create(:user, :external) }
it do
is_expected.not_to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
end
context 'private snippet' do
let(:project_snippet) { create(:project_snippet, :private) }
context 'no user' do
let(:current_user) { nil }
it do
is_expected.not_to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'regular user' do
let(:current_user) { create(:user) }
it do
is_expected.not_to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'snippet author' do
let(:current_user) { create(:user) }
let(:project_snippet) { create(:project_snippet, :private, author: current_user) }
it do
is_expected.to include(:read_project_snippet)
is_expected.to include(*author_permissions)
end
end
context 'project team member' do
let(:current_user) { create(:user) }
before { project_snippet.project.team << [current_user, :developer] }
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'auditor user' do
let(:current_user) { create(:user, :auditor) }
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'admin user' do
let(:current_user) { create(:user, :admin) }
it do
is_expected.to include(:read_project_snippet)
is_expected.to include(*author_permissions)
end
end
end
end
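Review bot: The 'auditor user' context appears only under 'private snippet'; the public and internal contexts have no auditor case, so nothing verifies that an auditor is limited to `:read_project_snippet` and denied `*author_permissions` on those visibilities. Add the same context under 'public snippet' and 'internal snippet', or turn it into a shared example taken in all three. `let(:current_user) { create(:user) }` is also repeated in every regular-user, author and team-member context and could be a single top-level `let`, as the NamespacePolicy spec in this commit does.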