Add BlobPolicy and WikiPagePolicy

Link ActiveModel Blob classes to policy

Add BlobPolicy and WikiPagePolicy
Link ActiveModel Blob classes to policy
ae5801be · Mark Chao · 213fa449 · ae5801be · ae5801be · ae5801be
Commit ae5801be authored Dec 10, 2019 by Mark Chao
10 changed files
--- a/app/models/blob.rb
+++ b/app/models/blob.rb
@@ -4,6 +4,7 @@
 class Blob < SimpleDelegator
  include Presentable
  include BlobLanguageFromGitAttributes
+  include BlobActiveModel

  CACHE_TIME = 60 # Cache raw blobs referred to by a (mutable) ref for 1 minute
  CACHE_TIME_IMMUTABLE = 3600 # Cache blobs referred to by an immutable reference for 1 hour

--- a/app/models/concerns/blob_active_model.rb
+++ b/app/models/concerns/blob_active_model.rb
+# frozen_string_literal: true
+
+# To be included in blob classes which are to be
+# treated as ActiveModel.
+#
+# The blob class must respond_to `project`
+module BlobActiveModel
+  extend ActiveSupport::Concern
+
+  class_methods do
+    def declarative_policy_class
+      'BlobPolicy'
+    end
+  end
+
+  def to_ability_name
+    'blob'
+  end
+end
--- a/app/models/readme_blob.rb
+++ b/app/models/readme_blob.rb
 # frozen_string_literal: true

 class ReadmeBlob < SimpleDelegator
+  include BlobActiveModel
+
  attr_reader :repository

  def initialize(blob, repository)

--- a/app/models/wiki_page.rb
+++ b/app/models/wiki_page.rb
@@ -274,6 +274,10 @@ class WikiPage
    @attributes.merge!(attrs)
  end

+  def to_ability_name
+    'wiki_page'
+  end
+
  private

  # Process and format the title based on the user input.

--- a/app/policies/blob_policy.rb
+++ b/app/policies/blob_policy.rb
+# frozen_string_literal: true
+
+class BlobPolicy < BasePolicy
+  delegate { @subject.project }
+
+  rule { can?(:download_code) }.enable :read_blob
+end
--- a/app/policies/wiki_page_policy.rb
+++ b/app/policies/wiki_page_policy.rb
+# frozen_string_literal: true
+
+class WikiPagePolicy < BasePolicy
+  delegate { @subject.wiki.project }
+
+  rule { can?(:read_wiki) }.enable :read_wiki_page
+end
--- a/spec/models/blob_spec.rb
+++ b/spec/models/blob_spec.rb
@@ -421,4 +421,21 @@ describe Blob do
      end
    end
  end
+
+  describe 'policy' do
+    let(:project) { build(:project) }
+    subject { described_class.new(fake_blob(path: 'foo'), project) }
+
+    it 'works with policy' do
+      expect(Ability.allowed?(project.creator, :read_blob, subject)).to be_truthy
+    end
+
+    context 'when project is nil' do
+      subject { described_class.new(fake_blob(path: 'foo')) }
+
+      it 'does not err' do
+        expect(Ability.allowed?(project.creator, :read_blob, subject)).to be_falsey
+      end
+    end
+  end
 end
--- a/spec/models/readme_blob_spec.rb
+++ b/spec/models/readme_blob_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ReadmeBlob do
+  include FakeBlobHelpers
+
+  describe 'policy' do
+    let(:project) { build(:project, :repository) }
+    subject { described_class.new(fake_blob(path: 'README.md'), project.repository) }
+
+    it 'works with policy' do
+      expect(Ability.allowed?(project.creator, :read_blob, subject)).to be_truthy
+    end
+  end
+end
--- a/spec/policies/blob_policy_spec.rb
+++ b/spec/policies/blob_policy_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe BlobPolicy do
+  include_context 'ProjectPolicyTable context'
+  include ProjectHelpers
+  using RSpec::Parameterized::TableSyntax
+
+  let(:project) { create(:project, :repository, project_level) }
+  let(:user) { create_user_from_membership(project, membership) }
+  let(:blob) { project.repository.blob_at(SeedRepo::FirstCommit::ID, 'README.md') }
+
+  subject(:policy) { described_class.new(user, blob) }
+
+  where(:project_level, :feature_access_level, :membership, :expected_count) do
+    permission_table_for_guest_feature_access_and_non_private_project_only
+  end
+
+  with_them do
+    it "grants permission" do
+      update_feature_access_level(project, feature_access_level)
+
+      if expected_count == 1
+        expect(policy).to be_allowed(:read_blob)
+      else
+        expect(policy).to be_disallowed(:read_blob)
+      end
+    end
+  end
+end
--- a/spec/policies/wiki_page_policy_spec.rb
+++ b/spec/policies/wiki_page_policy_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe WikiPagePolicy do
+  include_context 'ProjectPolicyTable context'
+  include ProjectHelpers
+  using RSpec::Parameterized::TableSyntax
+
+  let(:project) { create(:project, :wiki_repo, project_level) }
+  let(:user) { create_user_from_membership(project, membership) }
+  let(:wiki_page) { create(:wiki_page, wiki: project.wiki) }
+
+  subject(:policy) { described_class.new(user, wiki_page) }
+
+  where(:project_level, :feature_access_level, :membership, :expected_count) do
+    permission_table_for_guest_feature_access
+  end
+
+  with_them do
+    it "grants permission" do
+      update_feature_access_level(project, feature_access_level)
+
+      if expected_count == 1
+        expect(policy).to be_allowed(:read_wiki_page)
+      else
+        expect(policy).to be_disallowed(:read_wiki_page)
+      end
+    end
+  end
+end