Commit c70a6991 authored by Serena Fang's avatar Serena Fang

Add specs for read and destroy tokens

parent 11d2b257
...@@ -644,6 +644,10 @@ class ProjectPolicy < BasePolicy ...@@ -644,6 +644,10 @@ class ProjectPolicy < BasePolicy
enable :create_resource_access_tokens enable :create_resource_access_tokens
end end
rule { can?(:project_bot_access) }.policy do
prevent :create_resource_access_tokens
end
rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
enable :set_pipeline_variables enable :set_pipeline_variables
end end
......
...@@ -18,6 +18,34 @@ RSpec.shared_examples 'Self-managed Core resource access tokens' do ...@@ -18,6 +18,34 @@ RSpec.shared_examples 'Self-managed Core resource access tokens' do
it { is_expected.not_to be_allowed(:create_resource_access_tokens) } it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
end end
end end
context 'read resource access tokens' do
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:read_resource_access_tokens) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:read_resource_access_tokens) }
end
end
context 'destroy resource access tokens' do
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:destroy_resource_access_tokens) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:destroy_resource_access_tokens) }
end
end
end end
RSpec.shared_examples 'GitLab.com Core resource access tokens' do RSpec.shared_examples 'GitLab.com Core resource access tokens' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment