Add approval rule policies

Only allow updating if user can update project/MR

Add approval rule policies
Only allow updating if user can update project/MR
ccd8cb79 · Mark Chao · 08a35292 · ccd8cb79 · ccd8cb79 · ccd8cb79
Commit ccd8cb79 authored Jan 25, 2019 by Mark Chao
4 changed files
--- a/ee/app/policies/approval_merge_request_rule_policy.rb
+++ b/ee/app/policies/approval_merge_request_rule_policy.rb
+# frozen_string_literal: true
+
+class ApprovalMergeRequestRulePolicy < BasePolicy
+  delegate { @subject.merge_request }
+
+  condition(:editable) do
+    can?(:update_merge_request, @subject.merge_request)
+  end
+
+  rule { editable }.enable :edit_approval_rule
+end
--- a/ee/app/policies/approval_project_rule_policy.rb
+++ b/ee/app/policies/approval_project_rule_policy.rb
+# frozen_string_literal: true
+
+class ApprovalProjectRulePolicy < BasePolicy
+  delegate { @subject.project }
+
+  condition(:editable) do
+    can?(:admin_project, @subject.project)
+  end
+
+  rule { editable }.enable :edit_approval_rule
+end
--- a/ee/spec/policies/approval_merge_request_rule_policy_spec.rb
+++ b/ee/spec/policies/approval_merge_request_rule_policy_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ApprovalMergeRequestRulePolicy do
+  let(:merge_request) { create(:merge_request) }
+  let!(:approval_rule) { create(:approval_merge_request_rule, merge_request: merge_request) }
+
+  def permissions(user, approval_rule)
+    described_class.new(user, approval_rule)
+  end
+
+  context 'when user can update merge request' do
+    it 'allows updating approval rule' do
+      expect(permissions(merge_request.author, approval_rule)).to be_allowed(:edit_approval_rule)
+    end
+  end
+
+  context 'when user cannot update merge request' do
+    it 'disallow updating approval rule' do
+      expect(permissions(create(:user), approval_rule)).to be_disallowed(:edit_approval_rule)
+    end
+  end
+end
--- a/ee/spec/policies/approval_project_rule_policy_spec.rb
+++ b/ee/spec/policies/approval_project_rule_policy_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ApprovalProjectRulePolicy do
+  let(:project) { create(:project) }
+  let!(:approval_rule) { create(:approval_project_rule, project: project) }
+
+  def permissions(user, approval_rule)
+    described_class.new(user, approval_rule)
+  end
+
+  context 'when user can admin project' do
+    it 'allows updating approval rule' do
+      expect(permissions(project.creator, approval_rule)).to be_allowed(:edit_approval_rule)
+    end
+  end
+
+  context 'when user cannot admin project' do
+    let(:user) { create(:user) }
+
+    before do
+      project.add_developer(user)
+    end
+
+    it 'disallow updating approval rule' do
+      expect(permissions(user, approval_rule)).to be_disallowed(:edit_approval_rule)
+    end
+  end
+end