Commit edf0b602 authored by Imre Farkas's avatar Imre Farkas

Merge branch 'chore/disable-admin-mode-in-services' into 'master'

[RUN AS-IF-FOSS] Migrate services specs to consider admin mode

See merge request gitlab-org/gitlab!45988
parents fe6dfe89 afacfadf
...@@ -602,7 +602,7 @@ class Project < ApplicationRecord ...@@ -602,7 +602,7 @@ class Project < ApplicationRecord
# Returns a collection of projects that is either public or visible to the # Returns a collection of projects that is either public or visible to the
# logged in user. # logged in user.
def self.public_or_visible_to_user(user = nil, min_access_level = nil) def self.public_or_visible_to_user(user = nil, min_access_level = nil)
min_access_level = nil if user&.admin? min_access_level = nil if user&.can_read_all_resources?
return public_to_user unless user return public_to_user unless user
...@@ -628,7 +628,7 @@ class Project < ApplicationRecord ...@@ -628,7 +628,7 @@ class Project < ApplicationRecord
def self.with_feature_available_for_user(feature, user) def self.with_feature_available_for_user(feature, user)
visible = [ProjectFeature::ENABLED, ProjectFeature::PUBLIC] visible = [ProjectFeature::ENABLED, ProjectFeature::PUBLIC]
if user&.admin? if user&.can_read_all_resources?
with_feature_enabled(feature) with_feature_enabled(feature)
elsif user elsif user
min_access_level = ProjectFeature.required_minimum_access_level(feature) min_access_level = ProjectFeature.required_minimum_access_level(feature)
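Review bot: The comment above `public_or_visible_to_user` still says only "public or visible to the logged in user" and does not mention that `min_access_level` is discarded when `can_read_all_resources?` is true. That predicate now decides a visibility bypass in both scopes (it is also the first branch of `with_feature_available_for_user`), so I would document it, e.g. `# min_access_level is ignored for users who can read all resources, not for every admin.` Both method bodies continue beyond what this page shows. A model-level spec covering the two scopes for an admin whose admin mode is off would also be useful; none is visible here.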
......
...@@ -72,6 +72,10 @@ module PolicyActor ...@@ -72,6 +72,10 @@ module PolicyActor
def try_obtain_ldap_lease def try_obtain_ldap_lease
nil nil
end end
def can_read_all_resources?
false
end
end end
PolicyActor.prepend_if_ee('EE::PolicyActor') PolicyActor.prepend_if_ee('EE::PolicyActor')
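Review bot: The new `can_read_all_resources?` has no comment saying that its `false` default is deliberate. The Project scopes changed on this page use this predicate to skip access-level filtering, so an actor that includes `PolicyActor` without overriding it must stay denied. I would add `# Fail closed: actors that do not override this never bypass visibility checks.` above the method. The module starts outside the hunk and the overriding definition (presumably on the user model) is not shown, so it is worth confirming that it consults admin mode rather than only `admin?`.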
---
title: Migrate services specs to consider admin mode
merge_request: 45988
author: Diego Louzán
type: other
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Ci::CompareSecurityReportsService do RSpec.describe Ci::CompareSecurityReportsService do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let(:current_user) { build(:user, :admin) } let(:current_user) { project.owner }
def collect_ids(collection) def collect_ids(collection)
collection.map { |t| t['identifiers'].first['external_id'] } collection.map { |t| t['identifiers'].first['external_id'] }
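Review bot: Switching `let(:current_user)` from an admin to `project.owner` removes the only admin actor from this spec, so nothing here checks what the service does for an admin whose admin mode is off. The same applies to both Ci::CreatePipelineService specs below (`let_it_be(:user) { project.owner }` and `let(:user) { project.owner }`). I would keep one context per service with an admin `current_user` and no `:enable_admin_mode` tag, asserting the denied or reduced result, so a regression to a plain `admin?` check would be caught. The describe block continues beyond this section, so such a case may already exist outside what is shown.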
......
...@@ -6,7 +6,7 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -6,7 +6,7 @@ RSpec.describe Ci::CreatePipelineService do
subject(:execute) { service.execute(:push) } subject(:execute) { service.execute(:push) }
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { create(:admin) } let_it_be(:user) { project.owner }
let(:service) do let(:service) do
described_class.new(project, user, { ref: 'refs/heads/master' }) described_class.new(project, user, { ref: 'refs/heads/master' })
...@@ -64,6 +64,10 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -64,6 +64,10 @@ RSpec.describe Ci::CreatePipelineService do
end end
shared_examples 'mixed artifacts definitions' do shared_examples 'mixed artifacts definitions' do
before do
other_project.add_developer(user)
end
let(:other_project) { create(:project, :repository) } let(:other_project) { create(:project, :repository) }
let(:other_pipeline) do let(:other_pipeline) do
......
...@@ -7,7 +7,7 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -7,7 +7,7 @@ RSpec.describe Ci::CreatePipelineService do
let_it_be(:downstream_project) { create(:project, name: 'project', namespace: create(:namespace, name: 'some')) } let_it_be(:downstream_project) { create(:project, name: 'project', namespace: create(:namespace, name: 'some')) }
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:user) { create(:admin) } let(:user) { project.owner }
let(:service) { described_class.new(project, user, { ref: 'refs/heads/master' }) } let(:service) { described_class.new(project, user, { ref: 'refs/heads/master' }) }
let(:config) do let(:config) do
...@@ -25,6 +25,7 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -25,6 +25,7 @@ RSpec.describe Ci::CreatePipelineService do
end end
before do before do
downstream_project.add_developer(user)
stub_ci_pipeline_yaml_file(config) stub_ci_pipeline_yaml_file(config)
end end
......
...@@ -12,6 +12,13 @@ RSpec.describe Users::DestroyService do ...@@ -12,6 +12,13 @@ RSpec.describe Users::DestroyService do
subject(:operation) { service.execute(user) } subject(:operation) { service.execute(user) }
context 'when admin mode is disabled' do
it 'raises access denied' do
expect { operation }.to raise_error(::Gitlab::Access::AccessDeniedError)
end
end
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns result' do it 'returns result' do
allow(user).to receive(:destroy).and_return(user) allow(user).to receive(:destroy).and_return(user)
...@@ -59,4 +66,5 @@ RSpec.describe Users::DestroyService do ...@@ -59,4 +66,5 @@ RSpec.describe Users::DestroyService do
end end
end end
end end
end
end end
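Review bot: The new 'when admin mode is disabled' example asserts only that `AccessDeniedError` is raised, not that the target user is still there afterwards. A service that raised after doing part of the work would therefore still pass. I would add a follow-up expectation such as `expect(User.exists?(user.id)).to be(true)`, assuming `user` is a persisted record (its definition is outside the hunk). The Licenses::DestroyService spec further down has the same gap in its 'raises not allowed error' example, where `expect(License.where(id: license.id)).to exist` would mirror the positive case.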
...@@ -10,13 +10,22 @@ RSpec.describe Users::UpdateService do ...@@ -10,13 +10,22 @@ RSpec.describe Users::UpdateService do
shared_examples_for 'a user can update the name' do shared_examples_for 'a user can update the name' do
it 'updates the name' do it 'updates the name' do
result = described_class.new(current_user, { user: user, name: 'New Name' }).execute! result = update_user_as(current_user, user, { user: user, name: 'New Name' })
expect(result).to be_truthy expect(result).to be_truthy
expect(user.name).to eq('New Name') expect(user.name).to eq('New Name')
end end
end end
shared_examples_for 'a user cannot update the name' do
it 'does not update the name' do
result = update_user_as(current_user, user, { name: 'New Name' })
expect(result).to be_truthy
expect(user.name).not_to eq('New Name')
end
end
context 'when `disable_name_update_for_users` feature is available' do context 'when `disable_name_update_for_users` feature is available' do
before do before do
stub_licensed_features(disable_name_update_for_users: true) stub_licensed_features(disable_name_update_for_users: true)
...@@ -31,10 +40,12 @@ RSpec.describe Users::UpdateService do ...@@ -31,10 +40,12 @@ RSpec.describe Users::UpdateService do
let(:current_user) { user } let(:current_user) { user }
end end
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'a user can update the name' do it_behaves_like 'a user can update the name' do
let(:current_user) { admin } let(:current_user) { admin }
end end
end end
end
context 'when the ability to update their name is disabled for users' do context 'when the ability to update their name is disabled for users' do
before do before do
...@@ -42,18 +53,23 @@ RSpec.describe Users::UpdateService do ...@@ -42,18 +53,23 @@ RSpec.describe Users::UpdateService do
end end
context 'as a regular user' do context 'as a regular user' do
it 'does not update the name' do it_behaves_like 'a user cannot update the name' do
result = update_user(user, name: 'New Name') let(:current_user) { user }
expect(result).to be_truthy
expect(user.name).not_to eq('New Name')
end end
end end
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'a user can update the name' do it_behaves_like 'a user can update the name' do
let(:current_user) { admin } let(:current_user) { admin }
end end
end end
context 'when admin mode is disabled' do
it_behaves_like 'a user cannot update the name' do
let(:current_user) { admin }
end
end
end
end end
context 'when `disable_name_update_for_users` feature is not available' do context 'when `disable_name_update_for_users` feature is not available' do
...@@ -65,10 +81,18 @@ RSpec.describe Users::UpdateService do ...@@ -65,10 +81,18 @@ RSpec.describe Users::UpdateService do
let(:current_user) { user } let(:current_user) { user }
end end
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'a user can update the name' do it_behaves_like 'a user can update the name' do
let(:current_user) { admin } let(:current_user) { admin }
end end
end end
context 'when admin mode is disabled' do
it_behaves_like 'a user cannot update the name' do
let(:current_user) { admin }
end
end
end
end end
context 'audit events' do context 'audit events' do
...@@ -84,7 +108,7 @@ RSpec.describe Users::UpdateService do ...@@ -84,7 +108,7 @@ RSpec.describe Users::UpdateService do
expected_message = "Changed username from #{previous_username} to #{new_username}" expected_message = "Changed username from #{previous_username} to #{new_username}"
expect do expect do
update_user(user, username: new_username) update_user_as_self(user, username: new_username)
end.to change { AuditEvent.count }.by(1) end.to change { AuditEvent.count }.by(1)
expect(AuditEvent.last.present.action).to eq(expected_message) expect(AuditEvent.last.present.action).to eq(expected_message)
...@@ -97,7 +121,7 @@ RSpec.describe Users::UpdateService do ...@@ -97,7 +121,7 @@ RSpec.describe Users::UpdateService do
allow(user).to receive(:group_managed_account?).and_return(true) allow(user).to receive(:group_managed_account?).and_return(true)
expect do expect do
update_user(user, { email: 'foreign@email' }) update_user_as_self(user, { email: 'foreign@email' })
end.not_to change { user.reload.email } end.not_to change { user.reload.email }
end end
...@@ -105,7 +129,7 @@ RSpec.describe Users::UpdateService do ...@@ -105,7 +129,7 @@ RSpec.describe Users::UpdateService do
allow(user).to receive(:group_managed_account?).and_return(true) allow(user).to receive(:group_managed_account?).and_return(true)
expect do expect do
update_user(user, { commit_email: 'foreign@email' }) update_user_as_self(user, { commit_email: 'foreign@email' })
end.not_to change { user.reload.commit_email } end.not_to change { user.reload.commit_email }
end end
...@@ -113,7 +137,7 @@ RSpec.describe Users::UpdateService do ...@@ -113,7 +137,7 @@ RSpec.describe Users::UpdateService do
allow(user).to receive(:group_managed_account?).and_return(true) allow(user).to receive(:group_managed_account?).and_return(true)
expect do expect do
update_user(user, { public_email: 'foreign@email' }) update_user_as_self(user, { public_email: 'foreign@email' })
end.not_to change { user.reload.public_email } end.not_to change { user.reload.public_email }
end end
...@@ -121,7 +145,7 @@ RSpec.describe Users::UpdateService do ...@@ -121,7 +145,7 @@ RSpec.describe Users::UpdateService do
allow(user).to receive(:group_managed_account?).and_return(true) allow(user).to receive(:group_managed_account?).and_return(true)
expect do expect do
update_user(user, { notification_email: 'foreign@email' }) update_user_as_self(user, { notification_email: 'foreign@email' })
end.not_to change { user.reload.notification_email } end.not_to change { user.reload.notification_email }
end end
...@@ -142,7 +166,7 @@ RSpec.describe Users::UpdateService do ...@@ -142,7 +166,7 @@ RSpec.describe Users::UpdateService do
end end
it 'adds identity to user' do it 'adds identity to user' do
result = update_user(user, params) result = update_user_as_self(user, params)
expect(result).to be true expect(result).to be true
expect(user.identities.last.saml_provider_id).to eq(provider.id) expect(user.identities.last.saml_provider_id).to eq(provider.id)
...@@ -152,8 +176,8 @@ RSpec.describe Users::UpdateService do ...@@ -152,8 +176,8 @@ RSpec.describe Users::UpdateService do
it 'adds two different identities to user' do it 'adds two different identities to user' do
second_provider = create(:saml_provider) second_provider = create(:saml_provider)
result_one = update_user(user, { extern_uid: 'uid', provider: 'group_saml', saml_provider_id: provider.id }) result_one = update_user_as_self(user, { extern_uid: 'uid', provider: 'group_saml', saml_provider_id: provider.id })
result_two = update_user(user, { extern_uid: 'uid2', provider: 'group_saml', group_id_for_saml: second_provider.group.id } ) result_two = update_user_as_self(user, { extern_uid: 'uid2', provider: 'group_saml', group_id_for_saml: second_provider.group.id } )
expect(result_one).to be true expect(result_one).to be true
expect(result_two).to be true expect(result_two).to be true
...@@ -165,8 +189,12 @@ RSpec.describe Users::UpdateService do ...@@ -165,8 +189,12 @@ RSpec.describe Users::UpdateService do
end end
end end
def update_user(user, opts) def update_user_as(current_user, user, opts)
described_class.new(user, opts.merge(user: user)).execute! described_class.new(current_user, opts.merge(user: user)).execute!
end
def update_user_as_self(user, opts)
update_user_as(user, user, opts)
end end
end end
end end
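Review bot: The shared example 'a user cannot update the name' expects `result` to be truthy, so for an admin with admin mode off a rejected change to another user's name is reported as success, and the example pins only `name`. If ignoring the param silently is intended, a comment saying so would help, e.g. `# the service drops the name param rather than failing`. Whether other attributes are also protected for this caller is not visible on this page and deserves its own example. Checking `user.reload.name` would match the `user.reload.email` style used lower in the file and prove nothing was persisted. Separately, `{ user: user, name: 'New Name' }` in the positive example is redundant now that `update_user_as` merges `user: user` itself.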
...@@ -10,11 +10,19 @@ RSpec.describe Licenses::DestroyService do ...@@ -10,11 +10,19 @@ RSpec.describe Licenses::DestroyService do
described_class.new(license, user).execute described_class.new(license, user).execute
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'destroys a license' do it 'destroys a license' do
destroy_with(user) destroy_with(user)
expect(License.where(id: license.id)).not_to exist expect(License.where(id: license.id)).not_to exist
end end
end
context 'when admin mode is disabled' do
it 'raises not allowed error' do
expect { destroy_with(user) }.to raise_error(::Gitlab::Access::AccessDeniedError)
end
end
it 'raises an error if license is nil' do it 'raises an error if license is nil' do
expect { described_class.new(nil, user).execute }.to raise_error ActiveRecord::RecordNotFound expect { described_class.new(nil, user).execute }.to raise_error ActiveRecord::RecordNotFound
......
...@@ -29,12 +29,13 @@ RSpec.describe Search::GlobalService do ...@@ -29,12 +29,13 @@ RSpec.describe Search::GlobalService do
let!(:merge_request) { create :merge_request, target_project: project, source_project: project } let!(:merge_request) { create :merge_request, target_project: project, source_project: project }
let!(:note) { create :note, project: project, noteable: merge_request } let!(:note) { create :note, project: project, noteable: merge_request }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_reporter_feature_access permission_table_for_reporter_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
ensure_elasticsearch_index! ensure_elasticsearch_index!
...@@ -53,12 +54,13 @@ RSpec.describe Search::GlobalService do ...@@ -53,12 +54,13 @@ RSpec.describe Search::GlobalService do
let!(:project) { create(:project, project_level, :repository, namespace: group ) } let!(:project) { create(:project, project_level, :repository, namespace: group ) }
let!(:note) { create :note_on_commit, project: project } let!(:note) { create :note_on_commit, project: project }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access_and_non_private_project_only permission_table_for_guest_feature_access_and_non_private_project_only
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
ElasticCommitIndexerWorker.new.perform(project.id) ElasticCommitIndexerWorker.new.perform(project.id)
ensure_elasticsearch_index! ensure_elasticsearch_index!
...@@ -85,12 +87,13 @@ RSpec.describe Search::GlobalService do ...@@ -85,12 +87,13 @@ RSpec.describe Search::GlobalService do
let!(:issue) { create :issue, project: project } let!(:issue) { create :issue, project: project }
let!(:note) { create :note, project: project, noteable: issue } let!(:note) { create :note, project: project, noteable: issue }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
ensure_elasticsearch_index! ensure_elasticsearch_index!
...@@ -143,12 +146,13 @@ RSpec.describe Search::GlobalService do ...@@ -143,12 +146,13 @@ RSpec.describe Search::GlobalService do
context 'wiki' do context 'wiki' do
let!(:project) { create(:project, project_level, :wiki_repo) } let!(:project) { create(:project, project_level, :wiki_repo) }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
project.wiki.create_page('test.md', '# term') project.wiki.create_page('test.md', '# term')
project.wiki.index_wiki_blobs project.wiki.index_wiki_blobs
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
...@@ -164,12 +168,13 @@ RSpec.describe Search::GlobalService do ...@@ -164,12 +168,13 @@ RSpec.describe Search::GlobalService do
context 'milestone' do context 'milestone' do
let!(:milestone) { create :milestone, project: project } let!(:milestone) { create :milestone, project: project }
where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :expected_count) do where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_milestone_access permission_table_for_milestone_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
project.update!( project.update!(
'issues_access_level' => issues_access_level, 'issues_access_level' => issues_access_level,
'merge_requests_access_level' => merge_requests_access_level 'merge_requests_access_level' => merge_requests_access_level
...@@ -261,11 +266,19 @@ RSpec.describe Search::GlobalService do ...@@ -261,11 +266,19 @@ RSpec.describe Search::GlobalService do
context 'when the user is an admin' do context 'when the user is an admin' do
let(:user) { admin } let(:user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns :any' do it 'returns :any' do
expect(elastic_projects).to eq(:any) expect(elastic_projects).to eq(:any)
end end
end end
context 'when admin mode is disabled' do
it 'returns empty array' do
expect(elastic_projects).to eq([])
end
end
end
context 'when the user is not an admin' do context 'when the user is not an admin' do
let(:user) { non_admin_user } let(:user) { non_admin_user }
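Review bot: `enable_admin_mode!(user) if admin_mode` is repeated as the first statement of all five 'respects visibility' examples in this file, and again in the Search::GroupService and Search::ProjectService specs below. It is setup rather than part of what each example exercises, so I would move it into `before { enable_admin_mode!(user) if admin_mode }` inside each `with_them` block, or into one shared context. A table added later then cannot forget the call and silently run its admin rows without admin mode. The permission tables come from helpers not shown on this page, so confirm each one now yields the `:admin_mode` column in the position the `where` lists expect.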
......
...@@ -81,12 +81,13 @@ RSpec.describe Search::GroupService, :elastic do ...@@ -81,12 +81,13 @@ RSpec.describe Search::GroupService, :elastic do
let!(:note) { create :note, project: project, noteable: merge_request } let!(:note) { create :note, project: project, noteable: merge_request }
let!(:note2) { create :note, project: project2, noteable: merge_request2, note: note.note } let!(:note2) { create :note, project: project2, noteable: merge_request2, note: note.note }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_reporter_feature_access permission_table_for_reporter_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
[project, project2].each do |project| [project, project2].each do |project|
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
end end
...@@ -107,12 +108,13 @@ RSpec.describe Search::GroupService, :elastic do ...@@ -107,12 +108,13 @@ RSpec.describe Search::GroupService, :elastic do
let!(:project) { create(:project, project_level, :repository, namespace: group ) } let!(:project) { create(:project, project_level, :repository, namespace: group ) }
let!(:note) { create :note_on_commit, project: project } let!(:note) { create :note_on_commit, project: project }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access_and_non_private_project_only permission_table_for_guest_feature_access_and_non_private_project_only
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
[project, project2].each do |project| [project, project2].each do |project|
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
ElasticCommitIndexerWorker.new.perform(project.id) ElasticCommitIndexerWorker.new.perform(project.id)
...@@ -141,12 +143,13 @@ RSpec.describe Search::GroupService, :elastic do ...@@ -141,12 +143,13 @@ RSpec.describe Search::GroupService, :elastic do
let!(:note) { create :note, project: project, noteable: issue } let!(:note) { create :note, project: project, noteable: issue }
let!(:note2) { create :note, project: project2, noteable: issue2, note: note.note } let!(:note2) { create :note, project: project2, noteable: issue2, note: note.note }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
[project, project2].each do |project| [project, project2].each do |project|
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
end end
...@@ -166,12 +169,13 @@ RSpec.describe Search::GroupService, :elastic do ...@@ -166,12 +169,13 @@ RSpec.describe Search::GroupService, :elastic do
context 'wiki' do context 'wiki' do
let!(:project) { create(:project, project_level, :wiki_repo) } let!(:project) { create(:project, project_level, :wiki_repo) }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
project.wiki.create_page('test.md', '# term') project.wiki.create_page('test.md', '# term')
project.wiki.index_wiki_blobs project.wiki.index_wiki_blobs
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
...@@ -187,12 +191,13 @@ RSpec.describe Search::GroupService, :elastic do ...@@ -187,12 +191,13 @@ RSpec.describe Search::GroupService, :elastic do
context 'milestone' do context 'milestone' do
let!(:milestone) { create :milestone, project: project } let!(:milestone) { create :milestone, project: project }
where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :expected_count) do where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_milestone_access permission_table_for_milestone_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
project.update!( project.update!(
'issues_access_level' => issues_access_level, 'issues_access_level' => issues_access_level,
'merge_requests_access_level' => merge_requests_access_level 'merge_requests_access_level' => merge_requests_access_level
......
...@@ -48,12 +48,13 @@ RSpec.describe Search::ProjectService do ...@@ -48,12 +48,13 @@ RSpec.describe Search::ProjectService do
let!(:note) { create :note, project: project, noteable: merge_request } let!(:note) { create :note, project: project, noteable: merge_request }
let!(:note2) { create :note, project: project2, noteable: merge_request2, note: note.note } let!(:note2) { create :note, project: project2, noteable: merge_request2, note: note.note }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_reporter_feature_access permission_table_for_reporter_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
[project, project2].each do |project| [project, project2].each do |project|
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
end end
...@@ -76,12 +77,13 @@ RSpec.describe Search::ProjectService do ...@@ -76,12 +77,13 @@ RSpec.describe Search::ProjectService do
let!(:note) { create :note_on_commit, project: project } let!(:note) { create :note_on_commit, project: project }
let!(:note2) { create :note_on_commit, project: project2, note: note.note } let!(:note2) { create :note_on_commit, project: project2, note: note.note }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access_and_non_private_project_only permission_table_for_guest_feature_access_and_non_private_project_only
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
[project, project2].each do |project| [project, project2].each do |project|
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
ElasticCommitIndexerWorker.new.perform(project.id) ElasticCommitIndexerWorker.new.perform(project.id)
...@@ -109,12 +111,13 @@ RSpec.describe Search::ProjectService do ...@@ -109,12 +111,13 @@ RSpec.describe Search::ProjectService do
let!(:note) { create :note, project: project, noteable: issue } let!(:note) { create :note, project: project, noteable: issue }
let!(:note2) { create :note, project: project2, noteable: issue2, note: note.note } let!(:note2) { create :note, project: project2, noteable: issue2, note: note.note }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
[project, project2].each do |project| [project, project2].each do |project|
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
end end
...@@ -134,12 +137,13 @@ RSpec.describe Search::ProjectService do ...@@ -134,12 +137,13 @@ RSpec.describe Search::ProjectService do
context 'wiki' do context 'wiki' do
let!(:project) { create(:project, project_level, :wiki_repo) } let!(:project) { create(:project, project_level, :wiki_repo) }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
project.wiki.create_page('test.md', '# term') project.wiki.create_page('test.md', '# term')
project.wiki.index_wiki_blobs project.wiki.index_wiki_blobs
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
...@@ -155,12 +159,13 @@ RSpec.describe Search::ProjectService do ...@@ -155,12 +159,13 @@ RSpec.describe Search::ProjectService do
context 'milestone' do context 'milestone' do
let!(:milestone) { create :milestone, project: project } let!(:milestone) { create :milestone, project: project }
where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :expected_count) do where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_milestone_access permission_table_for_milestone_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
project.update!( project.update!(
'issues_access_level' => issues_access_level, 'issues_access_level' => issues_access_level,
'merge_requests_access_level' => merge_requests_access_level 'merge_requests_access_level' => merge_requests_access_level
......
...@@ -5,6 +5,7 @@ require 'spec_helper' ...@@ -5,6 +5,7 @@ require 'spec_helper'
RSpec.describe Search::SnippetService do RSpec.describe Search::SnippetService do
include SearchResultHelpers include SearchResultHelpers
include ProjectHelpers include ProjectHelpers
include AdminModeHelper
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
it_behaves_like 'EE search service shared examples', ::Gitlab::SnippetSearchResults, ::Gitlab::Elastic::SnippetSearchResults do it_behaves_like 'EE search service shared examples', ::Gitlab::SnippetSearchResults, ::Gitlab::Elastic::SnippetSearchResults do
...@@ -32,11 +33,20 @@ RSpec.describe Search::SnippetService do ...@@ -32,11 +33,20 @@ RSpec.describe Search::SnippetService do
context 'project snippet' do context 'project snippet' do
let(:pendings) do let(:pendings) do
# TODO: Ignore some spec cases, non-members regular users or non-member admins without admin mode should see snippets if:
# - feature access level is enabled, and
# - project access level is public or internal, and
# - snippet access level is equal or more open than the project access level
# See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45988#note_436009204
[ [
{ snippet_level: :public, project_level: :public, feature_access_level: :enabled, membership: :non_member, expected_count: 1 }, { snippet_level: :public, project_level: :public, feature_access_level: :enabled, membership: :admin, admin_mode: false, expected_count: 1 },
{ snippet_level: :public, project_level: :internal, feature_access_level: :enabled, membership: :non_member, expected_count: 1 }, { snippet_level: :public, project_level: :internal, feature_access_level: :enabled, membership: :admin, admin_mode: false, expected_count: 1 },
{ snippet_level: :internal, project_level: :public, feature_access_level: :enabled, membership: :non_member, expected_count: 1 }, { snippet_level: :internal, project_level: :public, feature_access_level: :enabled, membership: :admin, admin_mode: false, expected_count: 1 },
{ snippet_level: :internal, project_level: :internal, feature_access_level: :enabled, membership: :non_member, expected_count: 1 } { snippet_level: :internal, project_level: :internal, feature_access_level: :enabled, membership: :admin, admin_mode: false, expected_count: 1 },
{ snippet_level: :public, project_level: :public, feature_access_level: :enabled, membership: :non_member, admin_mode: nil, expected_count: 1 },
{ snippet_level: :public, project_level: :internal, feature_access_level: :enabled, membership: :non_member, admin_mode: nil, expected_count: 1 },
{ snippet_level: :internal, project_level: :public, feature_access_level: :enabled, membership: :non_member, admin_mode: nil, expected_count: 1 },
{ snippet_level: :internal, project_level: :internal, feature_access_level: :enabled, membership: :non_member, admin_mode: nil, expected_count: 1 }
] ]
end end
...@@ -47,6 +57,7 @@ RSpec.describe Search::SnippetService do ...@@ -47,6 +57,7 @@ RSpec.describe Search::SnippetService do
project_level: project_level, project_level: project_level,
feature_access_level: feature_access_level, feature_access_level: feature_access_level,
membership: membership, membership: membership,
admin_mode: admin_mode,
expected_count: expected_count expected_count: expected_count
} }
) )
...@@ -62,7 +73,7 @@ RSpec.describe Search::SnippetService do ...@@ -62,7 +73,7 @@ RSpec.describe Search::SnippetService do
let_it_be(:snippet) { create(:project_snippet, :public, project: project, author: snippet_author, title: 'foobar') } let_it_be(:snippet) { create(:project_snippet, :public, project: project, author: snippet_author, title: 'foobar') }
where(:snippet_level, :project_level, :feature_access_level, :membership, :expected_count) do where(:snippet_level, :project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_project_snippet_access permission_table_for_project_snippet_access
end end
...@@ -75,6 +86,7 @@ RSpec.describe Search::SnippetService do ...@@ -75,6 +86,7 @@ RSpec.describe Search::SnippetService do
expected_objects = expected_count == 0 ? [] : [snippet] expected_objects = expected_count == 0 ? [] : [snippet]
search_user = user_from_membership(membership) search_user = user_from_membership(membership)
enable_admin_mode!(search_user) if admin_mode
expect_search_results(search_user, 'snippet_titles', expected_objects: expected_objects, pending: pending?) do |user| expect_search_results(search_user, 'snippet_titles', expected_objects: expected_objects, pending: pending?) do |user|
described_class.new(user, search: snippet.title).execute described_class.new(user, search: snippet.title).execute
...@@ -98,7 +110,7 @@ RSpec.describe Search::SnippetService do ...@@ -98,7 +110,7 @@ RSpec.describe Search::SnippetService do
let(:snippet) { snippets[snippet_level] } let(:snippet) { snippets[snippet_level] }
where(:snippet_level, :membership, :expected_count) do where(:snippet_level, :membership, :admin_mode, :expected_count) do
permission_table_for_personal_snippet_access permission_table_for_personal_snippet_access
end end
...@@ -111,6 +123,7 @@ RSpec.describe Search::SnippetService do ...@@ -111,6 +123,7 @@ RSpec.describe Search::SnippetService do
expected_objects = expected_count == 0 ? [] : [snippet] expected_objects = expected_count == 0 ? [] : [snippet]
search_user = user_from_membership(membership) search_user = user_from_membership(membership)
enable_admin_mode!(search_user) if admin_mode
expect_search_results(search_user, 'snippet_titles', expected_objects: expected_objects) do |user| expect_search_results(search_user, 'snippet_titles', expected_objects: expected_objects) do |user|
described_class.new(user, search: snippet.title).execute described_class.new(user, search: snippet.title).execute
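Review bot: The TODO above `pendings` lists which cases are skipped but not how they fail today. Every listed row has `expected_count: 1`, so the service presumably returns nothing for these users, which is over-restrictive rather than an exposure. I would say so in the comment once confirmed, for example `# These currently return no results (over-restrictive); nothing private is exposed.` The reference is a merge request note, so a link to a tracking issue would be easier to find later.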
......
...@@ -51,7 +51,12 @@ RSpec.describe Vulnerabilities::ConfirmService do ...@@ -51,7 +51,12 @@ RSpec.describe Vulnerabilities::ConfirmService do
end end
describe 'permissions' do describe 'permissions' do
context 'when admin mode is enabled', :enable_admin_mode do
it { expect { confirm_vulnerability }.to be_allowed_for(:admin) } it { expect { confirm_vulnerability }.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { expect { confirm_vulnerability }.to be_denied_for(:admin) }
end
it { expect { confirm_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { confirm_vulnerability }.to be_allowed_for(:owner).of(project) }
it { expect { confirm_vulnerability }.to be_allowed_for(:maintainer).of(project) } it { expect { confirm_vulnerability }.to be_allowed_for(:maintainer).of(project) }
it { expect { confirm_vulnerability }.to be_allowed_for(:developer).of(project) } it { expect { confirm_vulnerability }.to be_allowed_for(:developer).of(project) }
......
...@@ -103,7 +103,12 @@ RSpec.describe Vulnerabilities::DismissService do ...@@ -103,7 +103,12 @@ RSpec.describe Vulnerabilities::DismissService do
end end
describe 'permissions' do describe 'permissions' do
context 'when admin mode is enabled', :enable_admin_mode do
it { expect { dismiss_vulnerability }.to be_allowed_for(:admin) } it { expect { dismiss_vulnerability }.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { expect { dismiss_vulnerability }.to be_denied_for(:admin) }
end
it { expect { dismiss_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { dismiss_vulnerability }.to be_allowed_for(:owner).of(project) }
it { expect { dismiss_vulnerability }.to be_allowed_for(:maintainer).of(project) } it { expect { dismiss_vulnerability }.to be_allowed_for(:maintainer).of(project) }
it { expect { dismiss_vulnerability }.to be_allowed_for(:developer).of(project) } it { expect { dismiss_vulnerability }.to be_allowed_for(:developer).of(project) }
......
...@@ -51,7 +51,12 @@ RSpec.describe Vulnerabilities::ResolveService do ...@@ -51,7 +51,12 @@ RSpec.describe Vulnerabilities::ResolveService do
end end
describe 'permissions' do describe 'permissions' do
context 'when admin mode is enabled', :enable_admin_mode do
it { expect { resolve_vulnerability }.to be_allowed_for(:admin) } it { expect { resolve_vulnerability }.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { expect { resolve_vulnerability }.to be_denied_for(:admin) }
end
it { expect { resolve_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { resolve_vulnerability }.to be_allowed_for(:owner).of(project) }
it { expect { resolve_vulnerability }.to be_allowed_for(:maintainer).of(project) } it { expect { resolve_vulnerability }.to be_allowed_for(:maintainer).of(project) }
it { expect { resolve_vulnerability }.to be_allowed_for(:developer).of(project) } it { expect { resolve_vulnerability }.to be_allowed_for(:developer).of(project) }
......
...@@ -71,7 +71,12 @@ RSpec.describe Vulnerabilities::RevertToDetectedService do ...@@ -71,7 +71,12 @@ RSpec.describe Vulnerabilities::RevertToDetectedService do
end end
describe 'permissions' do describe 'permissions' do
context 'when admin mode is enabled', :enable_admin_mode do
it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:admin) } it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { expect { revert_vulnerability_to_detected }.to be_denied_for(:admin) }
end
it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:owner).of(project) } it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:owner).of(project) }
it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:maintainer).of(project) } it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:maintainer).of(project) }
it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:developer).of(project) } it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:developer).of(project) }
......
...@@ -117,7 +117,12 @@ RSpec.describe VulnerabilityIssueLinks::CreateService do ...@@ -117,7 +117,12 @@ RSpec.describe VulnerabilityIssueLinks::CreateService do
end end
describe 'permissions' do describe 'permissions' do
context 'when admin mode enabled', :enable_admin_mode do
it { expect { create_issue_link }.to be_allowed_for(:admin) } it { expect { create_issue_link }.to be_allowed_for(:admin) }
end
context 'when admin mode disabled' do
it { expect { create_issue_link }.to be_denied_for(:admin) }
end
it { expect { create_issue_link }.to be_allowed_for(:owner).of(project) } it { expect { create_issue_link }.to be_allowed_for(:owner).of(project) }
it { expect { create_issue_link }.to be_allowed_for(:maintainer).of(project) } it { expect { create_issue_link }.to be_allowed_for(:maintainer).of(project) }
it { expect { create_issue_link }.to be_allowed_for(:developer).of(project) } it { expect { create_issue_link }.to be_allowed_for(:developer).of(project) }
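Review bot: The two new context names in this spec read 'when admin mode enabled' and 'when admin mode disabled'. The five sibling vulnerability specs changed in this commit use 'when admin mode is enabled' and 'when admin mode is disabled'. I would align them: `context 'when admin mode is enabled', :enable_admin_mode do` and `context 'when admin mode is disabled' do`. The `describe 'permissions'` block continues past the visible lines.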
......
...@@ -46,7 +46,12 @@ RSpec.describe VulnerabilityIssueLinks::DeleteService do ...@@ -46,7 +46,12 @@ RSpec.describe VulnerabilityIssueLinks::DeleteService do
end end
describe 'permissions' do describe 'permissions' do
context 'when admin mode is enabled', :enable_admin_mode do
it { expect { delete_issue_link }.to be_allowed_for(:admin) } it { expect { delete_issue_link }.to be_allowed_for(:admin) }
end
context 'when admin mode is disabled' do
it { expect { delete_issue_link }.to be_denied_for(:admin) }
end
it { expect { delete_issue_link }.to be_allowed_for(:owner).of(project) } it { expect { delete_issue_link }.to be_allowed_for(:owner).of(project) }
it { expect { delete_issue_link }.to be_allowed_for(:maintainer).of(project) } it { expect { delete_issue_link }.to be_allowed_for(:maintainer).of(project) }
it { expect { delete_issue_link }.to be_allowed_for(:developer).of(project) } it { expect { delete_issue_link }.to be_allowed_for(:developer).of(project) }
......
...@@ -5,6 +5,7 @@ require 'spec_helper' ...@@ -5,6 +5,7 @@ require 'spec_helper'
RSpec.describe Gitlab::GitAccessSnippet do RSpec.describe Gitlab::GitAccessSnippet do
include ProjectHelpers include ProjectHelpers
include TermsHelper include TermsHelper
include AdminModeHelper
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
...@@ -207,12 +208,13 @@ RSpec.describe Gitlab::GitAccessSnippet do ...@@ -207,12 +208,13 @@ RSpec.describe Gitlab::GitAccessSnippet do
let(:snippet) { create(:personal_snippet, snippet_level, :repository) } let(:snippet) { create(:personal_snippet, snippet_level, :repository) }
let(:user) { membership == :author ? snippet.author : create_user_from_membership(nil, membership) } let(:user) { membership == :author ? snippet.author : create_user_from_membership(nil, membership) }
where(:snippet_level, :membership, :_expected_count) do where(:snippet_level, :membership, :admin_mode, :_expected_count) do
permission_table_for_personal_snippet_access permission_table_for_personal_snippet_access
end end
with_them do with_them do
it "respects accessibility" do it "respects accessibility" do
enable_admin_mode!(user) if admin_mode
error_class = described_class::ForbiddenError error_class = described_class::ForbiddenError
if Ability.allowed?(user, :update_snippet, snippet) if Ability.allowed?(user, :update_snippet, snippet)
......
...@@ -3996,10 +3996,18 @@ RSpec.describe Project, factory_default: :keep do ...@@ -3996,10 +3996,18 @@ RSpec.describe Project, factory_default: :keep do
context 'when feature is private' do context 'when feature is private' do
let(:project) { create(:project, :public, :merge_requests_private) } let(:project) { create(:project, :public, :merge_requests_private) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns projects with the project feature private' do it 'returns projects with the project feature private' do
is_expected.to include(project) is_expected.to include(project)
end end
end end
context 'when admin mode is disabled' do
it 'does not return projects with the project feature private' do
is_expected.not_to include(project)
end
end
end
end end
context 'without user' do context 'without user' do
...@@ -4020,7 +4028,7 @@ RSpec.describe Project, factory_default: :keep do ...@@ -4020,7 +4028,7 @@ RSpec.describe Project, factory_default: :keep do
end end
end end
describe '.filter_by_feature_visibility', :enable_admin_mode do describe '.filter_by_feature_visibility' do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
...@@ -4032,12 +4040,13 @@ RSpec.describe Project, factory_default: :keep do ...@@ -4032,12 +4040,13 @@ RSpec.describe Project, factory_default: :keep do
context 'reporter level access' do context 'reporter level access' do
let(:feature) { MergeRequest } let(:feature) { MergeRequest }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_reporter_feature_access permission_table_for_reporter_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
expected_objects = expected_count == 1 ? [project] : [] expected_objects = expected_count == 1 ? [project] : []
...@@ -4052,12 +4061,13 @@ RSpec.describe Project, factory_default: :keep do ...@@ -4052,12 +4061,13 @@ RSpec.describe Project, factory_default: :keep do
context 'issues' do context 'issues' do
let(:feature) { Issue } let(:feature) { Issue }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
expected_objects = expected_count == 1 ? [project] : [] expected_objects = expected_count == 1 ? [project] : []
...@@ -4072,12 +4082,13 @@ RSpec.describe Project, factory_default: :keep do ...@@ -4072,12 +4082,13 @@ RSpec.describe Project, factory_default: :keep do
context 'wiki' do context 'wiki' do
let(:feature) { :wiki } let(:feature) { :wiki }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
expected_objects = expected_count == 1 ? [project] : [] expected_objects = expected_count == 1 ? [project] : []
...@@ -4092,12 +4103,13 @@ RSpec.describe Project, factory_default: :keep do ...@@ -4092,12 +4103,13 @@ RSpec.describe Project, factory_default: :keep do
context 'code' do context 'code' do
let(:feature) { :repository } let(:feature) { :repository }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access_and_non_private_project_only permission_table_for_guest_feature_access_and_non_private_project_only
end end
with_them do with_them do
it "respects visibility" do it "respects visibility" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
expected_objects = expected_count == 1 ? [project] : [] expected_objects = expected_count == 1 ? [project] : []
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe BlobPolicy, :enable_admin_mode do RSpec.describe BlobPolicy do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
...@@ -13,12 +13,13 @@ RSpec.describe BlobPolicy, :enable_admin_mode do ...@@ -13,12 +13,13 @@ RSpec.describe BlobPolicy, :enable_admin_mode do
subject(:policy) { described_class.new(user, blob) } subject(:policy) { described_class.new(user, blob) }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access_and_non_private_project_only permission_table_for_guest_feature_access_and_non_private_project_only
end end
with_them do with_them do
it "grants permission" do it "grants permission" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
if expected_count == 1 if expected_count == 1
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe WikiPagePolicy, :enable_admin_mode do RSpec.describe WikiPagePolicy do
include_context 'ProjectPolicyTable context' include_context 'ProjectPolicyTable context'
include ProjectHelpers include ProjectHelpers
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
...@@ -13,12 +13,13 @@ RSpec.describe WikiPagePolicy, :enable_admin_mode do ...@@ -13,12 +13,13 @@ RSpec.describe WikiPagePolicy, :enable_admin_mode do
subject(:policy) { described_class.new(user, wiki_page) } subject(:policy) { described_class.new(user, wiki_page) }
where(:project_level, :feature_access_level, :membership, :expected_count) do where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
permission_table_for_guest_feature_access permission_table_for_guest_feature_access
end end
with_them do with_them do
it "grants permission" do it "grants permission" do
enable_admin_mode!(user) if admin_mode
update_feature_access_level(project, feature_access_level) update_feature_access_level(project, feature_access_level)
if expected_count == 1 if expected_count == 1
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe Auth::ContainerRegistryAuthenticationService do RSpec.describe Auth::ContainerRegistryAuthenticationService do
include AdminModeHelper
let(:current_project) { nil } let(:current_project) { nil }
let(:current_user) { nil } let(:current_user) { nil }
let(:current_params) { {} } let(:current_params) { {} }
...@@ -696,6 +698,10 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do ...@@ -696,6 +698,10 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
context 'user has access to all projects' do context 'user has access to all projects' do
let_it_be(:current_user) { create(:user, :admin) } let_it_be(:current_user) { create(:user, :admin) }
before do
enable_admin_mode!(current_user)
end
it_behaves_like 'a browsable' do it_behaves_like 'a browsable' do
let(:access) do let(:access) do
[ [
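Review bot: The 'user has access to all projects' context now covers only an admin with admin mode enabled, via the new `before` block. There is no sibling case for the same admin with admin mode off. The vulnerability specs in this commit pair each allowed case with `be_denied_for(:admin)`, and this service spec would benefit from the same pairing, since what it grants is registry access. I would add a `context 'when admin mode is disabled' do` without the `enable_admin_mode!` call that asserts the access list is not granted. The shared example to use for the denied case is not visible in this hunk, and the context continues past it.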
......
...@@ -4,13 +4,13 @@ require 'spec_helper' ...@@ -4,13 +4,13 @@ require 'spec_helper'
RSpec.describe Ci::CreatePipelineService do RSpec.describe Ci::CreatePipelineService do
context 'cache' do context 'cache' do
let(:user) { create(:admin) } let(:project) { create(:project, :custom_repo, files: files) }
let(:user) { project.owner }
let(:ref) { 'refs/heads/master' } let(:ref) { 'refs/heads/master' }
let(:source) { :push } let(:source) { :push }
let(:service) { described_class.new(project, user, { ref: ref }) } let(:service) { described_class.new(project, user, { ref: ref }) }
let(:pipeline) { service.execute(source) } let(:pipeline) { service.execute(source) }
let(:job) { pipeline.builds.find_by(name: 'job') } let(:job) { pipeline.builds.find_by(name: 'job') }
let(:project) { create(:project, :custom_repo, files: files) }
before do before do
stub_ci_pipeline_yaml_file(config) stub_ci_pipeline_yaml_file(config)
......
...@@ -4,8 +4,8 @@ require 'spec_helper' ...@@ -4,8 +4,8 @@ require 'spec_helper'
RSpec.describe Ci::CreatePipelineService do RSpec.describe Ci::CreatePipelineService do
describe 'creation errors and warnings' do describe 'creation errors and warnings' do
let_it_be(:user) { create(:admin) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:project) { create(:project, :repository, creator: user) } let_it_be(:user) { project.owner }
let(:ref) { 'refs/heads/master' } let(:ref) { 'refs/heads/master' }
let(:source) { :push } let(:source) { :push }
......
...@@ -3,7 +3,7 @@ require 'spec_helper' ...@@ -3,7 +3,7 @@ require 'spec_helper'
RSpec.describe Ci::CreatePipelineService do RSpec.describe Ci::CreatePipelineService do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { create(:admin) } let_it_be(:user) { project.owner }
let(:ref) { 'refs/heads/master' } let(:ref) { 'refs/heads/master' }
let(:service) { described_class.new(project, user, { ref: ref }) } let(:service) { described_class.new(project, user, { ref: ref }) }
......
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Ci::CreatePipelineService do RSpec.describe Ci::CreatePipelineService do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { create(:admin) } let_it_be(:user) { project.owner }
let(:ref) { 'refs/heads/master' } let(:ref) { 'refs/heads/master' }
let(:service) { described_class.new(project, user, { ref: ref }) } let(:service) { described_class.new(project, user, { ref: ref }) }
......
...@@ -4,8 +4,8 @@ require 'spec_helper' ...@@ -4,8 +4,8 @@ require 'spec_helper'
RSpec.describe Ci::CreatePipelineService do RSpec.describe Ci::CreatePipelineService do
context 'needs' do context 'needs' do
let_it_be(:user) { create(:admin) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:project) { create(:project, :repository, creator: user) } let_it_be(:user) { project.owner }
let(:ref) { 'refs/heads/master' } let(:ref) { 'refs/heads/master' }
let(:source) { :push } let(:source) { :push }
...@@ -14,6 +14,7 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -14,6 +14,7 @@ RSpec.describe Ci::CreatePipelineService do
before do before do
stub_ci_pipeline_yaml_file(config) stub_ci_pipeline_yaml_file(config)
project.add_developer(user)
end end
context 'with a valid config' do context 'with a valid config' do
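Review bot: `project.add_developer(user)` in the `before` block is applied to a `user` that is now `project.owner`, so the spec no longer states which role it runs as. The other CreatePipelineService specs in this commit use `project.owner` without an extra membership. If the owner is intended, drop the call. If a developer is intended, `let_it_be(:user) { create(:user) }` together with the `add_developer` call says so directly. Whether adding the owner as a developer changes effective access is not visible here.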
......
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Ci::CreatePipelineService do RSpec.describe Ci::CreatePipelineService do
let_it_be(:project) { create(:project, :repository) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { create(:admin) } let_it_be(:user) { project.owner }
let(:service) { described_class.new(project, user, { ref: 'refs/heads/master' }) } let(:service) { described_class.new(project, user, { ref: 'refs/heads/master' }) }
let(:content) do let(:content) do
<<~EOY <<~EOY
......
...@@ -3,8 +3,8 @@ require 'spec_helper' ...@@ -3,8 +3,8 @@ require 'spec_helper'
RSpec.describe Ci::CreatePipelineService do RSpec.describe Ci::CreatePipelineService do
describe '.pre/.post stages' do describe '.pre/.post stages' do
let_it_be(:user) { create(:admin) } let_it_be(:project) { create(:project, :repository) }
let_it_be(:project) { create(:project, :repository, creator: user) } let_it_be(:user) { project.owner }
let(:source) { :push } let(:source) { :push }
let(:service) { described_class.new(project, user, { ref: ref }) } let(:service) { described_class.new(project, user, { ref: ref }) }
......
...@@ -2,10 +2,10 @@ ...@@ -2,10 +2,10 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe Ci::CreatePipelineService do RSpec.describe Ci::CreatePipelineService do
let(:user) { create(:admin) } let(:project) { create(:project, :repository) }
let(:user) { project.owner }
let(:ref) { 'refs/heads/master' } let(:ref) { 'refs/heads/master' }
let(:source) { :push } let(:source) { :push }
let(:project) { create(:project, :repository) }
let(:service) { described_class.new(project, user, { ref: ref }) } let(:service) { described_class.new(project, user, { ref: ref }) }
let(:pipeline) { service.execute(source) } let(:pipeline) { service.execute(source) }
let(:build_names) { pipeline.builds.pluck(:name) } let(:build_names) { pipeline.builds.pluck(:name) }
......
...@@ -6,7 +6,7 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -6,7 +6,7 @@ RSpec.describe Ci::CreatePipelineService do
include ProjectForksHelper include ProjectForksHelper
let_it_be(:project, reload: true) { create(:project, :repository) } let_it_be(:project, reload: true) { create(:project, :repository) }
let(:user) { create(:admin) } let_it_be(:user, reload: true) { project.owner }
let(:ref_name) { 'refs/heads/master' } let(:ref_name) { 'refs/heads/master' }
before do before do
...@@ -155,6 +155,11 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -155,6 +155,11 @@ RSpec.describe Ci::CreatePipelineService do
context 'when merge request target project is different from source project' do context 'when merge request target project is different from source project' do
let!(:project) { fork_project(target_project, nil, repository: true) } let!(:project) { fork_project(target_project, nil, repository: true) }
let!(:target_project) { create(:project, :repository) } let!(:target_project) { create(:project, :repository) }
let!(:user) { create(:user) }
before do
project.add_developer(user)
end
it 'updates head pipeline for merge request', :sidekiq_might_not_need_inline do it 'updates head pipeline for merge request', :sidekiq_might_not_need_inline do
merge_request = create(:merge_request, source_branch: 'feature', merge_request = create(:merge_request, source_branch: 'feature',
...@@ -1442,6 +1447,11 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -1442,6 +1447,11 @@ RSpec.describe Ci::CreatePipelineService do
let(:ref_name) { 'refs/heads/feature' } let(:ref_name) { 'refs/heads/feature' }
let!(:project) { fork_project(target_project, nil, repository: true) } let!(:project) { fork_project(target_project, nil, repository: true) }
let!(:target_project) { create(:project, :repository) } let!(:target_project) { create(:project, :repository) }
let!(:user) { create(:user) }
before do
project.add_developer(user)
end
it 'creates a legacy detached merge request pipeline in the forked project', :sidekiq_might_not_need_inline do it 'creates a legacy detached merge request pipeline in the forked project', :sidekiq_might_not_need_inline do
expect(pipeline).to be_persisted expect(pipeline).to be_persisted
......
...@@ -321,10 +321,13 @@ RSpec.describe Issues::MoveService do ...@@ -321,10 +321,13 @@ RSpec.describe Issues::MoveService do
before do before do
authorized_project.add_developer(user) authorized_project.add_developer(user)
authorized_project.add_developer(admin)
authorized_project2.add_developer(user) authorized_project2.add_developer(user)
authorized_project2.add_developer(admin)
end end
context 'multiple related issues' do context 'multiple related issues' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'moves all related issues and retains permissions' do it 'moves all related issues and retains permissions' do
new_issue = move_service.execute(old_issue, new_project) new_issue = move_service.execute(old_issue, new_project)
...@@ -338,6 +341,22 @@ RSpec.describe Issues::MoveService do ...@@ -338,6 +341,22 @@ RSpec.describe Issues::MoveService do
.to match_array([new_issue]) .to match_array([new_issue])
end end
end end
context 'when admin mode is disabled' do
it 'moves all related issues and retains permissions' do
new_issue = move_service.execute(old_issue, new_project)
expect(new_issue.related_issues(admin))
.to match_array([authorized_issue_b, authorized_issue_c, authorized_issue_d])
expect(new_issue.related_issues(user))
.to match_array([authorized_issue_b, authorized_issue_c, authorized_issue_d])
expect(authorized_issue_d.related_issues(user))
.to match_array([new_issue])
end
end
end
end end
context 'updating sent notifications' do context 'updating sent notifications' do
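Review bot: Both admin-mode contexts use the description 'moves all related issues and retains permissions', but the disabled one asserts something different. There the admin gets the same three authorized issues as `user`. A name such as `it 'limits the admin to the related issues visible to a project member' do` would show that in the spec output. The new `add_developer(admin)` calls in the shared `before` appear to be what makes those issues visible without admin mode. A one-line comment there would help, for example `# admin is a member, so without admin mode visibility comes from membership only`. Part of the enabled example lies outside the visible lines.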
......
...@@ -74,11 +74,19 @@ RSpec.describe Issues::RelatedBranchesService do ...@@ -74,11 +74,19 @@ RSpec.describe Issues::RelatedBranchesService do
context 'the user has access to otherwise unreadable pipelines' do context 'the user has access to otherwise unreadable pipelines' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns info a developer could not see' do it 'returns info a developer could not see' do
expect(branch_info.pluck(:pipeline_status)).to include(an_instance_of(Gitlab::Ci::Status::Running)) expect(branch_info.pluck(:pipeline_status)).to include(an_instance_of(Gitlab::Ci::Status::Running))
end end
end end
context 'when admin mode is disabled' do
it 'does not return info a developer could not see' do
expect(branch_info.pluck(:pipeline_status)).not_to include(an_instance_of(Gitlab::Ci::Status::Running))
end
end
end
it 'excludes branches referenced in merge requests' do it 'excludes branches referenced in merge requests' do
merge_request = create(:merge_request, { description: "Closes #{issue.to_reference}", merge_request = create(:merge_request, { description: "Closes #{issue.to_reference}",
source_project: issue.project, source_project: issue.project,
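Review bot: The admin-mode-disabled example asserts only `not_to include(an_instance_of(Gitlab::Ci::Status::Running))`, which also passes when `branch_info` is empty. As written it cannot tell "pipeline status withheld" from "no branches returned". I would add a positive assertion before it, such as `expect(branch_info).not_to be_empty`. Asserting the exact value the service returns for a pipeline the user cannot read would be better still, but that value is not shown in this hunk.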
......
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Labels::TransferService do RSpec.describe Labels::TransferService do
describe '#execute' do describe '#execute' do
let_it_be(:user) { create(:admin) } let_it_be(:user) { create(:user) }
let_it_be(:old_group_ancestor) { create(:group) } let_it_be(:old_group_ancestor) { create(:group) }
let_it_be(:old_group) { create(:group, parent: old_group_ancestor) } let_it_be(:old_group) { create(:group, parent: old_group_ancestor) }
...@@ -15,6 +15,11 @@ RSpec.describe Labels::TransferService do ...@@ -15,6 +15,11 @@ RSpec.describe Labels::TransferService do
subject(:service) { described_class.new(user, old_group, project) } subject(:service) { described_class.new(user, old_group, project) }
before do
old_group_ancestor.add_developer(user)
new_group.add_developer(user)
end
it 'recreates missing group labels at project level and assigns them to the issuables' do it 'recreates missing group labels at project level and assigns them to the issuables' do
old_group_label_1 = create(:group_label, group: old_group) old_group_label_1 = create(:group_label, group: old_group)
old_group_label_2 = create(:group_label, group: old_group) old_group_label_2 = create(:group_label, group: old_group)
......
...@@ -12,11 +12,21 @@ RSpec.describe MergeRequests::AddContextService do ...@@ -12,11 +12,21 @@ RSpec.describe MergeRequests::AddContextService do
subject(:service) { described_class.new(project, admin, merge_request: merge_request, commits: commits) } subject(:service) { described_class.new(project, admin, merge_request: merge_request, commits: commits) }
describe "#execute" do describe "#execute" do
context "when admin mode is enabled", :enable_admin_mode do
it "adds context commit" do it "adds context commit" do
service.execute service.execute
expect(merge_request.merge_request_context_commit_diff_files.length).to eq(2) expect(merge_request.merge_request_context_commit_diff_files.length).to eq(2)
end end
end
context "when admin mode is disabled" do
it "doesn't add context commit" do
subject.execute
expect(merge_request.merge_request_context_commit_diff_files.length).to eq(0)
end
end
context "when user doesn't have permission to update merge request" do context "when user doesn't have permission to update merge request" do
let(:user) { create(:user) } let(:user) { create(:user) }
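Review bot: The admin-mode-disabled example calls `subject.execute` while the enabled example just above calls `service.execute`; both name the same subject, so the new example should read `service.execute` to match. The example also checks only that the context diff-file count is 0, so it would still pass if the service failed for a reason unrelated to admin mode. Asserting on what `service.execute` returns would tie the outcome to the permission check, though the return shape is not visible in this hunk. The `describe "#execute"` block continues outside the hunk.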
......
...@@ -3099,14 +3099,28 @@ RSpec.describe NotificationService, :mailer do ...@@ -3099,14 +3099,28 @@ RSpec.describe NotificationService, :mailer do
subject.new_issue(issue, member) subject.new_issue(issue, member)
end end
it 'still delivers email to admins' do context 'with admin user' do
before do
member.update!(admin: true) member.update!(admin: true)
end
context 'when admin mode is enabled', :enable_admin_mode do
it 'still delivers email to admins' do
expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original
subject.new_issue(issue, member) subject.new_issue(issue, member)
end end
end end
context 'when admin mode is disabled' do
it 'does not send an email' do
expect(Notify).not_to receive(:new_issue_email)
subject.new_issue(issue, member)
end
end
end
end
end end
describe '#prometheus_alerts_fired' do describe '#prometheus_alerts_fired' do
......
...@@ -38,9 +38,15 @@ RSpec.describe PersonalAccessTokens::CreateService do ...@@ -38,9 +38,15 @@ RSpec.describe PersonalAccessTokens::CreateService do
context 'when current_user is an administrator' do context 'when current_user is an administrator' do
let(:current_user) { create(:admin) } let(:current_user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'a successfully created token' it_behaves_like 'a successfully created token'
end end
context 'when admin mode is disabled' do
it_behaves_like 'an unsuccessfully created token'
end
end
context 'when current_user is not an administrator' do context 'when current_user is not an administrator' do
context 'target_user is not the same as current_user' do context 'target_user is not the same as current_user' do
it_behaves_like 'an unsuccessfully created token' it_behaves_like 'an unsuccessfully created token'
......
...@@ -24,12 +24,21 @@ RSpec.describe PersonalAccessTokens::RevokeService do ...@@ -24,12 +24,21 @@ RSpec.describe PersonalAccessTokens::RevokeService do
let(:service) { described_class.new(current_user, token: token) } let(:service) { described_class.new(current_user, token: token) }
context 'when current_user is an administrator' do context 'when current_user is an administrator' do
context 'when admin mode is enabled', :enable_admin_mode do
let_it_be(:current_user) { create(:admin) } let_it_be(:current_user) { create(:admin) }
let_it_be(:token) { create(:personal_access_token) } let_it_be(:token) { create(:personal_access_token) }
it_behaves_like 'a successfully revoked token' it_behaves_like 'a successfully revoked token'
end end
context 'when admin mode is disabled' do
let_it_be(:current_user) { create(:admin) }
let_it_be(:token) { create(:personal_access_token) }
it_behaves_like 'an unsuccessfully revoked token'
end
end
context 'when current_user is not an administrator' do context 'when current_user is not an administrator' do
let_it_be(:current_user) { create(:user) } let_it_be(:current_user) { create(:user) }
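Review bot: The two new contexts repeat identical `let_it_be(:current_user) { create(:admin) }` and `let_it_be(:token) { create(:personal_access_token) }` lines. Declaring them once in the enclosing `context 'when current_user is an administrator'` would leave only the `:enable_admin_mode` tag and the shared example differing between the branches. That makes it plain that admin mode is the only variable separating a successful revocation from a refused one.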
......
...@@ -79,7 +79,8 @@ RSpec.describe Projects::AutocompleteService do ...@@ -79,7 +79,8 @@ RSpec.describe Projects::AutocompleteService do
expect(issues.count).to eq 3 expect(issues.count).to eq 3
end end
it 'lists all project issues for admin' do context 'when admin mode is enabled', :enable_admin_mode do
it 'lists all project issues for admin', :enable_admin_mode do
autocomplete = described_class.new(project, admin) autocomplete = described_class.new(project, admin)
issues = autocomplete.issues.map(&:iid) issues = autocomplete.issues.map(&:iid)
...@@ -89,6 +90,19 @@ RSpec.describe Projects::AutocompleteService do ...@@ -89,6 +90,19 @@ RSpec.describe Projects::AutocompleteService do
expect(issues.count).to eq 3 expect(issues.count).to eq 3
end end
end end
context 'when admin mode is disabled' do
it 'does not list project confidential issues for admin' do
autocomplete = described_class.new(project, admin)
issues = autocomplete.issues.map(&:iid)
expect(issues).to include issue.iid
expect(issues).not_to include security_issue_1.iid
expect(issues).not_to include security_issue_2.iid
expect(issues.count).to eq 1
end
end
end
end end
describe '#milestones' do describe '#milestones' do
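Review bot: `:enable_admin_mode` is set twice, once on the new `context 'when admin mode is enabled'` and again on the `it 'lists all project issues for admin'` inside it. The tag on the example is redundant because RSpec metadata is inherited from the enclosing context. Writing the example as `it 'lists all project issues for admin' do` keeps the admin-mode switch in one place, so the context name alone tells a reader which mode the example runs in.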
......
...@@ -72,6 +72,7 @@ RSpec.describe Projects::CreateService, '#execute' do ...@@ -72,6 +72,7 @@ RSpec.describe Projects::CreateService, '#execute' do
end end
context "admin creates project with other user's namespace_id" do context "admin creates project with other user's namespace_id" do
context 'when admin mode is enabled', :enable_admin_mode do
it 'sets the correct permissions' do it 'sets the correct permissions' do
admin = create(:admin) admin = create(:admin)
project = create_project(admin, opts) project = create_project(admin, opts)
...@@ -83,6 +84,16 @@ RSpec.describe Projects::CreateService, '#execute' do ...@@ -83,6 +84,16 @@ RSpec.describe Projects::CreateService, '#execute' do
end end
end end
context 'when admin mode is disabled' do
it 'is not allowed' do
admin = create(:admin)
project = create_project(admin, opts)
expect(project).not_to be_persisted
end
end
end
context 'group namespace' do context 'group namespace' do
let(:group) do let(:group) do
create(:group).tap do |group| create(:group).tap do |group|
...@@ -336,7 +347,15 @@ RSpec.describe Projects::CreateService, '#execute' do ...@@ -336,7 +347,15 @@ RSpec.describe Projects::CreateService, '#execute' do
) )
end end
it 'allows a restricted visibility level for admins' do it 'does not allow a restricted visibility level for admins when admin mode is disabled' do
admin = create(:admin)
project = create_project(admin, opts)
expect(project.errors.any?).to be(true)
expect(project.saved?).to be_falsey
end
it 'allows a restricted visibility level for admins when admin mode is enabled', :enable_admin_mode do
admin = create(:admin) admin = create(:admin)
project = create_project(admin, opts) project = create_project(admin, opts)
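Review bot: The admin-mode-disabled examples assert only that creation failed (`not_to be_persisted`, `errors.any?`, `saved?`), not why, so they keep passing if the project is rejected for a reason unrelated to admin mode. Each should also pin the error the service sets for this case, for example `expect(project.errors[:<attribute>]).to be_present`, where `<attribute>` stands for the key the service actually uses, which these hunks do not show. The second new example also puts its condition in the description instead of a `context 'when admin mode is disabled'` block, unlike the rest of the commit.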
......
...@@ -127,6 +127,7 @@ RSpec.describe Projects::UpdateService do ...@@ -127,6 +127,7 @@ RSpec.describe Projects::UpdateService do
end end
context 'when updated by an admin' do context 'when updated by an admin' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'updates the project to public' do it 'updates the project to public' do
result = update_project(project, admin, visibility_level: Gitlab::VisibilityLevel::PUBLIC) result = update_project(project, admin, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
...@@ -134,6 +135,16 @@ RSpec.describe Projects::UpdateService do ...@@ -134,6 +135,16 @@ RSpec.describe Projects::UpdateService do
expect(project).to be_public expect(project).to be_public
end end
end end
context 'when admin mode is disabled' do
it 'does not update the project to public' do
result = update_project(project, admin, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
expect(project).to be_private
end
end
end
end end
end end
...@@ -144,7 +155,7 @@ RSpec.describe Projects::UpdateService do ...@@ -144,7 +155,7 @@ RSpec.describe Projects::UpdateService do
project.update!(namespace: group, visibility_level: group.visibility_level) project.update!(namespace: group, visibility_level: group.visibility_level)
end end
it 'does not update project visibility level' do it 'does not update project visibility level even if admin', :enable_admin_mode do
result = update_project(project, admin, visibility_level: Gitlab::VisibilityLevel::PUBLIC) result = update_project(project, admin, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
expect(result).to eq({ status: :error, message: 'Visibility level public is not allowed in a internal group.' }) expect(result).to eq({ status: :error, message: 'Visibility level public is not allowed in a internal group.' })
...@@ -181,6 +192,7 @@ RSpec.describe Projects::UpdateService do ...@@ -181,6 +192,7 @@ RSpec.describe Projects::UpdateService do
describe 'when updating project that has forks' do describe 'when updating project that has forks' do
let(:project) { create(:project, :internal) } let(:project) { create(:project, :internal) }
let(:user) { project.owner }
let(:forked_project) { fork_project(project) } let(:forked_project) { fork_project(project) }
context 'and unlink forks feature flag is off' do context 'and unlink forks feature flag is off' do
...@@ -194,7 +206,7 @@ RSpec.describe Projects::UpdateService do ...@@ -194,7 +206,7 @@ RSpec.describe Projects::UpdateService do
expect(project).to be_internal expect(project).to be_internal
expect(forked_project).to be_internal expect(forked_project).to be_internal
expect(update_project(project, admin, opts)).to eq({ status: :success }) expect(update_project(project, user, opts)).to eq({ status: :success })
expect(project).to be_private expect(project).to be_private
expect(forked_project.reload).to be_private expect(forked_project.reload).to be_private
...@@ -206,7 +218,7 @@ RSpec.describe Projects::UpdateService do ...@@ -206,7 +218,7 @@ RSpec.describe Projects::UpdateService do
expect(project).to be_internal expect(project).to be_internal
expect(forked_project).to be_internal expect(forked_project).to be_internal
expect(update_project(project, admin, opts)).to eq({ status: :success }) expect(update_project(project, user, opts)).to eq({ status: :success })
expect(project).to be_public expect(project).to be_public
expect(forked_project.reload).to be_internal expect(forked_project.reload).to be_internal
...@@ -220,7 +232,7 @@ RSpec.describe Projects::UpdateService do ...@@ -220,7 +232,7 @@ RSpec.describe Projects::UpdateService do
expect(project).to be_internal expect(project).to be_internal
expect(forked_project).to be_internal expect(forked_project).to be_internal
expect(update_project(project, admin, opts)).to eq({ status: :success }) expect(update_project(project, user, opts)).to eq({ status: :success })
expect(project).to be_private expect(project).to be_private
expect(forked_project.reload).to be_internal expect(forked_project.reload).to be_internal
...@@ -576,6 +588,7 @@ RSpec.describe Projects::UpdateService do ...@@ -576,6 +588,7 @@ RSpec.describe Projects::UpdateService do
context 'authenticated as admin' do context 'authenticated as admin' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'schedules the transfer of the repository to the new storage and locks the project' do it 'schedules the transfer of the repository to the new storage and locks the project' do
update_project(project, admin, opts) update_project(project, admin, opts)
...@@ -586,6 +599,11 @@ RSpec.describe Projects::UpdateService do ...@@ -586,6 +599,11 @@ RSpec.describe Projects::UpdateService do
destination_storage_name: 'test_second_storage' destination_storage_name: 'test_second_storage'
) )
end end
end
context 'when admin mode is disabled' do
it_behaves_like 'the transfer was not scheduled'
end
context 'the repository is read-only' do context 'the repository is read-only' do
let(:repository_read_only) { true } let(:repository_read_only) { true }
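Review bot: In `context 'authenticated as admin'` the actor is declared as `let(:user) { create(:admin) }`, but the enabled example passes `admin` to `update_project`, and the new `it_behaves_like 'the transfer was not scheduled'` does not show which of the two it uses. If the shared example runs as `user`, the enabled and disabled branches exercise different accounts, which weakens the claim that admin mode alone decides the outcome. Passing `user` in the enabled example, `update_project(project, user, opts)`, would make both branches test the same actor. The shared example and the definition of `admin` are outside this section's hunks, so this needs confirming against the full file.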
......
...@@ -46,8 +46,18 @@ RSpec.describe ResourceAccessTokens::CreateService do ...@@ -46,8 +46,18 @@ RSpec.describe ResourceAccessTokens::CreateService do
end end
context 'when created by an admin' do context 'when created by an admin' do
it_behaves_like 'creates a user that has their email confirmed' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'creates a user that has their email confirmed'
end
context 'when admin mode is disabled' do
it 'returns error' do
response = subject
expect(response.error?).to be true
end
end end
end end
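Review bot: The admin-mode-disabled example checks only `response.error?`, so it does not show that the service stopped before creating anything. Since the enabled branch is about a user being created, the refused branch should also assert that nothing was persisted, for example `expect { subject }.not_to change { User.count }`. If `subject` builds the service from the lazy `let(:user)`, reference `user` before that block so the admin's own creation is not counted. How `subject` is defined lies outside this hunk.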
......
...@@ -49,6 +49,7 @@ RSpec.describe Search::SnippetService do ...@@ -49,6 +49,7 @@ RSpec.describe Search::SnippetService do
expect(results.objects('snippet_titles')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet] expect(results.objects('snippet_titles')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet]
end end
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns all snippets when user is admin' do it 'returns all snippets when user is admin' do
admin = create(:admin) admin = create(:admin)
search = described_class.new(admin, search: 'bar') search = described_class.new(admin, search: 'bar')
...@@ -57,6 +58,17 @@ RSpec.describe Search::SnippetService do ...@@ -57,6 +58,17 @@ RSpec.describe Search::SnippetService do
expect(results.objects('snippet_titles')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet] expect(results.objects('snippet_titles')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
end end
end end
context 'when admin mode is disabled' do
it 'returns only public & internal snippets when user is admin' do
admin = create(:admin)
search = described_class.new(admin, search: 'bar')
results = search.execute
expect(results.objects('snippet_titles')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet]
end
end
end
end end
describe '#scope' do describe '#scope' do
......
...@@ -150,7 +150,7 @@ RSpec.describe TodoService do ...@@ -150,7 +150,7 @@ RSpec.describe TodoService do
service.new_issue(issue, author) service.new_issue(issue, author)
should_create_todo(user: member, target: issue, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: member, target: issue, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: admin, target: issue, action: Todo::MENTIONED) should_not_create_todo(user: admin, target: issue, action: Todo::MENTIONED)
should_create_todo(user: guest, target: issue, action: Todo::MENTIONED) should_create_todo(user: guest, target: issue, action: Todo::MENTIONED)
end end
...@@ -160,7 +160,7 @@ RSpec.describe TodoService do ...@@ -160,7 +160,7 @@ RSpec.describe TodoService do
should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::ASSIGNED) should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::ASSIGNED)
should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_not_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
end end
...@@ -171,7 +171,7 @@ RSpec.describe TodoService do ...@@ -171,7 +171,7 @@ RSpec.describe TodoService do
should_create_todo(user: assignee, target: addressed_confident_issue, author: john_doe, action: Todo::ASSIGNED) should_create_todo(user: assignee, target: addressed_confident_issue, author: john_doe, action: Todo::ASSIGNED)
should_create_todo(user: author, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: author, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: member, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: member, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: admin, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_not_create_todo(user: admin, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_not_create_todo(user: guest, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_not_create_todo(user: guest, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: john_doe, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: john_doe, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
end end
...@@ -228,7 +228,7 @@ RSpec.describe TodoService do ...@@ -228,7 +228,7 @@ RSpec.describe TodoService do
should_create_todo(user: member, target: issue, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: member, target: issue, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: guest, target: issue, action: Todo::MENTIONED) should_create_todo(user: guest, target: issue, action: Todo::MENTIONED)
should_create_todo(user: admin, target: issue, action: Todo::MENTIONED) should_not_create_todo(user: admin, target: issue, action: Todo::MENTIONED)
should_not_create_todo(user: skipped, target: issue) should_not_create_todo(user: skipped, target: issue)
end end
...@@ -273,7 +273,7 @@ RSpec.describe TodoService do ...@@ -273,7 +273,7 @@ RSpec.describe TodoService do
should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_not_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED) should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
end end
...@@ -284,7 +284,7 @@ RSpec.describe TodoService do ...@@ -284,7 +284,7 @@ RSpec.describe TodoService do
should_create_todo(user: author, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: author, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: assignee, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: assignee, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: member, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: member, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: admin, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_not_create_todo(user: admin, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_not_create_todo(user: guest, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_not_create_todo(user: guest, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: john_doe, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: john_doe, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
end end
...@@ -432,7 +432,7 @@ RSpec.describe TodoService do ...@@ -432,7 +432,7 @@ RSpec.describe TodoService do
service.new_note(note, john_doe) service.new_note(note, john_doe)
should_create_todo(user: member, target: issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: note) should_create_todo(user: member, target: issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: note)
should_create_todo(user: admin, target: issue, author: john_doe, action: Todo::MENTIONED, note: note) should_not_create_todo(user: admin, target: issue, author: john_doe, action: Todo::MENTIONED, note: note)
should_create_todo(user: guest, target: issue, author: john_doe, action: Todo::MENTIONED, note: note) should_create_todo(user: guest, target: issue, author: john_doe, action: Todo::MENTIONED, note: note)
end end
...@@ -452,7 +452,7 @@ RSpec.describe TodoService do ...@@ -452,7 +452,7 @@ RSpec.describe TodoService do
should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue) should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue) should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue) should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue) should_not_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue) should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue) should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
end end
...@@ -463,7 +463,7 @@ RSpec.describe TodoService do ...@@ -463,7 +463,7 @@ RSpec.describe TodoService do
should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue) should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue) should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue) should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue) should_not_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue) should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue) should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
end end
...@@ -699,7 +699,7 @@ RSpec.describe TodoService do ...@@ -699,7 +699,7 @@ RSpec.describe TodoService do
service.new_merge_request(mr_assigned, author) service.new_merge_request(mr_assigned, author)
should_create_todo(user: member, target: mr_assigned, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: member, target: mr_assigned, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: admin, target: mr_assigned, action: Todo::MENTIONED) should_not_create_todo(user: admin, target: mr_assigned, action: Todo::MENTIONED)
end end
it 'creates a directly addressed todo for each valid addressed user' do it 'creates a directly addressed todo for each valid addressed user' do
...@@ -731,7 +731,7 @@ RSpec.describe TodoService do ...@@ -731,7 +731,7 @@ RSpec.describe TodoService do
service.update_merge_request(mr_assigned, author, skip_users) service.update_merge_request(mr_assigned, author, skip_users)
should_create_todo(user: member, target: mr_assigned, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: member, target: mr_assigned, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: admin, target: mr_assigned, action: Todo::MENTIONED) should_not_create_todo(user: admin, target: mr_assigned, action: Todo::MENTIONED)
should_not_create_todo(user: skipped, target: mr_assigned) should_not_create_todo(user: skipped, target: mr_assigned)
end end
...@@ -997,7 +997,7 @@ RSpec.describe TodoService do ...@@ -997,7 +997,7 @@ RSpec.describe TodoService do
should_create_todo(user: member, target: noteable, action: Todo::DIRECTLY_ADDRESSED) should_create_todo(user: member, target: noteable, action: Todo::DIRECTLY_ADDRESSED)
should_create_todo(user: guest, target: noteable, action: Todo::MENTIONED) should_create_todo(user: guest, target: noteable, action: Todo::MENTIONED)
should_create_todo(user: admin, target: noteable, action: Todo::MENTIONED) should_not_create_todo(user: admin, target: noteable, action: Todo::MENTIONED)
should_not_create_todo(user: skipped, target: noteable) should_not_create_todo(user: skipped, target: noteable)
end end
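Review bot: Every `should_create_todo(user: admin, …)` expectation in this file is flipped to `should_not_create_todo`, and none of the visible hunks adds an `:enable_admin_mode` counterpart. As a result these specs no longer show that an admin with admin mode on still receives the todo. Other files in this commit split each admin case into enabled and disabled contexts. The same split here, e.g. an example tagged `:enable_admin_mode` containing `should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)`, would cover both sides of the boundary. The enclosing examples start outside the hunks, so such coverage may exist in parts of the file not shown.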
......
...@@ -85,7 +85,7 @@ RSpec.describe TwoFactor::DestroyService do ...@@ -85,7 +85,7 @@ RSpec.describe TwoFactor::DestroyService do
it_behaves_like 'disables two-factor authentication' it_behaves_like 'disables two-factor authentication'
end end
context 'admin disables the two-factor authentication of another user' do context 'admin disables the two-factor authentication of another user', :enable_admin_mode do
let(:current_user) { create(:admin) } let(:current_user) { create(:admin) }
let(:user) { create(:user, :two_factor) } let(:user) { create(:user, :two_factor) }
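Review bot: The context for an admin disabling another user's two-factor authentication gains `:enable_admin_mode`, but no example covers the same admin without admin mode, which is the case that has to be refused. A sibling `context 'admin without admin mode disables the two-factor authentication of another user'` with the same two `let`s would pin that behaviour. It should assert that the target user still has two-factor enabled afterwards. The only shared example visible in this hunk is `'disables two-factor authentication'`, and the context body continues outside the hunk, so the refusing counterpart may need to be written or reused from elsewhere in the file.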
......
...@@ -19,6 +19,14 @@ RSpec.describe Users::ApproveService do ...@@ -19,6 +19,14 @@ RSpec.describe Users::ApproveService do
end end
end end
context 'when the executor user is an admin not in admin mode' do
it 'returns error result' do
expect(subject[:status]).to eq(:error)
expect(subject[:message]).to match(/You are not allowed to approve a user/)
end
end
context 'when the executor user is an admin in admin mode', :enable_admin_mode do
context 'when user is not in pending approval state' do context 'when user is not in pending approval state' do
let(:user) { create(:user, state: 'active') } let(:user) { create(:user, state: 'active') }
...@@ -44,8 +52,10 @@ RSpec.describe Users::ApproveService do ...@@ -44,8 +52,10 @@ RSpec.describe Users::ApproveService do
end end
end end
end end
end
context 'success' do context 'success' do
context 'when the executor user is an admin in admin mode', :enable_admin_mode do
it 'activates the user' do it 'activates the user' do
expect(subject[:status]).to eq(:success) expect(subject[:status]).to eq(:success)
expect(user.reload).to be_active expect(user.reload).to be_active
...@@ -69,7 +79,7 @@ RSpec.describe Users::ApproveService do ...@@ -69,7 +79,7 @@ RSpec.describe Users::ApproveService do
end end
end end
context 'pending invitiations' do context 'pending invitations' do
let!(:project_member_invite) { create(:project_member, :invited, invite_email: user.email) } let!(:project_member_invite) { create(:project_member, :invited, invite_email: user.email) }
let!(:group_member_invite) { create(:group_member, :invited, invite_email: user.email) } let!(:group_member_invite) { create(:group_member, :invited, invite_email: user.email) }
...@@ -103,4 +113,5 @@ RSpec.describe Users::ApproveService do ...@@ -103,4 +113,5 @@ RSpec.describe Users::ApproveService do
end end
end end
end end
end
end end
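Review bot: The new context 'when the executor user is an admin not in admin mode' asserts only the returned status and message, so it would still pass if the service changed the user's state before returning the error. Adding a persistence check beside the two expectations, for example `expect(user.reload).not_to be_active` (the `be_active` matcher is already used in the success examples), would pin that a denied approval has no side effect. This assumes `user` starts in a non-active state in that context, which the collapsed part of the file should confirm.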
...@@ -3,7 +3,6 @@ ...@@ -3,7 +3,6 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe Users::DestroyService do RSpec.describe Users::DestroyService do
describe "Deletes a user and all their personal projects" do
let!(:user) { create(:user) } let!(:user) { create(:user) }
let!(:admin) { create(:admin) } let!(:admin) { create(:admin) }
let!(:namespace) { user.namespace } let!(:namespace) { user.namespace }
...@@ -11,6 +10,7 @@ RSpec.describe Users::DestroyService do ...@@ -11,6 +10,7 @@ RSpec.describe Users::DestroyService do
let(:service) { described_class.new(admin) } let(:service) { described_class.new(admin) }
let(:gitlab_shell) { Gitlab::Shell.new } let(:gitlab_shell) { Gitlab::Shell.new }
describe "Deletes a user and all their personal projects", :enable_admin_mode do
context 'no options are given' do context 'no options are given' do
it 'deletes the user' do it 'deletes the user' do
user_data = service.execute(user) user_data = service.execute(user)
...@@ -215,35 +215,6 @@ RSpec.describe Users::DestroyService do ...@@ -215,35 +215,6 @@ RSpec.describe Users::DestroyService do
end end
end end
context "deletion permission checks" do
it 'does not delete the user when user is not an admin' do
other_user = create(:user)
expect { described_class.new(other_user).execute(user) }.to raise_error(Gitlab::Access::AccessDeniedError)
expect(User.exists?(user.id)).to be(true)
end
it 'allows admins to delete anyone' do
described_class.new(admin).execute(user)
expect(User.exists?(user.id)).to be(false)
end
it 'allows users to delete their own account' do
described_class.new(user).execute(user)
expect(User.exists?(user.id)).to be(false)
end
it 'allows user to be deleted if skip_authorization: true' do
other_user = create(:user)
described_class.new(user).execute(other_user, skip_authorization: true)
expect(User.exists?(other_user.id)).to be(false)
end
end
context "migrating associated records" do context "migrating associated records" do
let!(:issue) { create(:issue, author: user) } let!(:issue) { create(:issue, author: user) }
...@@ -320,4 +291,43 @@ RSpec.describe Users::DestroyService do ...@@ -320,4 +291,43 @@ RSpec.describe Users::DestroyService do
end end
end end
end end
describe "Deletion permission checks" do
it 'does not delete the user when user is not an admin' do
other_user = create(:user)
expect { described_class.new(other_user).execute(user) }.to raise_error(Gitlab::Access::AccessDeniedError)
expect(User.exists?(user.id)).to be(true)
end
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows admins to delete anyone' do
described_class.new(admin).execute(user)
expect(User.exists?(user.id)).to be(false)
end
end
context 'when admin mode is disabled' do
it 'disallows admins to delete anyone' do
expect { described_class.new(admin).execute(user) }.to raise_error(Gitlab::Access::AccessDeniedError)
expect(User.exists?(user.id)).to be(true)
end
end
it 'allows users to delete their own account' do
described_class.new(user).execute(user)
expect(User.exists?(user.id)).to be(false)
end
it 'allows user to be deleted if skip_authorization: true' do
other_user = create(:user)
described_class.new(user).execute(other_user, skip_authorization: true)
expect(User.exists?(other_user.id)).to be(false)
end
end
end end
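Review bot: In the new 'when admin mode is disabled' context, the example name 'disallows admins to delete anyone' is broader than what the example checks. It covers an admin deleting another user, while the neighbouring example 'allows users to delete their own account' suggests self-deletion is not gated on admin mode. A name such as `it 'does not allow admins to delete other users' do` states the rule being enforced. If an admin outside admin mode is meant to keep the ability to delete their own account, an explicit example for that case would document the boundary.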
...@@ -52,7 +52,7 @@ RSpec.describe Users::SetStatusService do ...@@ -52,7 +52,7 @@ RSpec.describe Users::SetStatusService do
{ emoji: 'taurus', message: 'a random status', user: target_user } { emoji: 'taurus', message: 'a random status', user: target_user }
end end
context 'the current user is admin' do context 'the current user is admin', :enable_admin_mode do
let(:current_user) { create(:admin) } let(:current_user) { create(:admin) }
it 'changes the status when the current user is allowed to do that' do it 'changes the status when the current user is allowed to do that' do
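Review bot: The context 'the current user is admin' is now tagged `:enable_admin_mode`, but the visible lines add no counterpart for an admin who has not entered admin mode, unlike the ApproveService and DestroyService specs in this commit. A sibling context such as `context 'the current user is admin not in admin mode' do`, asserting that the status of `target_user` is left unchanged, would cover the denial path. The rest of this file is collapsed on the page, so such a case may already exist there.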
......
...@@ -283,12 +283,10 @@ RSpec.configure do |config| ...@@ -283,12 +283,10 @@ RSpec.configure do |config|
./ee/spec/lib ./ee/spec/lib
./ee/spec/requests/admin ./ee/spec/requests/admin
./ee/spec/serializers ./ee/spec/serializers
./ee/spec/services
./ee/spec/support/protected_tags ./ee/spec/support/protected_tags
./ee/spec/support/shared_examples/features ./ee/spec/support/shared_examples/features
./ee/spec/support/shared_examples/finders/geo ./ee/spec/support/shared_examples/finders/geo
./ee/spec/support/shared_examples/graphql/geo ./ee/spec/support/shared_examples/graphql/geo
./ee/spec/support/shared_examples/services
./spec/features ./spec/features
./spec/finders ./spec/finders
./spec/frontend ./spec/frontend
...@@ -296,7 +294,6 @@ RSpec.configure do |config| ...@@ -296,7 +294,6 @@ RSpec.configure do |config|
./spec/lib ./spec/lib
./spec/requests ./spec/requests
./spec/serializers ./spec/serializers
./spec/services
./spec/support/protected_tags ./spec/support/protected_tags
./spec/support/shared_examples/features ./spec/support/shared_examples/features
./spec/support/shared_examples/requests ./spec/support/shared_examples/requests
......
...@@ -13,6 +13,8 @@ module AdminModeHelper ...@@ -13,6 +13,8 @@ module AdminModeHelper
def enable_admin_mode!(user) def enable_admin_mode!(user)
fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode) fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode)
allow(Gitlab::Auth::CurrentUserMode).to receive(:new).and_call_original
allow(Gitlab::Auth::CurrentUserMode).to receive(:new).with(user).and_return(fake_user_mode) allow(Gitlab::Auth::CurrentUserMode).to receive(:new).with(user).and_return(fake_user_mode)
allow(fake_user_mode).to receive(:admin_mode?).and_return(user&.admin?) allow(fake_user_mode).to receive(:admin_mode?).and_return(user&.admin?)
end end
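Review bot: The two `allow(Gitlab::Auth::CurrentUserMode).to receive(:new)` stubs in `enable_admin_mode!` depend on their order, and nothing in the helper says so. The generic `and_call_original` stub has to be declared before the `.with(user)` stub, because rspec-mocks gives precedence to the most recently declared matching stub. A short comment above the new line would keep a later edit from swapping them, e.g. `# Any other user gets a real CurrentUserMode; only +user+ gets the admin-mode double (keep this stub first).` The module continues outside the hunk.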
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
RSpec.shared_context 'ProjectPolicyTable context' do RSpec.shared_context 'ProjectPolicyTable context' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
include AdminModeHelper
let(:pendings) { {} } let(:pendings) { {} }
let(:pending?) do let(:pending?) do
pendings.include?( pendings.include?(
...@@ -10,106 +12,117 @@ RSpec.shared_context 'ProjectPolicyTable context' do ...@@ -10,106 +12,117 @@ RSpec.shared_context 'ProjectPolicyTable context' do
project_level: project_level, project_level: project_level,
feature_access_level: feature_access_level, feature_access_level: feature_access_level,
membership: membership, membership: membership,
admin_mode: admin_mode,
expected_count: expected_count expected_count: expected_count
} }
) )
end end
# rubocop:disable Metrics/AbcSize # rubocop:disable Metrics/AbcSize
# project_level, :feature_access_level, :membership, :expected_count # project_level, :feature_access_level, :membership, :admin_mode, :expected_count
def permission_table_for_reporter_feature_access def permission_table_for_reporter_feature_access
:public | :enabled | :admin | 1 :public | :enabled | :admin | true | 1
:public | :enabled | :reporter | 1 :public | :enabled | :admin | false | 1
:public | :enabled | :guest | 1 :public | :enabled | :reporter | nil | 1
:public | :enabled | :non_member | 1 :public | :enabled | :guest | nil | 1
:public | :enabled | :anonymous | 1 :public | :enabled | :non_member | nil | 1
:public | :enabled | :anonymous | nil | 1
:public | :private | :admin | 1
:public | :private | :reporter | 1 :public | :private | :admin | true | 1
:public | :private | :guest | 0 :public | :private | :admin | false | 0
:public | :private | :non_member | 0 :public | :private | :reporter | nil | 1
:public | :private | :anonymous | 0 :public | :private | :guest | nil | 0
:public | :private | :non_member | nil | 0
:public | :disabled | :reporter | 0 :public | :private | :anonymous | nil | 0
:public | :disabled | :guest | 0
:public | :disabled | :non_member | 0 :public | :disabled | :reporter | nil | 0
:public | :disabled | :anonymous | 0 :public | :disabled | :guest | nil | 0
:public | :disabled | :non_member | nil | 0
:internal | :enabled | :admin | 1 :public | :disabled | :anonymous | nil | 0
:internal | :enabled | :reporter | 1
:internal | :enabled | :guest | 1 :internal | :enabled | :admin | true | 1
:internal | :enabled | :non_member | 1 :internal | :enabled | :admin | false | 1
:internal | :enabled | :anonymous | 0 :internal | :enabled | :reporter | nil | 1
:internal | :enabled | :guest | nil | 1
:internal | :private | :admin | 1 :internal | :enabled | :non_member | nil | 1
:internal | :private | :reporter | 1 :internal | :enabled | :anonymous | nil | 0
:internal | :private | :guest | 0
:internal | :private | :non_member | 0 :internal | :private | :admin | true | 1
:internal | :private | :anonymous | 0 :internal | :private | :admin | false | 0
:internal | :private | :reporter | nil | 1
:internal | :disabled | :reporter | 0 :internal | :private | :guest | nil | 0
:internal | :disabled | :guest | 0 :internal | :private | :non_member | nil | 0
:internal | :disabled | :non_member | 0 :internal | :private | :anonymous | nil | 0
:internal | :disabled | :anonymous | 0
:internal | :disabled | :reporter | nil | 0
:private | :private | :admin | 1 :internal | :disabled | :guest | nil | 0
:private | :private | :reporter | 1 :internal | :disabled | :non_member | nil | 0
:private | :private | :guest | 0 :internal | :disabled | :anonymous | nil | 0
:private | :private | :non_member | 0
:private | :private | :anonymous | 0 :private | :private | :admin | true | 1
:private | :private | :admin | false | 0
:private | :disabled | :reporter | 0 :private | :private | :reporter | nil | 1
:private | :disabled | :guest | 0 :private | :private | :guest | nil | 0
:private | :disabled | :non_member | 0 :private | :private | :non_member | nil | 0
:private | :disabled | :anonymous | 0 :private | :private | :anonymous | nil | 0
:private | :disabled | :reporter | nil | 0
:private | :disabled | :guest | nil | 0
:private | :disabled | :non_member | nil | 0
:private | :disabled | :anonymous | nil | 0
end end
# project_level, :feature_access_level, :membership, :expected_count # project_level, :feature_access_level, :membership, :admin_mode, :expected_count
def permission_table_for_guest_feature_access def permission_table_for_guest_feature_access
:public | :enabled | :admin | 1 :public | :enabled | :admin | true | 1
:public | :enabled | :reporter | 1 :public | :enabled | :admin | false | 1
:public | :enabled | :guest | 1 :public | :enabled | :reporter | nil | 1
:public | :enabled | :non_member | 1 :public | :enabled | :guest | nil | 1
:public | :enabled | :anonymous | 1 :public | :enabled | :non_member | nil | 1
:public | :enabled | :anonymous | nil | 1
:public | :private | :admin | 1
:public | :private | :reporter | 1 :public | :private | :admin | true | 1
:public | :private | :guest | 1 :public | :private | :admin | false | 0
:public | :private | :non_member | 0 :public | :private | :reporter | nil | 1
:public | :private | :anonymous | 0 :public | :private | :guest | nil | 1
:public | :private | :non_member | nil | 0
:public | :disabled | :reporter | 0 :public | :private | :anonymous | nil | 0
:public | :disabled | :guest | 0
:public | :disabled | :non_member | 0 :public | :disabled | :reporter | nil | 0
:public | :disabled | :anonymous | 0 :public | :disabled | :guest | nil | 0
:public | :disabled | :non_member | nil | 0
:internal | :enabled | :admin | 1 :public | :disabled | :anonymous | nil | 0
:internal | :enabled | :reporter | 1
:internal | :enabled | :guest | 1 :internal | :enabled | :admin | true | 1
:internal | :enabled | :non_member | 1 :internal | :enabled | :admin | false | 1
:internal | :enabled | :anonymous | 0 :internal | :enabled | :reporter | nil | 1
:internal | :enabled | :guest | nil | 1
:internal | :private | :admin | 1 :internal | :enabled | :non_member | nil | 1
:internal | :private | :reporter | 1 :internal | :enabled | :anonymous | nil | 0
:internal | :private | :guest | 1
:internal | :private | :non_member | 0 :internal | :private | :admin | true | 1
:internal | :private | :anonymous | 0 :internal | :private | :admin | false | 0
:internal | :private | :reporter | nil | 1
:internal | :disabled | :reporter | 0 :internal | :private | :guest | nil | 1
:internal | :disabled | :guest | 0 :internal | :private | :non_member | nil | 0
:internal | :disabled | :non_member | 0 :internal | :private | :anonymous | nil | 0
:internal | :disabled | :anonymous | 0
:internal | :disabled | :reporter | nil | 0
:private | :private | :admin | 1 :internal | :disabled | :guest | nil | 0
:private | :private | :reporter | 1 :internal | :disabled | :non_member | nil | 0
:private | :private | :guest | 1 :internal | :disabled | :anonymous | nil | 0
:private | :private | :non_member | 0
:private | :private | :anonymous | 0 :private | :private | :admin | true | 1
:private | :private | :admin | false | 0
:private | :disabled | :reporter | 0 :private | :private | :reporter | nil | 1
:private | :disabled | :guest | 0 :private | :private | :guest | nil | 1
:private | :disabled | :non_member | 0 :private | :private | :non_member | nil | 0
:private | :disabled | :anonymous | 0 :private | :private | :anonymous | nil | 0
:private | :disabled | :reporter | nil | 0
:private | :disabled | :guest | nil | 0
:private | :disabled | :non_member | nil | 0
:private | :disabled | :anonymous | nil | 0
end end
# This table is based on permission_table_for_guest_feature_access, # This table is based on permission_table_for_guest_feature_access,
...@@ -121,184 +134,208 @@ RSpec.shared_context 'ProjectPolicyTable context' do ...@@ -121,184 +134,208 @@ RSpec.shared_context 'ProjectPolicyTable context' do
# e.g. `repository` feature has minimum requirement of GUEST, # e.g. `repository` feature has minimum requirement of GUEST,
# but a GUEST are prohibited from reading code if project is private. # but a GUEST are prohibited from reading code if project is private.
# #
# project_level, :feature_access_level, :membership, :expected_count # project_level, :feature_access_level, :membership, :admin_mode, :expected_count
def permission_table_for_guest_feature_access_and_non_private_project_only def permission_table_for_guest_feature_access_and_non_private_project_only
:public | :enabled | :admin | 1 :public | :enabled | :admin | true | 1
:public | :enabled | :reporter | 1 :public | :enabled | :admin | false | 1
:public | :enabled | :guest | 1 :public | :enabled | :reporter | nil | 1
:public | :enabled | :non_member | 1 :public | :enabled | :guest | nil | 1
:public | :enabled | :anonymous | 1 :public | :enabled | :non_member | nil | 1
:public | :enabled | :anonymous | nil | 1
:public | :private | :admin | 1
:public | :private | :reporter | 1 :public | :private | :admin | true | 1
:public | :private | :guest | 1 :public | :private | :admin | false | 0
:public | :private | :non_member | 0 :public | :private | :reporter | nil | 1
:public | :private | :anonymous | 0 :public | :private | :guest | nil | 1
:public | :private | :non_member | nil | 0
:public | :disabled | :reporter | 0 :public | :private | :anonymous | nil | 0
:public | :disabled | :guest | 0
:public | :disabled | :non_member | 0 :public | :disabled | :reporter | nil | 0
:public | :disabled | :anonymous | 0 :public | :disabled | :guest | nil | 0
:public | :disabled | :non_member | nil | 0
:internal | :enabled | :admin | 1 :public | :disabled | :anonymous | nil | 0
:internal | :enabled | :reporter | 1
:internal | :enabled | :guest | 1 :internal | :enabled | :admin | true | 1
:internal | :enabled | :non_member | 1 :internal | :enabled | :admin | false | 1
:internal | :enabled | :anonymous | 0 :internal | :enabled | :reporter | nil | 1
:internal | :enabled | :guest | nil | 1
:internal | :private | :admin | 1 :internal | :enabled | :non_member | nil | 1
:internal | :private | :reporter | 1 :internal | :enabled | :anonymous | nil | 0
:internal | :private | :guest | 1
:internal | :private | :non_member | 0 :internal | :private | :admin | true | 1
:internal | :private | :anonymous | 0 :internal | :private | :admin | false | 0
:internal | :private | :reporter | nil | 1
:internal | :disabled | :reporter | 0 :internal | :private | :guest | nil | 1
:internal | :disabled | :guest | 0 :internal | :private | :non_member | nil | 0
:internal | :disabled | :non_member | 0 :internal | :private | :anonymous | nil | 0
:internal | :disabled | :anonymous | 0
:internal | :disabled | :reporter | nil | 0
:private | :private | :admin | 1 :internal | :disabled | :guest | nil | 0
:private | :private | :reporter | 1 :internal | :disabled | :non_member | nil | 0
:private | :private | :guest | 0 :internal | :disabled | :anonymous | nil | 0
:private | :private | :non_member | 0
:private | :private | :anonymous | 0 :private | :private | :admin | true | 1
:private | :private | :admin | false | 0
:private | :disabled | :reporter | 0 :private | :private | :reporter | nil | 1
:private | :disabled | :guest | 0 :private | :private | :guest | nil | 0
:private | :disabled | :non_member | 0 :private | :private | :non_member | nil | 0
:private | :disabled | :anonymous | 0 :private | :private | :anonymous | nil | 0
:private | :disabled | :reporter | nil | 0
:private | :disabled | :guest | nil | 0
:private | :disabled | :non_member | nil | 0
:private | :disabled | :anonymous | nil | 0
end end
# :project_level, :issues_access_level, :merge_requests_access_level, :membership, :expected_count # :project_level, :issues_access_level, :merge_requests_access_level, :membership, :admin_mode, :expected_count
def permission_table_for_milestone_access def permission_table_for_milestone_access
:public | :enabled | :enabled | :admin | 1 :public | :enabled | :enabled | :admin | true | 1
:public | :enabled | :enabled | :reporter | 1 :public | :enabled | :enabled | :admin | false | 1
:public | :enabled | :enabled | :guest | 1 :public | :enabled | :enabled | :reporter | nil | 1
:public | :enabled | :enabled | :non_member | 1 :public | :enabled | :enabled | :guest | nil | 1
:public | :enabled | :enabled | :anonymous | 1 :public | :enabled | :enabled | :non_member | nil | 1
:public | :enabled | :enabled | :anonymous | nil | 1
:public | :enabled | :private | :admin | 1
:public | :enabled | :private | :reporter | 1 :public | :enabled | :private | :admin | true | 1
:public | :enabled | :private | :guest | 1 :public | :enabled | :private | :admin | false | 1
:public | :enabled | :private | :non_member | 1 :public | :enabled | :private | :reporter | nil | 1
:public | :enabled | :private | :anonymous | 1 :public | :enabled | :private | :guest | nil | 1
:public | :enabled | :private | :non_member | nil | 1
:public | :enabled | :disabled | :admin | 1 :public | :enabled | :private | :anonymous | nil | 1
:public | :enabled | :disabled | :reporter | 1
:public | :enabled | :disabled | :guest | 1 :public | :enabled | :disabled | :admin | true | 1
:public | :enabled | :disabled | :non_member | 1 :public | :enabled | :disabled | :admin | false | 1
:public | :enabled | :disabled | :anonymous | 1 :public | :enabled | :disabled | :reporter | nil | 1
:public | :enabled | :disabled | :guest | nil | 1
:public | :private | :enabled | :admin | 1 :public | :enabled | :disabled | :non_member | nil | 1
:public | :private | :enabled | :reporter | 1 :public | :enabled | :disabled | :anonymous | nil | 1
:public | :private | :enabled | :guest | 1
:public | :private | :enabled | :non_member | 1 :public | :private | :enabled | :admin | true | 1
:public | :private | :enabled | :anonymous | 1 :public | :private | :enabled | :admin | false | 1
:public | :private | :enabled | :reporter | nil | 1
:public | :private | :private | :admin | 1 :public | :private | :enabled | :guest | nil | 1
:public | :private | :private | :reporter | 1 :public | :private | :enabled | :non_member | nil | 1
:public | :private | :private | :guest | 1 :public | :private | :enabled | :anonymous | nil | 1
:public | :private | :private | :non_member | 0
:public | :private | :private | :anonymous | 0 :public | :private | :private | :admin | true | 1
:public | :private | :private | :admin | false | 0
:public | :private | :disabled | :admin | 1 :public | :private | :private | :reporter | nil | 1
:public | :private | :disabled | :reporter | 1 :public | :private | :private | :guest | nil | 1
:public | :private | :disabled | :guest | 1 :public | :private | :private | :non_member | nil | 0
:public | :private | :disabled | :non_member | 0 :public | :private | :private | :anonymous | nil | 0
:public | :private | :disabled | :anonymous | 0
:public | :private | :disabled | :admin | true | 1
:public | :disabled | :enabled | :admin | 1 :public | :private | :disabled | :admin | false | 0
:public | :disabled | :enabled | :reporter | 1 :public | :private | :disabled | :reporter | nil | 1
:public | :disabled | :enabled | :guest | 1 :public | :private | :disabled | :guest | nil | 1
:public | :disabled | :enabled | :non_member | 1 :public | :private | :disabled | :non_member | nil | 0
:public | :disabled | :enabled | :anonymous | 1 :public | :private | :disabled | :anonymous | nil | 0
:public | :disabled | :private | :admin | 1 :public | :disabled | :enabled | :admin | true | 1
:public | :disabled | :private | :reporter | 1 :public | :disabled | :enabled | :admin | false | 1
:public | :disabled | :private | :guest | 0 :public | :disabled | :enabled | :reporter | nil | 1
:public | :disabled | :private | :non_member | 0 :public | :disabled | :enabled | :guest | nil | 1
:public | :disabled | :private | :anonymous | 0 :public | :disabled | :enabled | :non_member | nil | 1
:public | :disabled | :enabled | :anonymous | nil | 1
:public | :disabled | :disabled | :reporter | 0
:public | :disabled | :disabled | :guest | 0 :public | :disabled | :private | :admin | true | 1
:public | :disabled | :disabled | :non_member | 0 :public | :disabled | :private | :admin | false | 0
:public | :disabled | :disabled | :anonymous | 0 :public | :disabled | :private | :reporter | nil | 1
:public | :disabled | :private | :guest | nil | 0
:internal | :enabled | :enabled | :admin | 1 :public | :disabled | :private | :non_member | nil | 0
:internal | :enabled | :enabled | :reporter | 1 :public | :disabled | :private | :anonymous | nil | 0
:internal | :enabled | :enabled | :guest | 1
:internal | :enabled | :enabled | :non_member | 1 :public | :disabled | :disabled | :reporter | nil | 0
:internal | :enabled | :enabled | :anonymous | 0 :public | :disabled | :disabled | :guest | nil | 0
:public | :disabled | :disabled | :non_member | nil | 0
:internal | :enabled | :private | :admin | 1 :public | :disabled | :disabled | :anonymous | nil | 0
:internal | :enabled | :private | :reporter | 1
:internal | :enabled | :private | :guest | 1 :internal | :enabled | :enabled | :admin | true | 1
:internal | :enabled | :private | :non_member | 1 :internal | :enabled | :enabled | :admin | false | 1
:internal | :enabled | :private | :anonymous | 0 :internal | :enabled | :enabled | :reporter | nil | 1
:internal | :enabled | :enabled | :guest | nil | 1
:internal | :enabled | :disabled | :admin | 1 :internal | :enabled | :enabled | :non_member | nil | 1
:internal | :enabled | :disabled | :reporter | 1 :internal | :enabled | :enabled | :anonymous | nil | 0
:internal | :enabled | :disabled | :guest | 1
:internal | :enabled | :disabled | :non_member | 1 :internal | :enabled | :private | :admin | true | 1
:internal | :enabled | :disabled | :anonymous | 0 :internal | :enabled | :private | :admin | false | 1
:internal | :enabled | :private | :reporter | nil | 1
:internal | :private | :enabled | :admin | 1 :internal | :enabled | :private | :guest | nil | 1
:internal | :private | :enabled | :reporter | 1 :internal | :enabled | :private | :non_member | nil | 1
:internal | :private | :enabled | :guest | 1 :internal | :enabled | :private | :anonymous | nil | 0
:internal | :private | :enabled | :non_member | 1
:internal | :private | :enabled | :anonymous | 0 :internal | :enabled | :disabled | :admin | true | 1
:internal | :enabled | :disabled | :admin | false | 1
:internal | :private | :private | :admin | 1 :internal | :enabled | :disabled | :reporter | nil | 1
:internal | :private | :private | :reporter | 1 :internal | :enabled | :disabled | :guest | nil | 1
:internal | :private | :private | :guest | 1 :internal | :enabled | :disabled | :non_member | nil | 1
:internal | :private | :private | :non_member | 0 :internal | :enabled | :disabled | :anonymous | nil | 0
:internal | :private | :private | :anonymous | 0
:internal | :private | :enabled | :admin | true | 1
:internal | :private | :disabled | :admin | 1 :internal | :private | :enabled | :admin | false | 1
:internal | :private | :disabled | :reporter | 1 :internal | :private | :enabled | :reporter | nil | 1
:internal | :private | :disabled | :guest | 1 :internal | :private | :enabled | :guest | nil | 1
:internal | :private | :disabled | :non_member | 0 :internal | :private | :enabled | :non_member | nil | 1
:internal | :private | :disabled | :anonymous | 0 :internal | :private | :enabled | :anonymous | nil | 0
:internal | :disabled | :enabled | :admin | 1 :internal | :private | :private | :admin | true | 1
:internal | :disabled | :enabled | :reporter | 1 :internal | :private | :private | :admin | false | 0
:internal | :disabled | :enabled | :guest | 1 :internal | :private | :private | :reporter | nil | 1
:internal | :disabled | :enabled | :non_member | 1 :internal | :private | :private | :guest | nil | 1
:internal | :disabled | :enabled | :anonymous | 0 :internal | :private | :private | :non_member | nil | 0
:internal | :private | :private | :anonymous | nil | 0
:internal | :disabled | :private | :admin | 1
:internal | :disabled | :private | :reporter | 1 :internal | :private | :disabled | :admin | true | 1
:internal | :disabled | :private | :guest | 0 :internal | :private | :disabled | :admin | false | 0
:internal | :disabled | :private | :non_member | 0 :internal | :private | :disabled | :reporter | nil | 1
:internal | :disabled | :private | :anonymous | 0 :internal | :private | :disabled | :guest | nil | 1
:internal | :private | :disabled | :non_member | nil | 0
:internal | :disabled | :disabled | :reporter | 0 :internal | :private | :disabled | :anonymous | nil | 0
:internal | :disabled | :disabled | :guest | 0
:internal | :disabled | :disabled | :non_member | 0 :internal | :disabled | :enabled | :admin | true | 1
:internal | :disabled | :disabled | :anonymous | 0 :internal | :disabled | :enabled | :admin | false | 1
:internal | :disabled | :enabled | :reporter | nil | 1
:private | :private | :private | :admin | 1 :internal | :disabled | :enabled | :guest | nil | 1
:private | :private | :private | :reporter | 1 :internal | :disabled | :enabled | :non_member | nil | 1
:private | :private | :private | :guest | 1 :internal | :disabled | :enabled | :anonymous | nil | 0
:private | :private | :private | :non_member | 0
:private | :private | :private | :anonymous | 0 :internal | :disabled | :private | :admin | true | 1
:internal | :disabled | :private | :admin | false | 0
:private | :private | :disabled | :admin | 1 :internal | :disabled | :private | :reporter | nil | 1
:private | :private | :disabled | :reporter | 1 :internal | :disabled | :private | :guest | nil | 0
:private | :private | :disabled | :guest | 1 :internal | :disabled | :private | :non_member | nil | 0
:private | :private | :disabled | :non_member | 0 :internal | :disabled | :private | :anonymous | nil | 0
:private | :private | :disabled | :anonymous | 0
:internal | :disabled | :disabled | :reporter | nil | 0
:private | :disabled | :private | :admin | 1 :internal | :disabled | :disabled | :guest | nil | 0
:private | :disabled | :private | :reporter | 1 :internal | :disabled | :disabled | :non_member | nil | 0
:private | :disabled | :private | :guest | 0 :internal | :disabled | :disabled | :anonymous | nil | 0
:private | :disabled | :private | :non_member | 0
:private | :disabled | :private | :anonymous | 0 :private | :private | :private | :admin | true | 1
:private | :private | :private | :admin | false | 0
:private | :disabled | :disabled | :reporter | 0 :private | :private | :private | :reporter | nil | 1
:private | :disabled | :disabled | :guest | 0 :private | :private | :private | :guest | nil | 1
:private | :disabled | :disabled | :non_member | 0 :private | :private | :private | :non_member | nil | 0
:private | :disabled | :disabled | :anonymous | 0 :private | :private | :private | :anonymous | nil | 0
:private | :private | :disabled | :admin | true | 1
:private | :private | :disabled | :admin | false | 0
:private | :private | :disabled | :reporter | nil | 1
:private | :private | :disabled | :guest | nil | 1
:private | :private | :disabled | :non_member | nil | 0
:private | :private | :disabled | :anonymous | nil | 0
:private | :disabled | :private | :admin | true | 1
:private | :disabled | :private | :admin | false | 0
:private | :disabled | :private | :reporter | nil | 1
:private | :disabled | :private | :guest | nil | 0
:private | :disabled | :private | :non_member | nil | 0
:private | :disabled | :private | :anonymous | nil | 0
:private | :disabled | :disabled | :reporter | nil | 0
:private | :disabled | :disabled | :guest | nil | 0
:private | :disabled | :disabled | :non_member | nil | 0
:private | :disabled | :disabled | :anonymous | nil | 0
end end
# :project_level, :membership, :expected_count # :project_level, :membership, :expected_count
...@@ -321,166 +358,192 @@ RSpec.shared_context 'ProjectPolicyTable context' do ...@@ -321,166 +358,192 @@ RSpec.shared_context 'ProjectPolicyTable context' do
# :snippet_level, :project_level, :feature_access_level, :membership, :expected_count # :snippet_level, :project_level, :feature_access_level, :membership, :expected_count
def permission_table_for_project_snippet_access def permission_table_for_project_snippet_access
:public | :public | :enabled | :admin | 1 :public | :public | :enabled | :admin | true | 1
:public | :public | :enabled | :reporter | 1 :public | :public | :enabled | :admin | false | 1
:public | :public | :enabled | :guest | 1 :public | :public | :enabled | :reporter | nil | 1
:public | :public | :enabled | :non_member | 1 :public | :public | :enabled | :guest | nil | 1
:public | :public | :enabled | :anonymous | 1 :public | :public | :enabled | :non_member | nil | 1
:public | :public | :enabled | :anonymous | nil | 1
:public | :public | :private | :admin | 1
:public | :public | :private | :reporter | 1 :public | :public | :private | :admin | true | 1
:public | :public | :private | :guest | 1 :public | :public | :private | :admin | false | 0
:public | :public | :private | :non_member | 0 :public | :public | :private | :reporter | nil | 1
:public | :public | :private | :anonymous | 0 :public | :public | :private | :guest | nil | 1
:public | :public | :private | :non_member | nil | 0
:public | :public | :disabled | :admin | 1 :public | :public | :private | :anonymous | nil | 0
:public | :public | :disabled | :reporter | 0
:public | :public | :disabled | :guest | 0 :public | :public | :disabled | :admin | true | 1
:public | :public | :disabled | :non_member | 0 :public | :public | :disabled | :admin | false | 0
:public | :public | :disabled | :anonymous | 0 :public | :public | :disabled | :reporter | nil | 0
:public | :public | :disabled | :guest | nil | 0
:public | :internal | :enabled | :admin | 1 :public | :public | :disabled | :non_member | nil | 0
:public | :internal | :enabled | :reporter | 1 :public | :public | :disabled | :anonymous | nil | 0
:public | :internal | :enabled | :guest | 1
:public | :internal | :enabled | :non_member | 1 :public | :internal | :enabled | :admin | true | 1
:public | :internal | :enabled | :anonymous | 0 :public | :internal | :enabled | :admin | false | 1
:public | :internal | :enabled | :reporter | nil | 1
:public | :internal | :private | :admin | 1 :public | :internal | :enabled | :guest | nil | 1
:public | :internal | :private | :reporter | 1 :public | :internal | :enabled | :non_member | nil | 1
:public | :internal | :private | :guest | 1 :public | :internal | :enabled | :anonymous | nil | 0
:public | :internal | :private | :non_member | 0
:public | :internal | :private | :anonymous | 0 :public | :internal | :private | :admin | true | 1
:public | :internal | :private | :admin | false | 0
:public | :internal | :disabled | :admin | 1 :public | :internal | :private | :reporter | nil | 1
:public | :internal | :disabled | :reporter | 0 :public | :internal | :private | :guest | nil | 1
:public | :internal | :disabled | :guest | 0 :public | :internal | :private | :non_member | nil | 0
:public | :internal | :disabled | :non_member | 0 :public | :internal | :private | :anonymous | nil | 0
:public | :internal | :disabled | :anonymous | 0
:public | :internal | :disabled | :admin | true | 1
:public | :private | :private | :admin | 1 :public | :internal | :disabled | :admin | false | 0
:public | :private | :private | :reporter | 1 :public | :internal | :disabled | :reporter | nil | 0
:public | :private | :private | :guest | 1 :public | :internal | :disabled | :guest | nil | 0
:public | :private | :private | :non_member | 0 :public | :internal | :disabled | :non_member | nil | 0
:public | :private | :private | :anonymous | 0 :public | :internal | :disabled | :anonymous | nil | 0
:public | :private | :disabled | :reporter | 0 :public | :private | :private | :admin | true | 1
:public | :private | :disabled | :guest | 0 :public | :private | :private | :admin | false | 0
:public | :private | :disabled | :non_member | 0 :public | :private | :private | :reporter | nil | 1
:public | :private | :disabled | :anonymous | 0 :public | :private | :private | :guest | nil | 1
:public | :private | :private | :non_member | nil | 0
:internal | :public | :enabled | :admin | 1 :public | :private | :private | :anonymous | nil | 0
:internal | :public | :enabled | :reporter | 1
:internal | :public | :enabled | :guest | 1 :public | :private | :disabled | :reporter | nil | 0
:internal | :public | :enabled | :non_member | 1 :public | :private | :disabled | :guest | nil | 0
:internal | :public | :enabled | :anonymous | 0 :public | :private | :disabled | :non_member | nil | 0
:public | :private | :disabled | :anonymous | nil | 0
:internal | :public | :private | :admin | 1
:internal | :public | :private | :reporter | 1 :internal | :public | :enabled | :admin | true | 1
:internal | :public | :private | :guest | 1 :internal | :public | :enabled | :admin | false | 1
:internal | :public | :private | :non_member | 0 :internal | :public | :enabled | :reporter | nil | 1
:internal | :public | :private | :anonymous | 0 :internal | :public | :enabled | :guest | nil | 1
:internal | :public | :enabled | :non_member | nil | 1
:internal | :public | :disabled | :admin | 1 :internal | :public | :enabled | :anonymous | nil | 0
:internal | :public | :disabled | :reporter | 0
:internal | :public | :disabled | :guest | 0 :internal | :public | :private | :admin | true | 1
:internal | :public | :disabled | :non_member | 0 :internal | :public | :private | :admin | false | 0
:internal | :public | :disabled | :anonymous | 0 :internal | :public | :private | :reporter | nil | 1
:internal | :public | :private | :guest | nil | 1
:internal | :internal | :enabled | :admin | 1 :internal | :public | :private | :non_member | nil | 0
:internal | :internal | :enabled | :reporter | 1 :internal | :public | :private | :anonymous | nil | 0
:internal | :internal | :enabled | :guest | 1
:internal | :internal | :enabled | :non_member | 1 :internal | :public | :disabled | :admin | true | 1
:internal | :internal | :enabled | :anonymous | 0 :internal | :public | :disabled | :admin | false | 0
:internal | :public | :disabled | :reporter | nil | 0
:internal | :internal | :private | :admin | 1 :internal | :public | :disabled | :guest | nil | 0
:internal | :internal | :private | :reporter | 1 :internal | :public | :disabled | :non_member | nil | 0
:internal | :internal | :private | :guest | 1 :internal | :public | :disabled | :anonymous | nil | 0
:internal | :internal | :private | :non_member | 0
:internal | :internal | :private | :anonymous | 0 :internal | :internal | :enabled | :admin | true | 1
:internal | :internal | :enabled | :admin | false | 1
:internal | :internal | :disabled | :admin | 1 :internal | :internal | :enabled | :reporter | nil | 1
:internal | :internal | :disabled | :reporter | 0 :internal | :internal | :enabled | :guest | nil | 1
:internal | :internal | :disabled | :guest | 0 :internal | :internal | :enabled | :non_member | nil | 1
:internal | :internal | :disabled | :non_member | 0 :internal | :internal | :enabled | :anonymous | nil | 0
:internal | :internal | :disabled | :anonymous | 0
:internal | :internal | :private | :admin | true | 1
:internal | :private | :private | :admin | 1 :internal | :internal | :private | :admin | false | 0
:internal | :private | :private | :reporter | 1 :internal | :internal | :private | :reporter | nil | 1
:internal | :private | :private | :guest | 1 :internal | :internal | :private | :guest | nil | 1
:internal | :private | :private | :non_member | 0 :internal | :internal | :private | :non_member | nil | 0
:internal | :private | :private | :anonymous | 0 :internal | :internal | :private | :anonymous | nil | 0
:internal | :private | :disabled | :admin | 1 :internal | :internal | :disabled | :admin | true | 1
:internal | :private | :disabled | :reporter | 0 :internal | :internal | :disabled | :admin | false | 0
:internal | :private | :disabled | :guest | 0 :internal | :internal | :disabled | :reporter | nil | 0
:internal | :private | :disabled | :non_member | 0 :internal | :internal | :disabled | :guest | nil | 0
:internal | :private | :disabled | :anonymous | 0 :internal | :internal | :disabled | :non_member | nil | 0
:internal | :internal | :disabled | :anonymous | nil | 0
:private | :public | :enabled | :admin | 1
:private | :public | :enabled | :reporter | 1 :internal | :private | :private | :admin | true | 1
:private | :public | :enabled | :guest | 1 :internal | :private | :private | :admin | false | 0
:private | :public | :enabled | :non_member | 0 :internal | :private | :private | :reporter | nil | 1
:private | :public | :enabled | :anonymous | 0 :internal | :private | :private | :guest | nil | 1
:internal | :private | :private | :non_member | nil | 0
:private | :public | :private | :admin | 1 :internal | :private | :private | :anonymous | nil | 0
:private | :public | :private | :reporter | 1
:private | :public | :private | :guest | 1 :internal | :private | :disabled | :admin | true | 1
:private | :public | :private | :non_member | 0 :internal | :private | :disabled | :admin | false | 0
:private | :public | :private | :anonymous | 0 :internal | :private | :disabled | :reporter | nil | 0
:internal | :private | :disabled | :guest | nil | 0
:private | :public | :disabled | :admin | 1 :internal | :private | :disabled | :non_member | nil | 0
:private | :public | :disabled | :reporter | 0 :internal | :private | :disabled | :anonymous | nil | 0
:private | :public | :disabled | :guest | 0
:private | :public | :disabled | :non_member | 0 :private | :public | :enabled | :admin | true | 1
:private | :public | :disabled | :anonymous | 0 :private | :public | :enabled | :admin | false | 0
:private | :public | :enabled | :reporter | nil | 1
:private | :internal | :enabled | :admin | 1 :private | :public | :enabled | :guest | nil | 1
:private | :internal | :enabled | :reporter | 1 :private | :public | :enabled | :non_member | nil | 0
:private | :internal | :enabled | :guest | 1 :private | :public | :enabled | :anonymous | nil | 0
:private | :internal | :enabled | :non_member | 0
:private | :internal | :enabled | :anonymous | 0 :private | :public | :private | :admin | true | 1
:private | :public | :private | :admin | false | 0
:private | :internal | :private | :admin | 1 :private | :public | :private | :reporter | nil | 1
:private | :internal | :private | :reporter | 1 :private | :public | :private | :guest | nil | 1
:private | :internal | :private | :guest | 1 :private | :public | :private | :non_member | nil | 0
:private | :internal | :private | :non_member | 0 :private | :public | :private | :anonymous | nil | 0
:private | :internal | :private | :anonymous | 0
:private | :public | :disabled | :admin | true | 1
:private | :internal | :disabled | :admin | 1 :private | :public | :disabled | :admin | false | 0
:private | :internal | :disabled | :reporter | 0 :private | :public | :disabled | :reporter | nil | 0
:private | :internal | :disabled | :guest | 0 :private | :public | :disabled | :guest | nil | 0
:private | :internal | :disabled | :non_member | 0 :private | :public | :disabled | :non_member | nil | 0
:private | :internal | :disabled | :anonymous | 0 :private | :public | :disabled | :anonymous | nil | 0
:private | :private | :private | :admin | 1 :private | :internal | :enabled | :admin | true | 1
:private | :private | :private | :reporter | 1 :private | :internal | :enabled | :admin | false | 0
:private | :private | :private | :guest | 1 :private | :internal | :enabled | :reporter | nil | 1
:private | :private | :private | :non_member | 0 :private | :internal | :enabled | :guest | nil | 1
:private | :private | :private | :anonymous | 0 :private | :internal | :enabled | :non_member | nil | 0
:private | :internal | :enabled | :anonymous | nil | 0
:private | :private | :disabled | :admin | 1
:private | :private | :disabled | :reporter | 0 :private | :internal | :private | :admin | true | 1
:private | :private | :disabled | :guest | 0 :private | :internal | :private | :admin | false | 0
:private | :private | :disabled | :non_member | 0 :private | :internal | :private | :reporter | nil | 1
:private | :private | :disabled | :anonymous | 0 :private | :internal | :private | :guest | nil | 1
:private | :internal | :private | :non_member | nil | 0
:private | :internal | :private | :anonymous | nil | 0
:private | :internal | :disabled | :admin | true | 1
:private | :internal | :disabled | :admin | false | 0
:private | :internal | :disabled | :reporter | nil | 0
:private | :internal | :disabled | :guest | nil | 0
:private | :internal | :disabled | :non_member | nil | 0
:private | :internal | :disabled | :anonymous | nil | 0
:private | :private | :private | :admin | true | 1
:private | :private | :private | :admin | false | 0
:private | :private | :private | :reporter | nil | 1
:private | :private | :private | :guest | nil | 1
:private | :private | :private | :non_member | nil | 0
:private | :private | :private | :anonymous | nil | 0
:private | :private | :disabled | :admin | true | 1
:private | :private | :disabled | :admin | false | 0
:private | :private | :disabled | :reporter | nil | 0
:private | :private | :disabled | :guest | nil | 0
:private | :private | :disabled | :non_member | nil | 0
:private | :private | :disabled | :anonymous | nil | 0
end end
# :snippet_level, :membership, :expected_count # :snippet_level, :membership, :expected_count
def permission_table_for_personal_snippet_access def permission_table_for_personal_snippet_access
:public | :admin | 1 :public | :admin | true | 1
:public | :author | 1 :public | :admin | false | 1
:public | :non_member | 1 :public | :author | nil | 1
:public | :anonymous | 1 :public | :non_member | nil | 1
:public | :anonymous | nil | 1
:internal | :admin | 1
:internal | :author | 1 :internal | :admin | true | 1
:internal | :non_member | 1 :internal | :admin | false | 1
:internal | :anonymous | 0 :internal | :author | nil | 1
:internal | :non_member | nil | 1
:private | :admin | 1 :internal | :anonymous | nil | 0
:private | :author | 1
:private | :non_member | 0 :private | :admin | true | 1
:private | :anonymous | 0 :private | :admin | false | 0
:private | :author | nil | 1
:private | :non_member | nil | 0
:private | :anonymous | nil | 0
end end
# rubocop:enable Metrics/AbcSize # rubocop:enable Metrics/AbcSize
end end