Prohibit linking\unlinking for group managed accounts

Users with group managed accounts should not be able to link\unlink to any 3rd party authorization

Prohibit linking\unlinking for group managed accounts
Users with group managed accounts should not be able to link\unlink to any 3rd party authorization
f27f035c · Pavel Shutsin · c5bdb212 · f27f035c · f27f035c · f27f035c
Commit f27f035c authored Mar 14, 2019 by Pavel Shutsin
4 changed files
--- a/ee/app/policies/ee/identity_provider_policy.rb
+++ b/ee/app/policies/ee/identity_provider_policy.rb
+# frozen_string_literal: true
+
+module EE
+  module IdentityProviderPolicy
+    extend ActiveSupport::Concern
+
+    prepended do
+      desc "User account is managed by group SAML"
+      condition(:group_managed_account, scope: :user) { @user.group_managed_account? }
+
+      rule { group_managed_account }.prevent_all
+    end
+  end
+end
--- a/ee/spec/factories/users.rb
+++ b/ee/spec/factories/users.rb
@@ -5,6 +5,10 @@ FactoryBot.modify do
    trait :auditor do
      auditor true
    end
+
+    trait :group_managed do
+      association :managing_group, factory: :group
+    end
  end

  factory :omniauth_user do

--- a/ee/spec/models/ee/user_spec.rb
+++ b/ee/spec/models/ee/user_spec.rb
@@ -402,8 +402,8 @@ describe EE::User do
      end

      it 'does not require password to be present' do
-        expect(user).not_to  validate_presence_of(:password)
-        expect(user).not_to  validate_presence_of(:password_confirmation)
+        expect(user).not_to validate_presence_of(:password)
+        expect(user).not_to validate_presence_of(:password_confirmation)
      end
    end
  end

--- a/ee/spec/policies/identity_provider_policy_spec.rb
+++ b/ee/spec/policies/identity_provider_policy_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+
+describe IdentityProviderPolicy do
+  subject(:policy) { described_class.new(user, :a_provider) }
+
+  describe '#rules' do
+    context 'when user is group managed' do
+      let(:user) { build_stubbed(:user, :group_managed) }
+
+      it { is_expected.not_to be_allowed(:link) }
+      it { is_expected.not_to be_allowed(:unlink) }
+    end
+  end
+end