Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
f539b03a
Commit
f539b03a
authored
Mar 09, 2021
by
Diego Louzán
Committed by
Bob Van Landuyt
Mar 09, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Use policies framework for determining admin access to groups
parent
3c0902c7
Changes
33
Show whitespace changes
Inline
Side-by-side
Showing
33 changed files
with
615 additions
and
201 deletions
+615
-201
app/models/group.rb
app/models/group.rb
+1
-1
app/models/user.rb
app/models/user.rb
+4
-0
app/policies/base_policy.rb
app/policies/base_policy.rb
+7
-4
changelogs/unreleased/refactor-use-policies-framework-for-admin.yml
.../unreleased/refactor-use-policies-framework-for-admin.yml
+5
-0
ee/spec/controllers/groups/clusters_controller_spec.rb
ee/spec/controllers/groups/clusters_controller_spec.rb
+12
-2
ee/spec/features/security/group/private_access_spec.rb
ee/spec/features/security/group/private_access_spec.rb
+6
-1
ee/spec/models/ee/event_spec.rb
ee/spec/models/ee/event_spec.rb
+1
-3
ee/spec/models/ee/user_spec.rb
ee/spec/models/ee/user_spec.rb
+8
-0
ee/spec/policies/base_policy_spec.rb
ee/spec/policies/base_policy_spec.rb
+6
-0
ee/spec/policies/group_policy_spec.rb
ee/spec/policies/group_policy_spec.rb
+197
-80
ee/spec/services/epics/transfer_service_spec.rb
ee/spec/services/epics/transfer_service_spec.rb
+6
-1
ee/spec/services/todo_service_spec.rb
ee/spec/services/todo_service_spec.rb
+2
-2
ee/spec/views/groups/compliance_frameworks/edit.html.haml_spec.rb
...views/groups/compliance_frameworks/edit.html.haml_spec.rb
+1
-0
ee/spec/views/groups/compliance_frameworks/new.html.haml_spec.rb
.../views/groups/compliance_frameworks/new.html.haml_spec.rb
+1
-0
lib/declarative_policy/policy_dsl.rb
lib/declarative_policy/policy_dsl.rb
+1
-1
spec/controllers/groups/clusters/applications_controller_spec.rb
...ntrollers/groups/clusters/applications_controller_spec.rb
+2
-1
spec/controllers/groups/clusters_controller_spec.rb
spec/controllers/groups/clusters_controller_spec.rb
+22
-11
spec/controllers/groups_controller_spec.rb
spec/controllers/groups_controller_spec.rb
+22
-6
spec/features/groups_spec.rb
spec/features/groups_spec.rb
+15
-7
spec/features/projects/new_project_spec.rb
spec/features/projects/new_project_spec.rb
+34
-12
spec/features/security/group/internal_access_spec.rb
spec/features/security/group/internal_access_spec.rb
+30
-5
spec/features/security/group/private_access_spec.rb
spec/features/security/group/private_access_spec.rb
+36
-6
spec/features/security/group/public_access_spec.rb
spec/features/security/group/public_access_spec.rb
+30
-5
spec/helpers/namespaces_helper_spec.rb
spec/helpers/namespaces_helper_spec.rb
+26
-10
spec/lib/gitlab/import_export/project/tree_saver_spec.rb
spec/lib/gitlab/import_export/project/tree_saver_spec.rb
+14
-6
spec/models/group_spec.rb
spec/models/group_spec.rb
+10
-2
spec/models/member_spec.rb
spec/models/member_spec.rb
+2
-4
spec/models/user_spec.rb
spec/models/user_spec.rb
+31
-0
spec/policies/base_policy_spec.rb
spec/policies/base_policy_spec.rb
+5
-1
spec/policies/group_policy_spec.rb
spec/policies/group_policy_spec.rb
+29
-9
spec/presenters/projects/import_export/project_export_presenter_spec.rb
...s/projects/import_export/project_export_presenter_spec.rb
+14
-6
spec/services/groups/import_export/import_service_spec.rb
spec/services/groups/import_export/import_service_spec.rb
+21
-7
spec/workers/purge_dependency_proxy_cache_worker_spec.rb
spec/workers/purge_dependency_proxy_cache_worker_spec.rb
+14
-8
No files found.
app/models/group.rb
View file @
f539b03a
...
...
@@ -505,7 +505,7 @@ class Group < Namespace
# @param only_concrete_membership [Bool] whether require admin concrete membership status
def
max_member_access_for_user
(
user
,
only_concrete_membership:
false
)
return
GroupMember
::
NO_ACCESS
unless
user
return
GroupMember
::
OWNER
if
user
.
admin
?
&&
!
only_concrete_membership
return
GroupMember
::
OWNER
if
user
.
can_admin_all_resources
?
&&
!
only_concrete_membership
max_member_access
=
members_with_parents
.
where
(
user_id:
user
)
.
reorder
(
access_level: :desc
)
...
...
app/models/user.rb
View file @
f539b03a
...
...
@@ -1704,6 +1704,10 @@ class User < ApplicationRecord
can?
(
:read_all_resources
)
end
def
can_admin_all_resources?
can?
(
:admin_all_resources
)
end
def
update_two_factor_requirement
periods
=
expanded_groups_requiring_two_factor_authentication
.
pluck
(
:two_factor_grace_period
)
...
...
app/policies/base_policy.rb
View file @
f539b03a
...
...
@@ -55,14 +55,17 @@ class BasePolicy < DeclarativePolicy::Base
prevent
:read_cross_project
end
rule
{
admin
}.
policy
do
# Only for actual administrator accounts, behaviour affected by admin mode application setting
enable
:admin_all_resources
# Policy extended in EE to also enable auditors
rule
{
admin
}.
enable
:read_all_resources
enable
:read_all_resources
enable
:change_repository_storage
end
rule
{
default
}.
enable
:read_cross_project
condition
(
:is_gitlab_com
)
{
::
Gitlab
.
dev_env_or_com?
}
rule
{
admin
}.
enable
:change_repository_storage
end
BasePolicy
.
prepend_if_ee
(
'EE::BasePolicy'
)
changelogs/unreleased/refactor-use-policies-framework-for-admin.yml
0 → 100644
View file @
f539b03a
---
title
:
Use policies for group access rights as admin
merge_request
:
55349
author
:
Diego Louzán
type
:
changed
ee/spec/controllers/groups/clusters_controller_spec.rb
View file @
f539b03a
...
...
@@ -41,7 +41,12 @@ RSpec.describe Groups::ClustersController do
allow
(
controller
).
to
receive
(
:prometheus_adapter
).
and_return
(
prometheus_adapter
)
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
end
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
clusterable
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
clusterable
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
clusterable
)
}
...
...
@@ -78,7 +83,12 @@ RSpec.describe Groups::ClustersController do
end
describe
'security'
do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
expect
{
get_cluster_environments
}.
to
be_denied_for
(
:admin
)
}
end
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
get_cluster_environments
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
get_cluster_environments
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
ee/spec/features/security/group/private_access_spec.rb
View file @
f539b03a
...
...
@@ -20,7 +20,12 @@ RSpec.describe '[EE] Private Group access' do
subject
{
group_insights_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:auditor
)
}
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
...
...
ee/spec/models/ee/event_spec.rb
View file @
f539b03a
...
...
@@ -75,9 +75,7 @@ RSpec.describe Event do
end
context
'when admin mode disabled'
do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
# See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit
'is not visible to admin'
,
:aggregate_failures
do
it
'is not visible to admin'
,
:aggregate_failures
do
expect
(
event
).
not_to
be_visible_to
(
admin
)
end
end
...
...
ee/spec/models/ee/user_spec.rb
View file @
f539b03a
...
...
@@ -265,6 +265,14 @@ RSpec.describe User do
end
end
describe
'#can_admin_all_resources?'
do
it
'returns false for auditor user'
do
user
=
build
(
:user
,
:auditor
)
expect
(
user
.
can_admin_all_resources?
).
to
be_falsy
end
end
describe
'#forget_me!'
do
subject
{
create
(
:user
,
remember_created_at:
Time
.
current
)
}
...
...
ee/spec/policies/base_policy_spec.rb
View file @
f539b03a
...
...
@@ -26,4 +26,10 @@ RSpec.describe BasePolicy do
is_expected
.
to
be_allowed
(
:read_all_resources
)
end
end
describe
'admin all resources'
do
it
'forbids auditors'
do
is_expected
.
to
be_disallowed
(
:admin_all_resources
)
end
end
end
ee/spec/policies/group_policy_spec.rb
View file @
f539b03a
...
...
@@ -3,6 +3,8 @@
require
'spec_helper'
RSpec
.
describe
GroupPolicy
do
include
AdminModeHelper
include_context
'GroupPolicy context'
let
(
:epic_rules
)
do
...
...
@@ -31,9 +33,15 @@ RSpec.describe GroupPolicy do
context
'when user is admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
*
epic_rules
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
*
epic_rules
)
}
end
end
context
'when user is maintainer'
do
let
(
:current_user
)
{
maintainer
}
...
...
@@ -273,7 +281,7 @@ RSpec.describe GroupPolicy do
end
context
'when group repository analytics is not available'
do
let
(
:current_user
)
{
admin
}
let
(
:current_user
)
{
maintainer
}
before
do
stub_licensed_features
(
group_repository_analytics:
false
)
...
...
@@ -290,9 +298,15 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:read_group_timelogs
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:read_group_timelogs
)
}
end
end
context
'with owner'
do
let
(
:current_user
)
{
owner
}
...
...
@@ -337,7 +351,9 @@ RSpec.describe GroupPolicy do
stub_licensed_features
(
group_timelogs:
false
)
end
it
{
is_expected
.
to
be_disallowed
(
:read_group_timelogs
)
}
it
'is disallowed even with admin mode'
,
:enable_admin_mode
do
is_expected
.
to
be_disallowed
(
:read_group_timelogs
)
end
end
describe
'per group SAML'
do
...
...
@@ -396,7 +412,9 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
it
'is disallowed even with admin mode'
,
:enable_admin_mode
do
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
end
end
end
end
...
...
@@ -430,9 +448,16 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:admin_group_saml
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:admin_group_saml
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
end
end
end
context
'with an enabled SAML provider'
do
...
...
@@ -453,9 +478,15 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:admin_saml_group_links
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:admin_saml_group_links
)
}
end
end
context
'when the group is a subgroup'
do
let_it_be
(
:subgroup
)
{
create
(
:group
,
:private
,
parent:
group
)
}
let
(
:current_user
)
{
owner
}
...
...
@@ -503,11 +534,19 @@ RSpec.describe GroupPolicy do
context
'as an admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'allows access without a SAML session'
do
is_expected
.
to
allow_action
(
:read_group
)
end
end
context
'when admin mode is disabled'
do
it
'prevents access without a SAML session'
do
is_expected
.
not_to
allow_action
(
:read_group
)
end
end
end
context
'as an auditor'
do
let
(
:current_user
)
{
create
(
:user
,
:auditor
)
}
...
...
@@ -598,10 +637,18 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_disallowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_settings
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_ldap_group_settings
)
}
end
end
end
context
'when LDAP sync is enabled'
do
...
...
@@ -670,11 +717,19 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_allowed
(
:admin_ldap_group_settings
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:override_group_member
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_ldap_group_links
)
}
it
{
is_expected
.
to
be_disallowed
(
:admin_ldap_group_settings
)
}
end
end
context
'when memberships locked to LDAP'
do
before
do
stub_application_setting
(
allow_group_owners_to_manage_ldap:
true
)
...
...
@@ -756,9 +811,15 @@ RSpec.describe GroupPolicy do
context
'with admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:read_group_credentials_inventory
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:read_group_credentials_inventory
)
}
end
end
context
'with owner'
do
let
(
:current_user
)
{
owner
}
...
...
@@ -860,9 +921,15 @@ RSpec.describe GroupPolicy do
context
'with admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
*
abilities
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
*
abilities
)
}
end
end
context
'with owner'
do
let
(
:current_user
)
{
owner
}
...
...
@@ -1070,10 +1137,22 @@ RSpec.describe GroupPolicy do
end
end
%w[
admin
owner maintainer developer reporter]
.
each
do
|
role
|
%w[owner maintainer developer reporter]
.
each
do
|
role
|
include_examples
'policy by role'
,
role
end
context
'admin'
do
let
(
:current_user
)
{
admin
}
it
'is allowed when admin mode is enabled'
,
:enable_admin_mode
do
is_expected
.
to
be_allowed
(
action
)
end
it
'is not allowed when admin mode is disabled'
do
is_expected
.
to
be_disallowed
(
action
)
end
end
context
'guest'
do
let
(
:current_user
)
{
guest
}
...
...
@@ -1131,9 +1210,15 @@ RSpec.describe GroupPolicy do
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
true
)
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:update_default_branch_protection
)
}
end
end
context
'when the setting `group_owners_can_manage_default_branch_protection` is disabled'
do
before
do
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
false
)
...
...
@@ -1159,16 +1244,28 @@ RSpec.describe GroupPolicy do
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
true
)
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:update_default_branch_protection
)
}
end
end
context
'when the setting `group_owners_can_manage_default_branch_protection` is disabled'
do
before
do
stub_ee_application_setting
(
group_owners_can_manage_default_branch_protection:
false
)
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:update_default_branch_protection
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:update_default_branch_protection
)
}
end
end
end
end
...
...
@@ -1226,18 +1323,23 @@ RSpec.describe GroupPolicy do
let
(
:policy
)
{
:read_ci_minutes_quota
}
where
(
:role
,
:allowed
)
do
:guest
|
false
:reporter
|
false
:developer
|
true
:maintainer
|
true
:owner
|
true
:admin
|
true
where
(
:role
,
:admin_mode
,
:allowed
)
do
:guest
|
nil
|
false
:reporter
|
nil
|
false
:developer
|
nil
|
true
:maintainer
|
nil
|
true
:owner
|
nil
|
true
:admin
|
true
|
true
:admin
|
false
|
false
end
with_them
do
let
(
:current_user
)
{
public_send
(
role
)
}
before
do
enable_admin_mode!
(
current_user
)
if
admin_mode
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
end
end
...
...
@@ -1247,18 +1349,23 @@ RSpec.describe GroupPolicy do
let
(
:policy
)
{
:read_group_audit_events
}
where
(
:role
,
:allowed
)
do
:guest
|
false
:reporter
|
false
:developer
|
true
:maintainer
|
true
:owner
|
true
:admin
|
true
where
(
:role
,
:admin_mode
,
:allowed
)
do
:guest
|
nil
|
false
:reporter
|
nil
|
false
:developer
|
nil
|
true
:maintainer
|
nil
|
true
:owner
|
nil
|
true
:admin
|
true
|
true
:admin
|
false
|
false
end
with_them
do
let
(
:current_user
)
{
public_send
(
role
)
}
before
do
enable_admin_mode!
(
current_user
)
if
admin_mode
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
end
end
...
...
@@ -1397,19 +1504,21 @@ RSpec.describe GroupPolicy do
let
(
:policy
)
{
:admin_merge_request_approval_settings
}
where
(
:role
,
:licensed
,
:allowed
)
do
:guest
|
true
|
false
:guest
|
false
|
false
:reporter
|
true
|
false
:reporter
|
false
|
false
:developer
|
true
|
false
:developer
|
false
|
false
:maintainer
|
true
|
false
:maintainer
|
false
|
false
:owner
|
true
|
true
:owner
|
false
|
false
:admin
|
true
|
true
:admin
|
false
|
false
where
(
:role
,
:licensed
,
:admin_mode
,
:allowed
)
do
:guest
|
true
|
nil
|
false
:guest
|
false
|
nil
|
false
:reporter
|
true
|
nil
|
false
:reporter
|
false
|
nil
|
false
:developer
|
true
|
nil
|
false
:developer
|
false
|
nil
|
false
:maintainer
|
true
|
nil
|
false
:maintainer
|
false
|
nil
|
false
:owner
|
true
|
nil
|
true
:owner
|
false
|
nil
|
false
:admin
|
true
|
true
|
true
:admin
|
false
|
true
|
false
:admin
|
true
|
false
|
false
:admin
|
false
|
false
|
false
end
with_them
do
...
...
@@ -1417,6 +1526,7 @@ RSpec.describe GroupPolicy do
before
do
stub_licensed_features
(
group_merge_request_approval_settings:
licensed
)
enable_admin_mode!
(
current_user
)
if
admin_mode
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
...
...
@@ -1428,19 +1538,21 @@ RSpec.describe GroupPolicy do
let
(
:policy
)
{
:start_trial
}
where
(
:role
,
:eligible_for_trial
,
:allowed
)
do
:guest
|
true
|
false
:guest
|
false
|
false
:reporter
|
true
|
false
:reporter
|
false
|
false
:developer
|
true
|
false
:developer
|
false
|
false
:maintainer
|
true
|
true
:maintainer
|
false
|
false
:owner
|
true
|
true
:owner
|
false
|
false
:admin
|
true
|
true
:admin
|
false
|
false
where
(
:role
,
:eligible_for_trial
,
:admin_mode
,
:allowed
)
do
:guest
|
true
|
nil
|
false
:guest
|
false
|
nil
|
false
:reporter
|
true
|
nil
|
false
:reporter
|
false
|
nil
|
false
:developer
|
true
|
nil
|
false
:developer
|
false
|
nil
|
false
:maintainer
|
true
|
nil
|
true
:maintainer
|
false
|
nil
|
false
:owner
|
true
|
nil
|
true
:owner
|
false
|
nil
|
false
:admin
|
true
|
true
|
true
:admin
|
false
|
true
|
false
:admin
|
true
|
false
|
false
:admin
|
false
|
false
|
false
end
with_them
do
...
...
@@ -1448,6 +1560,7 @@ RSpec.describe GroupPolicy do
before
do
allow
(
group
).
to
receive
(
:eligible_for_trial?
).
and_return
(
eligible_for_trial
)
enable_admin_mode!
(
current_user
)
if
admin_mode
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
...
...
@@ -1459,16 +1572,17 @@ RSpec.describe GroupPolicy do
shared_context
'compliance framework permissions'
do
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:role
,
:licensed
,
:feature_flag
,
:allowed
)
do
:owner
|
true
|
true
|
true
:owner
|
true
|
false
|
false
:owner
|
false
|
true
|
false
:owner
|
false
|
false
|
false
:admin
|
true
|
true
|
true
:maintainer
|
true
|
true
|
false
:developer
|
true
|
true
|
false
:reporter
|
true
|
true
|
false
:guest
|
true
|
true
|
false
where
(
:role
,
:licensed
,
:feature_flag
,
:admin_mode
,
:allowed
)
do
:owner
|
true
|
true
|
nil
|
true
:owner
|
true
|
false
|
nil
|
false
:owner
|
false
|
true
|
nil
|
false
:owner
|
false
|
false
|
nil
|
false
:admin
|
true
|
true
|
true
|
true
:admin
|
true
|
true
|
false
|
false
:maintainer
|
true
|
true
|
nil
|
false
:developer
|
true
|
true
|
nil
|
false
:reporter
|
true
|
true
|
nil
|
false
:guest
|
true
|
true
|
nil
|
false
end
with_them
do
...
...
@@ -1477,6 +1591,7 @@ RSpec.describe GroupPolicy do
before
do
stub_licensed_features
(
licensed_feature
=>
licensed
)
stub_feature_flags
(
ff_custom_compliance_frameworks:
feature_flag
)
enable_admin_mode!
(
current_user
)
if
admin_mode
end
it
{
is_expected
.
to
(
allowed
?
be_allowed
(
policy
)
:
be_disallowed
(
policy
))
}
...
...
@@ -1522,19 +1637,21 @@ RSpec.describe GroupPolicy do
context
'when feature is enabled and license include the feature'
do
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:role
,
:allowed
)
do
:admin
|
true
:owner
|
true
:maintainer
|
true
:developer
|
true
:reporter
|
true
:guest
|
false
:non_group_member
|
false
where
(
:role
,
:admin_mode
,
:allowed
)
do
:admin
|
true
|
true
:admin
|
false
|
false
:owner
|
nil
|
true
:maintainer
|
nil
|
true
:developer
|
nil
|
true
:reporter
|
nil
|
true
:guest
|
nil
|
false
:non_group_member
|
nil
|
false
end
before
do
stub_feature_flags
(
group_devops_adoption:
true
)
stub_licensed_features
(
group_level_devops_adoption:
true
)
enable_admin_mode!
(
current_user
)
if
admin_mode
end
with_them
do
...
...
ee/spec/services/epics/transfer_service_spec.rb
View file @
f539b03a
...
...
@@ -4,9 +4,14 @@ require 'spec_helper'
RSpec
.
describe
Epics
::
TransferService
do
describe
'#execute'
do
let_it_be
(
:user
)
{
create
(
:
admin
)
}
let_it_be
(
:user
)
{
create
(
:
user
)
}
let_it_be
(
:new_group
,
refind:
true
)
{
create
(
:group
)
}
let_it_be
(
:old_group
,
refind:
true
)
{
create
(
:group
)
}
before
do
old_group
.
add_maintainer
(
user
)
if
old_group
end
subject
(
:service
)
{
described_class
.
new
(
user
,
old_group
,
project
)
}
context
'when old_group is present'
do
...
...
ee/spec/services/todo_service_spec.rb
View file @
f539b03a
...
...
@@ -114,7 +114,7 @@ RSpec.describe TodoService do
context
'for mentioned users'
do
let
(
:todo_params
)
{
{
action:
Todo
::
MENTIONED
}
}
let
(
:todos_for
)
{
[
member
,
author
,
guest
,
admin
]
}
let
(
:todos_for
)
{
[
member
,
author
,
guest
]
}
let
(
:todos_not_for
)
{
[
non_member
,
john_doe
,
skipped
]
}
include_examples
'todos creation'
...
...
@@ -126,7 +126,7 @@ RSpec.describe TodoService do
end
let
(
:todo_params
)
{
{
action:
Todo
::
DIRECTLY_ADDRESSED
}
}
let
(
:todos_for
)
{
[
member
,
author
,
guest
,
admin
]
}
let
(
:todos_for
)
{
[
member
,
author
,
guest
]
}
let
(
:todos_not_for
)
{
[
non_member
,
john_doe
,
skipped
]
}
include_examples
'todos creation'
...
...
ee/spec/views/groups/compliance_frameworks/edit.html.haml_spec.rb
View file @
f539b03a
...
...
@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/edit.html.haml' do
assign
(
:group
,
group
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
user
).
to
receive
(
:can_admin_all_resources?
).
and_return
(
false
)
allow
(
user
).
to
receive
(
:can?
).
with
(
:admin_compliance_pipeline_configuration
,
group
).
and_return
(
true
)
allow
(
view
).
to
receive
(
:params
).
and_return
(
id:
1
)
end
...
...
ee/spec/views/groups/compliance_frameworks/new.html.haml_spec.rb
View file @
f539b03a
...
...
@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/new.html.haml' do
assign
(
:group
,
group
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
user
).
to
receive
(
:can_admin_all_resources?
).
and_return
(
false
)
allow
(
user
).
to
receive
(
:can?
).
with
(
:admin_compliance_pipeline_configuration
,
group
).
and_return
(
true
)
end
...
...
lib/declarative_policy/policy_dsl.rb
View file @
f539b03a
...
...
@@ -6,7 +6,7 @@ module DeclarativePolicy
# Policy class (context_class here). See Base.rule
#
# Note that the #policy method just performs an #instance_eval,
# which is useful for multiple #enable or #prevent calls
e
.
# which is useful for multiple #enable or #prevent calls.
#
# Also provides a #method_missing proxy to the context
# class's class methods, so that helper methods can be
...
...
spec/controllers/groups/clusters/applications_controller_spec.rb
View file @
f539b03a
...
...
@@ -10,7 +10,8 @@ RSpec.describe Groups::Clusters::ApplicationsController do
end
shared_examples
'a secure endpoint'
do
it
{
expect
{
subject
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
subject
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
subject
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
subject
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
subject
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
subject
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
spec/controllers/groups/clusters_controller_spec.rb
View file @
f539b03a
...
...
@@ -99,7 +99,8 @@ RSpec.describe Groups::ClustersController do
describe
'security'
do
let
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
cluster_type: :group_type
,
groups:
[
group
])
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -183,7 +184,8 @@ RSpec.describe Groups::ClustersController do
include_examples
'GET new cluster shared examples'
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -316,7 +318,8 @@ RSpec.describe Groups::ClustersController do
allow
(
WaitForClusterCreationWorker
).
to
receive
(
:perform_in
).
and_return
(
nil
)
end
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -418,7 +421,8 @@ RSpec.describe Groups::ClustersController do
end
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -486,7 +490,8 @@ RSpec.describe Groups::ClustersController do
allow
(
WaitForClusterCreationWorker
).
to
receive
(
:perform_in
)
end
it
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
post_create_aws
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
post_create_aws
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
post_create_aws
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -544,7 +549,8 @@ RSpec.describe Groups::ClustersController do
end
end
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -580,7 +586,8 @@ RSpec.describe Groups::ClustersController do
end
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -619,7 +626,8 @@ RSpec.describe Groups::ClustersController do
end
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -651,7 +659,8 @@ RSpec.describe Groups::ClustersController do
end
describe
'security'
do
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -759,7 +768,8 @@ RSpec.describe Groups::ClustersController do
describe
'security'
do
let_it_be
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
cluster_type: :group_type
,
groups:
[
group
])
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -827,7 +837,8 @@ RSpec.describe Groups::ClustersController do
describe
'security'
do
let_it_be
(
:cluster
)
{
create
(
:cluster
,
:provided_by_gcp
,
:production_environment
,
cluster_type: :group_type
,
groups:
[
group
])
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is allowed for admin when admin mode is enabled'
,
:enable_admin_mode
)
{
expect
{
go
}.
to
be_allowed_for
(
:admin
)
}
it
(
'is denied for admin when admin mode is disabled'
)
{
expect
{
go
}.
to
be_denied_for
(
:admin
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
expect
{
go
}.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
spec/controllers/groups_controller_spec.rb
View file @
f539b03a
...
...
@@ -4,17 +4,23 @@ require 'spec_helper'
RSpec
.
describe
GroupsController
,
factory_default: :keep
do
include
ExternalAuthorizationServiceHelpers
include
AdminModeHelper
let_it_be_with_refind
(
:group
)
{
create_default
(
:group
,
:public
)
}
let_it_be_with_refind
(
:project
)
{
create
(
:project
,
namespace:
group
)
}
let_it_be
(
:user
)
{
create
(
:user
)
}
let_it_be
(
:admin
)
{
create
(
:admin
)
}
let_it_be
(
:admin_with_admin_mode
)
{
create
(
:admin
)
}
let_it_be
(
:admin_without_admin_mode
)
{
create
(
:admin
)
}
let_it_be
(
:group_member
)
{
create
(
:group_member
,
group:
group
,
user:
user
)
}
let_it_be
(
:owner
)
{
group
.
add_owner
(
create
(
:user
)).
user
}
let_it_be
(
:maintainer
)
{
group
.
add_maintainer
(
create
(
:user
)).
user
}
let_it_be
(
:developer
)
{
group
.
add_developer
(
create
(
:user
)).
user
}
let_it_be
(
:guest
)
{
group
.
add_guest
(
create
(
:user
)).
user
}
before
do
enable_admin_mode!
(
admin_with_admin_mode
)
end
shared_examples
'member with ability to create subgroups'
do
it
'renders the new page'
do
sign_in
(
member
)
...
...
@@ -105,10 +111,10 @@ RSpec.describe GroupsController, factory_default: :keep do
[
true
,
false
].
each
do
|
can_create_group_status
|
context
"and can_create_group is
#{
can_create_group_status
}
"
do
before
do
User
.
where
(
id:
[
admin
,
owner
,
maintainer
,
developer
,
guest
]).
update_all
(
can_create_group:
can_create_group_status
)
User
.
where
(
id:
[
admin
_with_admin_mode
,
admin_without_admin_mode
,
owner
,
maintainer
,
developer
,
guest
]).
update_all
(
can_create_group:
can_create_group_status
)
end
[
:admin
,
:owner
,
:maintainer
].
each
do
|
member_type
|
[
:admin
_with_admin_mode
,
:owner
,
:maintainer
].
each
do
|
member_type
|
context
"and logged in as
#{
member_type
.
capitalize
}
"
do
it_behaves_like
'member with ability to create subgroups'
do
let
(
:member
)
{
send
(
member_type
)
}
...
...
@@ -116,7 +122,7 @@ RSpec.describe GroupsController, factory_default: :keep do
end
end
[
:guest
,
:developer
].
each
do
|
member_type
|
[
:guest
,
:developer
,
:admin_without_admin_mode
].
each
do
|
member_type
|
context
"and logged in as
#{
member_type
.
capitalize
}
"
do
it_behaves_like
'member without ability to create subgroups'
do
let
(
:member
)
{
send
(
member_type
)
}
...
...
@@ -856,6 +862,12 @@ RSpec.describe GroupsController, factory_default: :keep do
end
describe
'POST #export'
do
let
(
:admin
)
{
create
(
:admin
)
}
before
do
enable_admin_mode!
(
admin
)
end
context
'when the group export feature flag is not enabled'
do
before
do
sign_in
(
admin
)
...
...
@@ -918,6 +930,12 @@ RSpec.describe GroupsController, factory_default: :keep do
end
describe
'GET #download_export'
do
let
(
:admin
)
{
create
(
:admin
)
}
before
do
enable_admin_mode!
(
admin
)
end
context
'when there is a file available to download'
do
let
(
:export_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export.tar.gz'
)
}
...
...
@@ -934,8 +952,6 @@ RSpec.describe GroupsController, factory_default: :keep do
end
context
'when there is no file available to download'
do
let
(
:admin
)
{
create
(
:admin
)
}
before
do
sign_in
(
admin
)
end
...
...
spec/features/groups_spec.rb
View file @
f539b03a
...
...
@@ -143,7 +143,7 @@ RSpec.describe 'Group' do
end
end
describe
'create a nested group'
,
:js
do
describe
'create a nested group'
do
let_it_be
(
:group
)
{
create
(
:group
,
path:
'foo'
)
}
context
'as admin'
do
...
...
@@ -153,6 +153,7 @@ RSpec.describe 'Group' do
visit
new_group_path
(
group
,
parent_id:
group
.
id
)
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'creates a nested group'
do
fill_in
'Group name'
,
with:
'bar'
fill_in
'Group URL'
,
with:
'bar'
...
...
@@ -163,6 +164,13 @@ RSpec.describe 'Group' do
end
end
context
'when admin mode is disabled'
do
it
'is not allowed'
do
expect
(
page
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
context
'as group owner'
do
it
'creates a nested group'
do
user
=
create
(
:user
)
...
...
spec/features/projects/new_project_spec.rb
View file @
f539b03a
...
...
@@ -95,12 +95,14 @@ RSpec.describe 'New project', :js do
end
context
'when group visibility is private but default is internal'
do
let_it_be
(
:group
)
{
create
(
:group
,
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
)
}
before
do
stub_application_setting
(
default_project_visibility:
Gitlab
::
VisibilityLevel
::
INTERNAL
)
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'has private selected'
do
group
=
create
(
:group
,
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
)
visit
new_project_path
(
namespace_id:
group
.
id
)
find
(
'[data-qa-selector="blank_project_link"]'
).
click
...
...
@@ -110,13 +112,24 @@ RSpec.describe 'New project', :js do
end
end
context
'when admin mode is disabled'
do
it
'is not allowed'
do
visit
new_project_path
(
namespace_id:
group
.
id
)
expect
(
page
).
to
have_content
(
'Not Found'
)
end
end
end
context
'when group visibility is public but user requests private'
do
let_it_be
(
:group
)
{
create
(
:group
,
visibility_level:
Gitlab
::
VisibilityLevel
::
PUBLIC
)
}
before
do
stub_application_setting
(
default_project_visibility:
Gitlab
::
VisibilityLevel
::
INTERNAL
)
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'has private selected'
do
group
=
create
(
:group
,
visibility_level:
Gitlab
::
VisibilityLevel
::
PUBLIC
)
visit
new_project_path
(
namespace_id:
group
.
id
,
project:
{
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
})
find
(
'[data-qa-selector="blank_project_link"]'
).
click
...
...
@@ -125,6 +138,15 @@ RSpec.describe 'New project', :js do
end
end
end
context
'when admin mode is disabled'
do
it
'is not allowed'
do
visit
new_project_path
(
namespace_id:
group
.
id
,
project:
{
visibility_level:
Gitlab
::
VisibilityLevel
::
PRIVATE
})
expect
(
page
).
to
have_content
(
'Not Found'
)
end
end
end
end
context
'Readme selector'
do
...
...
spec/features/security/group/internal_access_spec.rb
View file @
f539b03a
...
...
@@ -24,7 +24,12 @@ RSpec.describe 'Internal Group access' do
describe
'GET /groups/:path'
do
subject
{
group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -39,7 +44,12 @@ RSpec.describe 'Internal Group access' do
describe
'GET /groups/:path/-/issues'
do
subject
{
issues_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -56,7 +66,12 @@ RSpec.describe 'Internal Group access' do
subject
{
merge_requests_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -71,7 +86,12 @@ RSpec.describe 'Internal Group access' do
describe
'GET /groups/:path/-/group_members'
do
subject
{
group_group_members_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -86,7 +106,12 @@ RSpec.describe 'Internal Group access' do
describe
'GET /groups/:path/-/edit'
do
subject
{
edit_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
spec/features/security/group/private_access_spec.rb
View file @
f539b03a
...
...
@@ -24,7 +24,12 @@ RSpec.describe 'Private Group access' do
describe
'GET /groups/:path'
do
subject
{
group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -39,7 +44,12 @@ RSpec.describe 'Private Group access' do
describe
'GET /groups/:path/-/issues'
do
subject
{
issues_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -56,7 +66,12 @@ RSpec.describe 'Private Group access' do
subject
{
merge_requests_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -71,7 +86,12 @@ RSpec.describe 'Private Group access' do
describe
'GET /groups/:path/-/group_members'
do
subject
{
group_group_members_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -86,7 +106,12 @@ RSpec.describe 'Private Group access' do
describe
'GET /groups/:path/-/edit'
do
subject
{
edit_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
@@ -107,7 +132,12 @@ RSpec.describe 'Private Group access' do
subject
{
group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
spec/features/security/group/public_access_spec.rb
View file @
f539b03a
...
...
@@ -24,7 +24,12 @@ RSpec.describe 'Public Group access' do
describe
'GET /groups/:path'
do
subject
{
group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -39,7 +44,12 @@ RSpec.describe 'Public Group access' do
describe
'GET /groups/:path/-/issues'
do
subject
{
issues_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -56,7 +66,12 @@ RSpec.describe 'Public Group access' do
subject
{
merge_requests_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -71,7 +86,12 @@ RSpec.describe 'Public Group access' do
describe
'GET /groups/:path/-/group_members'
do
subject
{
group_group_members_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
group
)
}
...
...
@@ -86,7 +106,12 @@ RSpec.describe 'Public Group access' do
describe
'GET /groups/:path/-/edit'
do
subject
{
edit_group_path
(
group
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed_for
(
:admin
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_denied_for
(
:admin
)
}
end
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:maintainer
).
of
(
group
)
}
it
{
is_expected
.
to
be_denied_for
(
:developer
).
of
(
group
)
}
...
...
spec/helpers/namespaces_helper_spec.rb
View file @
f539b03a
...
...
@@ -46,6 +46,7 @@ RSpec.describe NamespacesHelper do
end
describe
'#namespaces_options'
do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'returns groups without being a member for admin'
do
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
admin
)
...
...
@@ -54,6 +55,18 @@ RSpec.describe NamespacesHelper do
expect
(
options
).
to
include
(
admin_group
.
name
)
expect
(
options
).
to
include
(
user_group
.
name
)
end
end
context
'when admin mode is disabled'
do
it
'returns only allowed namespaces for admin'
do
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
admin
)
options
=
helper
.
namespaces_options
(
user_group
.
id
,
display_path:
true
,
extra_group:
user_group
.
id
)
expect
(
options
).
to
include
(
admin_group
.
name
)
expect
(
options
).
not_to
include
(
user_group
.
name
)
end
end
it
'returns only allowed namespaces for user'
do
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
user
)
...
...
@@ -74,14 +87,17 @@ RSpec.describe NamespacesHelper do
expect
(
options
).
to
include
(
admin_group
.
name
)
end
context
'when admin mode is disabled'
do
it
'selects existing group'
do
allow
(
helper
).
to
receive
(
:current_user
).
and_return
(
admin
)
user_group
.
add_owner
(
admin
)
options
=
helper
.
namespaces_options
(
:extra_group
,
display_path:
true
,
extra_group:
user_group
)
expect
(
options
).
to
include
(
"selected=
\"
selected
\"
value=
\"
#{
user_group
.
id
}
\"
"
)
expect
(
options
).
to
include
(
admin_group
.
name
)
end
end
it
'selects the new group by default'
do
# Ensure we don't select a group with the same name
...
...
spec/lib/gitlab/import_export/project/tree_saver_spec.rb
View file @
f539b03a
...
...
@@ -349,6 +349,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
project_tree_saver
.
save
end
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'exports group members as admin'
do
expect
(
member_emails
).
to
include
(
'group@member.com'
)
end
...
...
@@ -359,6 +360,13 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
expect
(
member_types
).
to
all
(
eq
(
'Project'
))
end
end
context
'when admin mode is disabled'
do
it
'does not export group members'
do
expect
(
member_emails
).
not_to
include
(
'group@member.com'
)
end
end
end
end
context
'with description override'
do
...
...
spec/models/group_spec.rb
View file @
f539b03a
...
...
@@ -781,9 +781,17 @@ RSpec.describe Group do
context
'evaluating admin access level'
do
let_it_be
(
:admin
)
{
create
(
:admin
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'returns OWNER by default'
do
expect
(
group
.
max_member_access_for_user
(
admin
)).
to
eq
(
Gitlab
::
Access
::
OWNER
)
end
end
context
'when admin mode is disabled'
do
it
'returns NO_ACCESS'
do
expect
(
group
.
max_member_access_for_user
(
admin
)).
to
eq
(
Gitlab
::
Access
::
NO_ACCESS
)
end
end
it
'returns NO_ACCESS when only concrete membership should be considered'
do
expect
(
group
.
max_member_access_for_user
(
admin
,
only_concrete_membership:
true
))
...
...
spec/models/member_spec.rb
View file @
f539b03a
...
...
@@ -425,12 +425,10 @@ RSpec.describe Member do
end
context
'when admin mode is disabled'
do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
# https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit
'rejects setting members.created_by to the given admin current_user'
do
it
'rejects setting members.created_by to the given admin current_user'
do
member
=
described_class
.
add_user
(
source
,
user
,
:maintainer
,
current_user:
admin
)
expect
(
member
.
created_by
).
not_to
be_persisted
expect
(
member
.
created_by
).
to
be_nil
end
end
...
...
spec/models/user_spec.rb
View file @
f539b03a
...
...
@@ -3961,6 +3961,37 @@ RSpec.describe User do
end
end
describe
'#can_admin_all_resources?'
,
:request_store
do
it
'returns false for regular user'
do
user
=
build_stubbed
(
:user
)
expect
(
user
.
can_admin_all_resources?
).
to
be_falsy
end
context
'for admin user'
do
include_context
'custom session'
let
(
:user
)
{
build_stubbed
(
:user
,
:admin
)
}
context
'when admin mode is disabled'
do
it
'returns false'
do
expect
(
user
.
can_admin_all_resources?
).
to
be_falsy
end
end
context
'when admin mode is enabled'
do
before
do
Gitlab
::
Auth
::
CurrentUserMode
.
new
(
user
).
request_admin_mode!
Gitlab
::
Auth
::
CurrentUserMode
.
new
(
user
).
enable_admin_mode!
(
password:
user
.
password
)
end
it
'returns true'
do
expect
(
user
.
can_admin_all_resources?
).
to
be_truthy
end
end
end
end
describe
'.ghost'
do
it
"creates a ghost user if one isn't already present"
do
ghost
=
described_class
.
ghost
...
...
spec/policies/base_policy_spec.rb
View file @
f539b03a
...
...
@@ -73,10 +73,14 @@ RSpec.describe BasePolicy do
end
end
describe
'full private access'
do
describe
'full private access
: read_all_resources
'
do
it_behaves_like
'admin only access'
,
:read_all_resources
end
describe
'full private access: admin_all_resources'
do
it_behaves_like
'admin only access'
,
:admin_all_resources
end
describe
'change_repository_storage'
do
it_behaves_like
'admin only access'
,
:change_repository_storage
end
...
...
spec/policies/group_policy_spec.rb
View file @
f539b03a
...
...
@@ -192,6 +192,16 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
specify
do
expect_disallowed
(
*
read_group_permissions
)
expect_disallowed
(
*
guest_permissions
)
expect_disallowed
(
*
reporter_permissions
)
expect_disallowed
(
*
developer_permissions
)
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
context
'with admin mode'
,
:enable_admin_mode
do
specify
do
expect_allowed
(
*
read_group_permissions
)
expect_allowed
(
*
guest_permissions
)
...
...
@@ -199,10 +209,8 @@ RSpec.describe GroupPolicy do
expect_allowed
(
*
developer_permissions
)
expect_allowed
(
*
maintainer_permissions
)
expect_allowed
(
*
owner_permissions
)
expect_allowed
(
*
admin_permissions
)
end
context
'with admin mode'
,
:enable_admin_mode
do
specify
{
expect_allowed
(
*
admin_permissions
)
}
end
it_behaves_like
'deploy token does not get confused with user'
do
...
...
@@ -773,9 +781,15 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:create_jira_connect_subscription
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:create_jira_connect_subscription
)
}
end
end
context
'with owner'
do
let
(
:current_user
)
{
owner
}
...
...
@@ -817,9 +831,15 @@ RSpec.describe GroupPolicy do
context
'admin'
do
let
(
:current_user
)
{
admin
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
end
context
'when admin mode is disabled'
do
it
{
is_expected
.
to
be_disallowed
(
:read_package
)
}
end
end
context
'with owner'
do
let
(
:current_user
)
{
owner
}
...
...
spec/presenters/projects/import_export/project_export_presenter_spec.rb
View file @
f539b03a
...
...
@@ -86,6 +86,7 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
context
'as admin'
do
let
(
:user
)
{
create
(
:admin
)
}
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it
'exports group members as admin'
do
expect
(
member_emails
).
to
include
(
'group@member.com'
)
end
...
...
@@ -96,5 +97,12 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
expect
(
member_types
).
to
all
(
eq
(
'Project'
))
end
end
context
'when admin mode is disabled'
do
it
'does not export group members'
do
expect
(
member_emails
).
not_to
include
(
'group@member.com'
)
end
end
end
end
end
spec/services/groups/import_export/import_service_spec.rb
View file @
f539b03a
...
...
@@ -54,7 +54,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end
context
'with group_import_ndjson feature flag disabled'
do
let
(
:user
)
{
create
(
:
admin
)
}
let
(
:user
)
{
create
(
:
user
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:import_logger
)
{
instance_double
(
Gitlab
::
Import
::
Logger
)
}
...
...
@@ -63,6 +63,8 @@ RSpec.describe Groups::ImportExport::ImportService do
before
do
stub_feature_flags
(
group_import_ndjson:
false
)
group
.
add_owner
(
user
)
ImportExportUpload
.
create!
(
group:
group
,
import_file:
import_file
)
allow
(
Gitlab
::
Import
::
Logger
).
to
receive
(
:build
).
and_return
(
import_logger
)
...
...
@@ -95,7 +97,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end
context
'when importing a ndjson export'
do
let
(
:user
)
{
create
(
:
admin
)
}
let
(
:user
)
{
create
(
:
user
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:service
)
{
described_class
.
new
(
group:
group
,
user:
user
)
}
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export.tar.gz'
)
}
...
...
@@ -115,6 +117,10 @@ RSpec.describe Groups::ImportExport::ImportService do
end
context
'when user has correct permissions'
do
before
do
group
.
add_owner
(
user
)
end
it
'imports group structure successfully'
do
expect
(
subject
).
to
be_truthy
end
...
...
@@ -147,8 +153,6 @@ RSpec.describe Groups::ImportExport::ImportService do
end
context
'when user does not have correct permissions'
do
let
(
:user
)
{
create
(
:user
)
}
it
'logs the error and raises an exception'
do
expect
(
import_logger
).
to
receive
(
:error
).
with
(
group_id:
group
.
id
,
...
...
@@ -188,6 +192,10 @@ RSpec.describe Groups::ImportExport::ImportService do
context
'when there are errors with the sub-relations'
do
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/group_export_invalid_subrelations.tar.gz'
)
}
before
do
group
.
add_owner
(
user
)
end
it
'successfully imports the group'
do
expect
(
subject
).
to
be_truthy
end
...
...
@@ -207,7 +215,7 @@ RSpec.describe Groups::ImportExport::ImportService do
end
context
'when importing a json export'
do
let
(
:user
)
{
create
(
:
admin
)
}
let
(
:user
)
{
create
(
:
user
)
}
let
(
:group
)
{
create
(
:group
)
}
let
(
:service
)
{
described_class
.
new
(
group:
group
,
user:
user
)
}
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/legacy_group_export.tar.gz'
)
}
...
...
@@ -227,6 +235,10 @@ RSpec.describe Groups::ImportExport::ImportService do
end
context
'when user has correct permissions'
do
before
do
group
.
add_owner
(
user
)
end
it
'imports group structure successfully'
do
expect
(
subject
).
to
be_truthy
end
...
...
@@ -259,8 +271,6 @@ RSpec.describe Groups::ImportExport::ImportService do
end
context
'when user does not have correct permissions'
do
let
(
:user
)
{
create
(
:user
)
}
it
'logs the error and raises an exception'
do
expect
(
import_logger
).
to
receive
(
:error
).
with
(
group_id:
group
.
id
,
...
...
@@ -300,6 +310,10 @@ RSpec.describe Groups::ImportExport::ImportService do
context
'when there are errors with the sub-relations'
do
let
(
:import_file
)
{
fixture_file_upload
(
'spec/fixtures/legacy_group_export_invalid_subrelations.tar.gz'
)
}
before
do
group
.
add_owner
(
user
)
end
it
'successfully imports the group'
do
expect
(
subject
).
to
be_truthy
end
...
...
spec/workers/purge_dependency_proxy_cache_worker_spec.rb
View file @
f539b03a
...
...
@@ -26,6 +26,7 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
end
context
'an admin user'
do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
include_examples
'an idempotent worker'
do
let
(
:job_args
)
{
[
user
.
id
,
group_id
]
}
...
...
@@ -41,6 +42,11 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
end
end
context
'when admin mode is disabled'
do
it_behaves_like
'returns nil'
end
end
context
'a non-admin user'
do
let
(
:user
)
{
create
(
:user
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment