Commit fa73571b authored by Diego Louzán's avatar Diego Louzán

Migrate models and policies specs to consider admin mode

parent b5511297
......@@ -359,7 +359,7 @@ class Issue < ApplicationRecord
# for performance reasons, check commit: 002ad215818450d2cbbc5fa065850a953dc7ada8
# Make sure to sync this method with issue_policy.rb
def readable_by?(user)
if user.admin?
if user.can_read_all_resources?
true
elsif project.owner == user
true
......
---
title: Migrate models and policies specs to consider admin mode
merge_request: 30430
author: Diego Louzán
type: other
......@@ -3,10 +3,10 @@
require 'spec_helper'
describe Analytics::CycleAnalytics::GroupLevel do
let_it_be(:group) { create(:group)}
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, :repository, namespace: group) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { create(:user) }
let(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
let_it_be(:milestone) { create(:milestone, project: project) }
let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") }
......@@ -18,6 +18,12 @@ describe Analytics::CycleAnalytics::GroupLevel do
subject { described_class.new(group: group, options: { from: from_date, current_user: user }) }
before do
# Cannot set the owner directly when calling `create(:group)`
# See spec/factories/groups.rb#after(:create)
group.add_owner(user)
end
describe '#permissions' do
it 'returns true for all stages' do
expect(subject.permissions.values.uniq).to eq([true])
......
......@@ -152,8 +152,8 @@ describe Note, :elastic do
expect(Note.elastic_search('term', options: options).total_count).to eq(1)
end
[:admin, :auditor].each do |user_type|
it "finds note for #{user_type}", :sidekiq_might_not_need_inline do
shared_examples 'notes finder' do |user_type, no_of_notes|
it "finds #{no_of_notes} notes for #{user_type}", :sidekiq_might_not_need_inline do
superuser = create(user_type)
issue = create(:issue, :confidential, author: create(:user))
......@@ -164,10 +164,18 @@ describe Note, :elastic do
options = { project_ids: [issue.project.id], current_user: superuser }
expect(Note.elastic_search('term', options: options).total_count).to eq(1)
expect(Note.elastic_search('term', options: options).total_count).to eq(no_of_notes)
end
end
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'notes finder', :admin, 1
end
it_behaves_like 'notes finder', :admin, 0
it_behaves_like 'notes finder', :auditor, 1
it "return notes with matching content for project members", :sidekiq_might_not_need_inline do
user = create :user
issue = create :issue, :confidential, author: user
......
......@@ -66,10 +66,23 @@ describe Event do
expect(event).to be_visible_to(member)
expect(event).to be_visible_to(guest)
end
context 'when admin mode enabled', :enable_admin_mode do
it 'is visible to admin', :aggregate_failures do
expect(event).to be_visible_to(admin)
end
end
context 'when admin mode disabled' do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
# See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit 'is not visible to admin', :aggregate_failures do
expect(event).not_to be_visible_to(admin)
end
end
end
shared_examples 'visible to everybody' do
it 'is visible to other users', :aggregate_failures do
expect(users).to all(have_access_to(event))
......
......@@ -240,7 +240,7 @@ describe Issue do
describe 'when a user cannot read cross project' do
it 'only returns issues within the same project' do
expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).and_call_original
expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).at_least(:once).and_call_original
expect(Ability).to receive(:allowed?).with(user, :read_cross_project).and_return(false)
expect(authorized_issue_a.related_issues(user))
......
......@@ -6,13 +6,16 @@ describe ProductivityAnalytics do
describe 'metrics data' do
subject(:analytics) { described_class.new(merge_requests: finder_mrs, sort: custom_sort) }
let(:finder_mrs) { ProductivityAnalyticsFinder.new(create(:admin), finder_options).execute }
let(:project) { create(:project) }
let(:user) { project.owner }
let(:finder_mrs) { ProductivityAnalyticsFinder.new(user, finder_options).execute }
let(:finder_options) { { state: 'merged' } }
let(:custom_sort) { nil }
let(:label_a) { create(:label) }
let(:label_b) { create(:label) }
let(:label_a) { create(:label, project: project) }
let(:label_b) { create(:label, project: project) }
let(:long_mr) do
metrics_data = {
......@@ -25,6 +28,7 @@ describe ProductivityAnalytics do
}
create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago,
metrics_data: metrics_data)
end
......@@ -40,6 +44,7 @@ describe ProductivityAnalytics do
}
create(:labeled_merge_request, :merged, :with_productivity_metrics,
source_project: project,
created_at: 15.days.ago,
metrics_data: metrics_data)
end
......@@ -56,6 +61,7 @@ describe ProductivityAnalytics do
create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago,
metrics_data: metrics_data)
end
......@@ -72,6 +78,7 @@ describe ProductivityAnalytics do
create(:labeled_merge_request, :merged, :with_productivity_metrics,
labels: [label_a, label_b],
source_project: project,
created_at: 31.days.ago,
metrics_data: metrics_data)
end
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
describe BasePolicy, :do_not_mock_admin_mode do
describe BasePolicy do
include ExternalAuthorizationServiceHelpers
let(:auditor) { build(:auditor) }
......
......@@ -74,7 +74,13 @@ describe Ci::BuildPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { expect_allowed(*build_permissions) }
end
context 'when admin mode disabled' do
it { expect_disallowed(*build_permissions) }
end
context 'when build is not from a webide pipeline' do
let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :chat) }
......@@ -87,10 +93,17 @@ describe Ci::BuildPolicy do
allow(build).to receive(:has_terminal?).and_return(false)
end
context 'when admin mode enabled', :enable_admin_mode do
it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) }
it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
end
context 'when admin mode disabled' do
it { expect_disallowed(:read_web_ide_terminal, :update_web_ide_terminal) }
it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
end
end
context 'feature flag "build_service_proxy" is disabled' do
before do
stub_feature_flags(build_service_proxy: false)
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
describe Clusters::InstancePolicy do
describe Clusters::InstancePolicy, :enable_admin_mode do
let(:user) { build(:admin) }
let(:instance) { Clusters::Instance.new }
......
......@@ -10,11 +10,19 @@ describe Geo::RegistryPolicy do
context 'when the user is an admin' do
let(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows read_geo_registry for any registry' do
expect(policy).to be_allowed(:read_geo_registry)
end
end
context 'when admin mode is disabled' do
it 'disallows read_geo_registry for any registry' do
expect(policy).to be_disallowed(:read_geo_registry)
end
end
end
context 'when the user is not an admin' do
let(:current_user) { create(:user) }
......
......@@ -10,11 +10,19 @@ describe GeoNodePolicy do
context 'when the user is an admin' do
let(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows read_geo_node for any GeoNode' do
expect(policy).to be_allowed(:read_geo_node)
end
end
context 'when admin mode is disabled' do
it 'disallows read_geo_node for any GeoNode' do
expect(policy).to be_disallowed(:read_geo_node)
end
end
end
context 'when the user is not an admin' do
let(:current_user) { create(:user) }
......
......@@ -5,6 +5,8 @@ require 'spec_helper'
describe GlobalPolicy do
include ExternalAuthorizationServiceHelpers
let_it_be(:admin) { create(:admin) }
let(:current_user) { create(:user) }
let(:user) { create(:user) }
......@@ -38,9 +40,17 @@ describe GlobalPolicy do
it { is_expected.to be_disallowed(:destroy_licenses) }
it { is_expected.to be_disallowed(:read_all_geo) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_licenses) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:destroy_licenses) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_all_geo) }
context 'when admin mode enabled', :enable_admin_mode do
it { expect(described_class.new(admin, [user])).to be_allowed(:read_licenses) }
it { expect(described_class.new(admin, [user])).to be_allowed(:destroy_licenses) }
it { expect(described_class.new(admin, [user])).to be_allowed(:read_all_geo) }
end
context 'when admin mode disabled' do
it { expect(described_class.new(admin, [user])).to be_disallowed(:read_licenses) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:destroy_licenses) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:read_all_geo) }
end
shared_examples 'analytics policy' do |action|
context 'anonymous user' do
......@@ -69,15 +79,22 @@ describe GlobalPolicy do
end
it { is_expected.to be_disallowed(:update_max_pages_size) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:update_max_pages_size) }
context 'when admin mode enabled', :enable_admin_mode do
it { expect(described_class.new(admin, [user])).to be_allowed(:update_max_pages_size) }
end
context 'when admin mode disabled' do
it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }
end
end
it { expect(described_class.new(create(:admin), [user])).to be_disallowed(:update_max_pages_size) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }
end
describe 'create_group_with_default_branch_protection' do
context 'for an admin' do
let(:current_user) { create(:admin) }
let(:current_user) { admin }
context 'when the `default_branch_protection_restriction_in_groups` feature is available' do
before do
......@@ -97,8 +114,14 @@ describe GlobalPolicy do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_group_with_default_branch_protection) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:create_group_with_default_branch_protection) }
end
end
end
context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do
......
......@@ -418,10 +418,17 @@ describe GroupPolicy do
context 'admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:override_group_member) }
it { is_expected.to be_allowed(:update_group_member) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:override_group_member) }
it { is_expected.to be_disallowed(:update_group_member) }
end
end
context 'owner' do
let(:current_user) { owner }
......@@ -801,8 +808,14 @@ describe GroupPolicy do
stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_default_branch_protection) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:update_default_branch_protection) }
end
end
end
context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do
......
......@@ -27,9 +27,15 @@ describe NamespacePolicy do
context 'admin' do
let(:current_user) { build_stubbed(:admin) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_jira_connect_subscription) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
end
end
context 'owner' do
let(:current_user) { owner }
......
......@@ -4,6 +4,7 @@ require 'spec_helper'
describe ProjectPolicy do
include ExternalAuthorizationServiceHelpers
include AdminModeHelper
let_it_be(:owner) { create(:user) }
let_it_be(:admin) { create(:admin) }
......@@ -62,7 +63,8 @@ describe ProjectPolicy do
it_behaves_like 'project policies as developer'
it_behaves_like 'project policies as maintainer'
it_behaves_like 'project policies as owner'
it_behaves_like 'project policies as admin'
it_behaves_like 'project policies as admin with admin mode'
it_behaves_like 'project policies as admin without admin mode'
context 'auditor' do
let(:current_user) { create(:user, :auditor) }
......@@ -211,9 +213,15 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:admin_mirror) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:admin_mirror) }
end
end
context 'with owner' do
let(:current_user) { owner }
......@@ -235,9 +243,15 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:admin_mirror) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:admin_mirror) }
end
end
context 'with owner' do
let(:current_user) { owner }
......@@ -271,9 +285,15 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:admin_mirror) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:admin_mirror) }
end
end
context 'with owner' do
let(:current_user) { owner }
......@@ -327,11 +347,19 @@ describe ProjectPolicy do
context 'as an admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it 'allows access' do
is_expected.to allow_action(:read_project)
end
end
context 'when admin mode disabled' do
it 'does not allow access' do
is_expected.not_to allow_action(:read_project)
end
end
end
context 'as a group owner' do
before do
group.add_owner(current_user)
......@@ -375,6 +403,7 @@ describe ProjectPolicy do
before do
allow(Gitlab::IpAddressState).to receive(:current).and_return('192.168.0.2')
stub_licensed_features(group_ip_restriction: true)
group.add_developer(current_user)
end
context 'group without restriction' do
......@@ -421,9 +450,15 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(permission) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(permission) }
end
end
context 'with owner' do
let(:current_user) { owner }
......@@ -506,7 +541,7 @@ describe ProjectPolicy do
end
context 'with developer or higher role' do
where(role: %w[admin owner maintainer developer])
where(role: %w[owner maintainer developer])
with_them do
let(:current_user) { public_send(role) }
......@@ -515,6 +550,18 @@ describe ProjectPolicy do
end
end
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_threat_monitoring) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:read_threat_monitoring) }
end
end
context 'with less than developer role' do
where(role: %w[reporter guest])
......@@ -617,12 +664,18 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:remove_project) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:remove_project) }
end
context 'who owns the project' do
let(:project) { create(:project, :public, namespace: admin.namespace) }
it { is_expected.to be_allowed(:remove_project) }
it { is_expected.to be_disallowed(:remove_project) }
end
end
......@@ -673,9 +726,15 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:admin_software_license_policy) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:admin_software_license_policy) }
end
end
context 'with owner' do
let(:current_user) { owner }
......@@ -759,9 +818,15 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_dependencies) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:read_dependencies) }
end
end
context 'with owner' do
let(:current_user) { owner }
......@@ -826,7 +891,7 @@ describe ProjectPolicy do
context 'with private project' do
let(:project) { create(:project, :private, namespace: owner.namespace) }
where(role: %w[admin owner maintainer developer reporter])
where(role: %w[owner maintainer developer reporter])
with_them do
let(:current_user) { public_send(role) }
......@@ -834,6 +899,18 @@ describe ProjectPolicy do
it { is_expected.to be_allowed(:read_licenses) }
end
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_licenses) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:read_licenses) }
end
end
context 'with guest' do
let(:current_user) { guest }
......@@ -883,9 +960,15 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:create_web_ide_terminal) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:create_web_ide_terminal) }
end
end
context 'with owner' do
let(:current_user) { owner }
......@@ -937,14 +1020,15 @@ describe ProjectPolicy do
context 'when feature is available' do
using RSpec::Parameterized::TableSyntax
where(:role, :allowed) do
:anonymous | false
:guest | false
:reporter | false
:developer | true
:maintainer | true
:owner | true
:admin | true
where(:role, :admin_mode, :allowed) do
:anonymous | nil | false
:guest | nil | false
:reporter | nil | false
:developer | nil | true
:maintainer | nil | true
:owner | nil | true
:admin | false | false
:admin | true | true
end
with_them do
......@@ -953,6 +1037,7 @@ describe ProjectPolicy do
before do
stub_feature_flags(feature => true)
stub_licensed_features(feature => true)
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
......@@ -1082,9 +1167,15 @@ describe ProjectPolicy do
context 'admin' do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_group_timelogs) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:read_group_timelogs) }
end
end
context 'with owner' do
let(:current_user) { owner }
......@@ -1137,13 +1228,14 @@ describe ProjectPolicy do
using RSpec::Parameterized::TableSyntax
where(:role, :allowed) do
:guest | false
:reporter | true
:developer | true
:maintainer | true
:owner | true
:admin | true
where(:role, :admin_mode, :allowed) do
:guest | nil | false
:reporter | nil | true
:developer | nil | true
:maintainer | nil | true
:owner | nil | true
:admin | false | false
:admin | true | true
end
with_them do
......@@ -1151,6 +1243,7 @@ describe ProjectPolicy do
before do
stub_licensed_features(code_review_analytics: true)
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(:read_code_review_analytics) : be_disallowed(:read_code_review_analytics)) }
......@@ -1214,16 +1307,18 @@ describe ProjectPolicy do
using RSpec::Parameterized::TableSyntax
context 'with merge request approvers rules available in license' do
where(:role, :setting, :allowed) do
:guest | true | false
:reporter | true | false
:developer | true | false
:maintainer | false | true
:maintainer | true | false
:owner | false | true
:owner | true | false
:admin | false | true
:admin | true | true
where(:role, :setting, :admin_mode, :allowed) do
:guest | true | nil | false
:reporter | true | nil | false
:developer | true | nil | false
:maintainer | false | nil | true
:maintainer | true | nil | false
:owner | false | nil | true
:owner | true | nil | false
:admin | false | false | false
:admin | false | true | true
:admin | true | false | false
:admin | true | true | true
end
with_them do
......@@ -1232,6 +1327,7 @@ describe ProjectPolicy do
before do
stub_licensed_features(admin_merge_request_approvers_rules: true)
stub_application_setting(setting_name => setting)
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
......@@ -1239,16 +1335,18 @@ describe ProjectPolicy do
end
context 'with merge request approvers not available in license' do
where(:role, :setting, :allowed) do
:guest | true | false
:reporter | true | false
:developer | true | false
:maintainer | false | true
:maintainer | true | true
:owner | false | true
:owner | true | true
:admin | true | true
:admin | false | true
where(:role, :setting, :admin_mode, :allowed) do
:guest | true | nil | false
:reporter | true | nil | false
:developer | true | nil | false
:maintainer | false | nil | true
:maintainer | true | nil | true
:owner | false | nil | true
:owner | true | nil | true
:admin | false | false | false
:admin | false | true | true
:admin | true | false | false
:admin | true | true | true
end
with_them do
......@@ -1257,6 +1355,7 @@ describe ProjectPolicy do
before do
stub_licensed_features(admin_merge_request_approvers_rules: false)
stub_application_setting(setting_name => setting)
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
......@@ -1291,17 +1390,20 @@ describe ProjectPolicy do
let(:project) { create(:project, namespace: owner.namespace) }
using RSpec::Parameterized::TableSyntax
context 'with merge request approvers rules available in license' do
where(:role, :setting, :allowed) do
:guest | true | false
:reporter | true | false
:developer | true | false
:maintainer | false | true
:maintainer | true | false
:owner | false | true
:owner | true | false
:admin | false | true
:admin | true | true
where(:role, :setting, :admin_mode, :allowed) do
:guest | true | nil | false
:reporter | true | nil | false
:developer | true | nil | false
:maintainer | false | nil | true
:maintainer | true | nil | false
:owner | false | nil | true
:owner | true | nil | false
:admin | false | false | false
:admin | false | true | true
:admin | true | false | false
:admin | true | true | true
end
with_them do
......@@ -1310,6 +1412,7 @@ describe ProjectPolicy do
before do
stub_licensed_features(admin_merge_request_approvers_rules: true)
stub_application_setting(setting_name => setting)
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
......@@ -1317,16 +1420,18 @@ describe ProjectPolicy do
end
context 'with merge request approvers not available in license' do
where(:role, :setting, :allowed) do
:guest | true | false
:reporter | true | false
:developer | true | false
:maintainer | false | true
:maintainer | true | true
:owner | false | true
:owner | true | true
:admin | true | true
:admin | false | true
where(:role, :setting, :admin_mode, :allowed) do
:guest | true | nil | false
:reporter | true | nil | false
:developer | true | nil | false
:maintainer | false | nil | true
:maintainer | true | nil | true
:owner | false | nil | true
:owner | true | nil | true
:admin | false | false | false
:admin | false | true | true
:admin | true | false | false
:admin | true | true | true
end
with_them do
......@@ -1335,6 +1440,7 @@ describe ProjectPolicy do
before do
stub_licensed_features(admin_merge_request_approvers_rules: false)
stub_application_setting(setting_name => setting)
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
......@@ -1351,19 +1457,21 @@ describe ProjectPolicy do
let(:policy) { :admin_compliance_framework }
where(:role, :feature_enabled, :allowed) do
:guest | false | false
:guest | true | false
:reporter | false | false
:reporter | true | false
:developer | false | false
:developer | true | false
:maintainer | false | false
:maintainer | true | true
:owner | false | false
:owner | true | true
:admin | false | false
:admin | true | true
where(:role, :feature_enabled, :admin_mode, :allowed) do
:guest | false | nil | false
:guest | true | nil | false
:reporter | false | nil | false
:reporter | true | nil | false
:developer | false | nil | false
:developer | true | nil | false
:maintainer | false | nil | false
:maintainer | true | nil | true
:owner | false | nil | false
:owner | true | nil | true
:admin | false | false | false
:admin | false | true | false
:admin | true | false | false
:admin | true | true | true
end
with_them do
......@@ -1371,6 +1479,7 @@ describe ProjectPolicy do
before do
stub_licensed_features(compliance_framework: feature_enabled)
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
......@@ -1382,18 +1491,23 @@ describe ProjectPolicy do
let(:policy) { :read_ci_minutes_quota }
where(:role, :allowed) do
:guest | false
:reporter | false
:developer | true
:maintainer | true
:owner | true
:admin | true
where(:role, :admin_mode, :allowed) do
:guest | nil | false
:reporter | nil | false
:developer | nil | true
:maintainer | nil | true
:owner | nil | true
:admin | false | false
:admin | true | true
end
with_them do
let(:current_user) { public_send(role) }
before do
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end
end
......
......@@ -22,16 +22,28 @@ describe UserPolicy do
context 'when an admin user tries to update a regular user' do
let(:current_user) { create(:user, :admin) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(ability) }
end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(ability) }
end
end
context 'when an admin user tries to update a ghost user' do
let(:current_user) { create(:user, :admin) }
let(:user) { create(:user, :ghost) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.not_to be_allowed(ability) }
end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(ability) }
end
end
end
describe "updating a user's name" do
context 'when `disable_name_update_for_users` feature is available' do
......@@ -65,8 +77,14 @@ describe UserPolicy do
context 'for an admin user' do
let(:current_user) { create(:admin) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_name) }
end
context 'when admin mode disabled' do
it { is_expected.not_to be_allowed(:update_name) }
end
end
end
end
......
......@@ -3,6 +3,8 @@
RSpec.shared_examples 'protected environments access' do |developer_access = true|
using RSpec::Parameterized::TableSyntax
include AdminModeHelper
before do
allow(License).to receive(:feature_available?).and_call_original
allow(License).to receive(:feature_available?).with(:protected_environments).and_return(feature_available)
......@@ -11,19 +13,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
context 'when Protected Environments feature is not available in the project' do
let(:feature_available) { false }
where(:access_level, :result) do
:guest | false
:reporter | false
:developer | developer_access
:maintainer | true
:admin | true
where(:access_level, :admin_mode, :result) do
:guest | nil | false
:reporter | nil | false
:developer | nil | developer_access
:maintainer | nil | true
:admin | false | false
:admin | true | true
end
with_them do
before do
environment
update_user_access(access_level, user, project)
update_user_access(access_level, admin_mode, user, project)
end
it { is_expected.to eq(result) }
......@@ -37,19 +40,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
let(:protected_environment) { create(:protected_environment, name: environment.name, project: project) }
context 'when user does not have access to the environment' do
where(:access_level, :result) do
:guest | false
:reporter | false
:developer | false
:maintainer | false
:admin | true
where(:access_level, :admin_mode, :result) do
:guest | nil | false
:reporter | nil | false
:developer | nil | false
:maintainer | nil | false
:admin | false | false
:admin | true | true
end
with_them do
before do
protected_environment
update_user_access(access_level, user, project)
update_user_access(access_level, admin_mode, user, project)
end
it { is_expected.to eq(result) }
......@@ -57,19 +61,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end
context 'when user has access to the environment' do
where(:access_level, :result) do
:guest | false
:reporter | false
:developer | developer_access
:maintainer | true
:admin | true
where(:access_level, :admin_mode, :result) do
:guest | nil | false
:reporter | nil | false
:developer | nil | developer_access
:maintainer | nil | true
:admin | false | false
:admin | true | true
end
with_them do
before do
protected_environment.deploy_access_levels.create(user: user)
update_user_access(access_level, user, project)
update_user_access(access_level, admin_mode, user, project)
end
it { is_expected.to eq(result) }
......@@ -78,17 +83,18 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end
context 'when environment is not protected' do
where(:access_level, :result) do
:guest | false
:reporter | false
:developer | developer_access
:maintainer | true
:admin | true
where(:access_level, :admin_mode, :result) do
:guest | nil | false
:reporter | nil | false
:developer | nil | developer_access
:maintainer | nil | true
:admin | false | false
:admin | true | true
end
with_them do
before do
update_user_access(access_level, user, project)
update_user_access(access_level, admin_mode, user, project)
end
it { is_expected.to eq(result) }
......@@ -96,9 +102,10 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
end
end
def update_user_access(access_level, user, project)
def update_user_access(access_level, admin_mode, user, project)
if access_level == :admin
user.update_attribute(:admin, true)
enable_admin_mode!(user) if admin_mode
elsif access_level.present?
project.add_user(user, access_level)
end
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
describe Ldap::OmniauthCallbacksController, :do_not_mock_admin_mode do
describe Ldap::OmniauthCallbacksController do
include_context 'Ldap::OmniauthCallbacksController'
it 'allows sign in' do
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
describe OmniauthCallbacksController, type: :controller, do_not_mock_admin_mode: true do
describe OmniauthCallbacksController, type: :controller do
include LoginHelpers
describe 'omniauth' do
......
......@@ -74,13 +74,20 @@ describe Ability do
context 'using a private project' do
let(:project) { create(:project, :private) }
it 'returns users that are administrators' do
it 'returns users that are administrators when admin mode is enabled', :enable_admin_mode do
user = build(:user, admin: true)
expect(described_class.users_that_can_read_project([user], project))
.to eq([user])
end
it 'does not return users that are administrators when admin mode is disabled' do
user = build(:user, admin: true)
expect(described_class.users_that_can_read_project([user], project))
.to eq([])
end
it 'returns external users if they are the project owner' do
user1 = build(:user, external: true)
user2 = build(:user, external: true)
......@@ -145,7 +152,7 @@ describe Ability do
end
describe '.merge_requests_readable_by_user' do
context 'with an admin' do
context 'with an admin when admin mode is enabled', :enable_admin_mode do
it 'returns all merge requests' do
user = build(:user, admin: true)
merge_request = build(:merge_request)
......@@ -155,6 +162,19 @@ describe Ability do
end
end
context 'with an admin when admin mode is disabled' do
it 'returns merge_requests that are publicly visible' do
user = build(:user, admin: true)
hidden_merge_request = build(:merge_request)
visible_merge_request = build(:merge_request, source_project: build(:project, :public))
merge_requests = described_class
.merge_requests_readable_by_user([hidden_merge_request, visible_merge_request], user)
expect(merge_requests).to eq([visible_merge_request])
end
end
context 'without a user' do
it 'returns merge_requests that are publicly visible' do
hidden_merge_request = build(:merge_request)
......@@ -217,7 +237,7 @@ describe Ability do
end
describe '.issues_readable_by_user' do
context 'with an admin user' do
context 'with an admin when admin mode is enabled', :enable_admin_mode do
it 'returns all given issues' do
user = build(:user, admin: true)
issue = build(:issue)
......@@ -227,6 +247,26 @@ describe Ability do
end
end
context 'with an admin when admin mode is disabled' do
it 'returns the issues readable by the admin' do
user = build(:user, admin: true)
issue = build(:issue)
expect(issue).to receive(:readable_by?).with(user).and_return(true)
expect(described_class.issues_readable_by_user([issue], user))
.to eq([issue])
end
it 'returns no issues when not given access' do
user = build(:user, admin: true)
issue = build(:issue)
expect(described_class.issues_readable_by_user([issue], user))
.to be_empty
end
end
context 'with a regular user' do
it 'returns the issues readable by the user' do
user = build(:user)
......
......@@ -7,7 +7,7 @@ describe 'CycleAnalytics#code' do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level }
......
......@@ -7,7 +7,7 @@ describe 'CycleAnalytics#issue' do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level }
......
......@@ -7,7 +7,7 @@ describe 'CycleAnalytics#plan' do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level }
......
......@@ -7,7 +7,7 @@ describe 'CycleAnalytics#production' do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level }
......
......@@ -5,7 +5,7 @@ require 'spec_helper'
describe CycleAnalytics::ProjectLevel do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
let_it_be(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
let_it_be(:milestone) { create(:milestone, project: project) }
let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") }
......
......@@ -7,7 +7,7 @@ describe 'CycleAnalytics#review' do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
subject { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
......
......@@ -7,7 +7,7 @@ describe 'CycleAnalytics#staging' do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
subject { project_level }
......
......@@ -7,7 +7,7 @@ describe 'CycleAnalytics#test' do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:from_date) { 10.days.ago }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
let_it_be(:issue) { create(:issue, project: project) }
let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
let!(:merge_request) { create_merge_request_closing_issue(user, project, issue) }
......
......@@ -287,10 +287,18 @@ describe Event do
context 'private project' do
let(:project) { create(:project, :private, :repository) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member) }
end
end
end
end
context 'issue event' do
......@@ -340,9 +348,17 @@ describe Event do
let(:project) { private_project }
let(:target) { note_on_issue }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end
include_examples 'visible to assignee and author', false
end
......@@ -366,9 +382,17 @@ describe Event do
context 'private project' do
let(:project) { private_project }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member) }
end
end
include_examples 'visible to assignee', false
end
......@@ -384,18 +408,34 @@ describe Event do
context 'on public project with private issue tracker and merge requests' do
let(:project) { create(:project, :public, :issues_private, :merge_requests_private) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end
end
context 'on private project' do
let(:project) { create(:project, :private) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end
end
end
context 'wiki-page event', :aggregate_failures do
......@@ -404,11 +444,19 @@ describe Event do
context 'on private project', :aggregate_failures do
let(:project) { create(:project, :wiki_repo) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
end
end
end
context 'wiki-page event on public project', :aggregate_failures do
let(:project) { create(:project, :public, :wiki_repo) }
......@@ -428,9 +476,18 @@ describe Event do
context 'on public project with private snippets' do
let(:project) { create(:project, :public, :snippets_private) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end
# Normally, we'd expect the author of a comment to be able to view it.
# However, this doesn't seem to be the case for comments on snippets.
......@@ -440,9 +497,18 @@ describe Event do
context 'on private project' do
let(:project) { create(:project, :private) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:guest, :member) }
end
end
# Normally, we'd expect the author of a comment to be able to view it.
# However, this doesn't seem to be the case for comments on snippets.
......@@ -470,9 +536,17 @@ describe Event do
context 'on private snippet' do
let(:personal_snippet) { create(:personal_snippet, :private, author: author) }
context 'when admin mode enabled', :enable_admin_mode do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:admin) }
end
end
context 'when admin mode disabled' do
include_examples 'visibility examples' do
let(:visibility) { visible_to_none }
end
end
include_examples 'visible to author', true
end
......
......@@ -612,10 +612,17 @@ describe Issue do
context 'with an admin user' do
let(:user) { build(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'issue readable by user'
it_behaves_like 'confidential issue readable by user'
end
context 'when admin mode is disabled' do
it_behaves_like 'issue not readable by user'
it_behaves_like 'confidential issue not readable by user'
end
end
context 'with an owner' do
before do
project.add_maintainer(user)
......@@ -732,7 +739,9 @@ describe Issue do
expect(issue.visible_to_user?(user)).to be_falsy
end
it 'does not check the external webservice for admins' do
context 'with an admin' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'does not check the external webservice' do
issue = build(:issue)
user = build(:admin)
......@@ -742,6 +751,20 @@ describe Issue do
end
end
context 'when admin mode is disabled' do
it 'checks the external service to determine if an issue is readable by the admin' do
project = build(:project, :public,
external_authorization_classification_label: 'a-label')
issue = build(:issue, project: project)
user = build(:admin)
expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false }
expect(issue.visible_to_user?(user)).to be_falsy
end
end
end
end
context 'when issue is moved to a private project' do
let(:private_project) { build(:project, :private)}
......
......@@ -241,11 +241,23 @@ describe Member do
expect(member).to be_persisted
end
it 'sets members.created_by to the given current_user' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'sets members.created_by to the given admin current_user' do
member = described_class.add_user(source, user, :maintainer, current_user: admin)
expect(member.created_by).to eq(admin)
end
end
context 'when admin mode is disabled' do
# Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
# https://gitlab.com/gitlab-org/gitlab/-/issues/207950
xit 'rejects setting members.created_by to the given admin current_user' do
member = described_class.add_user(source, user, :maintainer, current_user: admin)
expect(member.created_by).not_to be_persisted
end
end
it 'sets members.expires_at to the given expires_at' do
member = described_class.add_user(source, user, :maintainer, expires_at: Date.new(2016, 9, 22))
......@@ -353,7 +365,7 @@ describe Member do
end
end
context 'when current_user can update member' do
context 'when current_user can update member', :enable_admin_mode do
it 'creates the member' do
expect(source.users).not_to include(user)
......@@ -421,7 +433,7 @@ describe Member do
end
end
context 'when current_user can update member' do
context 'when current_user can update member', :enable_admin_mode do
it 'updates the member' do
expect(source.users).to include(user)
......
......@@ -31,27 +31,30 @@ describe ProjectFeature do
context 'when features are disabled' do
it "returns false" do
update_all_project_features(project, features, ProjectFeature::DISABLED)
features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::DISABLED)
expect(project.feature_available?(:issues, user)).to eq(false)
expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
end
end
end
context 'when features are enabled only for team members' do
it "returns false when user is not a team member" do
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
expect(project.feature_available?(:issues, user)).to eq(false)
expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
end
end
it "returns true when user is a team member" do
project.add_developer(user)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
expect(project.feature_available?(:issues, user)).to eq(true)
expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
end
end
......@@ -60,29 +63,43 @@ describe ProjectFeature do
project = create(:project, namespace: group)
group.add_developer(user)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
expect(project.feature_available?(:issues, user)).to eq(true)
expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
end
end
context 'when admin mode is enabled', :enable_admin_mode do
it "returns true if user is an admin" do
user.update_attribute(:admin, true)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
expect(project.feature_available?(:issues, user)).to eq(true)
expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
end
end
end
context 'when admin mode is disabled' do
it "returns false when user is an admin" do
user.update_attribute(:admin, true)
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature|
expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
end
end
end
end
context 'when feature is enabled for everyone' do
it "returns true" do
features.each do |feature|
expect(project.feature_available?(:issues, user)).to eq(true)
end
end
end
context 'when feature is disabled by a feature flag' do
it 'returns false' do
......@@ -117,7 +134,7 @@ describe ProjectFeature do
features.each do |feature|
field = "#{feature}_access_level".to_sym
project_feature.update_attribute(field, ProjectFeature::ENABLED)
expect(project_feature.valid?).to be_falsy
expect(project_feature.valid?).to be_falsy, "#{field} failed"
end
end
end
......@@ -131,7 +148,7 @@ describe ProjectFeature do
field = "#{feature}_access_level".to_sym
project_feature.update_attribute(field, ProjectFeature::PUBLIC)
expect(project_feature.valid?).to be_falsy
expect(project_feature.valid?).to be_falsy, "#{field} failed"
end
end
end
......@@ -140,22 +157,24 @@ describe ProjectFeature do
let(:features) { %w(wiki builds merge_requests) }
it "returns false when feature is disabled" do
update_all_project_features(project, features, ProjectFeature::DISABLED)
features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::DISABLED)
expect(project.public_send("#{feature}_enabled?")).to eq(false)
expect(project.public_send("#{feature}_enabled?")).to eq(false), "#{feature} failed"
end
end
it "returns true when feature is enabled only for team members" do
update_all_project_features(project, features, ProjectFeature::PRIVATE)
features.each do |feature|
project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
expect(project.public_send("#{feature}_enabled?")).to eq(true)
expect(project.public_send("#{feature}_enabled?")).to eq(true), "#{feature} failed"
end
end
it "returns true when feature is enabled for everyone" do
features.each do |feature|
expect(project.public_send("#{feature}_enabled?")).to eq(true)
expect(project.public_send("#{feature}_enabled?")).to eq(true), "#{feature} failed"
end
end
end
......@@ -198,7 +217,7 @@ describe ProjectFeature do
end
describe '#public_pages?' do
it 'returns true if Pages access controll is not enabled' do
it 'returns true if Pages access control is not enabled' do
stub_config(pages: { access_control: false })
project_feature = described_class.new(pages_access_level: described_class::PRIVATE)
......@@ -281,7 +300,7 @@ describe ProjectFeature do
it 'raises error if feature is invalid' do
expect do
described_class.required_minimum_access_level(:foos)
end.to raise_error
end.to raise_error(ArgumentError)
end
end
......@@ -294,4 +313,9 @@ describe ProjectFeature do
expect(described_class.required_minimum_access_level_for_private_project(:issues)).to eq(Gitlab::Access::GUEST)
end
end
def update_all_project_features(project, features, value)
project_feature_attributes = features.map { |f| ["#{f}_access_level", value] }.to_h
project.project_feature.update(project_feature_attributes)
end
end
......@@ -3777,7 +3777,7 @@ describe Project do
end
end
describe '.filter_by_feature_visibility' do
describe '.filter_by_feature_visibility', :enable_admin_mode do
include_context 'ProjectPolicyTable context'
include ProjectHelpers
using RSpec::Parameterized::TableSyntax
......
......@@ -20,6 +20,7 @@ describe SpamLog do
expect { spam_log.remove_user(deleted_by: admin) }.to change { spam_log.user.blocked? }.to(true)
end
context 'when admin mode is enabled', :enable_admin_mode do
it 'removes the user', :sidekiq_might_not_need_inline do
spam_log = build(:spam_log)
user = spam_log.user
......@@ -32,6 +33,20 @@ describe SpamLog do
end
end
context 'when admin mode is disabled' do
it 'does not allow to remove the user', :sidekiq_might_not_need_inline do
spam_log = build(:spam_log)
user = spam_log.user
perform_enqueued_jobs do
spam_log.remove_user(deleted_by: admin)
end
expect(User.exists?(user.id)).to be(true)
end
end
end
describe '.verify_recaptcha!' do
let_it_be(:spam_log) { create(:spam_log, user: admin, recaptcha_verified: false) }
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
describe User, :do_not_mock_admin_mode do
describe User do
include ProjectForksHelper
include TermsHelper
include ExclusiveLeaseHelpers
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
describe BasePolicy, :do_not_mock_admin_mode do
describe BasePolicy do
include ExternalAuthorizationServiceHelpers
include AdminModeHelper
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
describe BlobPolicy do
describe BlobPolicy, :enable_admin_mode do
include_context 'ProjectPolicyTable context'
include ProjectHelpers
using RSpec::Parameterized::TableSyntax
......
......@@ -80,9 +80,16 @@ describe Clusters::ClusterPolicy, :models do
context 'when admin' do
let(:user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :update_cluster }
it { expect(policy).to be_allowed :admin_cluster }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
end
end
end
end
......@@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do
context 'when admin' do
let(:user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :read_cluster }
it { expect(policy).to be_allowed :add_cluster }
it { expect(policy).to be_allowed :create_cluster }
it { expect(policy).to be_allowed :update_cluster }
it { expect(policy).to be_allowed :admin_cluster }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :read_cluster }
it { expect(policy).to be_disallowed :add_cluster }
it { expect(policy).to be_disallowed :create_cluster }
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
end
end
end
......@@ -42,17 +42,29 @@ describe DeployKeyPolicy do
context 'when an admin user' do
let(:current_user) { create(:user, :admin) }
context ' tries to update private deploy key' do
context 'tries to update private deploy key' do
let(:deploy_key) { create(:deploy_key, public: false) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_deploy_key) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:update_deploy_key) }
end
end
context 'when an admin user tries to update public deploy key' do
let(:deploy_key) { create(:another_deploy_key, public: true) }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:update_deploy_key) }
end
context 'when admin mode disabled' do
it { is_expected.to be_disallowed(:update_deploy_key) }
end
end
end
end
end
......@@ -71,9 +71,16 @@ describe DesignManagement::DesignPolicy do
context "for admins" do
let(:current_user) { admin }
context 'when admin mode enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*design_abilities) }
end
context 'when admin mode disabled' do
it { is_expected.to be_allowed(*guest_design_abilities) }
it { is_expected.to be_disallowed(*developer_design_abilities) }
end
end
context "for maintainers" do
let(:current_user) { maintainer }
......
......@@ -37,9 +37,15 @@ describe EnvironmentPolicy do
context 'when an admin user' do
let(:user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end
context 'with protected branch' do
with_them do
before do
......@@ -54,8 +60,14 @@ describe EnvironmentPolicy do
context 'when an admin user' do
let(:user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end
end
end
......@@ -83,8 +95,14 @@ describe EnvironmentPolicy do
context 'when an admin user' do
let(:user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :stop_environment }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :stop_environment }
end
end
end
describe '#destroy_environment' do
......@@ -126,8 +144,14 @@ describe EnvironmentPolicy do
environment.stop!
end
context 'when admin mode is enabled', :enable_admin_mode do
it { expect(policy).to be_allowed :destroy_environment }
end
context 'when admin mode is disabled' do
it { expect(policy).to be_disallowed :destroy_environment }
end
end
end
end
end
......
......@@ -118,9 +118,16 @@ describe GlobalPolicy do
context 'admin' do
let(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_custom_attribute) }
it { is_expected.to be_allowed(:update_custom_attribute) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_custom_attribute) }
it { is_expected.to be_disallowed(:update_custom_attribute) }
end
end
end
shared_examples 'access allowed when terms accepted' do |ability|
......@@ -368,8 +375,14 @@ describe GlobalPolicy do
stub_application_setting(instance_statistics_visibility_private: true)
end
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_instance_statistics) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_instance_statistics) }
end
end
end
context 'anonymous' do
......
......@@ -644,9 +644,15 @@ describe GroupPolicy do
context 'admin' do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect_allowed(:update_max_artifacts_size) }
end
context 'when admin mode is enabled' do
it { expect_disallowed(:update_max_artifacts_size) }
end
end
%w(guest reporter developer maintainer owner).each do |role|
context role do
let(:current_user) { send(role) }
......
......@@ -206,14 +206,28 @@ describe IssuePolicy do
it 'allows guests to comment' do
expect(permissions(guest, issue)).to be_allowed(:create_note)
end
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows admins to view' do
expect(permissions(admin, issue)).to be_allowed(:read_issue)
end
it 'allows admins to comment' do
expect(permissions(admin, issue)).to be_allowed(:create_note)
end
end
context 'when admin mode is disabled' do
it 'forbids admins to view' do
expect(permissions(admin, issue)).to be_disallowed(:read_issue)
end
it 'forbids admins to comment' do
expect(permissions(admin, issue)).to be_disallowed(:create_note)
end
end
end
context 'with confidential issues' do
let(:confidential_issue) { create(:issue, :confidential, project: project, assignees: [assignee], author: author) }
let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) }
......
......@@ -40,6 +40,12 @@ describe NamespacePolicy do
context 'admin' do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(*owner_permissions) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(*owner_permissions) }
end
end
end
......@@ -295,9 +295,17 @@ describe NotePolicy do
expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows admins to read all notes and admin them' do
expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end
end
context 'when admin mode is disabled' do
it 'does not allow non members to read confidential notes and replies' do
expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
end
end
it 'allows noteable author to read and resolve all notes' do
expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
......
......@@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do
described_class.new(user, snippet)
end
shared_examples 'admin access' do
context 'admin user' do
shared_examples 'admin access with admin mode' do
context 'admin user', :enable_admin_mode do
subject { permissions(admin_user) }
it do
......@@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do
end
end
it_behaves_like 'admin access'
it_behaves_like 'admin access with admin mode'
end
context 'internal snippet' do
......@@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do
end
end
it_behaves_like 'admin access'
it_behaves_like 'admin access with admin mode'
end
context 'private snippet' do
......@@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do
end
end
it_behaves_like 'admin access'
it_behaves_like 'admin access with admin mode'
end
end
......@@ -275,7 +275,8 @@ describe ProjectPolicy do
it_behaves_like 'project policies as developer'
it_behaves_like 'project policies as maintainer'
it_behaves_like 'project policies as owner'
it_behaves_like 'project policies as admin'
it_behaves_like 'project policies as admin with admin mode'
it_behaves_like 'project policies as admin without admin mode'
context 'when a public project has merge requests allowing access' do
include ProjectForksHelper
......@@ -306,7 +307,7 @@ describe ProjectPolicy do
expect_allowed(*maintainer_abilities)
end
it 'dissallows abilities to a maintainer if the merge request was closed' do
it 'disallows abilities to a maintainer if the merge request was closed' do
target_project.add_developer(user)
merge_request.close!
......@@ -350,11 +351,25 @@ describe ProjectPolicy do
expect(described_class.new(developer, project)).to be_allowed(:read_project)
end
it 'does not check the external service for admins and allows access' do
context 'with an admin' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'does not check the external service and allows access' do
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
expect(described_class.new(admin, project)).to be_allowed(:read_project)
end
end
context 'when admin mode is disabled' do
it 'checks the external service and allows access' do
external_service_allow_access(admin, project)
expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?)
expect(described_class.new(admin, project)).to be_allowed(:read_project)
end
end
end
it 'prevents all but seeing a public project in a list when access is denied' do
[developer, owner, build(:user), nil].each do |user|
......@@ -416,9 +431,15 @@ describe ProjectPolicy do
context 'admin' do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { expect_allowed(:update_max_artifacts_size) }
end
context 'when admin mode is disabled' do
it { expect_disallowed(:update_max_artifacts_size) }
end
end
%w(guest reporter developer maintainer owner).each do |role|
context role do
let(:current_user) { send(role) }
......@@ -448,9 +469,15 @@ describe ProjectPolicy do
context 'with admin' do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_prometheus_alerts) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:read_prometheus_alerts) }
end
end
context 'with owner' do
let(:current_user) { owner }
......
......@@ -235,10 +235,19 @@ describe ProjectSnippetPolicy do
let(:snippet_visibility) { :private }
let(:current_user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it do
expect_allowed(:read_snippet, :create_note)
expect_allowed(*author_permissions)
end
end
context 'when admin mode is disabled' do
it do
expect_disallowed(:read_snippet, :create_note)
expect_disallowed(*author_permissions)
end
end
end
end
end
......@@ -26,9 +26,15 @@ describe UserPolicy do
context "when an admin user tries to destroy a regular user" do
let(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(ability) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(ability) }
end
end
context "when an admin user tries to destroy a ghost user" do
let(:current_user) { create(:user, :admin) }
let(:user) { create(:user, :ghost) }
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
describe WikiPagePolicy do
describe WikiPagePolicy, :enable_admin_mode do
include_context 'ProjectPolicyTable context'
include ProjectHelpers
using RSpec::Parameterized::TableSyntax
......
......@@ -229,26 +229,25 @@ RSpec.configure do |config|
./ee/spec/features
./ee/spec/finders
./ee/spec/lib
./ee/spec/models
./ee/spec/policies
./ee/spec/requests/admin
./ee/spec/serializers
./ee/spec/services
./ee/spec/support/protected_tags
./ee/spec/support/shared_examples
./ee/spec/support/shared_examples/features
./ee/spec/support/shared_examples/finders/geo
./ee/spec/support/shared_examples/graphql/geo
./ee/spec/support/shared_examples/services
./spec/features
./spec/finders
./spec/frontend
./spec/helpers
./spec/lib
./spec/models
./spec/policies
./spec/requests
./spec/serializers
./spec/services
./spec/support/cycle_analytics_helpers
./spec/support/protected_tags
./spec/support/shared_examples
./spec/support/shared_examples/features
./spec/support/shared_examples/requests
./spec/views
./spec/workers
)
......
......@@ -29,6 +29,10 @@ module CycleAnalyticsHelpers
scenarios.each do |start_time_conditions, end_time_conditions|
let_it_be(:other_project) { create(:project, :repository) }
before do
other_project.add_developer(self.user)
end
context "start condition: #{start_time_conditions.map(&:first).to_sentence}" do
context "end condition: #{end_time_conditions.map(&:first).to_sentence}" do
it "finds the median of available durations between the two conditions", :sidekiq_might_not_need_inline do
......
......@@ -7,6 +7,9 @@ module AdminModeHelper
# mode for accessing any administrative functionality. This helper lets a user
# be in admin mode without requiring a second authentication step (provided
# the user is an admin)
#
# See also tag :enable_admin_mode in spec/spec_helper.rb for a spec-wide
# alternative
def enable_admin_mode!(user)
fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode)
......
......@@ -50,9 +50,7 @@ module LoginHelpers
def gitlab_enable_admin_mode_sign_in(user)
visit new_admin_session_path
fill_in 'user_password', with: user.password
click_button 'Enter Admin Mode'
end
......
......@@ -27,6 +27,17 @@ RSpec.shared_examples 'instance statistics availability' do
context 'for admins' do
let(:user) { create(:admin) }
context 'when admin mode disabled' do
it 'forbids access when the feature is not available publicly' do
stub_application_setting(instance_statistics_visibility_private: true)
get :index
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when admin mode enabled', :enable_admin_mode do
it 'allows access when the feature is not available publicly' do
stub_application_setting(instance_statistics_visibility_private: true)
......@@ -36,4 +47,5 @@ RSpec.shared_examples 'instance statistics availability' do
end
end
end
end
end
......@@ -212,8 +212,8 @@ RSpec.shared_examples 'project policies as owner' do
end
end
RSpec.shared_examples 'project policies as admin' do
context 'abilities for non-public projects' do
RSpec.shared_examples 'project policies as admin with admin mode' do
context 'abilities for non-public projects', :enable_admin_mode do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) }
......@@ -232,3 +232,13 @@ RSpec.shared_examples 'project policies as admin' do
end
end
end
RSpec.shared_examples 'project policies as admin without admin mode' do
context 'abilities for non-public projects' do
let(:project) { create(:project, namespace: owner.namespace) }
subject { described_class.new(admin, project) }
it { is_expected.to be_banned }
end
end
......@@ -2,6 +2,7 @@
RSpec.shared_examples 'model with wiki policies' do
include ProjectHelpers
include AdminModeHelper
let(:container) { raise NotImplementedError }
let(:user) { raise NotImplementedError }
......@@ -94,6 +95,7 @@ RSpec.shared_examples 'model with wiki policies' do
before do
container.visibility = container_level.to_s
set_access_level(ProjectFeature.access_level_from_str(access_level.to_s))
enable_admin_mode!(user) if user&.admin?
if allowed_permissions.any? && [container_level, access_level, membership] != [:private, :private, :guest]
allowed_permissions << :download_wiki_code
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment