Commit 0ff8f002 authored by Sean McGivern's avatar Sean McGivern

Merge branch 'zj-guest-reads-public-builds' into 'master'

Guests can read builds if those are public

See merge request !6842
parents 532c0319 10960400
module Ci module Ci
class BuildPolicy < CommitStatusPolicy class BuildPolicy < CommitStatusPolicy
def rules def rules
can! :read_build if @subject.project.public_builds?
super super
# If we can't read build we should also not have that # If we can't read build we should also not have that
......
...@@ -12,9 +12,6 @@ class ProjectPolicy < BasePolicy ...@@ -12,9 +12,6 @@ class ProjectPolicy < BasePolicy
guest_access! guest_access!
public_access! public_access!
# Allow to read builds for internal projects
can! :read_build if project.public_builds?
if project.request_access_enabled && if project.request_access_enabled &&
!(owner || user.admin? || project.team.member?(user) || project_group_member?(user)) !(owner || user.admin? || project.team.member?(user) || project_group_member?(user))
can! :request_access can! :request_access
...@@ -46,6 +43,11 @@ class ProjectPolicy < BasePolicy ...@@ -46,6 +43,11 @@ class ProjectPolicy < BasePolicy
can! :create_note can! :create_note
can! :upload_file can! :upload_file
can! :read_cycle_analytics can! :read_cycle_analytics
if project.public_builds?
can! :read_pipeline
can! :read_build
end
end end
def reporter_access! def reporter_access!
......
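Review bot: The `if project.public_builds?` block added to `guest_access!` gives every guest `:read_pipeline` and `:read_build`, and nothing near it records what that exposes. The specs changed in this commit now pass `public_builds: false` explicitly, which suggests the flag defaults to on; if so, guests of private projects can read build output (which may echo repository content or variables) unless an owner opts out. The removed comment `# Allow to read builds for internal projects` is not replaced, so I would add `# Guests may read builds and pipelines only while public_builds is enabled; build output can reveal repository content.` above the new block. `guest_access!` starts outside this section, and whether non-members of public or internal projects still reach the grant depends on `public_access!`, which is not shown.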
---
title: Guests can read builds when public
merge_request: 6842
author:
...@@ -9,7 +9,7 @@ module SharedProject ...@@ -9,7 +9,7 @@ module SharedProject
step "project exists in some group namespace" do step "project exists in some group namespace" do
@group = create(:group, name: 'some group') @group = create(:group, name: 'some group')
@project = create(:project, namespace: @group) @project = create(:project, namespace: @group, public_builds: false)
end end
# Create a specific project called "Shop" # Create a specific project called "Shop"
......
require 'spec_helper' require 'spec_helper'
describe "Guest navigation menu" do describe "Guest navigation menu" do
let(:project) { create :empty_project, :private } let(:project) { create(:empty_project, :private, public_builds: false) }
let(:guest) { create :user } let(:guest) { create(:user) }
before do before do
project.team << [guest, :guest] project.team << [guest, :guest]
......
...@@ -3,7 +3,7 @@ require 'spec_helper' ...@@ -3,7 +3,7 @@ require 'spec_helper'
describe "Private Project Access", feature: true do describe "Private Project Access", feature: true do
include AccessMatchers include AccessMatchers
let(:project) { create(:project, :private) } let(:project) { create(:project, :private, public_builds: false) }
describe "Project should be private" do describe "Project should be private" do
describe '#private?' do describe '#private?' do
...@@ -260,6 +260,18 @@ describe "Private Project Access", feature: true do ...@@ -260,6 +260,18 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) } it { is_expected.to be_denied_for(:visitor) }
context 'when public builds is enabled' do
before do
project.update(public_builds: true)
end
it { is_expected.to be_allowed_for(:guest).of(project) }
end
context 'when public buils are disabled' do
it { is_expected.to be_denied_for(:guest).of(project) }
end
end end
describe "GET /:project_path/pipelines/:id" do describe "GET /:project_path/pipelines/:id" do
...@@ -275,6 +287,18 @@ describe "Private Project Access", feature: true do ...@@ -275,6 +287,18 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) } it { is_expected.to be_denied_for(:visitor) }
context 'when public builds is enabled' do
before do
project.update(public_builds: true)
end
it { is_expected.to be_allowed_for(:guest).of(project) }
end
context 'when public buils are disabled' do
it { is_expected.to be_denied_for(:guest).of(project) }
end
end end
describe "GET /:project_path/builds" do describe "GET /:project_path/builds" do
...@@ -289,6 +313,18 @@ describe "Private Project Access", feature: true do ...@@ -289,6 +313,18 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) } it { is_expected.to be_denied_for(:visitor) }
context 'when public builds is enabled' do
before do
project.update(public_builds: true)
end
it { is_expected.to be_allowed_for(:guest).of(project) }
end
context 'when public buils are disabled' do
it { is_expected.to be_denied_for(:guest).of(project) }
end
end end
describe "GET /:project_path/builds/:id" do describe "GET /:project_path/builds/:id" do
...@@ -305,6 +341,23 @@ describe "Private Project Access", feature: true do ...@@ -305,6 +341,23 @@ describe "Private Project Access", feature: true do
it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) } it { is_expected.to be_denied_for(:visitor) }
context 'when public builds is enabled' do
before do
project.update(public_builds: true)
end
it { is_expected.to be_allowed_for(:guest).of(project) }
end
context 'when public buils are disabled' do
before do
project.public_builds = false
project.save
end
it { is_expected.to be_denied_for(:guest).of(project) }
end
end end
describe "GET /:project_path/environments" do describe "GET /:project_path/environments" do
......
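Review bot: The new `'when public builds is enabled'` contexts assert only that a guest is allowed, so nothing checks that non-members of this private project stay denied once `project.update(public_builds: true)` has run; the existing `be_denied_for(:user)`, `(:external)` and `(:visitor)` lines run against the `public_builds: false` project from the `let`. I would add `it { is_expected.to be_denied_for(:user) }`, `it { is_expected.to be_denied_for(:external) }` and `it { is_expected.to be_denied_for(:visitor) }` inside each enabled context; this applies to all four hunks in this file. The context name `'when public buils are disabled'` has a typo (`builds`), and only the last hunk's disabled context repeats the `public_builds = false` setup that the `let` already provides.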
require 'spec_helper' require 'spec_helper'
describe Gitlab::CycleAnalytics::Permissions do describe Gitlab::CycleAnalytics::Permissions do
let(:project) { create(:empty_project) } let(:project) { create(:empty_project, public_builds: false) }
let(:user) { create(:user) } let(:user) { create(:user) }
subject { described_class.get(user: user, project: project) } subject { described_class.get(user: user, project: project) }
......
...@@ -111,14 +111,36 @@ describe ProjectPolicy, models: true do ...@@ -111,14 +111,36 @@ describe ProjectPolicy, models: true do
context 'guests' do context 'guests' do
let(:current_user) { guest } let(:current_user) { guest }
let(:reporter_public_build_permissions) do
reporter_permissions - [:read_build, :read_pipeline]
end
it do it do
is_expected.to include(*guest_permissions) is_expected.to include(*guest_permissions)
is_expected.not_to include(*reporter_permissions) is_expected.not_to include(*reporter_public_build_permissions)
is_expected.not_to include(*team_member_reporter_permissions) is_expected.not_to include(*team_member_reporter_permissions)
is_expected.not_to include(*developer_permissions) is_expected.not_to include(*developer_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
context 'public builds enabled' do
it do
is_expected.to include(*guest_permissions)
is_expected.to include(:read_build, :read_pipeline)
end
end
context 'public builds disabled' do
before do
project.update(public_builds: false)
end
it do
is_expected.to include(*guest_permissions)
is_expected.not_to include(:read_build, :read_pipeline)
end
end
end end
context 'reporter' do context 'reporter' do
......
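Review bot: The `'public builds enabled'` context never sets the flag, so it passes only while the factory default for `public_builds` is true; add `before { project.update(public_builds: true) }` to mirror the disabled context. The first example now subtracts `:read_build` and `:read_pipeline` via `reporter_public_build_permissions`, so the default guest case no longer asserts anything about those two abilities, and the `let` name reads as if it listed public-build permissions rather than reporter permissions without them. The `let(:project)` this context relies on is defined outside the hunk.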
...@@ -5,7 +5,7 @@ describe API::Builds, api: true do ...@@ -5,7 +5,7 @@ describe API::Builds, api: true do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:api_user) { user } let(:api_user) { user }
let!(:project) { create(:project, creator_id: user.id) } let!(:project) { create(:project, creator_id: user.id, public_builds: false) }
let!(:developer) { create(:project_member, :developer, user: user, project: project) } let!(:developer) { create(:project_member, :developer, user: user, project: project) }
let(:reporter) { create(:project_member, :reporter, project: project) } let(:reporter) { create(:project_member, :reporter, project: project) }
let(:guest) { create(:project_member, :guest, project: project) } let(:guest) { create(:project_member, :guest, project: project) }
......
...@@ -2,7 +2,7 @@ require 'spec_helper' ...@@ -2,7 +2,7 @@ require 'spec_helper'
describe 'cycle analytics events' do describe 'cycle analytics events' do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:project) { create(:project) } let(:project) { create(:project, public_builds: false) }
let(:issue) { create(:issue, project: project, created_at: 2.days.ago) } let(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
describe 'GET /:namespace/:project/cycle_analytics/events/issues' do describe 'GET /:namespace/:project/cycle_analytics/events/issues' do
......
...@@ -11,7 +11,7 @@ describe PipelineNotificationWorker do ...@@ -11,7 +11,7 @@ describe PipelineNotificationWorker do
status: status) status: status)
end end
let(:project) { create(:project) } let(:project) { create(:project, public_builds: false) }
let(:user) { create(:user) } let(:user) { create(:user) }
let(:pusher) { user } let(:pusher) { user }
let(:watcher) { pusher } let(:watcher) { pusher }
......