Commit 46dff691 authored by Douwe Maan's avatar Douwe Maan

More backport

parent 426680de
*.erb *.erb
lib/gitlab/sanitizers/svg/whitelist.rb lib/gitlab/sanitizers/svg/whitelist.rb
lib/gitlab/diff/position_tracer.rb lib/gitlab/diff/position_tracer.rb
app/policies/project_policy.rb
...@@ -11,18 +11,27 @@ ...@@ -11,18 +11,27 @@
.form-group .form-group
= f.label :access_level, class: 'control-label' = f.label :access_level, class: 'control-label'
.col-sm-10 .col-sm-10
= f.radio_button :access_level, :regular, disabled: (current_user == @user && @user.is_admin?) - editing_current_user = (current_user == @user)
= f.radio_button :access_level, :regular, disabled: editing_current_user
= label_tag :regular do = label_tag :regular do
Regular Regular
%p.light %p.light
Regular users have access to their groups and projects Regular users have access to their groups and projects
= f.radio_button :access_level, :admin
= f.radio_button :access_level, :admin, disabled: editing_current_user
= label_tag :admin do = label_tag :admin do
Admin Admin
%p.light %p.light
Administrators have access to all groups, projects and users and can manage all features in this installation Administrators have access to all groups, projects and users and can manage all features in this installation
- if editing_current_user
%p.light
You cannot remove your own admin rights.
.form-group .form-group
= f.label :external, class: 'control-label' = f.label :external, class: 'control-label'
.col-sm-10= f.check_box :external .col-sm-10
.col-sm-10 External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups. = f.check_box :external do
External
%p.light
External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.
...@@ -1422,4 +1422,37 @@ def add_user(access) ...@@ -1422,4 +1422,37 @@ def add_user(access)
expect(user.project_authorizations.where(access_level: Gitlab::Access::REPORTER).exists?).to eq(true) expect(user.project_authorizations.where(access_level: Gitlab::Access::REPORTER).exists?).to eq(true)
end end
end end
describe '#access_level=' do
let(:user) { build(:user) }
it 'does nothing for an invalid access level' do
user.access_level = :invalid_access_level
expect(user.access_level).to eq(:regular)
expect(user.admin).to be false
end
it "assigns the 'admin' access level" do
user.access_level = :admin
expect(user.access_level).to eq(:admin)
expect(user.admin).to be true
end
it "doesn't clear existing access levels when an invalid access level is passed in" do
user.access_level = :admin
user.access_level = :invalid_access_level
expect(user.access_level).to eq(:admin)
expect(user.admin).to be true
end
it "accepts string values in addition to symbols" do
user.access_level = 'admin'
expect(user.access_level).to eq(:admin)
expect(user.admin).to be true
end
end
end end
...@@ -10,61 +10,59 @@ ...@@ -10,61 +10,59 @@
let(:project) { create(:empty_project, :public, namespace: owner.namespace) } let(:project) { create(:empty_project, :public, namespace: owner.namespace) }
let(:guest_permissions) do let(:guest_permissions) do
[ %i[
:read_project, :read_board, :read_list, :read_wiki, :read_issue, :read_label, read_project read_board read_list read_wiki read_issue read_label
:read_milestone, :read_project_snippet, :read_project_member, read_milestone read_project_snippet read_project_member
:read_note, :create_project, :create_issue, :create_note, read_note create_project create_issue create_note
:upload_file upload_file
] ]
end end
let(:reporter_permissions) do let(:reporter_permissions) do
[ %i[
:download_code, :fork_project, :create_project_snippet, :update_issue, download_code fork_project create_project_snippet update_issue
:admin_issue, :admin_label, :admin_list, :read_commit_status, :read_build, admin_issue admin_label admin_list read_commit_status read_build
:read_container_image, :read_pipeline, :read_environment, :read_deployment, read_container_image read_pipeline read_environment read_deployment
:read_merge_request, :download_wiki_code read_merge_request download_wiki_code
] ]
end end
let(:team_member_reporter_permissions) do let(:team_member_reporter_permissions) do
[ %i[build_download_code build_read_container_image]
:build_download_code, :build_read_container_image
]
end end
let(:developer_permissions) do let(:developer_permissions) do
[ %i[
:admin_merge_request, :update_merge_request, :create_commit_status, admin_merge_request update_merge_request create_commit_status
:update_commit_status, :create_build, :update_build, :create_pipeline, update_commit_status create_build update_build create_pipeline
:update_pipeline, :create_merge_request, :create_wiki, :push_code, update_pipeline create_merge_request create_wiki push_code
:resolve_note, :create_container_image, :update_container_image, resolve_note create_container_image update_container_image
:create_environment, :create_deployment create_environment create_deployment
] ]
end end
let(:master_permissions) do let(:master_permissions) do
[ %i[
:push_code_to_protected_branches, :update_project_snippet, :update_environment, push_code_to_protected_branches update_project_snippet update_environment
:update_deployment, :admin_milestone, :admin_project_snippet, update_deployment admin_milestone admin_project_snippet
:admin_project_member, :admin_note, :admin_wiki, :admin_project, admin_project_member admin_note admin_wiki admin_project
:admin_commit_status, :admin_build, :admin_container_image, admin_commit_status admin_build admin_container_image
:admin_pipeline, :admin_environment, :admin_deployment admin_pipeline admin_environment admin_deployment
] ]
end end
let(:public_permissions) do let(:public_permissions) do
[ %i[
:download_code, :fork_project, :read_commit_status, :read_pipeline, download_code fork_project read_commit_status read_pipeline
:read_container_image, :build_download_code, :build_read_container_image, read_container_image build_download_code build_read_container_image
:download_wiki_code download_wiki_code
] ]
end end
let(:owner_permissions) do let(:owner_permissions) do
[ %i[
:change_namespace, :change_visibility_level, :rename_project, :remove_project, change_namespace change_visibility_level rename_project remove_project
:archive_project, :remove_fork_project, :destroy_merge_request, :destroy_issue archive_project remove_fork_project destroy_merge_request destroy_issue
] ]
end end
......
require 'spec_helper'
describe ProjectSnippetPolicy, models: true do
let(:current_user) { create(:user) }
let(:author_permissions) do
[
:update_project_snippet,
:admin_project_snippet
]
end
subject { described_class.abilities(current_user, project_snippet).to_set }
context 'public snippet' do
let(:project_snippet) { create(:project_snippet, :public) }
context 'no user' do
let(:current_user) { nil }
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'regular user' do
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
end
context 'internal snippet' do
let(:project_snippet) { create(:project_snippet, :internal) }
context 'no user' do
let(:current_user) { nil }
it do
is_expected.not_to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'regular user' do
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
end
context 'private snippet' do
let(:project_snippet) { create(:project_snippet, :private) }
context 'no user' do
let(:current_user) { nil }
it do
is_expected.not_to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'regular user' do
it do
is_expected.not_to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'snippet author' do
let(:project_snippet) { create(:project_snippet, :private, author: current_user) }
it do
is_expected.to include(:read_project_snippet)
is_expected.to include(*author_permissions)
end
end
context 'project team member' do
before { project_snippet.project.team << [current_user, :developer] }
it do
is_expected.to include(:read_project_snippet)
is_expected.not_to include(*author_permissions)
end
end
context 'admin user' do
let(:current_user) { create(:admin) }
it do
is_expected.to include(:read_project_snippet)
is_expected.to include(*author_permissions)
end
end
end
end
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment