group_policy_spec.rb 11.9 KB
Newer Older
1 2
require 'spec_helper'

3
describe GroupPolicy do
4 5 6
  let(:guest) { create(:user) }
  let(:reporter) { create(:user) }
  let(:developer) { create(:user) }
7
  let(:maintainer) { create(:user) }
8 9
  let(:owner) { create(:user) }
  let(:admin) { create(:admin) }
10
  let(:group) { create(:group, :private) }
11

12 13 14 15 16
  let(:guest_permissions) do
    [:read_label, :read_group, :upload_file, :read_namespace, :read_group_activity,
     :read_group_issues, :read_group_boards, :read_group_labels, :read_group_milestones,
     :read_group_merge_requests]
  end
17

18 19
  let(:reporter_permissions) { [:admin_label] }

20
  let(:developer_permissions) { [:admin_milestone] }
21

22
  let(:maintainer_permissions) do
23
    [
24 25 26 27
      :create_projects,
      :read_cluster,
      :create_cluster,
      :update_cluster,
28 29
      :admin_cluster,
      :add_cluster
30 31 32 33 34 35 36 37
    ]
  end

  let(:owner_permissions) do
    [
      :admin_group,
      :admin_namespace,
      :admin_group_member,
38
      :change_visibility_level,
39
      :set_note_created_at,
40 41
      (Gitlab::Database.postgresql? ? :create_subgroup : nil)
    ].compact
42 43 44 45 46 47
  end

  before do
    group.add_guest(guest)
    group.add_reporter(reporter)
    group.add_developer(developer)
48
    group.add_maintainer(maintainer)
49 50 51
    group.add_owner(owner)
  end

52 53 54 55 56 57 58 59 60
  subject { described_class.new(current_user, group) }

  def expect_allowed(*permissions)
    permissions.each { |p| is_expected.to be_allowed(p) }
  end

  def expect_disallowed(*permissions)
    permissions.each { |p| is_expected.not_to be_allowed(p) }
  end
61 62

  context 'with no user' do
63
    let(:group) { create(:group, :public) }
64 65 66
    let(:current_user) { nil }

    it do
67
      expect_allowed(:read_group)
68
      expect_disallowed(:upload_file)
69
      expect_disallowed(*reporter_permissions)
70
      expect_disallowed(*developer_permissions)
71
      expect_disallowed(*maintainer_permissions)
72
      expect_disallowed(*owner_permissions)
73
      expect_disallowed(:read_namespace)
74 75 76
    end
  end

77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108
  context 'with no user and public project' do
    let(:project) { create(:project, :public) }
    let(:user) { create(:user) }
    let(:current_user) { nil }

    before do
      Projects::GroupLinks::CreateService.new(
        project,
        user,
        link_group_access: ProjectGroupLink::DEVELOPER
      ).execute(group)
    end

    it { expect_disallowed(:read_group) }
  end

  context 'with foreign user and public project' do
    let(:project) { create(:project, :public) }
    let(:user) { create(:user) }
    let(:current_user) { create(:user) }

    before do
      Projects::GroupLinks::CreateService.new(
        project,
        user,
        link_group_access: ProjectGroupLink::DEVELOPER
      ).execute(group)
    end

    it { expect_disallowed(:read_group) }
  end

109 110 111 112 113 114 115 116
  context 'has projects' do
    let(:current_user) { create(:user) }
    let(:project) { create(:project, namespace: group) }

    before do
      project.add_developer(current_user)
    end

117
    it { expect_allowed(:read_label) }
118 119 120 121 122

    context 'in subgroups', :nested_groups do
      let(:subgroup) { create(:group, :private, parent: group) }
      let(:project) { create(:project, namespace: subgroup) }

123
      it { expect_allowed(:read_label) }
124 125 126
    end
  end

127 128 129 130
  context 'guests' do
    let(:current_user) { guest }

    it do
131
      expect_allowed(*guest_permissions)
132
      expect_disallowed(*reporter_permissions)
133
      expect_disallowed(*developer_permissions)
134
      expect_disallowed(*maintainer_permissions)
135
      expect_disallowed(*owner_permissions)
136 137 138 139 140 141 142
    end
  end

  context 'reporter' do
    let(:current_user) { reporter }

    it do
143
      expect_allowed(*guest_permissions)
144
      expect_allowed(*reporter_permissions)
145
      expect_disallowed(*developer_permissions)
146
      expect_disallowed(*maintainer_permissions)
147
      expect_disallowed(*owner_permissions)
148 149 150 151 152 153 154
    end
  end

  context 'developer' do
    let(:current_user) { developer }

    it do
155
      expect_allowed(*guest_permissions)
156
      expect_allowed(*reporter_permissions)
157
      expect_allowed(*developer_permissions)
158
      expect_disallowed(*maintainer_permissions)
159
      expect_disallowed(*owner_permissions)
160 161 162
    end
  end

163 164
  context 'maintainer' do
    let(:current_user) { maintainer }
165 166

    it do
167
      expect_allowed(*guest_permissions)
168
      expect_allowed(*reporter_permissions)
169
      expect_allowed(*developer_permissions)
170
      expect_allowed(*maintainer_permissions)
171
      expect_disallowed(*owner_permissions)
172 173 174 175 176 177 178
    end
  end

  context 'owner' do
    let(:current_user) { owner }

    it do
179
      allow(Group).to receive(:supports_nested_objects?).and_return(true)
180

181
      expect_allowed(*guest_permissions)
182
      expect_allowed(*reporter_permissions)
183
      expect_allowed(*developer_permissions)
184
      expect_allowed(*maintainer_permissions)
185
      expect_allowed(*owner_permissions)
186 187 188 189 190 191 192
    end
  end

  context 'admin' do
    let(:current_user) { admin }

    it do
193
      allow(Group).to receive(:supports_nested_objects?).and_return(true)
194

195
      expect_allowed(*guest_permissions)
196
      expect_allowed(*reporter_permissions)
197
      expect_allowed(*developer_permissions)
198
      expect_allowed(*maintainer_permissions)
199
      expect_allowed(*owner_permissions)
200 201
    end
  end
202

203 204
  describe 'when nested group support feature is disabled' do
    before do
205
      allow(Group).to receive(:supports_nested_objects?).and_return(false)
206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232
    end

    context 'admin' do
      let(:current_user) { admin }

      it 'allows every owner permission except creating subgroups' do
        create_subgroup_permission = [:create_subgroup]
        updated_owner_permissions = owner_permissions - create_subgroup_permission

        expect_disallowed(*create_subgroup_permission)
        expect_allowed(*updated_owner_permissions)
      end
    end

    context 'owner' do
      let(:current_user) { owner }

      it 'allows every owner permission except creating subgroups' do
        create_subgroup_permission = [:create_subgroup]
        updated_owner_permissions = owner_permissions - create_subgroup_permission

        expect_disallowed(*create_subgroup_permission)
        expect_allowed(*updated_owner_permissions)
      end
    end
  end

233
  describe 'private nested group use the highest access level from the group and inherited permissions', :nested_groups do
234 235
    let(:nested_group) { create(:group, :private, parent: group) }

236 237 238 239
    before do
      nested_group.add_guest(guest)
      nested_group.add_guest(reporter)
      nested_group.add_guest(developer)
240
      nested_group.add_guest(maintainer)
241

242
      group.owners.destroy_all # rubocop: disable DestroyAll
243 244 245 246 247

      group.add_guest(owner)
      nested_group.add_owner(owner)
    end

248
    subject { described_class.new(current_user, nested_group) }
249 250 251 252 253

    context 'with no user' do
      let(:current_user) { nil }

      it do
254
        expect_disallowed(*guest_permissions)
255
        expect_disallowed(*reporter_permissions)
256
        expect_disallowed(*developer_permissions)
257
        expect_disallowed(*maintainer_permissions)
258
        expect_disallowed(*owner_permissions)
259 260 261 262 263 264 265
      end
    end

    context 'guests' do
      let(:current_user) { guest }

      it do
266
        expect_allowed(*guest_permissions)
267
        expect_disallowed(*reporter_permissions)
268
        expect_disallowed(*developer_permissions)
269
        expect_disallowed(*maintainer_permissions)
270
        expect_disallowed(*owner_permissions)
271 272 273 274 275 276 277
      end
    end

    context 'reporter' do
      let(:current_user) { reporter }

      it do
278
        expect_allowed(*guest_permissions)
279
        expect_allowed(*reporter_permissions)
280
        expect_disallowed(*developer_permissions)
281
        expect_disallowed(*maintainer_permissions)
282
        expect_disallowed(*owner_permissions)
283 284 285 286 287 288 289
      end
    end

    context 'developer' do
      let(:current_user) { developer }

      it do
290
        expect_allowed(*guest_permissions)
291
        expect_allowed(*reporter_permissions)
292
        expect_allowed(*developer_permissions)
293
        expect_disallowed(*maintainer_permissions)
294
        expect_disallowed(*owner_permissions)
295 296 297
      end
    end

298 299
    context 'maintainer' do
      let(:current_user) { maintainer }
300 301

      it do
302
        expect_allowed(*guest_permissions)
303
        expect_allowed(*reporter_permissions)
304
        expect_allowed(*developer_permissions)
305
        expect_allowed(*maintainer_permissions)
306
        expect_disallowed(*owner_permissions)
307 308 309 310 311 312 313
      end
    end

    context 'owner' do
      let(:current_user) { owner }

      it do
314
        allow(Group).to receive(:supports_nested_objects?).and_return(true)
315

316
        expect_allowed(*guest_permissions)
317
        expect_allowed(*reporter_permissions)
318
        expect_allowed(*developer_permissions)
319
        expect_allowed(*maintainer_permissions)
320
        expect_allowed(*owner_permissions)
321 322 323
      end
    end
  end
324 325

  describe 'change_share_with_group_lock' do
326 327
    context 'when the current_user owns the group' do
      let(:current_user) { owner }
328

329 330
      context 'when the group share_with_group_lock is enabled' do
        let(:group) { create(:group, share_with_group_lock: true, parent: parent) }
331

332 333 334
        context 'when the parent group share_with_group_lock is enabled' do
          context 'when the group has a grandparent' do
            let(:parent) { create(:group, share_with_group_lock: true, parent: grandparent) }
335

336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354
            context 'when the grandparent share_with_group_lock is enabled' do
              let(:grandparent) { create(:group, share_with_group_lock: true) }

              context 'when the current_user owns the parent' do
                before do
                  parent.add_owner(current_user)
                end

                context 'when the current_user owns the grandparent' do
                  before do
                    grandparent.add_owner(current_user)
                  end

                  it { expect_allowed(:change_share_with_group_lock) }
                end

                context 'when the current_user does not own the grandparent' do
                  it { expect_disallowed(:change_share_with_group_lock) }
                end
355 356
              end

357 358 359
              context 'when the current_user does not own the parent' do
                it { expect_disallowed(:change_share_with_group_lock) }
              end
360 361
            end

362 363 364 365 366 367 368 369 370
            context 'when the grandparent share_with_group_lock is disabled' do
              let(:grandparent) { create(:group) }

              context 'when the current_user owns the parent' do
                before do
                  parent.add_owner(current_user)
                end

                it { expect_allowed(:change_share_with_group_lock) }
371 372
              end

373 374 375
              context 'when the current_user does not own the parent' do
                it { expect_disallowed(:change_share_with_group_lock) }
              end
376 377
            end
          end
378

379 380
          context 'when the group does not have a grandparent' do
            let(:parent) { create(:group, share_with_group_lock: true) }
381

382 383 384 385
            context 'when the current_user owns the parent' do
              before do
                parent.add_owner(current_user)
              end
386

387 388
              it { expect_allowed(:change_share_with_group_lock) }
            end
389

390 391 392
            context 'when the current_user does not own the parent' do
              it { expect_disallowed(:change_share_with_group_lock) }
            end
393
          end
394 395
        end

396 397
        context 'when the parent group share_with_group_lock is disabled' do
          let(:parent) { create(:group) }
398 399 400

          it { expect_allowed(:change_share_with_group_lock) }
        end
401
      end
402

403 404
      context 'when the group share_with_group_lock is disabled' do
        it { expect_allowed(:change_share_with_group_lock) }
405 406 407
      end
    end

408 409
    context 'when the current_user does not own the group' do
      let(:current_user) { create(:user) }
410

411
      it { expect_disallowed(:change_share_with_group_lock) }
412 413
    end
  end
414 415 416 417 418 419 420 421 422 423

  it_behaves_like 'clusterable policies' do
    let(:clusterable) { create(:group) }
    let(:cluster) do
      create(:cluster,
             :provided_by_gcp,
             :group,
             groups: [clusterable])
    end
  end
424
end