2019-12-04 20:38:33 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
require 'spec_helper'
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
RSpec.describe Gitlab::ProjectAuthorizations do
|
2017-09-10 17:25:29 +05:30
|
|
|
def map_access_levels(rows)
|
|
|
|
rows.each_with_object({}) do |row, hash|
|
|
|
|
hash[row.project_id] = row.access_level
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
subject(:authorizations) do
|
2019-10-12 21:52:04 +05:30
|
|
|
described_class.new(user).calculate
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
context 'user added to group and project' do
|
|
|
|
let(:group) { create(:group) }
|
|
|
|
let!(:other_project) { create(:project) }
|
|
|
|
let!(:group_project) { create(:project, namespace: group) }
|
|
|
|
let!(:owned_project) { create(:project) }
|
|
|
|
let(:user) { owned_project.namespace.owner }
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
before do
|
|
|
|
other_project.add_reporter(user)
|
|
|
|
group.add_developer(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns the correct number of authorizations' do
|
|
|
|
expect(authorizations.length).to eq(3)
|
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
it 'includes the correct projects' do
|
|
|
|
expect(authorizations.pluck(:project_id))
|
|
|
|
.to include(owned_project.id, other_project.id, group_project.id)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'includes the correct access levels' do
|
|
|
|
mapping = map_access_levels(authorizations)
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
expect(mapping[owned_project.id]).to eq(Gitlab::Access::MAINTAINER)
|
|
|
|
expect(mapping[other_project.id]).to eq(Gitlab::Access::REPORTER)
|
|
|
|
expect(mapping[group_project.id]).to eq(Gitlab::Access::DEVELOPER)
|
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|
|
|
|
|
2020-04-08 14:13:33 +05:30
|
|
|
context 'unapproved access request' do
|
|
|
|
let_it_be(:group) { create(:group) }
|
|
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
|
|
|
|
subject(:mapping) { map_access_levels(authorizations) }
|
|
|
|
|
|
|
|
context 'group membership' do
|
|
|
|
let!(:group_project) { create(:project, namespace: group) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
create(:group_member, :developer, :access_request, user: user, group: group)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not create authorization' do
|
|
|
|
expect(mapping[group_project.id]).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'inherited group membership' do
|
|
|
|
let!(:sub_group) { create(:group, parent: group) }
|
|
|
|
let!(:sub_group_project) { create(:project, namespace: sub_group) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
create(:group_member, :developer, :access_request, user: user, group: group)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not create authorization' do
|
|
|
|
expect(mapping[sub_group_project.id]).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'project membership' do
|
|
|
|
let!(:group_project) { create(:project, namespace: group) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
create(:project_member, :developer, :access_request, user: user, project: group_project)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not create authorization' do
|
|
|
|
expect(mapping[group_project.id]).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'shared group' do
|
|
|
|
let!(:shared_group) { create(:group) }
|
|
|
|
let!(:shared_group_project) { create(:project, namespace: shared_group) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
create(:group_group_link, shared_group: shared_group, shared_with_group: group)
|
|
|
|
create(:group_member, :developer, :access_request, user: user, group: group)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not create authorization' do
|
|
|
|
expect(mapping[shared_group_project.id]).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'shared project' do
|
|
|
|
let!(:another_group) { create(:group) }
|
|
|
|
let!(:shared_project) { create(:project, namespace: another_group) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
create(:project_group_link, group: group, project: shared_project)
|
|
|
|
create(:group_member, :developer, :access_request, user: user, group: group)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not create authorization' do
|
|
|
|
expect(mapping[shared_project.id]).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
context 'with nested groups' do
|
2019-12-26 22:10:19 +05:30
|
|
|
let(:group) { create(:group) }
|
2019-10-12 21:52:04 +05:30
|
|
|
let!(:nested_group) { create(:group, parent: group) }
|
|
|
|
let!(:nested_project) { create(:project, namespace: nested_group) }
|
2019-12-26 22:10:19 +05:30
|
|
|
let(:user) { create(:user) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
group.add_developer(user)
|
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
it 'includes nested groups' do
|
|
|
|
expect(authorizations.pluck(:project_id)).to include(nested_project.id)
|
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
it 'inherits access levels when the user is not a member of a nested group' do
|
|
|
|
mapping = map_access_levels(authorizations)
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
expect(mapping[nested_project.id]).to eq(Gitlab::Access::DEVELOPER)
|
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
it 'uses the greatest access level when a user is a member of a nested group' do
|
|
|
|
nested_group.add_maintainer(user)
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
mapping = map_access_levels(authorizations)
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
expect(mapping[nested_project.id]).to eq(Gitlab::Access::MAINTAINER)
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|
|
|
|
end
|
2019-12-26 22:10:19 +05:30
|
|
|
|
|
|
|
context 'with shared groups' do
|
|
|
|
let(:parent_group_user) { create(:user) }
|
|
|
|
let(:group_user) { create(:user) }
|
|
|
|
let(:child_group_user) { create(:user) }
|
|
|
|
|
|
|
|
let_it_be(:group_parent) { create(:group, :private) }
|
|
|
|
let_it_be(:group) { create(:group, :private, parent: group_parent) }
|
|
|
|
let_it_be(:group_child) { create(:group, :private, parent: group) }
|
|
|
|
|
|
|
|
let_it_be(:shared_group_parent) { create(:group, :private) }
|
|
|
|
let_it_be(:shared_group) { create(:group, :private, parent: shared_group_parent) }
|
|
|
|
let_it_be(:shared_group_child) { create(:group, :private, parent: shared_group) }
|
|
|
|
|
|
|
|
let_it_be(:project_parent) { create(:project, group: shared_group_parent) }
|
|
|
|
let_it_be(:project) { create(:project, group: shared_group) }
|
|
|
|
let_it_be(:project_child) { create(:project, group: shared_group_child) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
group_parent.add_owner(parent_group_user)
|
|
|
|
group.add_owner(group_user)
|
|
|
|
group_child.add_owner(child_group_user)
|
|
|
|
|
|
|
|
create(:group_group_link, shared_group: shared_group, shared_with_group: group)
|
|
|
|
end
|
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
context 'group user' do
|
|
|
|
let(:user) { group_user }
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
it 'creates proper authorizations' do
|
|
|
|
mapping = map_access_levels(authorizations)
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
expect(mapping[project_parent.id]).to be_nil
|
|
|
|
expect(mapping[project.id]).to eq(Gitlab::Access::DEVELOPER)
|
|
|
|
expect(mapping[project_child.id]).to eq(Gitlab::Access::DEVELOPER)
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
2020-02-15 18:32:13 +05:30
|
|
|
end
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-03-07 23:17:34 +05:30
|
|
|
context 'with lower group access level than max access level for share' do
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
|
|
|
|
it 'creates proper authorizations' do
|
|
|
|
group.add_reporter(user)
|
|
|
|
|
|
|
|
mapping = map_access_levels(authorizations)
|
|
|
|
|
|
|
|
expect(mapping[project_parent.id]).to be_nil
|
|
|
|
expect(mapping[project.id]).to eq(Gitlab::Access::REPORTER)
|
|
|
|
expect(mapping[project_child.id]).to eq(Gitlab::Access::REPORTER)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
context 'parent group user' do
|
|
|
|
let(:user) { parent_group_user }
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
it 'creates proper authorizations' do
|
|
|
|
mapping = map_access_levels(authorizations)
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
expect(mapping[project_parent.id]).to be_nil
|
|
|
|
expect(mapping[project.id]).to be_nil
|
|
|
|
expect(mapping[project_child.id]).to be_nil
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
2020-02-15 18:32:13 +05:30
|
|
|
end
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
context 'child group user' do
|
|
|
|
let(:user) { child_group_user }
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
it 'creates proper authorizations' do
|
|
|
|
mapping = map_access_levels(authorizations)
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
expect(mapping[project_parent.id]).to be_nil
|
|
|
|
expect(mapping[project.id]).to be_nil
|
|
|
|
expect(mapping[project_child.id]).to be_nil
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
context 'user without accepted access request' do
|
|
|
|
let!(:user) { create(:user) }
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
it 'does not have access to group and its projects' do
|
|
|
|
create(:group_member, :developer, :access_request, user: user, group: group)
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
mapping = map_access_levels(authorizations)
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
expect(mapping[project_parent.id]).to be_nil
|
|
|
|
expect(mapping[project.id]).to be_nil
|
|
|
|
expect(mapping[project_child.id]).to be_nil
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
2020-02-15 18:32:13 +05:30
|
|
|
end
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
context 'unrelated project owner' do
|
2020-04-22 19:07:51 +05:30
|
|
|
let(:common_id) { non_existing_record_id }
|
2020-02-15 18:32:13 +05:30
|
|
|
let!(:group) { create(:group, id: common_id) }
|
|
|
|
let!(:unrelated_project) { create(:project, id: common_id) }
|
|
|
|
let(:user) { unrelated_project.owner }
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
it 'does not have access to group and its projects' do
|
|
|
|
mapping = map_access_levels(authorizations)
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-02-15 18:32:13 +05:30
|
|
|
expect(mapping[project_parent.id]).to be_nil
|
|
|
|
expect(mapping[project.id]).to be_nil
|
|
|
|
expect(mapping[project_child.id]).to be_nil
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|