debian-mirror-gitlab/spec/controllers/projects/project_members_controller_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

564 lines
18 KiB
Ruby
Raw Normal View History

2019-07-31 22:56:46 +05:30
# frozen_string_literal: true
2016-06-02 11:05:42 +05:30
require('spec_helper')
2020-06-23 00:09:42 +05:30
RSpec.describe Projects::ProjectMembersController do
2021-09-04 01:27:46 +05:30
let_it_be(:user) { create(:user) }
let_it_be(:group) { create(:group, :public) }
2022-10-11 01:57:18 +05:30
let_it_be(:sub_group) { create(:group, parent: group) }
2021-09-04 01:27:46 +05:30
let_it_be(:project, reload: true) { create(:project, :public) }
2023-04-23 21:23:45 +05:30
shared_examples_for 'controller actions' do
before do
travel_to DateTime.new(2019, 4, 1)
end
2021-04-29 21:17:54 +05:30
2023-04-23 21:23:45 +05:30
after do
travel_back
end
2021-02-11 23:33:58 +05:30
2023-04-23 21:23:45 +05:30
describe 'GET index' do
it 'has the project_members address with a 200 status code' do
get :index, params: { namespace_id: project.namespace, project_id: project }
2023-04-23 21:23:45 +05:30
expect(response).to have_gitlab_http_status(:ok)
end
2020-01-01 13:55:28 +05:30
2023-04-23 21:23:45 +05:30
context 'project members' do
context 'when project belongs to group' do
let_it_be(:user_in_group) { create(:user) }
let_it_be(:project_in_group) { create(:project, :public, group: group) }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
before do
group.add_owner(user_in_group)
project_in_group.add_maintainer(user)
sign_in(user)
end
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
it 'lists inherited project members by default' do
get :index, params: { namespace_id: project_in_group.namespace, project_id: project_in_group }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:project_members).map(&:user_id)).to contain_exactly(user.id, user_in_group.id)
end
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
it 'lists direct project members only' do
get :index, params: { namespace_id: project_in_group.namespace, project_id: project_in_group, with_inherited_permissions: 'exclude' }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:project_members).map(&:user_id)).to contain_exactly(user.id)
end
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
it 'lists inherited project members only' do
get :index, params: { namespace_id: project_in_group.namespace, project_id: project_in_group, with_inherited_permissions: 'only' }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:project_members).map(&:user_id)).to contain_exactly(user_in_group.id)
end
2021-03-08 18:12:59 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when project belongs to a sub-group' do
let_it_be(:user_in_group) { create(:user) }
let_it_be(:project_in_group) { create(:project, :public, group: sub_group) }
2022-10-11 01:57:18 +05:30
2023-04-23 21:23:45 +05:30
before do
group.add_owner(user_in_group)
project_in_group.add_maintainer(user)
sign_in(user)
end
2022-10-11 01:57:18 +05:30
2023-04-23 21:23:45 +05:30
it 'lists inherited project members by default' do
get :index, params: { namespace_id: project_in_group.namespace, project_id: project_in_group }
2022-10-11 01:57:18 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:project_members).map(&:user_id)).to contain_exactly(user.id, user_in_group.id)
end
2022-10-11 01:57:18 +05:30
2023-04-23 21:23:45 +05:30
it 'lists direct project members only' do
get :index, params: { namespace_id: project_in_group.namespace, project_id: project_in_group, with_inherited_permissions: 'exclude' }
2022-10-11 01:57:18 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:project_members).map(&:user_id)).to contain_exactly(user.id)
end
2022-10-11 01:57:18 +05:30
2023-04-23 21:23:45 +05:30
it 'lists inherited project members only' do
get :index, params: { namespace_id: project_in_group.namespace, project_id: project_in_group, with_inherited_permissions: 'only' }
2022-10-11 01:57:18 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:project_members).map(&:user_id)).to contain_exactly(user_in_group.id)
end
2022-10-11 01:57:18 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when invited project members are present' do
let!(:invited_member) { create(:project_member, :invited, project: project) }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
before do
project.add_maintainer(user)
sign_in(user)
end
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
it 'excludes the invited members from project members list' do
get :index, params: { namespace_id: project.namespace, project_id: project }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:project_members).map(&:invite_email)).not_to contain_exactly(invited_member.invite_email)
end
2021-03-08 18:12:59 +05:30
end
end
2020-01-01 13:55:28 +05:30
2023-04-23 21:23:45 +05:30
context 'invited members' do
let_it_be(:invited_member) { create(:project_member, :invited, project: project) }
2020-01-01 13:55:28 +05:30
2021-03-08 18:12:59 +05:30
before do
2023-04-23 21:23:45 +05:30
sign_in(user)
2021-03-08 18:12:59 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when user has `admin_project_member` permissions' do
before do
project.add_maintainer(user)
end
it 'lists invited members' do
get :index, params: { namespace_id: project.namespace, project_id: project }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:invited_members).map(&:invite_email)).to contain_exactly(invited_member.invite_email)
end
2021-03-08 18:12:59 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when user does not have `admin_project_member` permissions' do
it 'does not list invited members' do
get :index, params: { namespace_id: project.namespace, project_id: project }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:invited_members)).to be_nil
end
2021-03-08 18:12:59 +05:30
end
2020-01-01 13:55:28 +05:30
end
2023-04-23 21:23:45 +05:30
context 'access requests' do
let_it_be(:access_requester_user) { create(:user) }
2020-01-01 13:55:28 +05:30
2021-03-08 18:12:59 +05:30
before do
2023-04-23 21:23:45 +05:30
project.request_access(access_requester_user)
sign_in(user)
2021-03-08 18:12:59 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when user has `admin_project_member` permissions' do
before do
project.add_maintainer(user)
end
it 'lists access requests' do
get :index, params: { namespace_id: project.namespace, project_id: project }
2021-03-08 18:12:59 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:requesters).map(&:user_id)).to contain_exactly(access_requester_user.id)
end
2021-03-08 18:12:59 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when user does not have `admin_project_member` permissions' do
it 'does not list access requests' do
get :index, params: { namespace_id: project.namespace, project_id: project }
2020-01-01 13:55:28 +05:30
2023-04-23 21:23:45 +05:30
expect(assigns(:requesters)).to be_nil
end
2021-03-08 18:12:59 +05:30
end
2020-01-01 13:55:28 +05:30
end
end
2018-03-17 18:26:18 +05:30
2023-04-23 21:23:45 +05:30
describe 'PUT update' do
let_it_be(:requester) { create(:project_member, :access_request, project: project) }
2020-10-04 03:57:07 +05:30
2023-04-23 21:23:45 +05:30
before do
project.add_maintainer(user)
sign_in(user)
2020-10-04 03:57:07 +05:30
end
2022-07-23 23:45:48 +05:30
2023-04-23 21:23:45 +05:30
context 'access level' do
Gitlab::Access.options.each do |label, value|
it "can change the access level to #{label}" do
2022-07-23 23:45:48 +05:30
params = {
2023-04-23 21:23:45 +05:30
project_member: { access_level: value },
2022-07-23 23:45:48 +05:30
namespace_id: project.namespace,
project_id: project,
id: requester
}
put :update, params: params, xhr: true
2023-04-23 21:23:45 +05:30
expect(requester.reload.human_access).to eq(label)
2022-07-23 23:45:48 +05:30
end
end
2023-04-23 21:23:45 +05:30
describe 'managing project direct owners' do
context 'when a Maintainer tries to elevate another user to OWNER' do
it 'does not allow the operation' do
params = {
project_member: { access_level: Gitlab::Access::OWNER },
namespace_id: project.namespace,
project_id: project,
id: requester
}
2022-07-23 23:45:48 +05:30
2023-04-23 21:23:45 +05:30
put :update, params: params, xhr: true
expect(response).to have_gitlab_http_status(:forbidden)
end
2022-07-23 23:45:48 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when a user with OWNER access tries to elevate another user to OWNER' do
# inherited owner role via personal project association
let(:user) { project.first_owner }
2022-07-23 23:45:48 +05:30
2023-04-23 21:23:45 +05:30
before do
sign_in(user)
end
it 'returns success' do
params = {
project_member: { access_level: Gitlab::Access::OWNER },
namespace_id: project.namespace,
project_id: project,
id: requester
}
put :update, params: params, xhr: true
2022-07-23 23:45:48 +05:30
2023-04-23 21:23:45 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(requester.reload.access_level).to eq(Gitlab::Access::OWNER)
end
2022-07-23 23:45:48 +05:30
end
end
end
2020-10-04 03:57:07 +05:30
2023-04-23 21:23:45 +05:30
context 'access expiry date' do
subject do
put :update, xhr: true, params: {
project_member: {
expires_at: expires_at
},
namespace_id: project.namespace,
project_id: project,
id: requester
}
end
2020-10-04 03:57:07 +05:30
2023-04-23 21:23:45 +05:30
context 'when set to a date in the past' do
let(:expires_at) { 2.days.ago }
2020-10-04 03:57:07 +05:30
2023-04-23 21:23:45 +05:30
it 'does not update the member' do
subject
2020-10-04 03:57:07 +05:30
2023-04-23 21:23:45 +05:30
expect(requester.reload.expires_at).not_to eq(expires_at.to_date)
end
2021-03-11 19:13:27 +05:30
2023-04-23 21:23:45 +05:30
it 'returns error status' do
subject
2021-03-11 19:13:27 +05:30
2023-04-23 21:23:45 +05:30
expect(response).to have_gitlab_http_status(:unprocessable_entity)
end
2021-03-11 19:13:27 +05:30
2023-04-23 21:23:45 +05:30
it 'returns error message' do
subject
2021-03-11 19:13:27 +05:30
2023-04-23 21:23:45 +05:30
expect(json_response).to eq({ 'message' => 'Expires at cannot be a date in the past' })
end
2021-03-11 19:13:27 +05:30
end
2020-10-04 03:57:07 +05:30
2023-04-23 21:23:45 +05:30
context 'when set to a date in the future' do
let(:expires_at) { 5.days.from_now }
2020-10-04 03:57:07 +05:30
2023-04-23 21:23:45 +05:30
it 'updates the member' do
subject
2020-10-04 03:57:07 +05:30
2023-04-23 21:23:45 +05:30
expect(requester.reload.expires_at).to eq(expires_at.to_date)
end
2020-10-04 03:57:07 +05:30
end
2018-03-17 18:26:18 +05:30
end
2021-01-03 14:25:43 +05:30
2023-04-23 21:23:45 +05:30
context 'expiration date' do
let(:expiry_date) { 1.month.from_now.to_date }
2021-01-03 14:25:43 +05:30
2023-04-23 21:23:45 +05:30
before do
travel_to Time.now.utc.beginning_of_day
put(
:update,
params: {
project_member: { expires_at: expiry_date },
namespace_id: project.namespace,
project_id: project,
id: requester
},
format: :json
)
end
2021-01-03 14:25:43 +05:30
2023-04-23 21:23:45 +05:30
context 'when `expires_at` is set' do
it 'returns correct json response' do
expect(json_response).to eq({
"expires_soon" => false,
"expires_at_formatted" => expiry_date.to_time.in_time_zone.to_s(:medium)
})
end
2021-01-03 14:25:43 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when `expires_at` is not set' do
let(:expiry_date) { nil }
2021-01-03 14:25:43 +05:30
2023-04-23 21:23:45 +05:30
it 'returns empty json response' do
expect(json_response).to be_empty
end
2021-01-03 14:25:43 +05:30
end
end
end
2018-03-17 18:26:18 +05:30
2023-04-23 21:23:45 +05:30
describe 'DELETE destroy' do
let_it_be(:member) { create(:project_member, :developer, project: project) }
2017-08-17 22:00:37 +05:30
2023-04-23 21:23:45 +05:30
before do
sign_in(user)
end
2023-04-23 21:23:45 +05:30
context 'when member is not found' do
it 'returns 404' do
delete :destroy, params: {
namespace_id: project.namespace,
project_id: project,
id: 42
}
2023-04-23 21:23:45 +05:30
expect(response).to have_gitlab_http_status(:not_found)
end
end
2023-04-23 21:23:45 +05:30
context 'when member is found' do
context 'when user does not have enough rights' do
context 'when user does not have rights to manage other members' do
before do
project.add_developer(user)
end
it 'returns 404', :aggregate_failures do
delete :destroy, params: {
namespace_id: project.namespace,
project_id: project,
id: member
}
expect(response).to have_gitlab_http_status(:not_found)
expect(project.members).to include member
end
2022-07-23 23:45:48 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when user does not have rights to manage Owner members' do
let_it_be(:member) { create(:project_member, project: project, access_level: Gitlab::Access::OWNER) }
2022-07-23 23:45:48 +05:30
2023-04-23 21:23:45 +05:30
before do
project.add_maintainer(user)
end
it 'returns 403', :aggregate_failures do
delete :destroy, params: {
namespace_id: project.namespace,
project_id: project,
id: member
}
expect(response).to have_gitlab_http_status(:forbidden)
expect(project.members).to include member
end
2022-07-23 23:45:48 +05:30
end
2017-09-10 17:25:29 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when user has enough rights' do
2022-07-23 23:45:48 +05:30
before do
project.add_maintainer(user)
end
2023-04-23 21:23:45 +05:30
it '[HTML] removes user from members', :aggregate_failures do
delete :destroy, params: {
namespace_id: project.namespace,
project_id: project,
id: member
}
expect(response).to redirect_to(
project_project_members_path(project)
)
expect(project.members).not_to include member
end
it '[JS] removes user from members', :aggregate_failures do
2022-07-23 23:45:48 +05:30
delete :destroy, params: {
namespace_id: project.namespace,
project_id: project,
id: member
2023-04-23 21:23:45 +05:30
}, xhr: true
2022-07-23 23:45:48 +05:30
2023-04-23 21:23:45 +05:30
expect(response).to be_successful
expect(project.members).not_to include member
2022-07-23 23:45:48 +05:30
end
end
end
2017-09-10 17:25:29 +05:30
end
2023-04-23 21:23:45 +05:30
describe 'DELETE leave' do
before do
sign_in(user)
end
2023-04-23 21:23:45 +05:30
context 'when member is not found' do
it 'returns 404' do
2019-02-15 15:39:39 +05:30
delete :leave, params: {
namespace_id: project.namespace,
project_id: project
}
2023-04-23 21:23:45 +05:30
expect(response).to have_gitlab_http_status(:not_found)
end
end
2023-04-23 21:23:45 +05:30
context 'when member is found' do
context 'and is not an owner' do
before do
project.add_developer(user)
end
it 'removes user from members', :aggregate_failures do
delete :leave, params: {
namespace_id: project.namespace,
project_id: project
}
2017-08-17 22:00:37 +05:30
2023-04-23 21:23:45 +05:30
expect(controller).to set_flash.to "You left the \"#{project.human_name}\" project."
expect(response).to redirect_to(dashboard_projects_path)
expect(project.users).not_to include user
end
2017-09-10 17:25:29 +05:30
end
2023-04-23 21:23:45 +05:30
context 'and is an owner' do
let(:project) { create(:project, namespace: user.namespace) }
2023-04-23 21:23:45 +05:30
before do
project.add_maintainer(user)
end
2023-04-23 21:23:45 +05:30
it 'cannot remove themselves from the project' do
delete :leave, params: {
namespace_id: project.namespace,
project_id: project
}
expect(response).to have_gitlab_http_status(:forbidden)
end
2017-09-10 17:25:29 +05:30
end
2023-04-23 21:23:45 +05:30
context 'and is a requester' do
before do
project.request_access(user)
end
it 'removes user from members', :aggregate_failures do
delete :leave, params: {
namespace_id: project.namespace,
project_id: project
}
2023-04-23 21:23:45 +05:30
expect(controller).to set_flash.to 'Your access request to the project has been withdrawn.'
expect(response).to redirect_to(project_path(project))
expect(project.requesters).to be_empty
expect(project.users).not_to include user
end
end
end
end
2023-04-23 21:23:45 +05:30
describe 'POST request_access' do
before do
sign_in(user)
end
2023-04-23 21:23:45 +05:30
it 'creates a new ProjectMember that is not a team member', :aggregate_failures do
post :request_access, params: {
namespace_id: project.namespace,
project_id: project
}
2017-08-17 22:00:37 +05:30
2023-04-23 21:23:45 +05:30
expect(controller).to set_flash.to 'Your request for access has been queued for review.'
expect(response).to redirect_to(
project_path(project)
)
expect(project.requesters.exists?(user_id: user)).to be_truthy
expect(project.users).not_to include user
end
2017-09-10 17:25:29 +05:30
end
2023-04-23 21:23:45 +05:30
describe 'POST approve' do
let_it_be(:member) { create(:project_member, :access_request, project: project) }
2023-04-23 21:23:45 +05:30
before do
sign_in(user)
end
2023-04-23 21:23:45 +05:30
context 'when member is not found' do
it 'returns 404' do
2019-02-15 15:39:39 +05:30
post :approve_access_request, params: {
namespace_id: project.namespace,
project_id: project,
2023-04-23 21:23:45 +05:30
id: 42
2019-02-15 15:39:39 +05:30
}
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:not_found)
end
end
2023-04-23 21:23:45 +05:30
context 'when member is found' do
context 'when user does not have rights to manage other members' do
before do
project.add_developer(user)
end
it 'returns 404', :aggregate_failures do
post :approve_access_request, params: {
namespace_id: project.namespace,
project_id: project,
id: member
}
expect(response).to have_gitlab_http_status(:not_found)
expect(project.members).not_to include member
end
2017-09-10 17:25:29 +05:30
end
2023-04-23 21:23:45 +05:30
context 'when user has enough rights' do
before do
project.add_maintainer(user)
end
2023-04-23 21:23:45 +05:30
it 'adds user to members', :aggregate_failures do
post :approve_access_request, params: {
namespace_id: project.namespace,
project_id: project,
id: member
}
expect(response).to redirect_to(
project_project_members_path(project)
)
expect(project.members).to include member
end
end
end
end
2016-11-03 12:29:30 +05:30
2023-04-23 21:23:45 +05:30
describe 'POST resend_invite' do
let_it_be(:member) { create(:project_member, project: project) }
2021-01-03 14:25:43 +05:30
2023-04-23 21:23:45 +05:30
before do
project.add_maintainer(user)
sign_in(user)
end
it 'is successful' do
post :resend_invite, params: { namespace_id: project.namespace, project_id: project, id: member }
expect(response).to have_gitlab_http_status(:found)
end
2021-01-03 14:25:43 +05:30
end
2023-04-23 21:23:45 +05:30
end
2021-01-03 14:25:43 +05:30
2023-04-23 21:23:45 +05:30
it_behaves_like 'controller actions'
2016-06-02 11:05:42 +05:30
end