Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
d4c72147
Commit
d4c72147
authored
Jan 28, 2019
by
Kamil Trzciński
Committed by
Yorick Peterse
Jan 31, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[master] Pipelines section is available to unauthorized users
parent
4b868ba8
Changes
35
Show whitespace changes
Inline
Side-by-side
Showing
35 changed files
with
324 additions
and
95 deletions
+324
-95
app/controllers/projects/merge_requests/application_controller.rb
...rollers/projects/merge_requests/application_controller.rb
+6
-3
app/controllers/projects/pipelines_controller.rb
app/controllers/projects/pipelines_controller.rb
+1
-0
app/helpers/projects_helper.rb
app/helpers/projects_helper.rb
+2
-1
app/models/commit.rb
app/models/commit.rb
+4
-1
app/models/project.rb
app/models/project.rb
+8
-0
app/policies/ci/pipeline_policy.rb
app/policies/ci/pipeline_policy.rb
+9
-0
app/policies/project_policy.rb
app/policies/project_policy.rb
+16
-4
app/presenters/commit_presenter.rb
app/presenters/commit_presenter.rb
+13
-0
app/presenters/merge_request_presenter.rb
app/presenters/merge_request_presenter.rb
+4
-0
app/serializers/merge_request_widget_entity.rb
app/serializers/merge_request_widget_entity.rb
+1
-1
app/views/projects/commit/_ci_menu.html.haml
app/views/projects/commit/_ci_menu.html.haml
+3
-1
app/views/projects/commit/_commit_box.html.haml
app/views/projects/commit/_commit_box.html.haml
+2
-2
app/views/projects/commit/show.html.haml
app/views/projects/commit/show.html.haml
+1
-4
app/views/projects/commits/_commit.html.haml
app/views/projects/commits/_commit.html.haml
+3
-2
app/views/projects/issues/_merge_requests.html.haml
app/views/projects/issues/_merge_requests.html.haml
+2
-1
app/views/projects/issues/_related_branches.html.haml
app/views/projects/issues/_related_branches.html.haml
+1
-1
app/views/projects/merge_requests/_merge_request.html.haml
app/views/projects/merge_requests/_merge_request.html.haml
+1
-1
app/views/projects/pipelines/_info.html.haml
app/views/projects/pipelines/_info.html.haml
+16
-17
changelogs/unreleased/test-permissions.yml
changelogs/unreleased/test-permissions.yml
+5
-0
lib/api/pipelines.rb
lib/api/pipelines.rb
+3
-3
spec/controllers/projects/pipeline_schedules_controller_spec.rb
...ontrollers/projects/pipeline_schedules_controller_spec.rb
+10
-1
spec/controllers/projects/pipelines_controller_spec.rb
spec/controllers/projects/pipelines_controller_spec.rb
+32
-15
spec/features/security/project/internal_access_spec.rb
spec/features/security/project/internal_access_spec.rb
+3
-3
spec/features/security/project/private_access_spec.rb
spec/features/security/project/private_access_spec.rb
+1
-1
spec/features/security/project/public_access_spec.rb
spec/features/security/project/public_access_spec.rb
+5
-5
spec/helpers/projects_helper_spec.rb
spec/helpers/projects_helper_spec.rb
+14
-2
spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
+2
-2
spec/models/commit_spec.rb
spec/models/commit_spec.rb
+1
-0
spec/models/project_spec.rb
spec/models/project_spec.rb
+24
-0
spec/policies/ci/pipeline_policy_spec.rb
spec/policies/ci/pipeline_policy_spec.rb
+8
-0
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+32
-12
spec/presenters/commit_presenter_spec.rb
spec/presenters/commit_presenter_spec.rb
+54
-0
spec/serializers/merge_request_widget_entity_spec.rb
spec/serializers/merge_request_widget_entity_spec.rb
+28
-11
spec/views/projects/commit/_commit_box.html.haml_spec.rb
spec/views/projects/commit/_commit_box.html.haml_spec.rb
+5
-1
spec/views/projects/issues/_related_branches.html.haml_spec.rb
...views/projects/issues/_related_branches.html.haml_spec.rb
+4
-0
No files found.
app/controllers/projects/merge_requests/application_controller.rb
View file @
d4c72147
...
...
@@ -39,8 +39,11 @@ class Projects::MergeRequests::ApplicationController < Projects::ApplicationCont
end
def
set_pipeline_variables
@pipelines
=
@merge_request
.
all_pipelines
@pipeline
=
@merge_request
.
head_pipeline
@statuses_count
=
@pipeline
.
present?
?
@pipeline
.
statuses
.
relevant
.
count
:
0
@pipelines
=
if
can?
(
current_user
,
:read_pipeline
,
@project
)
@merge_request
.
all_pipelines
else
Ci
::
Pipeline
.
none
end
end
end
app/controllers/projects/pipelines_controller.rb
View file @
d4c72147
...
...
@@ -4,6 +4,7 @@ class Projects::PipelinesController < Projects::ApplicationController
before_action
:whitelist_query_limiting
,
only:
[
:create
,
:retry
]
before_action
:pipeline
,
except:
[
:index
,
:new
,
:create
,
:charts
]
before_action
:authorize_read_pipeline!
before_action
:authorize_read_build!
,
only:
[
:index
]
before_action
:authorize_create_pipeline!
,
only:
[
:new
,
:create
]
before_action
:authorize_update_pipeline!
,
only:
[
:retry
,
:cancel
]
...
...
app/helpers/projects_helper.rb
View file @
d4c72147
...
...
@@ -305,7 +305,8 @@ module ProjectsHelper
nav_tabs
<<
:container_registry
end
if
project
.
builds_enabled?
&&
can?
(
current_user
,
:read_pipeline
,
project
)
# Pipelines feature is tied to presence of builds
if
can?
(
current_user
,
:read_build
,
project
)
nav_tabs
<<
:pipelines
end
...
...
app/models/commit.rb
View file @
d4c72147
...
...
@@ -11,6 +11,7 @@ class Commit
include
Mentionable
include
Referable
include
StaticModel
include
Presentable
include
::
Gitlab
::
Utils
::
StrongMemoize
attr_mentionable
:safe_message
,
pipeline: :single_line
...
...
@@ -304,7 +305,9 @@ class Commit
end
def
last_pipeline
@last_pipeline
||=
pipelines
.
last
strong_memoize
(
:last_pipeline
)
do
pipelines
.
last
end
end
def
status
(
ref
=
nil
)
...
...
app/models/project.rb
View file @
d4c72147
...
...
@@ -578,6 +578,14 @@ class Project < ActiveRecord::Base
end
end
def
all_pipelines
if
builds_enabled?
super
else
super
.
external
end
end
# returns all ancestor-groups upto but excluding the given namespace
# when no namespace is given, all ancestors upto the top are returned
def
ancestors_upto
(
top
=
nil
,
hierarchy_order:
nil
)
...
...
app/policies/ci/pipeline_policy.rb
View file @
d4c72147
...
...
@@ -10,6 +10,15 @@ module Ci
@subject
.
project
.
branch_allows_collaboration?
(
@user
,
@subject
.
ref
)
end
condition
(
:external_pipeline
,
scope: :subject
,
score:
0
)
do
@subject
.
external?
end
# Disallow users without permissions from accessing internal pipelines
rule
{
~
can?
(
:read_build
)
&
~
external_pipeline
}.
policy
do
prevent
:read_pipeline
end
rule
{
protected_ref
}.
prevent
:update_pipeline
rule
{
can?
(
:public_access
)
&
branch_allows_collaboration
}.
policy
do
...
...
app/policies/project_policy.rb
View file @
d4c72147
...
...
@@ -108,6 +108,10 @@ class ProjectPolicy < BasePolicy
condition
(
:has_clusters
,
scope: :subject
)
{
clusterable_has_clusters?
}
condition
(
:can_have_multiple_clusters
)
{
multiple_clusters_available?
}
condition
(
:internal_builds_disabled
)
do
!
@subject
.
builds_enabled?
end
features
=
%w[
merge_requests
issues
...
...
@@ -196,7 +200,6 @@ class ProjectPolicy < BasePolicy
enable
:read_build
enable
:read_container_image
enable
:read_pipeline
enable
:read_pipeline_schedule
enable
:read_environment
enable
:read_deployment
enable
:read_merge_request
...
...
@@ -235,6 +238,7 @@ class ProjectPolicy < BasePolicy
enable
:update_build
enable
:create_pipeline
enable
:update_pipeline
enable
:read_pipeline_schedule
enable
:create_pipeline_schedule
enable
:create_merge_request_from
enable
:create_wiki
...
...
@@ -320,7 +324,6 @@ class ProjectPolicy < BasePolicy
end
rule
{
builds_disabled
|
repository_disabled
}.
policy
do
prevent
(
*
create_update_admin_destroy
(
:pipeline
))
prevent
(
*
create_read_update_admin_destroy
(
:build
))
prevent
(
*
create_read_update_admin_destroy
(
:pipeline_schedule
))
prevent
(
*
create_read_update_admin_destroy
(
:environment
))
...
...
@@ -328,11 +331,22 @@ class ProjectPolicy < BasePolicy
prevent
(
*
create_read_update_admin_destroy
(
:deployment
))
end
# There's two separate cases when builds_disabled is true:
# 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
# - We do not prevent the user from accessing Pipelines to allow him to access external CI
# 2. When the user is not allowed to access CI - builds_disabled && ~internal_builds_disabled
# - We prevent the user from accessing Pipelines
rule
{
(
builds_disabled
&
~
internal_builds_disabled
)
|
repository_disabled
}.
policy
do
prevent
(
*
create_read_update_admin_destroy
(
:pipeline
))
prevent
(
*
create_read_update_admin_destroy
(
:commit_status
))
end
rule
{
repository_disabled
}.
policy
do
prevent
:push_code
prevent
:download_code
prevent
:fork_project
prevent
:read_commit_status
prevent
:read_pipeline
prevent
(
*
create_read_update_admin_destroy
(
:release
))
end
...
...
@@ -359,7 +373,6 @@ class ProjectPolicy < BasePolicy
enable
:read_merge_request
enable
:read_note
enable
:read_pipeline
enable
:read_pipeline_schedule
enable
:read_commit_status
enable
:read_container_image
enable
:download_code
...
...
@@ -378,7 +391,6 @@ class ProjectPolicy < BasePolicy
rule
{
public_builds
&
can?
(
:guest_access
)
}.
policy
do
enable
:read_pipeline
enable
:read_pipeline_schedule
end
# These rules are included to allow maintainers of projects to push to certain
...
...
app/presenters/commit_presenter.rb
0 → 100644
View file @
d4c72147
# frozen_string_literal: true
class
CommitPresenter
<
Gitlab
::
View
::
Presenter
::
Simple
presents
:commit
def
status_for
(
ref
)
can?
(
current_user
,
:read_commit_status
,
commit
.
project
)
&&
commit
.
status
(
ref
)
end
def
any_pipelines?
can?
(
current_user
,
:read_pipeline
,
commit
.
project
)
&&
commit
.
pipelines
.
any?
end
end
app/presenters/merge_request_presenter.rb
View file @
d4c72147
...
...
@@ -170,6 +170,10 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
source_branch_exists?
&&
merge_request
.
can_remove_source_branch?
(
current_user
)
end
def
can_read_pipeline?
pipeline
&&
can?
(
current_user
,
:read_pipeline
,
pipeline
)
end
def
mergeable_discussions_state
# This avoids calling MergeRequest#mergeable_discussions_state without
# considering the state of the MR first. If a MR isn't mergeable, we can
...
...
app/serializers/merge_request_widget_entity.rb
View file @
d4c72147
...
...
@@ -57,7 +57,7 @@ class MergeRequestWidgetEntity < IssuableEntity
end
expose
:merge_commit_message
expose
:actual_head_pipeline
,
with:
PipelineDetailsEntity
,
as: :pipeline
expose
:actual_head_pipeline
,
with:
PipelineDetailsEntity
,
as: :pipeline
,
if:
->
(
mr
,
_
)
{
presenter
(
mr
).
can_read_pipeline?
}
expose
:merge_pipeline
,
with:
PipelineDetailsEntity
,
if:
->
(
mr
,
_
)
{
mr
.
merged?
&&
can?
(
request
.
current_user
,
:read_pipeline
,
mr
.
target_project
)}
# Booleans
...
...
app/views/projects/commit/_ci_menu.html.haml
View file @
d4c72147
-
any_pipelines
=
@commit
.
present
(
current_user:
current_user
).
any_pipelines?
%ul
.nav-links.no-top.no-bottom.commit-ci-menu.nav.nav-tabs
=
nav_link
(
path:
'commit#show'
)
do
=
link_to
project_commit_path
(
@project
,
@commit
.
id
)
do
Changes
%span
.badge.badge-pill
=
@diffs
.
size
-
if
can?
(
current_user
,
:read_pipeline
,
@project
)
-
if
any_pipelines
=
nav_link
(
path:
'commit#pipelines'
)
do
=
link_to
pipelines_project_commit_path
(
@project
,
@commit
.
id
)
do
Pipelines
...
...
app/views/projects/commit/_commit_box.html.haml
View file @
d4c72147
...
...
@@ -74,8 +74,8 @@
%span
.commit-info.merge-requests
{
'data-project-commit-path'
=>
merge_requests_project_commit_path
(
@project
,
@commit
.
id
,
format: :json
)
}
=
icon
(
'spinner spin'
)
-
if
@commit
.
last_pipeline
-
last_pipeline
=
@commit
.
last_pipeline
-
if
can?
(
current_user
,
:read_pipeline
,
last_pipeline
)
.well-segment.pipeline-info
.status-icon-container
=
link_to
project_pipeline_path
(
@project
,
last_pipeline
.
id
),
class:
"ci-status-icon-
#{
last_pipeline
.
status
}
"
do
...
...
app/views/projects/commit/show.html.haml
View file @
d4c72147
...
...
@@ -9,10 +9,7 @@
.container-fluid
{
class:
[
limited_container_width
,
container_class
]
}
=
render
"commit_box"
-
if
@commit
.
status
=
render
"ci_menu"
-
else
.block-connector
=
render
"projects/diffs/diffs"
,
diffs:
@diffs
,
environment:
@environment
,
is_commit:
true
.limited-width-notes
...
...
app/views/projects/commits/_commit.html.haml
View file @
d4c72147
...
...
@@ -6,6 +6,7 @@
-
merge_request
=
local_assigns
.
fetch
(
:merge_request
,
nil
)
-
project
=
local_assigns
.
fetch
(
:project
)
{
merge_request
&
.
project
}
-
ref
=
local_assigns
.
fetch
(
:ref
)
{
merge_request
&
.
source_branch
}
-
commit_status
=
commit
.
present
(
current_user:
current_user
).
status_for
(
ref
)
-
link
=
commit_path
(
project
,
commit
,
merge_request:
merge_request
)
%li
.commit.flex-row.js-toggle-container
{
id:
"commit-#{commit.short_id}"
}
...
...
@@ -22,7 +23,7 @@
%span
.commit-row-message.d-block.d-sm-none
·
=
commit
.
short_id
-
if
commit
.
status
(
ref
)
-
if
commit
_status
.d-block.d-sm-none
=
render_commit_status
(
commit
,
ref:
ref
)
-
if
commit
.
description?
...
...
@@ -45,7 +46,7 @@
-
else
=
render
partial:
'projects/commit/ajax_signature'
,
locals:
{
commit:
commit
}
-
if
commit
.
status
(
ref
)
-
if
commit
_status
=
render_commit_status
(
commit
,
ref:
ref
)
.js-commit-pipeline-status
{
data:
{
endpoint:
pipelines_project_commit_path
(
project
,
commit
.
id
,
ref:
ref
)
}
}
...
...
app/views/projects/issues/_merge_requests.html.haml
View file @
d4c72147
...
...
@@ -12,6 +12,7 @@
%ul
.content-list.related-items-list
-
has_any_head_pipeline
=
@merge_requests
.
any?
(
&
:head_pipeline_id
)
-
@merge_requests
.
each
do
|
merge_request
|
-
merge_request
=
merge_request
.
present
(
current_user:
current_user
)
%li
.list-item.py-0.px-0
.item-body.issuable-info-container.py-lg-3.px-lg-3.pl-md-3
.item-contents
...
...
@@ -25,7 +26,7 @@
=
merge_request
.
target_project
.
full_path
=
merge_request
.
to_reference
%span
.mr-ci-status.flex-md-grow-1.justify-content-end.d-flex.ml-md-2
-
if
merge_request
.
head_pipeline
-
if
merge_request
.
can_read_pipeline?
=
render_pipeline_status
(
merge_request
.
head_pipeline
,
tooltip_placement:
'bottom'
)
-
elsif
has_any_head_pipeline
=
icon
(
'blank fw'
)
...
...
app/views/projects/issues/_related_branches.html.haml
View file @
d4c72147
...
...
@@ -6,7 +6,7 @@
%li
-
target
=
@project
.
repository
.
find_branch
(
branch
).
dereferenced_target
-
pipeline
=
@project
.
pipeline_for
(
branch
,
target
.
sha
)
if
target
-
if
pipeline
-
if
can?
(
current_user
,
:read_pipeline
,
pipeline
)
%span
.related-branch-ci-status
=
render_pipeline_status
(
pipeline
)
%span
.related-branch-info
...
...
app/views/projects/merge_requests/_merge_request.html.haml
View file @
d4c72147
...
...
@@ -46,7 +46,7 @@
%li
.issuable-status.d-none.d-sm-inline-block
=
icon
(
'ban'
)
CLOSED
-
if
merge_request
.
head_pipeline
-
if
can?
(
current_user
,
:read_pipeline
,
merge_request
.
head_pipeline
)
%li
.issuable-pipeline-status.d-none.d-sm-inline-block
=
render_pipeline_status
(
merge_request
.
head_pipeline
)
-
if
merge_request
.
open?
&&
merge_request
.
broken?
...
...
app/views/projects/pipelines/_info.html.haml
View file @
d4c72147
...
...
@@ -6,7 +6,6 @@
=
preserve
(
markdown
(
commit
.
description
,
pipeline: :single_line
))
.info-well
-
if
commit
.
status
.well-segment.pipeline-info
.icon-container
=
icon
(
'clock-o'
)
...
...
changelogs/unreleased/test-permissions.yml
0 → 100644
View file @
d4c72147
---
title
:
Disallows unauthorized users from accessing the pipelines section.
merge_request
:
author
:
type
:
security
lib/api/pipelines.rb
View file @
d4c72147
...
...
@@ -76,7 +76,7 @@ module API
requires
:pipeline_id
,
type:
Integer
,
desc:
'The pipeline ID'
end
get
':id/pipelines/:pipeline_id'
do
authorize!
:read_pipeline
,
user_project
authorize!
:read_pipeline
,
pipeline
present
pipeline
,
with:
Entities
::
Pipeline
end
...
...
@@ -104,7 +104,7 @@ module API
requires
:pipeline_id
,
type:
Integer
,
desc:
'The pipeline ID'
end
post
':id/pipelines/:pipeline_id/retry'
do
authorize!
:update_pipeline
,
user_project
authorize!
:update_pipeline
,
pipeline
pipeline
.
retry_failed
(
current_user
)
...
...
@@ -119,7 +119,7 @@ module API
requires
:pipeline_id
,
type:
Integer
,
desc:
'The pipeline ID'
end
post
':id/pipelines/:pipeline_id/cancel'
do
authorize!
:update_pipeline
,
user_project
authorize!
:update_pipeline
,
pipeline
pipeline
.
cancel_running
...
...
spec/controllers/projects/pipeline_schedules_controller_spec.rb
View file @
d4c72147
...
...
@@ -3,9 +3,14 @@ require 'spec_helper'
describe
Projects
::
PipelineSchedulesController
do
include
AccessMatchersForController
set
(
:user
)
{
create
(
:user
)
}
set
(
:project
)
{
create
(
:project
,
:public
,
:repository
)
}
set
(
:pipeline_schedule
)
{
create
(
:ci_pipeline_schedule
,
project:
project
)
}
before
do
project
.
add_developer
(
user
)
end
describe
'GET #index'
do
render_views
...
...
@@ -14,6 +19,10 @@ describe Projects::PipelineSchedulesController do
create
(
:ci_pipeline_schedule
,
:inactive
,
project:
project
)
end
before
do
sign_in
(
user
)
end
it
'renders the index view'
do
visit_pipelines_schedules
...
...
@@ -21,7 +30,7 @@ describe Projects::PipelineSchedulesController do
expect
(
response
).
to
render_template
(
:index
)
end
it
'avoids N + 1 queries'
do
it
'avoids N + 1 queries'
,
:request_store
do
control_count
=
ActiveRecord
::
QueryRecorder
.
new
{
visit_pipelines_schedules
}.
count
create_list
(
:ci_pipeline_schedule
,
2
,
project:
project
)
...
...
spec/controllers/projects/pipelines_controller_spec.rb
View file @
d4c72147
...
...
@@ -5,7 +5,7 @@ describe Projects::PipelinesController do
set
(
:user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
,
:public
,
:repository
)
}
let
(
:feature
)
{
ProjectFeature
::
DIS
ABLED
}
let
(
:feature
)
{
ProjectFeature
::
EN
ABLED
}
before
do
stub_not_protect_default_branch
...
...
@@ -186,6 +186,27 @@ describe Projects::PipelinesController do
end
end
context
'when builds are disabled'
do
let
(
:feature
)
{
ProjectFeature
::
DISABLED
}
it
'users can not see internal pipelines'
do
get_pipeline_json
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
context
'when pipeline is external'
do
let
(
:pipeline
)
{
create
(
:ci_pipeline
,
source: :external
,
project:
project
)
}
it
'users can see the external pipeline'
do
get_pipeline_json
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
json_response
[
'id'
]).
to
be
(
pipeline
.
id
)
end
end
end
def
get_pipeline_json
get
:show
,
params:
{
namespace_id:
project
.
namespace
,
project_id:
project
,
id:
pipeline
},
format: :json
end
...
...
@@ -326,16 +347,14 @@ describe Projects::PipelinesController do
format: :json
end
context
'when builds are enabled'
do
let
(
:feature
)
{
ProjectFeature
::
ENABLED
}
it
'retries a pipeline without returning any content'
do
expect
(
response
).
to
have_gitlab_http_status
(
:no_content
)
expect
(
build
.
reload
).
to
be_retried
end
end
context
'when builds are disabled'
do
let
(
:feature
)
{
ProjectFeature
::
DISABLED
}
it
'fails to retry pipeline'
do
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
...
...
@@ -355,16 +374,14 @@ describe Projects::PipelinesController do
format: :json
end
context
'when builds are enabled'
do
let
(
:feature
)
{
ProjectFeature
::
ENABLED
}
it
'cancels a pipeline without returning any content'
do
expect
(
response
).
to
have_gitlab_http_status
(
:no_content
)
expect
(
pipeline
.
reload
).
to
be_canceled
end
end
context
'when builds are disabled'
do
let
(
:feature
)
{
ProjectFeature
::
DISABLED
}
it
'fails to retry pipeline'
do
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
...
...
spec/features/security/project/internal_access_spec.rb
View file @
d4c72147
...
...
@@ -452,9 +452,9 @@ describe "Internal Project Access" do
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
project
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
project
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
project
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:reporter
).
of
(
project
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:guest
).
of
(
project
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:user
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:reporter
).
of
(
project
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:guest
).
of
(
project
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
it
{
is_expected
.
to
be_denied_for
(
:visitor
)
}
end
...
...
spec/features/security/project/private_access_spec.rb
View file @
d4c72147
...
...
@@ -485,7 +485,7 @@ describe "Private Project Access" do
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
project
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
project
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
project
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:reporter
).
of
(
project
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:reporter
).
of
(
project
)
}
it
{
is_expected
.
to
be_denied_for
(
:guest
).
of
(
project
)
}
it
{
is_expected
.
to
be_denied_for
(
:user
)
}
it
{
is_expected
.
to
be_denied_for
(
:external
)
}
...
...
spec/features/security/project/public_access_spec.rb
View file @
d4c72147
...
...
@@ -272,11 +272,11 @@ describe "Public Project Access" do
it
{
is_expected
.
to
be_allowed_for
(
:owner
).
of
(
project
)
}
it
{
is_expected
.
to
be_allowed_for
(
:maintainer
).
of
(
project
)
}
it
{
is_expected
.
to
be_allowed_for
(
:developer
).
of
(
project
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:reporter
).
of
(
project
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:guest
).
of
(
project
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:user
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:external
)
}
it
{
is_expected
.
to
be_
allow
ed_for
(
:visitor
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:reporter
).
of
(
project
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:guest
).
of
(
project
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:user
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:external
)
}
it
{
is_expected
.
to
be_
deni
ed_for
(
:visitor
)
}
end
describe
"GET /:project_path/environments"
do
...
...
spec/helpers/projects_helper_spec.rb
View file @
d4c72147
...
...
@@ -354,10 +354,22 @@ describe ProjectsHelper do
allow
(
project
).
to
receive
(
:builds_enabled?
).
and_return
(
false
)
end
it
"do not include pipelines tab"
do
context
'when user has access to builds'
do
it
"does include pipelines tab"
do
is_expected
.
to
include
(
:pipelines
)
end
end
context
'when user does not have access to builds'
do
before
do
allow
(
helper
).
to
receive
(
:can?
)
{
false
}
end
it
"does not include pipelines tab"
do
is_expected
.
not_to
include
(
:pipelines
)
end
end
end
context
'when project has external wiki'
do
before
do
...
...
spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
View file @
d4c72147
...
...
@@ -12,7 +12,7 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
]
RSpec
::
Mocks
.
with_temporary_scope
do
@project
=
create
(
:project
,
:builds_
dis
abled
,
:issues_disabled
,
name:
'project'
,
path:
'project'
)
@project
=
create
(
:project
,
:builds_
en
abled
,
:issues_disabled
,
name:
'project'
,
path:
'project'
)
@shared
=
@project
.
import_export_shared
allow
(
@shared
).
to
receive
(
:export_path
).
and_return
(
'spec/lib/gitlab/import_export/'
)
...
...
@@ -40,7 +40,7 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
project
=
Project
.
find_by_path
(
'project'
)
expect
(
project
.
project_feature
.
issues_access_level
).
to
eq
(
ProjectFeature
::
DISABLED
)
expect
(
project
.
project_feature
.
builds_access_level
).
to
eq
(
ProjectFeature
::
DIS
ABLED
)
expect
(
project
.
project_feature
.
builds_access_level
).
to
eq
(
ProjectFeature
::
EN
ABLED
)
expect
(
project
.
project_feature
.
snippets_access_level
).
to
eq
(
ProjectFeature
::
ENABLED
)
expect
(
project
.
project_feature
.
wiki_access_level
).
to
eq
(
ProjectFeature
::
ENABLED
)
expect
(
project
.
project_feature
.
merge_requests_access_level
).
to
eq
(
ProjectFeature
::
ENABLED
)
...
...
spec/models/commit_spec.rb
View file @
d4c72147
...
...
@@ -11,6 +11,7 @@ describe Commit do
it
{
is_expected
.
to
include_module
(
Participable
)
}
it
{
is_expected
.
to
include_module
(
Referable
)
}
it
{
is_expected
.
to
include_module
(
StaticModel
)
}
it
{
is_expected
.
to
include_module
(
Presentable
)
}
end
describe
'.lazy'
do
...
...
spec/models/project_spec.rb
View file @
d4c72147
...
...
@@ -405,6 +405,30 @@ describe Project do
end
end
describe
'#all_pipelines'
do
let
(
:project
)
{
create
(
:project
)
}
before
do
create
(
:ci_pipeline
,
project:
project
,
ref:
'master'
,
source: :web
)
create
(
:ci_pipeline
,
project:
project
,
ref:
'master'
,
source: :external
)
end
it
'has all pipelines'
do
expect
(
project
.
all_pipelines
.
size
).
to
eq
(
2
)
end
context
'when builds are disabled'
do
before
do
project
.
project_feature
.
update_attribute
(
:builds_access_level
,
ProjectFeature
::
DISABLED
)
end
it
'should return .external pipelines'
do
expect
(
project
.
all_pipelines
).
to
all
(
have_attributes
(
source:
'external'
))
expect
(
project
.
all_pipelines
.
size
).
to
eq
(
1
)
end
end
end
describe
'project token'
do
it
'sets an random token if none provided'
do
project
=
FactoryBot
.
create
(
:project
,
runners_token:
''
)
...
...
spec/policies/ci/pipeline_policy_spec.rb
View file @
d4c72147
...
...
@@ -75,6 +75,14 @@ describe Ci::PipelinePolicy, :models do
end
end
context
'when user does not have access to internal CI'
do
let
(
:project
)
{
create
(
:project
,
:builds_disabled
,
:public
)
}
it
'disallows the user from reading the pipeline'
do
expect
(
policy
).
to
be_disallowed
:read_pipeline
end
end
describe
'destroy_pipeline'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
...
...
spec/policies/project_policy_spec.rb
View file @
d4c72147
...
...
@@ -175,17 +175,19 @@ describe ProjectPolicy do
end
context
'builds feature'
do
context
'when builds are disabled'
do
subject
{
described_class
.
new
(
owner
,
project
)
}
it
'disallows all permissions when the feature is disabled'
do
before
do
project
.
project_feature
.
update
(
builds_access_level:
ProjectFeature
::
DISABLED
)
end
it
'disallows all permissions except pipeline when the feature is disabled'
do
builds_permissions
=
[
:create_pipeline
,
:update_pipeline
,
:admin_pipeline
,
:destroy_pipeline
,
:create_build
,
:read_build
,
:update_build
,
:admin_build
,
:destroy_build
,
:create_pipeline_schedule
,
:read_pipeline_schedule
,
:update_pipeline_schedule
,
:admin_pipeline_schedule
,
:destroy_pipeline_schedule
,
:create_environment
,
:read_environment
,
:update_environment
,
:admin_environment
,
:destroy_environment
,
:create_cluster
,
:read_cluster
,
:update_cluster
,
:admin
_cluster
,
:create_cluster
,
:read_cluster
,
:update_cluster
,
:admin_cluster
,
:destroy
_cluster
,
:create_deployment
,
:read_deployment
,
:update_deployment
,
:admin_deployment
,
:destroy_deployment
]
...
...
@@ -193,6 +195,24 @@ describe ProjectPolicy do
end
end
context
'when builds are disabled only for some users'
do
subject
{
described_class
.
new
(
guest
,
project
)
}
before
do
project
.
project_feature
.
update
(
builds_access_level:
ProjectFeature
::
PRIVATE
)
end
it
'disallows pipeline and commit_status permissions'
do
builds_permissions
=
[
:create_pipeline
,
:update_pipeline
,
:admin_pipeline
,
:destroy_pipeline
,
:create_commit_status
,
:update_commit_status
,
:admin_commit_status
,
:destroy_commit_status
]
expect_disallowed
(
*
builds_permissions
)
end
end
end
context
'repository feature'
do
subject
{
described_class
.
new
(
owner
,
project
)
}
...
...
spec/presenters/commit_presenter_spec.rb
0 → 100644
View file @
d4c72147
# frozen_string_literal: true
require
'spec_helper'
describe
CommitPresenter
do
let
(
:project
)
{
create
(
:project
,
:repository
)
}
let
(
:commit
)
{
project
.
commit
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:presenter
)
{
described_class
.
new
(
commit
,
current_user:
user
)
}
describe
'#status_for'
do
subject
{
presenter
.
status_for
(
'ref'
)
}
context
'when user can read_commit_status'
do
before
do
allow
(
presenter
).
to
receive
(
:can?
).
with
(
user
,
:read_commit_status
,
project
).
and_return
(
true
)
end
it
'returns commit status for ref'
do
expect
(
commit
).
to
receive
(
:status
).
with
(
'ref'
).
and_return
(
'test'
)
expect
(
subject
).
to
eq
(
'test'
)
end
end
context
'when user can not read_commit_status'
do
it
'is false'
do
is_expected
.
to
eq
(
false
)
end
end
end
describe
'#any_pipelines?'
do
subject
{
presenter
.
any_pipelines?
}
context
'when user can read pipeline'
do
before
do
allow
(
presenter
).
to
receive
(
:can?
).
with
(
user
,
:read_pipeline
,
project
).
and_return
(
true
)
end
it
'returns if there are any pipelines for commit'
do
expect
(
commit
).
to
receive_message_chain
(
:pipelines
,
:any?
).
and_return
(
true
)
expect
(
subject
).
to
eq
(
true
)
end
end
context
'when user can not read pipeline'
do
it
'is false'
do
is_expected
.
to
eq
(
false
)
end
end
end
end
spec/serializers/merge_request_widget_entity_spec.rb
View file @
d4c72147
...
...
@@ -31,6 +31,14 @@ describe MergeRequestWidgetEntity do
describe
'pipeline'
do
let
(
:pipeline
)
{
create
(
:ci_empty_pipeline
,
project:
project
,
ref:
resource
.
source_branch
,
sha:
resource
.
source_branch_sha
,
head_pipeline_of:
resource
)
}
before
do
allow_any_instance_of
(
MergeRequestPresenter
).
to
receive
(
:can?
).
and_call_original
allow_any_instance_of
(
MergeRequestPresenter
).
to
receive
(
:can?
).
with
(
user
,
:read_pipeline
,
anything
).
and_return
(
result
)
end
context
'when user has access to pipelines'
do
let
(
:result
)
{
true
}
context
'when is up to date'
do
let
(
:req
)
{
double
(
'request'
,
current_user:
user
,
project:
project
)
}
...
...
@@ -47,7 +55,16 @@ describe MergeRequestWidgetEntity do
it
'returns nil'
do
pipeline
.
update
(
sha:
"not up to date"
)
expect
(
subject
[
:pipeline
]).
to
be_nil
expect
(
subject
[
:pipeline
]).
to
eq
(
nil
)
end
end
end
context
'when user does not have access to pipelines'
do
let
(
:result
)
{
false
}
it
'does not have pipeline'
do
expect
(
subject
[
:pipeline
]).
to
eq
(
nil
)
end
end
end
...
...
spec/views/projects/commit/_commit_box.html.haml_spec.rb
View file @
d4c72147
...
...
@@ -9,6 +9,7 @@ describe 'projects/commit/_commit_box.html.haml' do
assign
(
:commit
,
project
.
commit
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
view
).
to
receive
(
:can_collaborate_with_project?
).
and_return
(
false
)
project
.
add_developer
(
user
)
end
it
'shows the commit SHA'
do
...
...
@@ -48,7 +49,6 @@ describe 'projects/commit/_commit_box.html.haml' do
context
'viewing a commit'
do
context
'as a developer'
do
before
do
project
.
add_developer
(
user
)
allow
(
view
).
to
receive
(
:can_collaborate_with_project?
).
and_return
(
true
)
end
...
...
@@ -60,6 +60,10 @@ describe 'projects/commit/_commit_box.html.haml' do
end
context
'as a non-developer'
do
before
do
project
.
add_guest
(
user
)
end
it
'does not have a link to create a new tag'
do
render
...
...
spec/views/projects/issues/_related_branches.html.haml_spec.rb
View file @
d4c72147
...
...
@@ -3,6 +3,7 @@ require 'spec_helper'
describe
'projects/issues/_related_branches'
do
include
Devise
::
Test
::
ControllerHelpers
let
(
:user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
,
:repository
)
}
let
(
:branch
)
{
project
.
repository
.
find_branch
(
'feature'
)
}
let!
(
:pipeline
)
{
create
(
:ci_pipeline
,
project:
project
,
sha:
branch
.
dereferenced_target
.
id
,
ref:
'feature'
)
}
...
...
@@ -11,6 +12,9 @@ describe 'projects/issues/_related_branches' do
assign
(
:project
,
project
)
assign
(
:related_branches
,
[
'feature'
])
project
.
add_developer
(
user
)
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
render
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment