Merge branch 'fix-restricted-visibility' into 'master'

Restricted visibility levels - bug fix and new feature

This allows admin users to override restricted visibility settings when creating and updating projects and snippets, and moves the restricted visibility configuration from gitlab.yml to the web UI.  See #1903.

## Move configuration location

I added a new section to the application settings page for restricted visibility levels.  Each level has a checkbox, styled with Bootstrap to look like a toggle button.  A checked box means that the level is restricted.  I added a glowing text shadow and changed the background color for checked buttons because the default styles made it hard to distinguish between checked and unchecked.  This image shows the new section with the "Public" box checked:

![restricted_visibility_settings](https://dev.gitlab.org/Okada/gitlabhq/uploads/629562e4313f89b795e81c3bb0f95893/restricted_visibility_settings.png)

## Allow admins to override

To allow admin users to override the restricted visibility levels, I had to remove the `visibility_level` validation from the `Project` class.  The model doesn't know about the `current_user`, which should determine whether the restrictions can be overridden.  We could use the creator in the validation, but that wouldn't work correctly for projects where a non-admin user is the creator and an admin tries to change the project to a restricted visibility level.

The `Project::UpdateService` and `Project::CreateService` classes already had code to determine whether the current user is allowed to use a given visibility level; now all visibility level validation is done in those classes.  Currently, when a non-admin tries to create or update a project using a restricted level, these classes silently set the visibility level to the global default (create) or the project's existing value (update).  I changed this behavior to be more like an Active Model validation, where using a restricted level causes the entire request to be rejected.

Project and personal snippets didn't have service classes, and restricted visibility levels weren't being enforced in the model or the controllers.  The UI disabled radio buttons for restricted levels, but that wouldn't be difficult to circumvent.  I created the `CreateSnippetService` and `UpdateSnippetService` classes to do the same restricted visibility check that the project classes do.  And since I was dealing with snippet visibility levels, I updated the API endpoints for project snippets to allow users to set and update the visibility level.

## TODO

* [x] Add more tests for restricted visibility functionality

cc @sytse @dzaporozhets

See merge request !1655

CHANGELOG

@@ -17,6 +17,8 @@ v 7.9.0 (unreleased)
   - Improve error messages for file edit failures
   - Improve UI for commits, issues and merge request lists
   - Fix commit comments on first line of diff not rendering in Merge Request Discussion view.
+  - Allow admins to override restricted project visibility settings.
+  - Move restricted visibility settings from gitlab.yml into the web UI.
   - Improve trigger merge request hook when source project branch has been updated (Kirill Zaitsev)
   - Save web edit in new branch
   - Fix ordering of imported but unchanged projects (Marco Wessel)

app/assets/stylesheets/generic/forms.scss

@@ -97,3 +97,8 @@ label {
 .wiki-content {
   margin-top: 35px;
 }
+
+.btn-group .btn.active {
+  text-shadow: 0 0 0.2em #D9534F, 0 0 0.2em #D9534F, 0 0 0.2em #D9534F;
+  background-color: #5487bf;
+}

app/controllers/admin/application_settings_controller.rb

@@ -20,6 +20,13 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
   end
 
   def application_setting_params
+    restricted_levels = params[:application_setting][:restricted_visibility_levels]
+    unless restricted_levels.nil?
+      restricted_levels.map! do |level|
+        level.to_i
+      end
+    end
+
     params.require(:application_setting).permit(
       :default_projects_limit,
       :default_branch_protection,
@@ -28,7 +35,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
       :gravatar_enabled,
       :twitter_sharing_enabled,
       :sign_in_text,
-      :home_page_url
+      :home_page_url,
+      restricted_visibility_levels: []
     )
   end
 end

app/controllers/projects/snippets_controller.rb

@@ -28,26 +28,22 @@ class Projects::SnippetsController < Projects::ApplicationController
   end
 
   def create
-    @snippet = @project.snippets.build(snippet_params)
-    @snippet.author = current_user
-
-    if @snippet.save
-      redirect_to namespace_project_snippet_path(@project.namespace, @project,
-                                                 @snippet)
-    else
-      respond_with(@snippet)
-    end
+    @snippet = CreateSnippetService.new(@project, current_user,
+                                        snippet_params).execute
+    respond_with(@snippet,
+                 location: namespace_project_snippet_path(@project.namespace,
+                                                          @project, @snippet))
   end
 
   def edit
   end
 
   def update
-    if @snippet.update_attributes(snippet_params)
-      redirect_to namespace_project_snippet_path(@project.namespace, @project, @snippet)
-    else
-      respond_with(@snippet)
-    end
+    UpdateSnippetService.new(project, current_user, @snippet,
+                             snippet_params).execute
+    respond_with(@snippet,
+                 location: namespace_project_snippet_path(@project.namespace,
+                                                          @project, @snippet))
   end
 
   def show

app/controllers/snippets_controller.rb

@@ -42,25 +42,19 @@ class SnippetsController < ApplicationController
   end
 
   def create
-    @snippet = PersonalSnippet.new(snippet_params)
-    @snippet.author = current_user
+    @snippet = CreateSnippetService.new(nil, current_user,
+                                        snippet_params).execute
 
-    if @snippet.save
-      redirect_to snippet_path(@snippet)
-    else
-      respond_with @snippet
-    end
+    respond_with @snippet.becomes(Snippet)
   end
 
   def edit
   end
 
   def update
-    if @snippet.update_attributes(snippet_params)
-      redirect_to snippet_path(@snippet)
-    else
-      respond_with @snippet
-    end
+    UpdateSnippetService.new(nil, current_user, @snippet,
+                             snippet_params).execute
+    respond_with @snippet.becomes(Snippet)
   end
 
   def show

app/helpers/application_settings_helper.rb

@@ -18,4 +18,21 @@ module ApplicationSettingsHelper
   def extra_sign_in_text
     current_application_settings.sign_in_text
   end
+
+  # Return a group of checkboxes that use Bootstrap's button plugin for a
+  # toggle button effect.
+  def restricted_level_checkboxes(help_block_id)
+    Gitlab::VisibilityLevel.options.map do |name, level|
+      checked = restricted_visibility_levels(true).include?(level)
+      css_class = 'btn btn-primary'
+      css_class += ' active' if checked
+      checkbox_name = 'application_setting[restricted_visibility_levels][]'
+
+      label_tag(checkbox_name, class: css_class) do
+        check_box_tag(checkbox_name, level, checked,
+                      autocomplete: 'off',
+                      'aria-describedby' => help_block_id) + name
+      end
+    end
+  end
 end

app/helpers/gitlab_routing_helper.rb

@@ -45,7 +45,8 @@ module GitlabRoutingHelper
     namespace_project_merge_request_url(entity.project.namespace, entity.project, entity, *args)
   end
 
-  def snippet_url(entity, *args)
+  def project_snippet_url(entity, *args)
     namespace_project_snippet_url(entity.project.namespace, entity.project, entity, *args)
+
   end
 end

app/helpers/visibility_level_helper.rb

@@ -60,7 +60,8 @@ module VisibilityLevelHelper
     Project.visibility_levels.key(level)
   end
 
-  def restricted_visibility_levels
-    current_user.is_admin? ? [] : gitlab_config.restricted_visibility_levels
+  def restricted_visibility_levels(show_all = false)
+    return [] if current_user.is_admin? && !show_all
+    current_application_settings.restricted_visibility_levels
   end
 end

app/models/ability.rb

@@ -225,13 +225,15 @@ class Ability
 
     [:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
       define_method "#{name}_abilities" do |user, subject|
-        if subject.author == user
-          [
+        if subject.author == user || user.is_admin?
+          rules = [
             :"read_#{name}",
             :"write_#{name}",
             :"modify_#{name}",
             :"admin_#{name}"
           ]
+          rules.push(:change_visibility_level) if subject.is_a?(Snippet)
+          rules
         elsif subject.respond_to?(:assignee) && subject.assignee == user
           [
             :"read_#{name}",

app/models/application_setting.rb

@@ -2,25 +2,38 @@
 #
 # Table name: application_settings
 #
-#  id                        :integer          not null, primary key
-#  default_projects_limit    :integer
-#  signup_enabled            :boolean
-#  signin_enabled            :boolean
-#  gravatar_enabled          :boolean
-#  sign_in_text              :text
-#  created_at                :datetime
-#  updated_at                :datetime
-#  home_page_url             :string(255)
-#  default_branch_protection :integer          default(2)
-#  twitter_sharing_enabled   :boolean          default(TRUE)
+#  id                           :integer        not null, primary key
+#  default_projects_limit       :integer
+#  default_branch_protection    :integer
+#  signup_enabled               :boolean
+#  signin_enabled               :boolean
+#  gravatar_enabled             :boolean
+#  twitter_sharing_enabled      :boolean
+#  sign_in_text                 :text
+#  created_at                   :datetime
+#  updated_at                   :datetime
+#  home_page_url                :string(255)
+#  default_branch_protection    :integer          default(2)
+#  twitter_sharing_enabled      :boolean          default(TRUE)
+#  restricted_visibility_levels :text
 #
 
 class ApplicationSetting < ActiveRecord::Base
+  serialize :restricted_visibility_levels
+
   validates :home_page_url,
     allow_blank: true,
     format: { with: URI::regexp(%w(http https)), message: "should be a valid url" },
     if: :home_page_url_column_exist
 
+  validates_each :restricted_visibility_levels do |record, attr, value|
+    value.each do |level|
+      unless Gitlab::VisibilityLevel.options.has_value?(level)
+        record.errors.add(attr, "'#{level}' is not a valid visibility level")
+      end
+    end
+  end
+
   def self.current
     ApplicationSetting.last
   end
@@ -34,6 +47,7 @@ class ApplicationSetting < ActiveRecord::Base
       twitter_sharing_enabled: Settings.gitlab['twitter_sharing_enabled'],
       gravatar_enabled: Settings.gravatar['enabled'],
       sign_in_text: Settings.extra['sign_in_text'],
+      restricted_visibility_levels: Settings.gitlab['restricted_visibility_levels']
     )
   end
 

app/models/project.rb

@@ -131,9 +131,6 @@ class Project < ActiveRecord::Base
               message: Gitlab::Regex.path_regex_message }
   validates :issues_enabled, :merge_requests_enabled,
             :wiki_enabled, inclusion: { in: [true, false] }
-  validates :visibility_level,
-    exclusion: { in: gitlab_config.restricted_visibility_levels },
-    if: -> { gitlab_config.restricted_visibility_levels.any? }
   validates :issues_tracker_id, length: { maximum: 255 }, allow_blank: true
   validates :namespace, presence: true
   validates_uniqueness_of :name, scope: :namespace_id

app/services/base_service.rb

@@ -31,8 +31,19 @@ class BaseService
     SystemHooksService.new
   end
 
-  def current_application_settings
-    ApplicationSetting.current
+  # Add an error to the specified model for restricted visibility levels
+  def deny_visibility_level(model, denied_visibility_level = nil)
+    denied_visibility_level ||= model.visibility_level
+
+    level_name = 'Unknown'
+    Gitlab::VisibilityLevel.options.each do |name, level|
+      level_name = name if level == denied_visibility_level
+    end
+
+    model.errors.add(
+      :visibility_level,
+      "#{level_name} visibility has been restricted by your GitLab administrator"
+    )
   end
 
   private

app/services/create_snippet_service.rb

+class CreateSnippetService < BaseService
+  def execute
+    if project.nil?
+      snippet = PersonalSnippet.new(params)
+    else
+      snippet = project.snippets.build(params)
+    end
+
+    unless Gitlab::VisibilityLevel.allowed_for?(current_user,
+                                                params[:visibility_level])
+      deny_visibility_level(snippet)
+      return snippet
+    end
+
+    snippet.author = current_user
+
+    snippet.save
+    snippet
+  end
+end

app/services/projects/create_service.rb

@@ -7,9 +7,12 @@ module Projects
     def execute
       @project = Project.new(params)
 
-      # Reset visibility level if is not allowed to set it
-      unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
-        @project.visibility_level = default_features.visibility_level
+      # Make sure that the user is allowed to use the specified visibility
+      # level
+      unless Gitlab::VisibilityLevel.allowed_for?(current_user,
+                                                  params[:visibility_level])
+        deny_visibility_level(@project)
+        return @project
       end
 
       # Set project name from path

app/services/projects/update_service.rb

@@ -2,8 +2,13 @@ module Projects
   class UpdateService < BaseService
     def execute
       # check that user is allowed to set specified visibility_level
-      unless can?(current_user, :change_visibility_level, project) && Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
-        params[:visibility_level] = project.visibility_level
+      new_visibility = params[:visibility_level]
+      if new_visibility && new_visibility.to_i != project.visibility_level
+        unless can?(current_user, :change_visibility_level, project) &&
+          Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
+          deny_visibility_level(project, new_visibility)
+          return project
+        end
       end
 
       new_branch = params[:default_branch]

app/services/update_snippet_service.rb

+class UpdateSnippetService < BaseService
+  attr_accessor :snippet
+
+  def initialize(project, user, snippet, params)
+    super(project, user, params)
+    @snippet = snippet
+  end
+
+  def execute
+    # check that user is allowed to set specified visibility_level
+    new_visibility = params[:visibility_level]
+    if new_visibility && new_visibility.to_i != snippet.visibility_level
+      unless can?(current_user, :change_visibility_level, snippet) &&
+        Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
+        deny_visibility_level(snippet, new_visibility)
+        return snippet
+      end
+    end
+
+    snippet.update_attributes(params)
+  end
+end

app/views/admin/application_settings/_form.html.haml

@@ -42,6 +42,14 @@
       = f.label :default_branch_protection, class: 'control-label col-sm-2'
       .col-sm-10
         = f.select :default_branch_protection, options_for_select(Gitlab::Access.protection_options, @application_setting.default_branch_protection), {}, class: 'form-control'
+    .form-group
+      = f.label :restricted_visibility_levels, class: 'control-label col-sm-2'
+      .col-sm-10
+        - data_attrs = { toggle: 'buttons' }
+        .btn-group{ data: data_attrs }
+          - restricted_level_checkboxes('restricted-visibility-help').each do |level|
+            = level
+        %span.help-block#restricted-visibility-help Selected levels cannot be used by non-admin users for projects or snippets
     .form-group
       = f.label :home_page_url, class: 'control-label col-sm-2'
       .col-sm-10

config/gitlab.yml.example

@@ -57,10 +57,6 @@ production: &base
     ##   COLOR  = 5
     # default_theme: 2 # default: 2
 
-    # Restrict setting visibility levels for non-admin users.
-    # The default is to allow all levels.
-    # restricted_visibility_levels: [ "public" ]
-
     ## Automatic issue closing
     # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
     # This happens when the commit is pushed or merged into the default branch of a project.

db/migrate/20150301014758_add_restricted_visibility_levels_to_application_settings.rb

+class AddRestrictedVisibilityLevelsToApplicationSettings < ActiveRecord::Migration
+  def change
+    add_column :application_settings, :restricted_visibility_levels, :text
+  end
+end

db/schema.rb

@@ -25,8 +25,9 @@ ActiveRecord::Schema.define(version: 20150306023112) do
     t.datetime "created_at"
     t.datetime "updated_at"
     t.string   "home_page_url"
-    t.integer  "default_branch_protection", default: 2
-    t.boolean  "twitter_sharing_enabled",   default: true
+    t.integer  "default_branch_protection",    default: 2
+    t.boolean  "twitter_sharing_enabled",      default: true
+    t.text     "restricted_visibility_levels"
   end
 
   create_table "broadcast_messages", force: true do |t|

doc/public_access/public_access.md

@@ -41,4 +41,4 @@ When visiting the public page of an user, you will only see listed projects whic
 
 ## Restricting the use of public or internal projects
 
-In [gitlab.yml](https://gitlab.com/gitlab-org/gitlab-ce/blob/dbd88d453b8e6c78a423fa7e692004b1db6ea069/config/gitlab.yml.example#L64) you can disable public projects or public and internal projects for the entire GitLab installation to prevent people making code public by accident.
+In [gitlab.yml](https://gitlab.com/gitlab-org/gitlab-ce/blob/dbd88d453b8e6c78a423fa7e692004b1db6ea069/config/gitlab.yml.example#L64) you can disable public projects or public and internal projects for the entire GitLab installation to prevent people making code public by accident.  The restricted visibility settings do not apply to admin users.

lib/api/helpers.rb

@@ -207,7 +207,7 @@ module API
     end
 
     def render_validation_error!(model)
-      unless model.valid?
+      if model.errors.any?
         render_api_error!(model.errors.messages || '400 Bad Request', 400)
       end
     end

lib/api/project_snippets.rb

@@ -42,21 +42,22 @@ module API
       #   title (required) - The title of a snippet
       #   file_name (required) - The name of a snippet file
       #   code (required) - The content of a snippet
+      #   visibility_level (required) - The snippet's visibility
       # Example Request:
       #   POST /projects/:id/snippets
       post ":id/snippets" do
         authorize! :write_project_snippet, user_project
-        required_attributes! [:title, :file_name, :code]
+        required_attributes! [:title, :file_name, :code, :visibility_level]
 
-        attrs = attributes_for_keys [:title, :file_name]
+        attrs = attributes_for_keys [:title, :file_name, :visibility_level]
         attrs[:content] = params[:code] if params[:code].present?
-        @snippet = user_project.snippets.new attrs
-        @snippet.author = current_user
+        @snippet = CreateSnippetService.new(user_project, current_user,
+                                            attrs).execute
 
-        if @snippet.save
-          present @snippet, with: Entities::ProjectSnippet
-        else
+        if @snippet.errors.any?
           render_validation_error!(@snippet)
+        else
+          present @snippet, with: Entities::ProjectSnippet
         end
       end
 
@@ -68,19 +69,22 @@ module API
       #   title (optional) - The title of a snippet
       #   file_name (optional) - The name of a snippet file
       #   code (optional) - The content of a snippet
+      #   visibility_level (optional) - The snippet's visibility
       # Example Request:
       #   PUT /projects/:id/snippets/:snippet_id
       put ":id/snippets/:snippet_id" do
         @snippet = user_project.snippets.find(params[:snippet_id])
         authorize! :modify_project_snippet, @snippet
 
-        attrs = attributes_for_keys [:title, :file_name]
+        attrs = attributes_for_keys [:title, :file_name, :visibility_level]
         attrs[:content] = params[:code] if params[:code].present?
 
-        if @snippet.update_attributes attrs
-          present @snippet, with: Entities::ProjectSnippet
-        else
+        UpdateSnippetService.new(user_project, current_user, @snippet,
+                                 attrs).execute
+        if @snippet.errors.any?
           render_validation_error!(@snippet)
+        else
+          present @snippet, with: Entities::ProjectSnippet
         end
       end
 

lib/api/projects.rb

@@ -233,10 +233,10 @@ module API
         ::Projects::UpdateService.new(user_project,
                                       current_user, attrs).execute
 
-        if user_project.valid?
-          present user_project, with: Entities::Project
-        else
+        if user_project.errors.any?
           render_validation_error!(user_project)
+        else
+          present user_project, with: Entities::Project
         end
       end
 

lib/gitlab/current_settings.rb

@@ -5,8 +5,7 @@ module Gitlab
 
       RequestStore.store[key] ||= begin
         if ActiveRecord::Base.connected? && ActiveRecord::Base.connection.table_exists?('application_settings')
-          RequestStore.store[:current_application_settings] =
-            (ApplicationSetting.current || ApplicationSetting.create_from_defaults)
+          ApplicationSetting.current || ApplicationSetting.create_from_defaults
         else
           fake_application_settings
         end
@@ -21,6 +20,7 @@ module Gitlab
         signin_enabled: Settings.gitlab['signin_enabled'],
         gravatar_enabled: Settings.gravatar['enabled'],
         sign_in_text: Settings.extra['sign_in_text'],
+        restricted_visibility_levels: Settings.gitlab['restricted_visibility_levels']
       )
     end
   end

lib/gitlab/url_builder.rb

@@ -51,9 +51,9 @@ module Gitlab
                           anchor: "note_#{note.id}")
       elsif note.for_project_snippet?
         snippet = Snippet.find(note.noteable_id)
-        snippet_url(snippet,
-                    host: Gitlab.config.gitlab['url'],
-                    anchor: "note_#{note.id}")
+        project_snippet_url(snippet,
+                            host: Gitlab.config.gitlab['url'],
+                            anchor: "note_#{note.id}")
       end
     end
   end

lib/gitlab/visibility_level.rb

@@ -5,6 +5,8 @@
 #
 module Gitlab
   module VisibilityLevel
+    extend CurrentSettings
+
     PRIVATE  = 0 unless const_defined?(:PRIVATE)
     INTERNAL = 10 unless const_defined?(:INTERNAL)
     PUBLIC   = 20 unless const_defined?(:PUBLIC)
@@ -23,21 +25,21 @@ module Gitlab
       end
 
       def allowed_for?(user, level)
-        user.is_admin? || allowed_level?(level)
+        user.is_admin? || allowed_level?(level.to_i)
       end
 
-      # Level can be a string `"public"` or a value `20`, first check if valid,
-      # then check if the corresponding string appears in the config
+      # Return true if the specified level is allowed for the current user.
+      # Level should be a numeric value, e.g. `20`.
       def allowed_level?(level)
-        if options.has_key?(level.to_s)
-          non_restricted_level?(level)
-        elsif options.has_value?(level.to_i)
-          non_restricted_level?(options.key(level.to_i).downcase)
-        end
+        valid_level?(level) && non_restricted_level?(level)
       end
 
       def non_restricted_level?(level)
-        ! Gitlab.config.gitlab.restricted_visibility_levels.include?(level)
+        ! current_application_settings.restricted_visibility_levels.include?(level)
+      end
+
+      def valid_level?(level)
+        options.has_value?(level)
       end
     end
 

spec/models/application_setting_spec.rb

@@ -2,17 +2,19 @@
 #
 # Table name: application_settings
 #
-#  id                        :integer          not null, primary key
-#  default_projects_limit    :integer
-#  signup_enabled            :boolean
-#  signin_enabled            :boolean
-#  gravatar_enabled          :boolean
-#  sign_in_text              :text
-#  created_at                :datetime
-#  updated_at                :datetime
-#  home_page_url             :string(255)
-#  default_branch_protection :integer          default(2)
-#  twitter_sharing_enabled   :boolean          default(TRUE)
+#  id                           :integer          not null, primary key
+#  default_projects_limit       :integer
+#  default_branch_protection    :integer
+#  signup_enabled               :boolean
+#  signin_enabled               :boolean
+#  gravatar_enabled             :boolean
+#  sign_in_text                 :text
+#  created_at                   :datetime
+#  updated_at                   :datetime
+#  home_page_url                :string(255)
+#  default_branch_protection    :integer          default(2)
+#  twitter_sharing_enabled      :boolean          default(TRUE)
+#  restricted_visibility_levels :text
 #
 
 require 'spec_helper'

spec/requests/api/projects_spec.rb

@@ -3,6 +3,7 @@ require 'spec_helper'
 
 describe API::API, api: true  do
   include ApiHelpers
+  include Gitlab::CurrentSettings
   let(:user) { create(:user) }
   let(:user2) { create(:user) }
   let(:user3) { create(:user) }
@@ -202,6 +203,31 @@ describe API::API, api: true  do
       expect(json_response['public']).to be_falsey
       expect(json_response['visibility_level']).to eq(Gitlab::VisibilityLevel::PRIVATE)
     end
+
+    context 'when a visibility level is restricted' do
+      before do
+        @project = attributes_for(:project, { public: true })
+        allow_any_instance_of(ApplicationSetting).to(
+          receive(:restricted_visibility_levels).and_return([20])
+        )
+      end
+
+      it 'should not allow a non-admin to use a restricted visibility level' do
+        post api('/projects', user), @project
+        expect(response.status).to eq(400)
+        expect(json_response['message']['visibility_level'].first).to(
+          match('restricted by your GitLab administrator')
+        )
+      end
+
+      it 'should allow an admin to override restricted visibility settings' do
+        post api('/projects', admin), @project
+        expect(json_response['public']).to be_truthy
+        expect(json_response['visibility_level']).to(
+          eq(Gitlab::VisibilityLevel::PUBLIC)
+        )
+      end
+    end
   end
 
   describe 'POST /projects/user/:id' do
@@ -399,7 +425,8 @@ describe API::API, api: true  do
   describe 'POST /projects/:id/snippets' do
     it 'should create a new project snippet' do
       post api("/projects/#{project.id}/snippets", user),
-        title: 'api test', file_name: 'sample.rb', code: 'test'
+        title: 'api test', file_name: 'sample.rb', code: 'test',
+        visibility_level: '0'
       expect(response.status).to eq(201)
       expect(json_response['title']).to eq('api test')
     end

spec/services/create_snippet_service_spec.rb

+require 'spec_helper'
+
+describe CreateSnippetService do
+  before do
+    @user = create :user
+    @admin = create :user, admin: true
+    @opts = {
+      title: 'Test snippet',
+      file_name: 'snippet.rb',
+      content: 'puts "hello world"',
+      visibility_level: Gitlab::VisibilityLevel::PRIVATE
+    }
+  end
+
+  context 'When public visibility is restricted' do
+    before do
+      allow_any_instance_of(ApplicationSetting).to(
+        receive(:restricted_visibility_levels).and_return(
+          [Gitlab::VisibilityLevel::PUBLIC]
+        )
+      )
+
+      @opts.merge!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+    end
+
+    it 'non-admins should not be able to create a public snippet' do
+      snippet = create_snippet(nil, @user, @opts)
+      expect(snippet.errors.messages).to have_key(:visibility_level)
+      expect(snippet.errors.messages[:visibility_level].first).to(
+        match('Public visibility has been restricted')
+      )
+    end
+
+    it 'admins should be able to create a public snippet' do
+      snippet = create_snippet(nil, @admin, @opts)
+      expect(snippet.errors.any?).to be_falsey
+      expect(snippet.visibility_level).to eq(Gitlab::VisibilityLevel::PUBLIC)
+    end
+  end
+
+  def create_snippet(project, user, opts)
+    CreateSnippetService.new(project, user, opts).execute
+  end
+end

spec/services/projects/create_service_spec.rb

@@ -55,6 +55,33 @@ describe Projects::CreateService do
         it { expect(File.exists?(@path)).to be_falsey }
       end
     end
+
+    context 'restricted visibility level' do
+      before do
+        allow_any_instance_of(ApplicationSetting).to(
+          receive(:restricted_visibility_levels).and_return([20])
+        )
+
+        @opts.merge!(
+          visibility_level: Gitlab::VisibilityLevel.options['Public']
+        )
+      end
+
+      it 'should not allow a restricted visibility level for non-admins' do
+        project = create_project(@user, @opts)
+        expect(project).to respond_to(:errors)
+        expect(project.errors.messages).to have_key(:visibility_level)
+        expect(project.errors.messages[:visibility_level].first).to(
+          match('restricted by your GitLab administrator')
+        )
+      end
+
+      it 'should allow a restricted visibility level for admins' do
+        project = create_project(@admin, @opts)
+        expect(project.errors.any?).to be(false)
+        expect(project.saved?).to be(true)
+      end
+    end
   end
 
   def create_project(user, opts)

spec/services/projects/update_service_spec.rb

@@ -47,9 +47,9 @@ describe Projects::UpdateService do
 
     context 'respect configured visibility restrictions setting' do
       before(:each) do
-        @restrictions = double("restrictions")
-        allow(@restrictions).to receive(:restricted_visibility_levels) { [ "public" ] }
-        Settings.stub_chain(:gitlab).and_return(@restrictions)
+        allow_any_instance_of(ApplicationSetting).to(
+          receive(:restricted_visibility_levels).and_return([20])
+        )
       end
 
       context 'should be private when updated to private' do

spec/services/update_snippet_service_spec.rb

+require 'spec_helper'
+
+describe UpdateSnippetService do
+  before do
+    @user = create :user
+    @admin = create :user, admin: true
+    @opts = {
+      title: 'Test snippet',
+      file_name: 'snippet.rb',
+      content: 'puts "hello world"',
+      visibility_level: Gitlab::VisibilityLevel::PRIVATE
+    }
+  end
+
+  context 'When public visibility is restricted' do
+    before do
+      allow_any_instance_of(ApplicationSetting).to(
+        receive(:restricted_visibility_levels).and_return(
+          [Gitlab::VisibilityLevel::PUBLIC]
+        )
+      )
+
+      @snippet = create_snippet(@project, @user, @opts)
+      @opts.merge!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+    end
+
+    it 'non-admins should not be able to update to public visibility' do
+      old_visibility = @snippet.visibility_level
+      update_snippet(@project, @user, @snippet, @opts)
+      expect(@snippet.errors.messages).to have_key(:visibility_level)
+      expect(@snippet.errors.messages[:visibility_level].first).to(
+        match('Public visibility has been restricted')
+      )
+      expect(@snippet.visibility_level).to eq(old_visibility)
+    end
+
+    it 'admins should be able to update to pubic visibility' do
+      old_visibility = @snippet.visibility_level
+      update_snippet(@project, @admin, @snippet, @opts)
+      expect(@snippet.visibility_level).not_to eq(old_visibility)
+      expect(@snippet.visibility_level).to eq(Gitlab::VisibilityLevel::PUBLIC)
+    end
+  end
+
+  def create_snippet(project, user, opts)
+    CreateSnippetService.new(project, user, opts).execute
+  end
+
+  def update_snippet(project = nil, user, snippet, opts)
+    UpdateSnippetService.new(project, user, snippet, opts).execute
+  end
+end