Commit dcf0caaa authored by Thong Kuah's avatar Thong Kuah

Add policy for clusters on group level

- maintainer for group can read, create, update, and admin cluster
- project user, at any level, cannot do anything with group cluster
parent df8f6636
...@@ -4,11 +4,7 @@ module Clusters ...@@ -4,11 +4,7 @@ module Clusters
class ClusterPolicy < BasePolicy class ClusterPolicy < BasePolicy
alias_method :cluster, :subject alias_method :cluster, :subject
delegate { cluster.group }
delegate { cluster.project } delegate { cluster.project }
rule { can?(:maintainer_access) }.policy do
enable :update_cluster
enable :admin_cluster
end
end end
end end
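Review bot: With the `can?(:maintainer_access)` rule gone, this policy has no rules of its own and every cluster ability now comes from the two `delegate` lines, which deserves a comment because delegated abilities are merged from both subjects. The commit message's guarantee that project members cannot act on a group cluster holds only while a group cluster has no project for `delegate { cluster.project }` to resolve; if a cluster could ever carry both associations, either policy could grant access. I would add above the delegates: `# Abilities are inherited from the owning group or project policy only; a cluster is expected to belong to exactly one of them.` The page has lost its +/- markers, so this reads `delegate { cluster.group }` as the added line and the rule block as removed, which matches the GroupPolicy and ProjectPolicy sections gaining `:update_cluster` and `:admin_cluster`.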
...@@ -65,6 +65,10 @@ class GroupPolicy < BasePolicy ...@@ -65,6 +65,10 @@ class GroupPolicy < BasePolicy
enable :create_projects enable :create_projects
enable :admin_pipeline enable :admin_pipeline
enable :admin_build enable :admin_build
enable :read_cluster
enable :create_cluster
enable :update_cluster
enable :admin_cluster
end end
rule { owner }.policy do rule { owner }.policy do
......
...@@ -258,6 +258,8 @@ class ProjectPolicy < BasePolicy ...@@ -258,6 +258,8 @@ class ProjectPolicy < BasePolicy
enable :update_pages enable :update_pages
enable :read_cluster enable :read_cluster
enable :create_cluster enable :create_cluster
enable :update_cluster
enable :admin_cluster
enable :create_environment_terminal enable :create_environment_terminal
end end
......
...@@ -24,5 +24,47 @@ describe Clusters::ClusterPolicy, :models do ...@@ -24,5 +24,47 @@ describe Clusters::ClusterPolicy, :models do
it { expect(policy).to be_allowed :update_cluster } it { expect(policy).to be_allowed :update_cluster }
it { expect(policy).to be_allowed :admin_cluster } it { expect(policy).to be_allowed :admin_cluster }
end end
context 'group cluster' do
let(:cluster) { create(:cluster, :group) }
let(:group) { cluster.group }
let(:project) { create(:project, namespace: group) }
context 'when group developer' do
before do
group.add_developer(user)
end
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
context 'when group maintainer' do
before do
group.add_maintainer(user)
end
it { expect(policy).to be_allowed :update_cluster }
it { expect(policy).to be_allowed :admin_cluster }
end
context 'when project maintainer' do
before do
project.add_maintainer(user)
end
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
context 'when project developer' do
before do
project.add_developer(user)
end
it { expect(policy).to be_disallowed :update_cluster }
it { expect(policy).to be_disallowed :admin_cluster }
end
end
end end
end end
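Review bot: The new `group cluster` contexts assert only `:update_cluster` and `:admin_cluster`, so nothing here pins that a group developer or a project member cannot read a group cluster. That is the part of the commit message ("cannot do anything with group cluster") most likely to regress unnoticed, since `:read_cluster` is also enabled in the GroupPolicy section of this commit. Adding `it { expect(policy).to be_disallowed :read_cluster }` to the group developer, project maintainer and project developer contexts, and `it { expect(policy).to be_allowed :read_cluster }` to the group maintainer context, would cover it. The enclosing `describe` starts outside the hunk, so how `policy` and `user` are defined cannot be checked from here.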
...@@ -21,7 +21,11 @@ describe GroupPolicy do ...@@ -21,7 +21,11 @@ describe GroupPolicy do
let(:maintainer_permissions) do let(:maintainer_permissions) do
[ [
:create_projects :create_projects,
:read_cluster,
:create_cluster,
:update_cluster,
:admin_cluster
] ]
end end
......
...@@ -163,7 +163,7 @@ describe ProjectPolicy do ...@@ -163,7 +163,7 @@ describe ProjectPolicy do
:create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
] ]
...@@ -182,7 +182,7 @@ describe ProjectPolicy do ...@@ -182,7 +182,7 @@ describe ProjectPolicy do
:create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
] ]
......
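Review bot: Dropping `:destroy_cluster` from the cluster row in both hunks (at 163 and 182) leaves cluster deletion without any assertion in this spec, while build, pipeline_schedule, environment and deployment keep their `destroy_` entries. The page has lost its +/- markers, so this reading rests on the row being printed once with the symbol and once without it. No policy section in this commit enables a `destroy_cluster` ability, so if deletion is meant to be authorised through `:admin_cluster`, a comment next to the list would make that explicit, for example `# no :destroy_cluster ability exists; cluster removal is covered by :admin_cluster`. The lists' enclosing expectations start outside the hunks, so whether they feed an allowed or a disallowed check is not visible here.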