Update policy for group and project for updating max artifacts size

Adds specific rules for admins under the group and project policies instead of manually checking `admin?` everytime we try to update the setting.

Update policy for group and project for updating max artifacts size
Adds specific rules for admins under the group and project policies instead of manually checking `admin?` everytime we try to update the setting.
32a622bc · Erick Bajao · 22762832 · 32a622bc · 32a622bc · 32a622bc
Commit 32a622bc authored Oct 14, 2019 by Erick Bajao
8 changed files
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -4,8 +4,8 @@ module Groups
  module Settings
    class CiCdController < Groups::ApplicationController
      skip_cross_project_access_check :show
-      before_action :authorize_admin_group!, except: [:update]
-      before_action :authorize_admin!, only: [:update]
+      before_action :authorize_admin_group!
+      before_action :authorize_update_max_artifacts_size!, only: [:update]

      def show
        define_ci_variables
@@ -51,8 +51,8 @@ module Groups
        return render_404 unless can?(current_user, :admin_group, group)
      end

-      def authorize_admin!
-        return render_404 unless current_user&.admin?
+      def authorize_update_max_artifacts_size!
+        return render_404 unless can?(current_user, :update_max_artifacts_size, group)
      end

      def auto_devops_params

--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -57,7 +57,7 @@ module Projects
          auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy],
          ci_cd_settings_attributes: [:default_git_depth]
        ].tap do |list|
-          list << :max_artifacts_size if current_user.admin?
+          list << :max_artifacts_size if can?(current_user, :update_max_artifacts_size, project)
        end
      end


--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -53,7 +53,10 @@ class GroupPolicy < BasePolicy
    enable :upload_file
  end

-  rule { admin }.enable :read_group
+  rule { admin }.policy do
+    enable :read_group
+    enable :update_max_artifacts_size
+  end

  rule { has_projects }.policy do
    enable :read_group

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -137,6 +137,8 @@ class ProjectPolicy < BasePolicy
  # not.
  rule { guest | admin }.enable :read_project_for_iids

+  rule { admin }.enable :update_max_artifacts_size
+
  rule { guest }.enable :guest_access
  rule { reporter }.enable :reporter_access
  rule { developer }.enable :developer_access

--- a/app/views/groups/settings/ci_cd/show.html.haml
+++ b/app/views/groups/settings/ci_cd/show.html.haml
@@ -6,7 +6,7 @@

 -# Given we only have one field in this form which is also admin-only,
 -# we don't want to show an empty section to non-admin users,
- if current_user.admin?
+- if can?(current_user, :update_max_artifacts_size, @group)
  %section.settings#js-general-pipeline-settings.no-animate{ class: ('expanded' if general_expanded) }
    .settings-header
      %h4

--- a/app/views/projects/settings/ci_cd/_form.html.haml
+++ b/app/views/projects/settings/ci_cd/_form.html.haml
@@ -40,7 +40,7 @@
            = _('If any job surpasses this timeout threshold, it will be marked as failed. Human readable time input language is accepted like "1 hour". Values without specification represent seconds.')
            = link_to icon('question-circle'), help_page_path('user/project/pipelines/settings', anchor: 'timeout'), target: '_blank'

-        - if current_user.admin?
+        - if can?(current_user, :update_max_artifacts_size, @project)
          %hr
          .form-group
            = f.label :max_artifacts_size, _('Maximum artifacts size (MB)'), class: 'label-bold'

--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -547,4 +547,28 @@ describe GroupPolicy do
             groups: [clusterable])
    end
  end
+
+  describe 'update_max_artifacts_size' do
+    let(:group) { create(:group, :public) }
+
+    context 'when no user' do
+      let(:current_user) { nil }
+
+      it { expect_disallowed(:update_max_artifacts_size) }
+    end
+
+    context 'admin' do
+      let(:current_user) { admin }
+
+      it { expect_allowed(:update_max_artifacts_size) }
+    end
+
+    %w(guest reporter developer maintainer owner).each do |role|
+      context role do
+        let(:current_user) { send(role) }
+
+        it { expect_disallowed(:update_max_artifacts_size) }
+      end
+    end
+  end
 end
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -478,4 +478,28 @@ describe ProjectPolicy do
      end
    end
  end
+
+  describe 'update_max_artifacts_size' do
+    subject { described_class.new(current_user, project) }
+
+    context 'when no user' do
+      let(:current_user) { nil }
+
+      it { expect_disallowed(:update_max_artifacts_size) }
+    end
+
+    context 'admin' do
+      let(:current_user) { admin }
+
+      it { expect_allowed(:update_max_artifacts_size) }
+    end
+
+    %w(guest reporter developer maintainer owner).each do |role|
+      context role do
+        let(:current_user) { send(role) }
+
+        it { expect_disallowed(:update_max_artifacts_size) }
+      end
+    end
+  end
 end