Commit
4250c48d
authored
Aug 10, 2021
by
Steve Abrams
Committed by
David Fernandez
Aug 10, 2021
Disconnect package permission from repository
parent
64f3d893
Changes
4
Showing
4 changed files
with
53 additions
and
73 deletions
+53
-73
app/policies/project_policy.rb
app/policies/project_policy.rb
+1
-1
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+5
-12
spec/requests/api/maven_packages_spec.rb
spec/requests/api/maven_packages_spec.rb
+32
-60
spec/support/shared_examples/policies/project_policy_shared_examples.rb
...hared_examples/policies/project_policy_shared_examples.rb
+15
-0
app/policies/project_policy.rb
...
@@ -337,7 +337,7 @@ class ProjectPolicy < BasePolicy
...
@@ -337,7 +337,7 @@ class ProjectPolicy < BasePolicy
enable
:read_metrics_user_starred_dashboard
enable
:read_metrics_user_starred_dashboard
end
end
rule
{
packages_disabled
|
repository_disabled
}.
policy
do
rule
{
packages_disabled
}.
policy
do
prevent
(
*
create_read_update_admin_destroy
(
:package
))
prevent
(
*
create_read_update_admin_destroy
(
:package
))
end
end
...
...
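Review bot: The new `rule { packages_disabled }.policy do` drops the repository coupling without a comment saying the decoupling is deliberate, and since ProjectPolicy starts and ends outside this hunk the intent is easy to lose on the next refactor. This is a permission widening: once the repository feature is disabled, the `:package` abilities are no longer revoked by this rule, so they rest entirely on `packages_disabled` plus the role-based rules elsewhere in the policy. I would add above the rule: `# Package registry access is intentionally independent of the repository feature; disabling` / `# the repository must not revoke package permissions (see 'package access with repository disabled' spec).` It is worth confirming that `packages_disabled` (defined outside the hunk) still covers non-members on private and internal projects, as that predicate is now the only feature-level gate on package abilities here.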
spec/policies/project_policy_spec.rb
...
@@ -840,6 +840,8 @@ RSpec.describe ProjectPolicy do
...
@@ -840,6 +840,8 @@ RSpec.describe ProjectPolicy do
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
it
{
is_expected
.
to
be_allowed
(
:read_project
)
}
it
{
is_expected
.
to
be_allowed
(
:read_project
)
}
it
{
is_expected
.
to
be_disallowed
(
:create_package
)
}
it
{
is_expected
.
to
be_disallowed
(
:create_package
)
}
it_behaves_like
'package access with repository disabled'
end
end
context
'a deploy token with write_package_registry scope'
do
context
'a deploy token with write_package_registry scope'
do
...
@@ -849,6 +851,8 @@ RSpec.describe ProjectPolicy do
...
@@ -849,6 +851,8 @@ RSpec.describe ProjectPolicy do
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
it
{
is_expected
.
to
be_allowed
(
:read_project
)
}
it
{
is_expected
.
to
be_allowed
(
:read_project
)
}
it
{
is_expected
.
to
be_disallowed
(
:destroy_package
)
}
it
{
is_expected
.
to
be_disallowed
(
:destroy_package
)
}
it_behaves_like
'package access with repository disabled'
end
end
end
end
...
@@ -1021,18 +1025,7 @@ RSpec.describe ProjectPolicy do
...
@@ -1021,18 +1025,7 @@ RSpec.describe ProjectPolicy do
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
context
'when repository is disabled'
do
it_behaves_like
'package access with repository disabled'
before
do
project
.
project_feature
.
update!
(
# Disable merge_requests and builds as well, since merge_requests and
# builds cannot have higher visibility than repository.
merge_requests_access_level:
ProjectFeature
::
DISABLED
,
builds_access_level:
ProjectFeature
::
DISABLED
,
repository_access_level:
ProjectFeature
::
DISABLED
)
end
it
{
is_expected
.
to
be_disallowed
(
:read_package
)
}
end
end
end
context
'with owner'
do
context
'with owner'
do
...
...
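Review bot: The replacement of the former `context 'when repository is disabled'` (the `@@ -1021` hunk) flips the expectation from `be_disallowed(:read_package)` to the shared example's `be_allowed(:read_package)`, but nothing in the visible hunks asserts the other half of the decoupling — that `read_package` is still prevented when packages themselves are disabled. Unless that negative case is covered elsewhere in this spec, a companion `context 'when packages are disabled'` containing `it { is_expected.to be_disallowed(:read_package) }`, placed next to each `it_behaves_like 'package access with repository disabled'`, would keep the remaining `prevent` rule under test for the deploy-token subjects too. The enclosing describe blocks start and end outside these hunks.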
spec/requests/api/maven_packages_spec.rb
...
@@ -217,6 +217,15 @@ RSpec.describe API::MavenPackages do
...
@@ -217,6 +217,15 @@ RSpec.describe API::MavenPackages do
end
end
end
end
shared_examples
'successfully returning the file'
do
it
'returns the file'
,
:aggregate_failures
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
end
describe
'GET /api/v4/packages/maven/*path/:file_name'
do
describe
'GET /api/v4/packages/maven/*path/:file_name'
do
context
'a public project'
do
context
'a public project'
do
subject
{
download_file
(
file_name:
package_file
.
file_name
)
}
subject
{
download_file
(
file_name:
package_file
.
file_name
)
}
...
@@ -224,12 +233,7 @@ RSpec.describe API::MavenPackages do
...
@@ -224,12 +233,7 @@ RSpec.describe API::MavenPackages do
shared_examples
'getting a file'
do
shared_examples
'getting a file'
do
it_behaves_like
'tracking the file download event'
it_behaves_like
'tracking the file download event'
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'returns sha1 of the file'
do
it
'returns sha1 of the file'
do
download_file
(
file_name:
package_file
.
file_name
+
'.sha1'
)
download_file
(
file_name:
package_file
.
file_name
+
'.sha1'
)
...
@@ -260,12 +264,7 @@ RSpec.describe API::MavenPackages do
...
@@ -260,12 +264,7 @@ RSpec.describe API::MavenPackages do
shared_examples
'getting a file'
do
shared_examples
'getting a file'
do
it_behaves_like
'tracking the file download event'
it_behaves_like
'tracking the file download event'
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'denies download when no private token'
do
it
'denies download when no private token'
do
download_file
(
file_name:
package_file
.
file_name
)
download_file
(
file_name:
package_file
.
file_name
)
...
@@ -297,12 +296,7 @@ RSpec.describe API::MavenPackages do
...
@@ -297,12 +296,7 @@ RSpec.describe API::MavenPackages do
shared_examples
'getting a file'
do
shared_examples
'getting a file'
do
it_behaves_like
'tracking the file download event'
it_behaves_like
'tracking the file download event'
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'denies download when not enough permissions'
do
it
'denies download when not enough permissions'
do
unless
project
.
root_namespace
==
user
.
namespace
unless
project
.
root_namespace
==
user
.
namespace
...
@@ -409,12 +403,7 @@ RSpec.describe API::MavenPackages do
...
@@ -409,12 +403,7 @@ RSpec.describe API::MavenPackages do
shared_examples
'getting a file for a group'
do
shared_examples
'getting a file for a group'
do
it_behaves_like
'tracking the file download event'
it_behaves_like
'tracking the file download event'
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'returns sha1 of the file'
do
it
'returns sha1 of the file'
do
download_file
(
file_name:
package_file
.
file_name
+
'.sha1'
)
download_file
(
file_name:
package_file
.
file_name
+
'.sha1'
)
...
@@ -445,12 +434,7 @@ RSpec.describe API::MavenPackages do
...
@@ -445,12 +434,7 @@ RSpec.describe API::MavenPackages do
shared_examples
'getting a file for a group'
do
shared_examples
'getting a file for a group'
do
it_behaves_like
'tracking the file download event'
it_behaves_like
'tracking the file download event'
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'denies download when no private token'
do
it
'denies download when no private token'
do
download_file
(
file_name:
package_file
.
file_name
)
download_file
(
file_name:
package_file
.
file_name
)
...
@@ -482,12 +466,7 @@ RSpec.describe API::MavenPackages do
...
@@ -482,12 +466,7 @@ RSpec.describe API::MavenPackages do
shared_examples
'getting a file for a group'
do
shared_examples
'getting a file for a group'
do
it_behaves_like
'tracking the file download event'
it_behaves_like
'tracking the file download event'
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'denies download when not enough permissions'
do
it
'denies download when not enough permissions'
do
group
.
add_guest
(
user
)
group
.
add_guest
(
user
)
...
@@ -516,12 +495,7 @@ RSpec.describe API::MavenPackages do
...
@@ -516,12 +495,7 @@ RSpec.describe API::MavenPackages do
context
'with group deploy token'
do
context
'with group deploy token'
do
subject
{
download_file_with_token
(
file_name:
package_file
.
file_name
,
request_headers:
group_deploy_token_headers
)
}
subject
{
download_file_with_token
(
file_name:
package_file
.
file_name
,
request_headers:
group_deploy_token_headers
)
}
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'returns the file with only write_package_registry scope'
do
it
'returns the file with only write_package_registry scope'
do
deploy_token_for_group
.
update!
(
read_package_registry:
false
)
deploy_token_for_group
.
update!
(
read_package_registry:
false
)
...
@@ -553,12 +527,7 @@ RSpec.describe API::MavenPackages do
...
@@ -553,12 +527,7 @@ RSpec.describe API::MavenPackages do
group
.
add_reporter
(
user
)
group
.
add_reporter
(
user
)
end
end
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
context
'with a non existing maven path'
do
context
'with a non existing maven path'
do
subject
{
download_file_with_token
(
file_name:
package_file
.
file_name
,
path:
'foo/bar/1.2.3'
,
request_headers:
headers_with_token
,
group_id:
root_group
.
id
)
}
subject
{
download_file_with_token
(
file_name:
package_file
.
file_name
,
path:
'foo/bar/1.2.3'
,
request_headers:
headers_with_token
,
group_id:
root_group
.
id
)
}
...
@@ -657,12 +626,7 @@ RSpec.describe API::MavenPackages do
...
@@ -657,12 +626,7 @@ RSpec.describe API::MavenPackages do
it_behaves_like
'tracking the file download event'
it_behaves_like
'tracking the file download event'
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'returns sha1 of the file'
do
it
'returns sha1 of the file'
do
download_file
(
file_name:
package_file
.
file_name
+
'.sha1'
)
download_file
(
file_name:
package_file
.
file_name
+
'.sha1'
)
...
@@ -672,6 +636,19 @@ RSpec.describe API::MavenPackages do
...
@@ -672,6 +636,19 @@ RSpec.describe API::MavenPackages do
expect
(
response
.
body
).
to
eq
(
package_file
.
file_sha1
)
expect
(
response
.
body
).
to
eq
(
package_file
.
file_sha1
)
end
end
context
'when the repository is disabled'
do
before
do
project
.
project_feature
.
update!
(
# Disable merge_requests and builds as well, since merge_requests and
# builds cannot have higher visibility than repository.
merge_requests_access_level:
ProjectFeature
::
DISABLED
,
builds_access_level:
ProjectFeature
::
DISABLED
,
repository_access_level:
ProjectFeature
::
DISABLED
)
end
it_behaves_like
'successfully returning the file'
end
context
'with a non existing maven path'
do
context
'with a non existing maven path'
do
subject
{
download_file
(
file_name:
package_file
.
file_name
,
path:
'foo/bar/1.2.3'
)
}
subject
{
download_file
(
file_name:
package_file
.
file_name
,
path:
'foo/bar/1.2.3'
)
}
...
@@ -688,12 +665,7 @@ RSpec.describe API::MavenPackages do
...
@@ -688,12 +665,7 @@ RSpec.describe API::MavenPackages do
it_behaves_like
'tracking the file download event'
it_behaves_like
'tracking the file download event'
it
'returns the file'
do
it_behaves_like
'successfully returning the file'
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
media_type
).
to
eq
(
'application/octet-stream'
)
end
it
'denies download when not enough permissions'
do
it
'denies download when not enough permissions'
do
project
.
add_guest
(
user
)
project
.
add_guest
(
user
)
...
...
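Review bot: The new `context 'when the repository is disabled'` (in the `@@ -672,6 +636,19` hunk) only checks the positive direction — an authorized download still returns `:ok` — and does not assert that disabling the repository leaves the denial paths intact. Because the policy change widens access, I would reuse the same `before` block inside the existing 'denies download when not enough permissions' and 'denies download when no private token' examples, so a regression cannot turn a disabled repository into package exposure for guests or anonymous callers. That `before` block also duplicates the feature-toggle code added to the policy shared example; a small spec helper (a `disable_repository!`-style method) would keep the copies in sync. The enclosing describe blocks start and end outside these hunks.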
spec/support/shared_examples/policies/project_policy_shared_examples.rb
...
@@ -330,3 +330,18 @@ RSpec.shared_examples 'project policies as admin without admin mode' do
...
@@ -330,3 +330,18 @@ RSpec.shared_examples 'project policies as admin without admin mode' do
end
end
end
end
end
end
RSpec
.
shared_examples
'package access with repository disabled'
do
context
'when repository is disabled'
do
before
do
project
.
project_feature
.
update!
(
# Disable merge_requests and builds as well, since merge_requests and
# builds cannot have higher visibility than repository.
merge_requests_access_level:
ProjectFeature
::
DISABLED
,
builds_access_level:
ProjectFeature
::
DISABLED
,
repository_access_level:
ProjectFeature
::
DISABLED
)
end
it
{
is_expected
.
to
be_allowed
(
:read_package
)
}
end
end
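Review bot: The new shared example `'package access with repository disabled'` relies on `project` and the policy `subject` (via `is_expected`) being defined by the including context, but nothing states that contract or what the example proves. I would add above `RSpec.shared_examples`: `# Asserts that disabling the repository feature alone does not revoke :read_package` / `# (ProjectPolicy gates package abilities on packages_disabled only). The including` / `# context must define `project` and the policy `subject`.` The existing comment explaining why merge_requests and builds are disabled alongside the repository is useful and should stay.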