Commit 4c63ab7d authored by Amparo Luna's avatar Amparo Luna Committed by Dmitriy Zaporozhets

Update ProjectSnippets rule for guest authors

Example scenario:
A user with developer access creates a snippet and as the author is able
to update and delete the snippet. This user is then demoted to guest in
the project, but keeps the access to update and delete (as the author).

This new rule prevents the access to update and delete the snippet for
the author if their access level is less than reporter. Those author
users can still see the snippet and add comments.
parent 222e7033
...@@ -38,6 +38,10 @@ class ProjectSnippetPolicy < BasePolicy ...@@ -38,6 +38,10 @@ class ProjectSnippetPolicy < BasePolicy
rule { public_snippet }.enable :read_project_snippet rule { public_snippet }.enable :read_project_snippet
rule { is_author & ~project.reporter & ~admin }.policy do
prevent :admin_project_snippet
end
rule { is_author | admin }.policy do rule { is_author | admin }.policy do
enable :read_project_snippet enable :read_project_snippet
enable :update_project_snippet enable :update_project_snippet
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
- if can?(current_user, :update_project_snippet, @snippet) - if can?(current_user, :update_project_snippet, @snippet)
= link_to edit_project_snippet_path(@project, @snippet), class: "btn btn-grouped" do = link_to edit_project_snippet_path(@project, @snippet), class: "btn btn-grouped" do
= _('Edit') = _('Edit')
- if can?(current_user, :update_project_snippet, @snippet) - if can?(current_user, :admin_project_snippet, @snippet)
= link_to project_snippet_path(@project, @snippet), method: :delete, data: { confirm: _("Are you sure?") }, class: "btn btn-grouped btn-inverted btn-remove", title: _('Delete Snippet') do = link_to project_snippet_path(@project, @snippet), method: :delete, data: { confirm: _("Are you sure?") }, class: "btn btn-grouped btn-inverted btn-remove", title: _('Delete Snippet') do
= _('Delete') = _('Delete')
- if can?(current_user, :create_project_snippet, @project) - if can?(current_user, :create_project_snippet, @project)
...@@ -23,7 +23,7 @@ ...@@ -23,7 +23,7 @@
%li %li
= link_to new_project_snippet_path(@project), title: _("New snippet") do = link_to new_project_snippet_path(@project), title: _("New snippet") do
= _('New snippet') = _('New snippet')
- if can?(current_user, :update_project_snippet, @snippet) - if can?(current_user, :admin_project_snippet, @snippet)
%li %li
= link_to project_snippet_path(@project, @snippet), method: :delete, data: { confirm: _("Are you sure?") }, title: _('Delete Snippet') do = link_to project_snippet_path(@project, @snippet), method: :delete, data: { confirm: _("Are you sure?") }, title: _('Delete Snippet') do
= _('Delete') = _('Delete')
......
---
title: Guest users should not delete project snippets they created
merge_request: 20477
author:
type: fixed
...@@ -4,10 +4,12 @@ require 'spec_helper' ...@@ -4,10 +4,12 @@ require 'spec_helper'
# Snippet visibility scenarios are included in more details in spec/support/snippet_visibility.rb # Snippet visibility scenarios are included in more details in spec/support/snippet_visibility.rb
describe ProjectSnippetPolicy do describe ProjectSnippetPolicy do
let(:regular_user) { create(:user) } let_it_be(:regular_user) { create(:user) }
let(:external_user) { create(:user, :external) } let_it_be(:other_user) { create(:user) }
let(:project) { create(:project, :public) } let_it_be(:external_user) { create(:user, :external) }
let(:snippet) { create(:project_snippet, snippet_visibility, project: project) } let_it_be(:project) { create(:project, :public) }
let(:snippet) { create(:project_snippet, snippet_visibility, project: project, author: author) }
let(:author) { other_user }
let(:author_permissions) do let(:author_permissions) do
[ [
:update_project_snippet, :update_project_snippet,
...@@ -17,6 +19,65 @@ describe ProjectSnippetPolicy do ...@@ -17,6 +19,65 @@ describe ProjectSnippetPolicy do
subject { described_class.new(current_user, snippet) } subject { described_class.new(current_user, snippet) }
shared_examples 'regular user access rights' do
context 'project team member (non guest)' do
before do
project.add_developer(current_user)
end
it do
expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions)
end
end
context 'project team member (guest)' do
before do
project.add_guest(current_user)
end
context 'not snippet author' do
it do
expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(:admin_project_snippet)
end
end
end
context 'snippet author' do
let(:author) { current_user }
context 'project member (non guest)' do
before do
project.add_developer(current_user)
end
it do
expect_allowed(:read_project_snippet, :create_note)
expect_allowed(*author_permissions)
end
end
context 'project member (guest)' do
before do
project.add_guest(current_user)
end
it do
expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(:admin_project_snippet)
end
end
context 'not a project member' do
it do
expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(:admin_project_snippet)
end
end
end
end
context 'public snippet' do context 'public snippet' do
let(:snippet_visibility) { :public } let(:snippet_visibility) { :public }
...@@ -36,6 +97,8 @@ describe ProjectSnippetPolicy do ...@@ -36,6 +97,8 @@ describe ProjectSnippetPolicy do
expect_allowed(:read_project_snippet, :create_note) expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions) expect_disallowed(*author_permissions)
end end
it_behaves_like 'regular user access rights'
end end
context 'external user' do context 'external user' do
...@@ -45,6 +108,17 @@ describe ProjectSnippetPolicy do ...@@ -45,6 +108,17 @@ describe ProjectSnippetPolicy do
expect_allowed(:read_project_snippet, :create_note) expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions) expect_disallowed(*author_permissions)
end end
context 'project team member' do
before do
project.add_developer(external_user)
end
it do
expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions)
end
end
end end
end end
...@@ -67,6 +141,8 @@ describe ProjectSnippetPolicy do ...@@ -67,6 +141,8 @@ describe ProjectSnippetPolicy do
expect_allowed(:read_project_snippet, :create_note) expect_allowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions) expect_disallowed(*author_permissions)
end end
it_behaves_like 'regular user access rights'
end end
context 'external user' do context 'external user' do
...@@ -110,33 +186,20 @@ describe ProjectSnippetPolicy do ...@@ -110,33 +186,20 @@ describe ProjectSnippetPolicy do
expect_disallowed(*author_permissions) expect_disallowed(*author_permissions)
end end
context 'snippet author' do it_behaves_like 'regular user access rights'
let(:snippet) { create(:project_snippet, :private, author: regular_user, project: project) }
it do
expect_allowed(:read_project_snippet, :create_note)
expect_allowed(*author_permissions)
end
end end
context 'project team member normal user' do context 'external user' do
before do let(:current_user) { external_user }
project.add_developer(regular_user)
end
it do it do
expect_allowed(:read_project_snippet, :create_note) expect_disallowed(:read_project_snippet, :create_note)
expect_disallowed(*author_permissions) expect_disallowed(*author_permissions)
end end
end
end
context 'external user' do
context 'project team member' do context 'project team member' do
let(:current_user) { external_user }
before do before do
project.add_developer(external_user) project.add_developer(current_user)
end end
it do it do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment