Merge branch 'fix-feature-flags-visibility' into 'master'

Disable Feature Flags and Packages if repository is disabled See merge request gitlab-org/gitlab-ee!8037

Merge branch 'fix-feature-flags-visibility' into 'master'
Disable Feature Flags and Packages if repository is disabled See merge request gitlab-org/gitlab-ee!8037
506a5f8f · Grzegorz Bizon · 3d7b06c5 · c49322d4 · 506a5f8f · 506a5f8f
Commit 506a5f8f authored Oct 23, 2018 by Grzegorz Bizon
3 changed files
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -132,11 +132,11 @@ module EE

      rule { deploy_board_disabled & ~is_development }.prevent :read_deploy_board

-      rule { packages_disabled }.policy do
+      rule { packages_disabled | repository_disabled }.policy do
        prevent(*create_read_update_admin_destroy(:package))
      end

-      rule { feature_flags_disabled }.policy do
+      rule { feature_flags_disabled | repository_disabled }.policy do
        prevent(*create_read_update_admin_destroy(:feature_flag))
      end


--- a/ee/changelogs/unreleased/fix-feature-flags-visibility.yml
+++ b/ee/changelogs/unreleased/fix-feature-flags-visibility.yml
+---
+title: Disable Feature Flags and Packages if repository is disabled
+merge_request:
+author:
+type: fixed
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -368,6 +368,138 @@ describe ProjectPolicy do
    end
  end

+  describe 'read_package' do
+    subject { described_class.new(current_user, project) }
+
+    context 'with admin' do
+      let(:current_user) { admin }
+
+      it { is_expected.to be_allowed(:read_package) }
+
+      context 'when repository is disabled' do
+        before do
+          project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
+        end
+
+        it { is_expected.to be_disallowed(:read_package) }
+      end
+    end
+
+    context 'with owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_allowed(:read_package) }
+    end
+
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+
+      it { is_expected.to be_allowed(:read_package) }
+    end
+
+    context 'with developer' do
+      let(:current_user) { developer }
+
+      it { is_expected.to be_allowed(:read_package) }
+    end
+
+    context 'with reporter' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_allowed(:read_package) }
+    end
+
+    context 'with guest' do
+      let(:current_user) { guest }
+
+      it { is_expected.to be_allowed(:read_package) }
+    end
+
+    context 'with non member' do
+      let(:current_user) { create(:user) }
+
+      it { is_expected.to be_allowed(:read_package) }
+    end
+
+    context 'with anonymous' do
+      let(:current_user) { nil }
+
+      it { is_expected.to be_allowed(:read_package) }
+    end
+  end
+
+  describe 'read_feature_flag' do
+    before do
+      stub_licensed_features(feature_flags: true)
+    end
+
+    subject { described_class.new(current_user, project) }
+
+    context 'with admin' do
+      let(:current_user) { admin }
+
+      it { is_expected.to be_allowed(:read_feature_flag) }
+
+      context 'when repository is disabled' do
+        before do
+          project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
+        end
+
+        it { is_expected.to be_disallowed(:read_feature_flag) }
+      end
+    end
+
+    context 'with owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_allowed(:read_feature_flag) }
+    end
+
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+
+      it { is_expected.to be_allowed(:read_feature_flag) }
+    end
+
+    context 'with developer' do
+      let(:current_user) { developer }
+
+      it { is_expected.to be_allowed(:read_feature_flag) }
+
+      context 'when feature flags features is not available' do
+        before do
+          stub_licensed_features(feature_flags: false)
+        end
+
+        it { is_expected.to be_disallowed(:read_feature_flag) }
+      end
+    end
+
+    context 'with reporter' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_disallowed(:read_feature_flag) }
+    end
+
+    context 'with guest' do
+      let(:current_user) { guest }
+
+      it { is_expected.to be_disallowed(:read_feature_flag) }
+    end
+
+    context 'with non member' do
+      let(:current_user) { create(:user) }
+
+      it { is_expected.to be_disallowed(:read_feature_flag) }
+    end
+
+    context 'with anonymous' do
+      let(:current_user) { nil }
+
+      it { is_expected.to be_disallowed(:read_feature_flag) }
+    end
+  end
+
  describe 'admin_license_management' do
    before do
      stub_licensed_features(license_management: true)