Commit 96b14687 authored by Tomasz Maczukin's avatar Tomasz Maczukin

Introduce :read_namespace access policy for namespace and group

parent 5845dd6f
...@@ -45,6 +45,8 @@ class GroupPolicy < BasePolicy ...@@ -45,6 +45,8 @@ class GroupPolicy < BasePolicy
rule { admin } .enable :read_group rule { admin } .enable :read_group
rule { has_projects } .enable :read_group rule { has_projects } .enable :read_group
rule { has_access }.enable :read_namespace
rule { developer }.enable :admin_milestones rule { developer }.enable :admin_milestones
rule { reporter }.enable :admin_label rule { reporter }.enable :admin_label
......
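Review bot: `rule { has_access }.enable :read_namespace` grants the new ability on a condition whose definition is outside this hunk. If `has_access` holds for any membership level, guest members of a group will now pass the `:read_namespace` check that `find_namespace!` relies on. A comment above the rule should state the intended floor, for example `# Any group member, including guests, may read namespace details`. If guest access is not intended, a narrower condition already used in this class, such as `reporter`, would fit. No policy spec change is visible on this page that pins which roles receive the ability.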
...@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy ...@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
rule { owner | admin }.policy do rule { owner | admin }.policy do
enable :create_projects enable :create_projects
enable :admin_namespace enable :admin_namespace
enable :read_namespace
end end
rule { personal_project & ~can_create_personal_project }.prevent :create_projects rule { personal_project & ~can_create_personal_project }.prevent :create_projects
......
...@@ -138,7 +138,7 @@ module API ...@@ -138,7 +138,7 @@ module API
def find_namespace!(id) def find_namespace!(id)
namespace = find_namespace(id) namespace = find_namespace(id)
if can?(current_user, :admin_namespace, namespace) if can?(current_user, :read_namespace, namespace)
namespace namespace
else else
not_found!('Namespace') not_found!('Namespace')
......
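Review bot: `find_namespace!` is a shared helper, so changing its check from `:admin_namespace` to `:read_namespace` relaxes authorization for every endpoint that calls it, not only GET /namespaces/:id. The callers are outside this hunk, and so is the end of the method body. Any caller that modifies the namespace and relied on the old check now needs its own `:admin_namespace` authorization. I would add a comment above the method along the lines of `# Authorizes read access only; endpoints that change the namespace must check :admin_namespace themselves`.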
...@@ -142,6 +142,7 @@ describe API::Namespaces do ...@@ -142,6 +142,7 @@ describe API::Namespaces do
describe 'GET /namespaces/:id' do describe 'GET /namespaces/:id' do
let(:owned_group) { group1 } let(:owned_group) { group1 }
let(:user2) { create(:user) }
shared_examples 'can access namespace' do shared_examples 'can access namespace' do
it 'returns namespace details' do it 'returns namespace details' do
...@@ -164,15 +165,33 @@ describe API::Namespaces do ...@@ -164,15 +165,33 @@ describe API::Namespaces do
context 'when namespace exists' do context 'when namespace exists' do
context 'when requested by ID' do context 'when requested by ID' do
let(:namespace_id) { owned_group.id } context 'when requesting group' do
let(:namespace_id) { owned_group.id }
it_behaves_like 'can access namespace' it_behaves_like 'can access namespace'
end
context 'when requesting personal namespace' do
let(:namespace_id) { request_actor.namespace.id }
let(:requested_namespace) { request_actor.namespace }
it_behaves_like 'can access namespace'
end
end end
context 'when requested by path' do context 'when requested by path' do
let(:namespace_id) { owned_group.path } context 'when requesting group' do
let(:namespace_id) { owned_group.path }
it_behaves_like 'can access namespace' it_behaves_like 'can access namespace'
end
context 'when requesting personal namespace' do
let(:namespace_id) { request_actor.namespace.path }
let(:requested_namespace) { request_actor.namespace }
it_behaves_like 'can access namespace'
end
end end
end end
...@@ -197,10 +216,20 @@ describe API::Namespaces do ...@@ -197,10 +216,20 @@ describe API::Namespaces do
let(:request_actor) { user } let(:request_actor) { user }
context 'when requested namespace is not owned by user' do context 'when requested namespace is not owned by user' do
it 'returns not-found' do context 'when requesting group' do
get api("/namespaces/#{group2.id}", request_actor) it 'returns not-found' do
get api("/namespaces/#{group2.id}", request_actor)
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(404)
end
end
context 'when requesting personal namespace' do
it 'returns not-found' do
get api("/namespaces/#{user2.namespace.id}", request_actor)
expect(response).to have_gitlab_http_status(404)
end
end end
end end
...@@ -213,10 +242,19 @@ describe API::Namespaces do ...@@ -213,10 +242,19 @@ describe API::Namespaces do
let(:request_actor) { admin } let(:request_actor) { admin }
context 'when requested namespace is not owned by user' do context 'when requested namespace is not owned by user' do
let(:namespace_id) { group2.id } context 'when requesting group' do
let(:requested_namespace) { group2 } let(:namespace_id) { group2.id }
let(:requested_namespace) { group2 }
it_behaves_like 'can access namespace'
end
context 'when requesting personal namespace' do
let(:namespace_id) { user2.namespace.id }
let(:requested_namespace) { user2.namespace }
it_behaves_like 'can access namespace' it_behaves_like 'can access namespace'
end
end end
context 'when requested namespace is owned by user' do context 'when requested namespace is owned by user' do
......
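Review bot: The new negative cases only cover a user with no relation to `group2` or to `user2.namespace`, so nothing exercises a low-privilege member of a group. That is the boundary this commit moves by switching the helper to `:read_namespace`. A context in the regular-user block that adds `request_actor` to `group2` as a guest would pin whether that role is meant to see namespace details; replace the shared example with a 404 expectation if it is not. The sketch below assumes the usual `add_guest` membership helper is available on the group. The enclosing describe block starts and ends outside these hunks.

```ruby
let(:request_actor) { user }

# … unchanged: 'when requested namespace is not owned by user' contexts …

context 'when user is a guest member of the group' do
  let(:namespace_id) { group2.id }
  let(:requested_namespace) { group2 }

  before do
    group2.add_guest(request_actor)
  end

  it_behaves_like 'can access namespace'
end
```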