Commit
96b14687
authored
Nov 23, 2017
by
Tomasz Maczukin
Introduce :read_namespace access policy for namespace and group
parent
5845dd6f
Showing
4 changed files
with
52 additions
and
11 deletions
+52
-11
app/policies/group_policy.rb
app/policies/group_policy.rb
+2
-0
app/policies/namespace_policy.rb
app/policies/namespace_policy.rb
+1
-0
lib/api/helpers.rb
lib/api/helpers.rb
+1
-1
spec/requests/api/namespaces_spec.rb
spec/requests/api/namespaces_spec.rb
+48
-10
app/policies/group_policy.rb
...
...
@@ -45,6 +45,8 @@ class GroupPolicy < BasePolicy
rule
{
admin
}
.
enable
:read_group
rule
{
has_projects
}
.
enable
:read_group
rule
{
has_access
}.
enable
:read_namespace
rule
{
developer
}.
enable
:admin_milestones
rule
{
reporter
}.
enable
:admin_label
...
...
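Review bot: The `rule { has_access }.enable :read_namespace` line has no comment saying how `:read_namespace` is meant to differ from `:read_group`, and in the visible lines the two are granted by different conditions (`admin` and `has_projects` enable only `:read_group`). Whether an administrator who is not a member gets `:read_namespace` therefore depends on how `has_access` is defined, which is outside this hunk; the spec in this commit expects admins to reach groups they do not own. I would add a comment such as `# Any user with has_access may read namespace details through the API; has_projects alone does not grant this`, and consider `rule { admin }.enable :read_namespace` if `has_access` does not already cover admins.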
app/policies/namespace_policy.rb
...
...
@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
rule
{
owner
|
admin
}.
policy
do
enable
:create_projects
enable
:admin_namespace
enable
:read_namespace
end
rule
{
personal_project
&
~
can_create_personal_project
}.
prevent
:create_projects
...
...
lib/api/helpers.rb
...
...
@@ -138,7 +138,7 @@ module API
def
find_namespace!
(
id
)
namespace
=
find_namespace
(
id
)
if
can?
(
current_user
,
:
admin
_namespace
,
namespace
)
if
can?
(
current_user
,
:
read
_namespace
,
namespace
)
namespace
else
not_found!
(
'Namespace'
)
...
...
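Review bot: `find_namespace!` is a shared API helper, so gating it on `:read_namespace` (assuming that condition is the new side, since the page no longer shows +/- markers) lowers the authorization of every endpoint that calls it, not only `GET /namespaces/:id`. The callers are outside this hunk, so they need to be checked rather than assumed safe. Any caller that changes namespace state should keep its own explicit check, for example `authorize! :admin_namespace, namespace`, instead of relying on the lookup. A comment above the method such as `# Returns the namespace only if current_user can :read_namespace; answers 404 otherwise so existence is not disclosed` would make the contract explicit. The method body continues past the end of the hunk.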
spec/requests/api/namespaces_spec.rb
...
...
@@ -142,6 +142,7 @@ describe API::Namespaces do
describe
'GET /namespaces/:id'
do
let
(
:owned_group
)
{
group1
}
let
(
:user2
)
{
create
(
:user
)
}
shared_examples
'can access namespace'
do
it
'returns namespace details'
do
...
...
@@ -164,16 +165,34 @@ describe API::Namespaces do
context
'when namespace exists'
do
context
'when requested by ID'
do
context
'when requesting group'
do
let
(
:namespace_id
)
{
owned_group
.
id
}
it_behaves_like
'can access namespace'
end
context
'when requesting personal namespace'
do
let
(
:namespace_id
)
{
request_actor
.
namespace
.
id
}
let
(
:requested_namespace
)
{
request_actor
.
namespace
}
it_behaves_like
'can access namespace'
end
end
context
'when requested by path'
do
context
'when requesting group'
do
let
(
:namespace_id
)
{
owned_group
.
path
}
it_behaves_like
'can access namespace'
end
context
'when requesting personal namespace'
do
let
(
:namespace_id
)
{
request_actor
.
namespace
.
path
}
let
(
:requested_namespace
)
{
request_actor
.
namespace
}
it_behaves_like
'can access namespace'
end
end
end
context
"when namespace doesn't exist"
do
...
...
@@ -197,6 +216,7 @@ describe API::Namespaces do
let
(
:request_actor
)
{
user
}
context
'when requested namespace is not owned by user'
do
context
'when requesting group'
do
it
'returns not-found'
do
get
api
(
"/namespaces/
#{
group2
.
id
}
"
,
request_actor
)
...
...
@@ -204,6 +224,15 @@ describe API::Namespaces do
end
end
context
'when requesting personal namespace'
do
it
'returns not-found'
do
get
api
(
"/namespaces/
#{
user2
.
namespace
.
id
}
"
,
request_actor
)
expect
(
response
).
to
have_gitlab_http_status
(
404
)
end
end
end
context
'when requested namespace is owned by user'
do
it_behaves_like
'namespace reader'
end
...
...
@@ -213,12 +242,21 @@ describe API::Namespaces do
let
(
:request_actor
)
{
admin
}
context
'when requested namespace is not owned by user'
do
context
'when requesting group'
do
let
(
:namespace_id
)
{
group2
.
id
}
let
(
:requested_namespace
)
{
group2
}
it_behaves_like
'can access namespace'
end
context
'when requesting personal namespace'
do
let
(
:namespace_id
)
{
user2
.
namespace
.
id
}
let
(
:requested_namespace
)
{
user2
.
namespace
}
it_behaves_like
'can access namespace'
end
end
context
'when requested namespace is owned by user'
do
it_behaves_like
'namespace reader'
end
...
...
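Review bot: The visible cases exercise only an owner, an admin and a complete outsider, while the policy change grants `:read_namespace` on groups through `has_access`, so no test here pins the access level at which a non-owner member starts seeing namespace details. A context such as `'when requesting group the user is a member of but does not own'`, with a user added at the lowest membership level and an expectation on the status code, would document that boundary and catch a later widening or narrowing of the rule. The added `'returns not-found'` example for another user's personal namespace is worth keeping as is, because asserting 404 rather than 403 avoids confirming that the namespace exists. Shared examples such as `'namespace reader'` are defined outside the visible hunks, so some of this may already be covered there.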