Introduce :read_namespace access policy for namespace and group

97f966c4 · Tomasz Maczukin · dfbfd3c7 · 97f966c4 · 97f966c4 · 97f966c4
Commit 97f966c4 authored Nov 23, 2017 by Tomasz Maczukin
4 changed files
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -34,6 +34,8 @@ class GroupPolicy < BasePolicy
  rule { admin }             .enable :read_group
  rule { has_projects }      .enable :read_group

+  rule { has_access }.enable :read_namespace
+
  rule { developer }.enable :admin_milestones
  rule { reporter }.enable :admin_label


--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
  rule { owner | admin }.policy do
    enable :create_projects
    enable :admin_namespace
+    enable :read_namespace
  end

  rule { personal_project & ~can_create_personal_project }.prevent :create_projects

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -127,7 +127,7 @@ module API
    def find_namespace!(id)
      namespace = find_namespace(id)

-      if can?(current_user, :admin_namespace, namespace)
+      if can?(current_user, :read_namespace, namespace)
        namespace
      else
        not_found!('Namespace')

--- a/spec/requests/api/namespaces_spec.rb
+++ b/spec/requests/api/namespaces_spec.rb
@@ -94,6 +94,7 @@ describe API::Namespaces do

  describe 'GET /namespaces/:id' do
    let(:owned_group) { group1 }
+    let(:user2) { create(:user) }

    shared_examples 'can access namespace' do
      it 'returns namespace details' do
@@ -116,15 +117,33 @@ describe API::Namespaces do

      context 'when namespace exists' do
        context 'when requested by ID' do
-          let(:namespace_id) { owned_group.id }
+          context 'when requesting group' do
+            let(:namespace_id) { owned_group.id }

-          it_behaves_like 'can access namespace'
+            it_behaves_like 'can access namespace'
+          end
+
+          context 'when requesting personal namespace' do
+            let(:namespace_id) { request_actor.namespace.id }
+            let(:requested_namespace) { request_actor.namespace }
+
+            it_behaves_like 'can access namespace'
+          end
        end

        context 'when requested by path' do
-          let(:namespace_id) { owned_group.path }
+          context 'when requesting group' do
+            let(:namespace_id) { owned_group.path }

-          it_behaves_like 'can access namespace'
+            it_behaves_like 'can access namespace'
+          end
+
+          context 'when requesting personal namespace' do
+            let(:namespace_id) { request_actor.namespace.path }
+            let(:requested_namespace) { request_actor.namespace }
+
+            it_behaves_like 'can access namespace'
+          end
        end
      end

@@ -149,10 +168,20 @@ describe API::Namespaces do
      let(:request_actor) { user }

      context 'when requested namespace is not owned by user' do
-        it 'returns not-found' do
-          get api("/namespaces/#{group2.id}", request_actor)
+        context 'when requesting group' do
+          it 'returns not-found' do
+            get api("/namespaces/#{group2.id}", request_actor)

-          expect(response).to have_gitlab_http_status(404)
+            expect(response).to have_gitlab_http_status(404)
+          end
+        end
+
+        context 'when requesting personal namespace' do
+          it 'returns not-found' do
+            get api("/namespaces/#{user2.namespace.id}", request_actor)
+
+            expect(response).to have_gitlab_http_status(404)
+          end
        end
      end

@@ -165,10 +194,19 @@ describe API::Namespaces do
      let(:request_actor) { admin }

      context 'when requested namespace is not owned by user' do
-        let(:namespace_id) { group2.id }
-        let(:requested_namespace) { group2 }
+        context 'when requesting group' do
+          let(:namespace_id) { group2.id }
+          let(:requested_namespace) { group2 }
+
+          it_behaves_like 'can access namespace'
+        end
+
+        context 'when requesting personal namespace' do
+          let(:namespace_id) { user2.namespace.id }
+          let(:requested_namespace) { user2.namespace }

-        it_behaves_like 'can access namespace'
+          it_behaves_like 'can access namespace'
+        end
      end

      context 'when requested namespace is owned by user' do