Commit ac299a0e authored by Timothy Andrew's avatar Timothy Andrew

Allow auditor users to create groups and projects.

1. Projects under the groups they belong to, or under their own personal
   namespace. They cannot create projects under groups they don't have explicit
   control over.

2. Since we're thinking of auditor users as "regular users with readonly access
   to everything they wouldn't normally see", it makes sense to let them do
   anything a regular user would do, including creating projects and groups.
parent 2bacfd48
......@@ -2,7 +2,7 @@ class GlobalPolicy < BasePolicy
def rules
return unless @user
can! :create_group if @user.can_create_group && !@user.auditor?
can! :create_group if @user.can_create_group
can! :read_users_list
end
end
class NamespacePolicy < BasePolicy
def rules
return unless @user
return if @user.auditor?
if @subject.owner == @user || @user.admin?
can! :create_projects
......
......@@ -159,14 +159,14 @@ describe GroupsController do
expect(response).to have_http_status(404)
end
it 'does not allow an auditor with "can_create_group" set to true to create a group' do
it 'allows an auditor with "can_create_group" set to true to create a group' do
sign_in(create(:user, :auditor, can_create_group: true))
expect do
post :create, group: { name: 'new_group', path: "new_group" }
end.not_to change { Group.count }
end.to change { Group.count }.by(1)
expect(response).to have_http_status(404)
expect(response).to have_http_status(302)
end
end
end
......
......@@ -34,8 +34,16 @@ describe NamespacePolicy, models: true do
context 'auditor' do
let(:current_user) { auditor }
context 'owner' do
let(:namespace) { create(:namespace, owner: auditor) }
it { is_expected.to include(*owner_permissions) }
end
context 'non-owner' do
it { is_expected.to be_empty }
end
end
context 'admin' do
let(:current_user) { admin }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment