Commit ac299a0e authored by Timothy Andrew

Allow auditor users to create groups and projects.

1. Projects under the groups they belong to, or under their own personal
   namespace. They cannot create projects under groups they don't have explicit
   control over.

2. Since we're thinking of auditor users as "regular users with readonly access
   to everything they wouldn't normally see", it makes sense to let them do
   anything a regular user would do, including creating projects and groups.
parent 2bacfd48
...@@ -2,7 +2,7 @@ class GlobalPolicy < BasePolicy ...@@ -2,7 +2,7 @@ class GlobalPolicy < BasePolicy
def rules def rules
return unless @user return unless @user
can! :create_group if @user.can_create_group && !@user.auditor? can! :create_group if @user.can_create_group
can! :read_users_list can! :read_users_list
end end
end end
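Review bot: With `&& !@user.auditor?` dropped from the `:create_group` rule, `can_create_group` is the only thing gating group creation for auditors, so an auditor account provisioned as strictly read-only gains a write capability unless that flag is off for it. The flag's default is not visible in this hunk; if it defaults to true, existing auditor accounts pick up the ability on upgrade, which deserves a changelog line and a note in the auditor documentation. A comment above the rule would keep the guard from being re-added by accident: `# Auditors are regular users plus global read access; group creation is gated only by can_create_group.`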
class NamespacePolicy < BasePolicy class NamespacePolicy < BasePolicy
def rules def rules
return unless @user return unless @user
return if @user.auditor?
if @subject.owner == @user || @user.admin? if @subject.owner == @user || @user.admin?
can! :create_projects can! :create_projects
......
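Review bot: Removing `return if @user.auditor?` lets an auditor reach the `@subject.owner == @user || @user.admin?` branch, so an account carrying both the admin and the auditor flag would go from no namespace abilities to `:create_projects` on every namespace. Whether the user model allows both flags together is not visible on this page; if it does, a spec for that combination would pin the intended result. The rest of `rules` lies outside the hunk, so any abilities granted below this branch should be checked for the same effect.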
...@@ -159,14 +159,14 @@ describe GroupsController do ...@@ -159,14 +159,14 @@ describe GroupsController do
expect(response).to have_http_status(404) expect(response).to have_http_status(404)
end end
it 'does not allow an auditor with "can_create_group" set to true to create a group' do it 'allows an auditor with "can_create_group" set to true to create a group' do
sign_in(create(:user, :auditor, can_create_group: true)) sign_in(create(:user, :auditor, can_create_group: true))
expect do expect do
post :create, group: { name: 'new_group', path: "new_group" } post :create, group: { name: 'new_group', path: "new_group" }
end.not_to change { Group.count } end.to change { Group.count }.by(1)
expect(response).to have_http_status(404) expect(response).to have_http_status(302)
end end
end end
end end
......
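Review bot: The denied path for auditors is no longer exercised in the visible lines; the updated example only pins that an auditor with `can_create_group: true` gets a new group and a 302. Now that the flag is the sole control for auditors, the complementary case deserves its own example unless one already exists above the hunk: `it 'does not allow an auditor with "can_create_group" set to false to create a group'`, expecting `not_to change { Group.count }` and a 404. The enclosing `describe` block starts outside the hunk.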
...@@ -34,7 +34,15 @@ describe NamespacePolicy, models: true do ...@@ -34,7 +34,15 @@ describe NamespacePolicy, models: true do
context 'auditor' do context 'auditor' do
let(:current_user) { auditor } let(:current_user) { auditor }
it { is_expected.to be_empty } context 'owner' do
let(:namespace) { create(:namespace, owner: auditor) }
it { is_expected.to include(*owner_permissions) }
end
context 'non-owner' do
it { is_expected.to be_empty }
end
end end
context 'admin' do context 'admin' do
......
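Review bot: The new contexts cover only a namespace owned or not owned by the auditor, while the commit message also promises that auditors can create projects under groups they belong to and not under other groups. No policy or spec for group namespaces appears on this page, so that half of the rule is unverified here; a member / non-member pair of auditor examples against the group policy would close the gap. The `namespace` used by the 'non-owner' context is defined outside the hunk, so this assumes the outer `let` builds one owned by a different user.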