Merge branch 'fj-207803-fix-project-snippet-policy-bug' into 'master'

Fix bug with internal project snippets and project maintainer Closes #207803 See merge request gitlab-org/gitlab!25792

Merge branch 'fj-207803-fix-project-snippet-policy-bug' into 'master'
Fix bug with internal project snippets and project maintainer Closes #207803 See merge request gitlab-org/gitlab!25792
bfd6f39a · Peter Leitzen · a97fd577 · 6ed730f1 · bfd6f39a · bfd6f39a
Commit bfd6f39a authored Feb 24, 2020 by Peter Leitzen
3 changed files
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -31,7 +31,7 @@ class ProjectSnippetPolicy < BasePolicy
         ~can?(:read_all_resources))
  end.prevent :read_snippet

-  rule { internal_snippet & ~is_author & ~admin }.policy do
+  rule { internal_snippet & ~is_author & ~admin & ~project.maintainer }.policy do
    prevent :update_snippet
    prevent :admin_snippet
  end
@@ -42,7 +42,7 @@ class ProjectSnippetPolicy < BasePolicy
    prevent :admin_snippet
  end

-  rule { is_author | admin }.policy do
+  rule { is_author | admin | project.maintainer }.policy do
    enable :read_snippet
    enable :update_snippet
    enable :admin_snippet

--- a/changelogs/unreleased/fj-207803-fix-project-snippet-policy-bug.yml
+++ b/changelogs/unreleased/fj-207803-fix-project-snippet-policy-bug.yml
+---
+title: Fix bug deleting internal project snippets by project maintainer
+merge_request: 25792
+author:
+type: fixed
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
@@ -20,28 +20,39 @@ describe ProjectSnippetPolicy do
  subject { described_class.new(current_user, snippet) }

  shared_examples 'regular user access rights' do
-    context 'project team member (non guest)' do
-      before do
-        project.add_developer(current_user)
-      end
+    context 'not snippet author' do
+      context 'project team member (non guest)' do
+        before do
+          project.add_developer(current_user)
+        end

-      it do
-        expect_allowed(:read_snippet, :create_note)
-        expect_disallowed(*author_permissions)
+        it do
+          expect_allowed(:read_snippet, :create_note)
+          expect_disallowed(*author_permissions)
+        end
      end
-    end

-    context 'project team member (guest)' do
-      before do
-        project.add_guest(current_user)
-      end
+      context 'project team member (guest)' do
+        before do
+          project.add_guest(current_user)
+        end

-      context 'not snippet author' do
        it do
          expect_allowed(:read_snippet, :create_note)
          expect_disallowed(:admin_snippet)
        end
      end
+
+      context 'project team member (maintainer)' do
+        before do
+          project.add_maintainer(current_user)
+        end
+
+        it do
+          expect_allowed(:read_snippet, :create_note)
+          expect_allowed(*author_permissions)
+        end
+      end
    end

    context 'snippet author' do
@@ -69,6 +80,17 @@ describe ProjectSnippetPolicy do
        end
      end

+      context 'project team member (maintainer)' do
+        before do
+          project.add_maintainer(current_user)
+        end
+
+        it do
+          expect_allowed(:read_snippet, :create_note)
+          expect_allowed(*author_permissions)
+        end
+      end
+
      context 'not a project member' do
        it do
          expect_allowed(:read_snippet, :create_note)