Commit ce7c9d43 authored Aug 18, 2020 by GitLab Release Tools Bot
Merge remote-tracking branch 'dev/master'
parents 83e64811 6bee5dd0
Showing 10 changed files with 266 additions and 10 deletions (+266 -10)
CHANGELOG-EE.md (+24 -0)
CHANGELOG.md (+36 -0)
app/policies/group_policy.rb (+7 -0)
app/policies/project_policy.rb (+7 -0)
lib/gitlab/auth.rb (+3 -0)
spec/lib/gitlab/auth_spec.rb (+8 -1)
spec/policies/group_policy_spec.rb (+46 -0)
spec/requests/api/maven_packages_spec.rb (+46 -0)
spec/requests/lfs_http_spec.rb (+8 -7)
spec/support/shared_examples/policies/project_policy_shared_examples.rb (+81 -2)
CHANGELOG-EE.md
Please view this file on the master branch, on stable branches it's out of date.
Please view this file on the master branch, on stable branches it's out of date.
## 13.2.6 (2020-08-18)
-
No changes.
## 13.2.5 (2020-08-17)
-
No changes.
## 13.2.4 (2020-08-11)
## 13.2.4 (2020-08-11)
### Performance (1 change)
### Performance (1 change)
...
@@ -383,6 +391,14 @@ Please view this file on the master branch, on stable branches it's out of date.
...
@@ -383,6 +391,14 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Resolve duplicate use of shorcuts-tree. !36732
-
Resolve duplicate use of shorcuts-tree. !36732
## 13.1.8 (2020-08-18)
-
No changes.
## 13.1.7 (2020-08-17)
-
No changes.
## 13.1.6 (2020-08-05)
## 13.1.6 (2020-08-05)
-
No changes.
-
No changes.
...
@@ -568,6 +584,14 @@ Please view this file on the master branch, on stable branches it's out of date.
...
@@ -568,6 +584,14 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Relocate Go models. !34338 (Ethan Reesor (@firelizzard))
-
Relocate Go models. !34338 (Ethan Reesor (@firelizzard))
## 13.0.14 (2020-08-18)
-
No changes.
## 13.0.13 (2020-08-17)
-
No changes.
## 13.0.12 (2020-08-05)
## 13.0.12 (2020-08-05)
-
No changes.
-
No changes.
...
...
CHANGELOG.md
...
@@ -2,6 +2,18 @@
...
@@ -2,6 +2,18 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
entry.
## 13.2.6 (2020-08-18)
-
No changes.
## 13.2.5 (2020-08-17)
### Security (2 changes)
-
Stop deploy token being mis-used as user in ProjectPolicy and GroupPolicy.
-
Project access is checked during deploy token authentication.
## 13.2.4 (2020-08-11)
## 13.2.4 (2020-08-11)
### Security (1 change)
### Security (1 change)
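Review bot: the two new entries under `### Security (2 changes)` for 13.2.5 carry no merge request or issue reference, unlike the other entries in these changelogs (for example `Resolve duplicate use of shorcuts-tree. !36732` in CHANGELOG-EE.md above). Security backports are usually merged from a confidential MR, but the entries should gain the public reference once the advisory is published so the fix stays traceable; the same two lines are repeated for 13.1.7 and 13.0.13 in the hunks below, so whatever reference is added should be applied to all three. Minor: `mis-used` is normally written `misused`.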
...
@@ -1058,6 +1070,18 @@ entry.
...
@@ -1058,6 +1070,18 @@ entry.
-
Remove removeIssue logic from list model. (nuwe1)
-
Remove removeIssue logic from list model. (nuwe1)
## 13.1.8 (2020-08-18)
-
No changes.
## 13.1.7 (2020-08-17)
### Security (2 changes)
-
Stop deploy token being mis-used as user in ProjectPolicy and GroupPolicy.
-
Project access is checked during deploy token authentication.
## 13.1.6 (2020-08-05)
## 13.1.6 (2020-08-05)
### Security (11 changes)
### Security (11 changes)
...
@@ -1609,6 +1633,18 @@ entry.
...
@@ -1609,6 +1633,18 @@ entry.
-
Remove removeIssue logic from list model. (nuwe1)
-
Remove removeIssue logic from list model. (nuwe1)
## 13.0.14 (2020-08-18)
-
No changes.
## 13.0.13 (2020-08-17)
### Security (2 changes)
-
Stop deploy token being mis-used as user in ProjectPolicy and GroupPolicy.
-
Project access is checked during deploy token authentication.
## 13.0.12 (2020-08-05)
## 13.0.12 (2020-08-05)
### Security (10 changes)
### Security (10 changes)
...
...
app/policies/group_policy.rb
...
@@ -167,6 +167,7 @@ class GroupPolicy < BasePolicy
...
@@ -167,6 +167,7 @@ class GroupPolicy < BasePolicy
def
access_level
def
access_level
return
GroupMember
::
NO_ACCESS
if
@user
.
nil?
return
GroupMember
::
NO_ACCESS
if
@user
.
nil?
return
GroupMember
::
NO_ACCESS
unless
user_is_user?
@access_level
||=
lookup_access_level!
@access_level
||=
lookup_access_level!
end
end
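Review bot: the new `return GroupMember::NO_ACCESS unless user_is_user?` guard in `access_level` already covers the `@user.nil?` case, since `nil.is_a?(User)` is false, so the nil check above it is now redundant. Keeping it is harmless, but collapsing the two into one guard would make the fail-closed path for any non-User subject (a DeployToken being the case this commit is about) a single, easily audited line. Placing the guard ahead of the `@access_level ||= lookup_access_level!` memoisation is the important part: a deploy token never reaches `max_member_access_for_user` with an id that may collide with a real user's id.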
...
@@ -174,6 +175,12 @@ class GroupPolicy < BasePolicy
...
@@ -174,6 +175,12 @@ class GroupPolicy < BasePolicy
def
lookup_access_level!
def
lookup_access_level!
@subject
.
max_member_access_for_user
(
@user
)
@subject
.
max_member_access_for_user
(
@user
)
end
end
private
def
user_is_user?
user
.
is_a?
(
User
)
end
end
end
GroupPolicy
.
prepend_if_ee
(
'EE::GroupPolicy'
)
GroupPolicy
.
prepend_if_ee
(
'EE::GroupPolicy'
)
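Review bot: `user_is_user?` tests `user.is_a?(User)` while every caller in this file tests `@user`; in a DeclarativePolicy both should resolve to the same object, but mixing the accessor and the instance variable makes the guard harder to audit, so `@user.is_a?(User)` would match the surrounding code. The method is also the only `private` member introduced here, so a one-line comment stating that it exists to stop deploy tokens (and any other non-User subject) from being looked up as members would help the next reader understand why a type check belongs in a policy.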
app/policies/project_policy.rb
...
@@ -589,8 +589,13 @@ class ProjectPolicy < BasePolicy
...
@@ -589,8 +589,13 @@ class ProjectPolicy < BasePolicy
private
private
def
user_is_user?
user
.
is_a?
(
User
)
end
def
team_member?
def
team_member?
return
false
if
@user
.
nil?
return
false
if
@user
.
nil?
return
false
unless
user_is_user?
greedy_load_subject
=
false
greedy_load_subject
=
false
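Review bot: the `user_is_user?` helper added here is byte-for-byte the one added to GroupPolicy in the same commit; defining it once in BasePolicy would avoid two copies that must stay in sync and would make the guard available to any other policy that memoises access by `@user`. The `return false unless user_is_user?` in `team_member?` is the right fail-closed default, and as in GroupPolicy it makes the `@user.nil?` line above it redundant, since `nil.is_a?(User)` is already false.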
...
@@ -618,6 +623,7 @@ class ProjectPolicy < BasePolicy
...
@@ -618,6 +623,7 @@ class ProjectPolicy < BasePolicy
# rubocop: disable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def
project_group_member?
def
project_group_member?
return
false
if
@user
.
nil?
return
false
if
@user
.
nil?
return
false
unless
user_is_user?
project
.
group
&&
project
.
group
&&
(
(
...
@@ -629,6 +635,7 @@ class ProjectPolicy < BasePolicy
...
@@ -629,6 +635,7 @@ class ProjectPolicy < BasePolicy
def
team_access_level
def
team_access_level
return
-
1
if
@user
.
nil?
return
-
1
if
@user
.
nil?
return
-
1
unless
user_is_user?
lookup_access_level!
lookup_access_level!
end
end
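Review bot: `team_access_level` now returns the literal `-1` from two guards (`if @user.nil?` and `unless user_is_user?`), while GroupPolicy expresses the same "no access" state as `GroupMember::NO_ACCESS`. A named constant, or reuse of the existing member constant, would make the sentinel self-documenting and keep the two policies from drifting; the two guards could also be merged into one for the same reason as in the hunks above.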
...
...
lib/gitlab/auth.rb
...
@@ -220,6 +220,9 @@ module Gitlab
...
@@ -220,6 +220,9 @@ module Gitlab
return
unless
token
&&
login
return
unless
token
&&
login
return
if
login
!=
token
.
username
return
if
login
!=
token
.
username
# Registry access (with jwt) does not have access to project
return
if
project
&&
!
token
.
has_access_to?
(
project
)
scopes
=
abilities_for_scopes
(
token
.
scopes
)
scopes
=
abilities_for_scopes
(
token
.
scopes
)
if
valid_scoped_token?
(
token
,
all_available_scopes
)
if
valid_scoped_token?
(
token
,
all_available_scopes
)
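Review bot: the new `return if project && !token.has_access_to?(project)` guard is the right shape, but the comment `# Registry access (with jwt) does not have access to project` reads as if the registry path is being denied, when it actually explains why the check is skipped when `project` is nil. Something like `# Registry (JWT) requests carry no project, so the project check only applies when one is given` would remove the ambiguity. Both this guard and the `login != token.username` line above bail out with a bare `return`, so the caller sees the same outcome for a wrong username and for a valid token scoped to another project; that is fine for an authentication failure, but the spec should exercise both paths separately.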
...
...
spec/lib/gitlab/auth_spec.rb
...
@@ -551,7 +551,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
...
@@ -551,7 +551,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
it
'fails if token is not related to project'
do
it
'fails if token is not related to project'
do
another_deploy_token
=
create
(
:deploy_token
)
another_deploy_token
=
create
(
:deploy_token
)
expect
(
gl_auth
.
find_for_git_client
(
login
,
another_deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
expect
(
gl_auth
.
find_for_git_client
(
another_deploy_token
.
username
,
another_deploy_token
.
token
,
project:
project
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
.
to
eq
(
auth_failure
)
end
end
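Review bot: the switch from `login` to `another_deploy_token.username` is what gives this spec its value: with the old arguments the call failed at the `login != token.username` check in `Gitlab::Auth` before the project relation was ever examined, so the test passed for the wrong reason. Now the username matches and the failure can only come from the new `has_access_to?(project)` guard. A one-line comment in the spec saying so would stop a future cleanup from reverting it, and a companion assertion that `another_deploy_token` succeeds against its own project would pin the behaviour from the positive side as well.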
...
@@ -576,6 +576,13 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
...
@@ -576,6 +576,13 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
expect
(
subject
).
to
eq
(
auth_success
)
expect
(
subject
).
to
eq
(
auth_success
)
end
end
it
'fails if token is not related to group'
do
another_deploy_token
=
create
(
:deploy_token
,
:group
,
read_repository:
true
)
expect
(
gl_auth
.
find_for_git_client
(
another_deploy_token
.
username
,
another_deploy_token
.
token
,
project:
project_with_group
,
ip:
'ip'
))
.
to
eq
(
auth_failure
)
end
end
end
context
'when the deploy token has read_registry as a scope'
do
context
'when the deploy token has read_registry as a scope'
do
...
...
spec/policies/group_policy_spec.rb
...
@@ -63,6 +63,24 @@ RSpec.describe GroupPolicy do
...
@@ -63,6 +63,24 @@ RSpec.describe GroupPolicy do
end
end
end
end
shared_examples
'deploy token does not get confused with user'
do
before
do
deploy_token
.
update!
(
id:
user_id
)
end
let
(
:deploy_token
)
{
create
(
:deploy_token
)
}
let
(
:current_user
)
{
deploy_token
}
it
do
expect_disallowed
(
*
read_group_permissions
)
expect_disallowed
(
*
guest_permissions
)
expect_disallowed
(
*
reporter_permissions
)
expect_disallowed
(
*
developer_permissions
)
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
context
'guests'
do
context
'guests'
do
let
(
:current_user
)
{
guest
}
let
(
:current_user
)
{
guest
}
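Review bot: the shared example pins the deploy token's primary key to the user's id with `deploy_token.update!(id: user_id)`, which reproduces exactly the collision the policy fix guards against, but the `let(:current_user) { deploy_token }` inside it silently overrides the outer context's `let(:current_user) { guest }`; a short comment stating that the override is intentional would help. The name `'deploy token does not get confused with user'` is also used for a different shared example (one that additionally runs `project.update!(public_builds: false)`) in `project_policy_shared_examples.rb`; giving this group variant a distinct name avoids confusing the two.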
...
@@ -74,6 +92,10 @@ RSpec.describe GroupPolicy do
...
@@ -74,6 +92,10 @@ RSpec.describe GroupPolicy do
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
owner_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
guest
.
id
}
end
end
end
context
'reporter'
do
context
'reporter'
do
...
@@ -87,6 +109,10 @@ RSpec.describe GroupPolicy do
...
@@ -87,6 +109,10 @@ RSpec.describe GroupPolicy do
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
owner_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
reporter
.
id
}
end
end
end
context
'developer'
do
context
'developer'
do
...
@@ -100,6 +126,10 @@ RSpec.describe GroupPolicy do
...
@@ -100,6 +126,10 @@ RSpec.describe GroupPolicy do
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
owner_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
developer
.
id
}
end
end
end
context
'maintainer'
do
context
'maintainer'
do
...
@@ -136,6 +166,10 @@ RSpec.describe GroupPolicy do
...
@@ -136,6 +166,10 @@ RSpec.describe GroupPolicy do
expect_disallowed
(
*
owner_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
maintainer
.
id
}
end
end
end
context
'owner'
do
context
'owner'
do
...
@@ -149,6 +183,10 @@ RSpec.describe GroupPolicy do
...
@@ -149,6 +183,10 @@ RSpec.describe GroupPolicy do
expect_allowed
(
*
maintainer_permissions
)
expect_allowed
(
*
maintainer_permissions
)
expect_allowed
(
*
owner_permissions
)
expect_allowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
owner
.
id
}
end
end
end
context
'admin'
do
context
'admin'
do
...
@@ -166,6 +204,14 @@ RSpec.describe GroupPolicy do
...
@@ -166,6 +204,14 @@ RSpec.describe GroupPolicy do
context
'with admin mode'
,
:enable_admin_mode
do
context
'with admin mode'
,
:enable_admin_mode
do
specify
{
expect_allowed
(
*
admin_permissions
)
}
specify
{
expect_allowed
(
*
admin_permissions
)
}
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
admin
.
id
}
context
'with admin mode'
,
:enable_admin_mode
do
it
{
expect_disallowed
(
*
admin_permissions
)
}
end
end
end
end
describe
'private nested group use the highest access level from the group and inherited permissions'
do
describe
'private nested group use the highest access level from the group and inherited permissions'
do
...
...
spec/requests/api/maven_packages_spec.rb
...
@@ -193,6 +193,24 @@ RSpec.describe API::MavenPackages do
...
@@ -193,6 +193,24 @@ RSpec.describe API::MavenPackages do
it_behaves_like
'downloads with a job token'
it_behaves_like
'downloads with a job token'
it_behaves_like
'downloads with a deploy token'
it_behaves_like
'downloads with a deploy token'
it
'does not allow download by a unauthorized deploy token with same id as a user with access'
do
unauthorized_deploy_token
=
create
(
:deploy_token
,
read_package_registry:
true
,
write_package_registry:
true
)
another_user
=
create
(
:user
)
project
.
add_developer
(
another_user
)
# We force the id of the deploy token and the user to be the same
unauthorized_deploy_token
.
update!
(
id:
another_user
.
id
)
download_file
(
package_file
.
file_name
,
{},
Gitlab
::
Auth
::
AuthFinders
::
DEPLOY_TOKEN_HEADER
=>
unauthorized_deploy_token
.
token
)
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
end
end
end
context
'project name is different from a package name'
do
context
'project name is different from a package name'
do
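Review bot: the example name `'does not allow download by a unauthorized deploy token with same id as a user with access'` should read `an unauthorized`; the same slip appears in the two later examples in this file. The example itself is well targeted: it forces `unauthorized_deploy_token.id` to equal `another_user.id`, where that user is a developer on the project, so a `:forbidden` response proves the package download path does not resolve the token through `ProjectPolicy` as if it were the user.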
...
@@ -451,6 +469,20 @@ RSpec.describe API::MavenPackages do
...
@@ -451,6 +469,20 @@ RSpec.describe API::MavenPackages do
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
end
end
it
'rejects requests by a unauthorized deploy token with same id as a user with access'
do
unauthorized_deploy_token
=
create
(
:deploy_token
,
read_package_registry:
true
,
write_package_registry:
true
)
another_user
=
create
(
:user
)
project
.
add_developer
(
another_user
)
# We force the id of the deploy token and the user to be the same
unauthorized_deploy_token
.
update!
(
id:
another_user
.
id
)
authorize_upload
({},
headers
.
merge
(
Gitlab
::
Auth
::
AuthFinders
::
DEPLOY_TOKEN_HEADER
=>
unauthorized_deploy_token
.
token
))
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
end
def
authorize_upload
(
params
=
{},
request_headers
=
headers
)
def
authorize_upload
(
params
=
{},
request_headers
=
headers
)
put
api
(
"/projects/
#{
project
.
id
}
/packages/maven/com/example/my-app/
#{
version
}
/maven-metadata.xml/authorize"
),
params:
params
,
headers:
request_headers
put
api
(
"/projects/
#{
project
.
id
}
/packages/maven/com/example/my-app/
#{
version
}
/maven-metadata.xml/authorize"
),
params:
params
,
headers:
request_headers
end
end
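Review bot: the setup in this example (create a deploy token with both registry scopes, create a user, `project.add_developer(another_user)`, then `update!(id: another_user.id)`) is duplicated verbatim in the download and upload examples in this file. Extracting it into a `let` or a shared context would shorten all three and ensure that any later change to how the id collision is constructed is applied everywhere.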
...
@@ -538,6 +570,20 @@ RSpec.describe API::MavenPackages do
...
@@ -538,6 +570,20 @@ RSpec.describe API::MavenPackages do
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
end
end
it
'rejects uploads by a unauthorized deploy token with same id as a user with access'
do
unauthorized_deploy_token
=
create
(
:deploy_token
,
read_package_registry:
true
,
write_package_registry:
true
)
another_user
=
create
(
:user
)
project
.
add_developer
(
another_user
)
# We force the id of the deploy token and the user to be the same
unauthorized_deploy_token
.
update!
(
id:
another_user
.
id
)
upload_file
(
params
,
headers
.
merge
(
Gitlab
::
Auth
::
AuthFinders
::
DEPLOY_TOKEN_HEADER
=>
unauthorized_deploy_token
.
token
))
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
end
context
'version is not correct'
do
context
'version is not correct'
do
let
(
:version
)
{
'$%123'
}
let
(
:version
)
{
'$%123'
}
...
...
spec/requests/lfs_http_spec.rb
...
@@ -549,12 +549,6 @@ RSpec.describe 'Git LFS API and storage' do
...
@@ -549,12 +549,6 @@ RSpec.describe 'Git LFS API and storage' do
project
.
lfs_objects
<<
lfs_object
project
.
lfs_objects
<<
lfs_object
end
end
context
'when Deploy Token is valid'
do
let
(
:deploy_token
)
{
create
(
:deploy_token
,
projects:
[
project
])
}
it_behaves_like
'an authorized request'
,
renew_authorization:
false
end
context
'when Deploy Token is not valid'
do
context
'when Deploy Token is not valid'
do
let
(
:deploy_token
)
{
create
(
:deploy_token
,
projects:
[
project
],
read_repository:
false
)
}
let
(
:deploy_token
)
{
create
(
:deploy_token
,
projects:
[
project
],
read_repository:
false
)
}
...
@@ -564,7 +558,14 @@ RSpec.describe 'Git LFS API and storage' do
...
@@ -564,7 +558,14 @@ RSpec.describe 'Git LFS API and storage' do
context
'when Deploy Token is not related to the project'
do
context
'when Deploy Token is not related to the project'
do
let
(
:deploy_token
)
{
create
(
:deploy_token
,
projects:
[
other_project
])
}
let
(
:deploy_token
)
{
create
(
:deploy_token
,
projects:
[
other_project
])
}
it_behaves_like
'LFS http 404 response'
it_behaves_like
'LFS http 401 response'
end
# TODO: We should fix this test case that causes flakyness by alternating the result of the above test cases.
context
'when Deploy Token is valid'
do
let
(
:deploy_token
)
{
create
(
:deploy_token
,
projects:
[
project
])
}
it_behaves_like
'an authorized request'
,
renew_authorization:
false
end
end
end
end
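Review bot: the `# TODO` admits that the result of `'when Deploy Token is not related to the project'` depends on which neighbouring example ran before it, and moving `'when Deploy Token is valid'` below it changes the order rather than removing the dependency; the underlying cause should be identified and tracked in an issue rather than left as a comment (the comment also misspells `flakiness`). The swap from `'LFS http 404 response'` to `'LFS http 401 response'` is a behaviour change that deserves a sentence in the spec: an unrelated deploy token is now rejected by the project check in `Gitlab::Auth` at authentication time, so the request is unauthorized rather than not-found.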
...
...
spec/support/shared_examples/policies/project_policy_shared_examples.rb
...
@@ -86,6 +86,28 @@ RSpec.shared_examples 'project policies as anonymous' do
...
@@ -86,6 +86,28 @@ RSpec.shared_examples 'project policies as anonymous' do
end
end
end
end
RSpec
.
shared_examples
'deploy token does not get confused with user'
do
before
do
deploy_token
.
update!
(
id:
user_id
)
# Project with public builds are available to all
project
.
update!
(
public_builds:
false
)
end
let
(
:deploy_token
)
{
create
(
:deploy_token
)
}
subject
{
described_class
.
new
(
deploy_token
,
project
)
}
it
do
expect_disallowed
(
*
guest_permissions
)
expect_disallowed
(
*
reporter_permissions
)
expect_disallowed
(
*
team_member_reporter_permissions
)
expect_disallowed
(
*
developer_permissions
)
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
RSpec
.
shared_examples
'project policies as guest'
do
RSpec
.
shared_examples
'project policies as guest'
do
subject
{
described_class
.
new
(
guest
,
project
)
}
subject
{
described_class
.
new
(
guest
,
project
)
}
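Review bot: the `before` block comment `# Project with public builds are available to all` should state the consequence rather than the fact: with `public_builds` left true, build-related abilities are granted regardless of membership, which would mask a deploy token being treated as a user, so the example turns them off first. The assertion list checks `team_member_reporter_permissions` in addition to the role sets, which the GroupPolicy variant of this shared example does not; if that asymmetry is deliberate a comment would help, otherwise the two shared examples are worth aligning.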
...
@@ -104,6 +126,10 @@ RSpec.shared_examples 'project policies as guest' do
...
@@ -104,6 +126,10 @@ RSpec.shared_examples 'project policies as guest' do
expect_disallowed
(
*
owner_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
guest
.
id
}
end
it_behaves_like
'archived project policies'
do
it_behaves_like
'archived project policies'
do
let
(
:regular_abilities
)
{
guest_permissions
}
let
(
:regular_abilities
)
{
guest_permissions
}
end
end
...
@@ -117,7 +143,7 @@ RSpec.shared_examples 'project policies as guest' do
...
@@ -117,7 +143,7 @@ RSpec.shared_examples 'project policies as guest' do
context
'when public builds disabled'
do
context
'when public builds disabled'
do
before
do
before
do
project
.
update
(
public_builds:
false
)
project
.
update
!
(
public_builds:
false
)
end
end
it
do
it
do
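Review bot: changing `project.update(public_builds: false)` to `update!` is a good catch: the non-bang form returns false on a validation failure and the spec would then run against a project whose builds are still public, quietly weakening the `'when public builds disabled'` context. The same change is made for `project_feature.update!` in the next hunk; both are worth keeping.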
...
@@ -128,7 +154,7 @@ RSpec.shared_examples 'project policies as guest' do
...
@@ -128,7 +154,7 @@ RSpec.shared_examples 'project policies as guest' do
context
'when builds are disabled'
do
context
'when builds are disabled'
do
before
do
before
do
project
.
project_feature
.
update
(
builds_access_level:
ProjectFeature
::
DISABLED
)
project
.
project_feature
.
update
!
(
builds_access_level:
ProjectFeature
::
DISABLED
)
end
end
it
do
it
do
...
@@ -154,6 +180,10 @@ RSpec.shared_examples 'project policies as reporter' do
...
@@ -154,6 +180,10 @@ RSpec.shared_examples 'project policies as reporter' do
expect_disallowed
(
*
owner_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
reporter
.
id
}
end
it_behaves_like
'archived project policies'
do
it_behaves_like
'archived project policies'
do
let
(
:regular_abilities
)
{
reporter_permissions
}
let
(
:regular_abilities
)
{
reporter_permissions
}
end
end
...
@@ -175,6 +205,10 @@ RSpec.shared_examples 'project policies as developer' do
...
@@ -175,6 +205,10 @@ RSpec.shared_examples 'project policies as developer' do
expect_disallowed
(
*
owner_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
developer
.
id
}
end
it_behaves_like
'archived project policies'
do
it_behaves_like
'archived project policies'
do
let
(
:regular_abilities
)
{
developer_permissions
}
let
(
:regular_abilities
)
{
developer_permissions
}
end
end
...
@@ -196,6 +230,10 @@ RSpec.shared_examples 'project policies as maintainer' do
...
@@ -196,6 +230,10 @@ RSpec.shared_examples 'project policies as maintainer' do
expect_disallowed
(
*
owner_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
maintainer
.
id
}
end
it_behaves_like
'archived project policies'
do
it_behaves_like
'archived project policies'
do
let
(
:regular_abilities
)
{
maintainer_permissions
}
let
(
:regular_abilities
)
{
maintainer_permissions
}
end
end
...
@@ -217,6 +255,10 @@ RSpec.shared_examples 'project policies as owner' do
...
@@ -217,6 +255,10 @@ RSpec.shared_examples 'project policies as owner' do
expect_allowed
(
*
owner_permissions
)
expect_allowed
(
*
owner_permissions
)
end
end
it_behaves_like
'deploy token does not get confused with user'
do
let
(
:user_id
)
{
owner
.
id
}
end
it_behaves_like
'archived project policies'
do
it_behaves_like
'archived project policies'
do
let
(
:regular_abilities
)
{
owner_permissions
}
let
(
:regular_abilities
)
{
owner_permissions
}
end
end
...
@@ -238,6 +280,28 @@ RSpec.shared_examples 'project policies as admin with admin mode' do
...
@@ -238,6 +280,28 @@ RSpec.shared_examples 'project policies as admin with admin mode' do
expect_allowed
(
*
owner_permissions
)
expect_allowed
(
*
owner_permissions
)
end
end
context
'deploy token does not get confused with user'
do
before
do
allow
(
deploy_token
).
to
receive
(
:id
).
and_return
(
admin
.
id
)
# Project with public builds are available to all
project
.
update!
(
public_builds:
false
)
end
let
(
:deploy_token
)
{
create
(
:deploy_token
)
}
subject
{
described_class
.
new
(
deploy_token
,
project
)
}
it
do
expect_disallowed
(
*
guest_permissions
)
expect_disallowed
(
*
reporter_permissions
)
expect_disallowed
(
*
team_member_reporter_permissions
)
expect_disallowed
(
*
developer_permissions
)
expect_disallowed
(
*
maintainer_permissions
)
expect_disallowed
(
*
owner_permissions
)
end
end
it_behaves_like
'archived project policies'
do
it_behaves_like
'archived project policies'
do
let
(
:regular_abilities
)
{
owner_permissions
}
let
(
:regular_abilities
)
{
owner_permissions
}
end
end
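Review bot: the admin contexts re-implement the shared example inline as `context 'deploy token does not get confused with user'` and stub the id with `allow(deploy_token).to receive(:id).and_return(admin.id)`, whereas every other role uses `it_behaves_like` with `deploy_token.update!(id: user_id)`. If the stub is needed because updating the primary key does not work under the `:enable_admin_mode` setup, a comment should say so; otherwise reusing the shared example with `let(:user_id) { admin.id }` would remove the duplicated assertion list. Note that a stub on `:id` only affects the in-memory object, so any lookup that goes back to the database by id would not see the collision the way the `update!` variant does.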
...
@@ -257,5 +321,20 @@ RSpec.shared_examples 'project policies as admin without admin mode' do
...
@@ -257,5 +321,20 @@ RSpec.shared_examples 'project policies as admin without admin mode' do
subject
{
described_class
.
new
(
admin
,
project
)
}
subject
{
described_class
.
new
(
admin
,
project
)
}
it
{
is_expected
.
to
be_banned
}
it
{
is_expected
.
to
be_banned
}
context
'deploy token does not get confused with user'
do
before
do
allow
(
deploy_token
).
to
receive
(
:id
).
and_return
(
admin
.
id
)
# Project with public builds are available to all
project
.
update!
(
public_builds:
false
)
end
let
(
:deploy_token
)
{
create
(
:deploy_token
)
}
subject
{
described_class
.
new
(
deploy_token
,
project
)
}
it
{
is_expected
.
to
be_banned
}
end
end
end
end
end