Commit cfd9f688 authored by Yorick Peterse

Merge branch 'test-permissions' into 'master'

[master] Pipelines section is available to unauthorized users

See merge request gitlab/gitlabhq!2480
parents 35d4344e a0383ab4
...@@ -39,8 +39,11 @@ class Projects::MergeRequests::ApplicationController < Projects::ApplicationCont ...@@ -39,8 +39,11 @@ class Projects::MergeRequests::ApplicationController < Projects::ApplicationCont
end end
def set_pipeline_variables def set_pipeline_variables
@pipelines = @merge_request.all_pipelines @pipelines =
@pipeline = @merge_request.head_pipeline if can?(current_user, :read_pipeline, @project)
@statuses_count = @pipeline.present? ? @pipeline.statuses.relevant.count : 0 @merge_request.all_pipelines
else
Ci::Pipeline.none
end
end end
end end
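Review bot: The guard at the top of `set_pipeline_variables` authorizes against `@project`, not against each pipeline, so the listing is allowed whenever project-level `read_pipeline` holds — which this commit deliberately keeps true when internal CI is disabled so that external pipelines stay reachable. `@merge_request.all_pipelines` is not the `Project#all_pipelines` reader that this commit narrows to `.external` in that case, so unless `MergeRequest#all_pipelines` applies the same narrowing (not visible here) internal pipelines could still be listed to a user without `read_build`. Either filter here or pin the assumption in a comment: `# project-level check: MergeRequest#all_pipelines must itself exclude internal pipelines when builds are disabled`. The removed `@pipeline`/`@statuses_count` assignments have no reader inside this hunk, so any remaining consumer of those ivars is outside this view; the enclosing class continues past the hunk.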
...@@ -4,6 +4,7 @@ class Projects::PipelinesController < Projects::ApplicationController ...@@ -4,6 +4,7 @@ class Projects::PipelinesController < Projects::ApplicationController
before_action :whitelist_query_limiting, only: [:create, :retry] before_action :whitelist_query_limiting, only: [:create, :retry]
before_action :pipeline, except: [:index, :new, :create, :charts] before_action :pipeline, except: [:index, :new, :create, :charts]
before_action :authorize_read_pipeline! before_action :authorize_read_pipeline!
before_action :authorize_read_build!, only: [:index]
before_action :authorize_create_pipeline!, only: [:new, :create] before_action :authorize_create_pipeline!, only: [:new, :create]
before_action :authorize_update_pipeline!, only: [:retry, :cancel] before_action :authorize_update_pipeline!, only: [:retry, :cancel]
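Review bot: `before_action :authorize_read_build!, only: [:index]` makes the pipelines index depend on `read_build`, which `ProjectPolicy` in this same commit prevents outright under `builds_disabled | repository_disabled`, while `show` is guarded per pipeline and `Ci::PipelinePolicy` still grants `read_pipeline` on external pipelines. On a project with internal CI switched off the list is therefore unreachable for everyone, even though each external pipeline remains viewable by URL; the nav tab in `ProjectsHelper` keys off `read_build` too, so the UI is consistent, but the external-CI case described in the policy comment is not served by the index. If that is intended, a one-line comment here saves the next reader the cross-reference: `# index also requires read_build: with internal CI disabled nothing is listed; external pipelines are reachable via #show only`.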
...@@ -305,7 +305,8 @@ module ProjectsHelper ...@@ -305,7 +305,8 @@ module ProjectsHelper
nav_tabs << :container_registry nav_tabs << :container_registry
end end
if project.builds_enabled? && can?(current_user, :read_pipeline, project) # Pipelines feature is tied to presence of builds
if can?(current_user, :read_build, project)
nav_tabs << :pipelines nav_tabs << :pipelines
end end
...@@ -11,6 +11,7 @@ class Commit ...@@ -11,6 +11,7 @@ class Commit
include Mentionable include Mentionable
include Referable include Referable
include StaticModel include StaticModel
include Presentable
include ::Gitlab::Utils::StrongMemoize include ::Gitlab::Utils::StrongMemoize
attr_mentionable :safe_message, pipeline: :single_line attr_mentionable :safe_message, pipeline: :single_line
...@@ -304,7 +305,9 @@ class Commit ...@@ -304,7 +305,9 @@ class Commit
end end
def last_pipeline def last_pipeline
@last_pipeline ||= pipelines.last strong_memoize(:last_pipeline) do
pipelines.last
end
end end
def status(ref = nil) def status(ref = nil)
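Review bot: Switching `last_pipeline` from `||=` to `strong_memoize` changes what is cached: the old form re-ran `pipelines.last` on every call while the result was `nil`, whereas the new one also remembers `nil` for the lifetime of the commit object. That is presumably the point, since the views in this commit now read `last_pipeline` twice per render, but a cached nil on a long-lived object is easy to trip over later; suggest `# also memoizes nil, so a commit without a pipeline is not re-queried` above the `strong_memoize` call. `last_pipeline` sits fully inside the hunk; the `include Presentable` hunk above is what the new `CommitPresenter` relies on.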
...@@ -578,6 +578,14 @@ class Project < ActiveRecord::Base ...@@ -578,6 +578,14 @@ class Project < ActiveRecord::Base
end end
end end
def all_pipelines
if builds_enabled?
super
else
super.external
end
end
# returns all ancestor-groups upto but excluding the given namespace # returns all ancestor-groups upto but excluding the given namespace
# when no namespace is given, all ancestors upto the top are returned # when no namespace is given, all ancestors upto the top are returned
def ancestors_upto(top = nil, hierarchy_order: nil) def ancestors_upto(top = nil, hierarchy_order: nil)
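Review bot: `all_pipelines` overrides the association reader with no comment explaining the `.external` narrowing, and that narrowing is an authorization decision rather than a convenience. Suggest a header such as `# With internal CI disabled only externally reported pipelines are exposed; see ProjectPolicy, where builds_disabled & internal_builds_disabled keeps read_pipeline allowed.` Only this reader is filtered — any other path to the same rows (`ci_pipelines`, a commit's or merge request's pipelines) is unaffected and relies on the per-pipeline policy instead, which is worth stating in the same comment so nobody assumes the association itself is safe.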
...@@ -10,6 +10,15 @@ module Ci ...@@ -10,6 +10,15 @@ module Ci
@subject.project.branch_allows_collaboration?(@user, @subject.ref) @subject.project.branch_allows_collaboration?(@user, @subject.ref)
end end
condition(:external_pipeline, scope: :subject, score: 0) do
@subject.external?
end
# Disallow users without permissions from accessing internal pipelines
rule { ~can?(:read_build) & ~external_pipeline }.policy do
prevent :read_pipeline
end
rule { protected_ref }.prevent :update_pipeline rule { protected_ref }.prevent :update_pipeline
rule { can?(:public_access) & branch_allows_collaboration }.policy do rule { can?(:public_access) & branch_allows_collaboration }.policy do
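Review bot: The new rule uses the `.policy do … end` form for a single `prevent`, whereas the adjacent `rule { protected_ref }.prevent :update_pipeline` uses the one-line form; for consistency: `rule { ~can?(:read_build) & ~external_pipeline }.prevent :read_pipeline`. Since this condition is what the whole change hinges on, its comment could also say what `read_build` stands in for: `# read_build is the proxy for "may see internal CI"; external pipelines stay readable under the project-level read_pipeline`. The enclosing policy class continues outside the hunk.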
...@@ -108,6 +108,10 @@ class ProjectPolicy < BasePolicy ...@@ -108,6 +108,10 @@ class ProjectPolicy < BasePolicy
condition(:has_clusters, scope: :subject) { clusterable_has_clusters? } condition(:has_clusters, scope: :subject) { clusterable_has_clusters? }
condition(:can_have_multiple_clusters) { multiple_clusters_available? } condition(:can_have_multiple_clusters) { multiple_clusters_available? }
condition(:internal_builds_disabled) do
!@subject.builds_enabled?
end
features = %w[ features = %w[
merge_requests merge_requests
issues issues
...@@ -196,7 +200,6 @@ class ProjectPolicy < BasePolicy ...@@ -196,7 +200,6 @@ class ProjectPolicy < BasePolicy
enable :read_build enable :read_build
enable :read_container_image enable :read_container_image
enable :read_pipeline enable :read_pipeline
enable :read_pipeline_schedule
enable :read_environment enable :read_environment
enable :read_deployment enable :read_deployment
enable :read_merge_request enable :read_merge_request
...@@ -235,6 +238,7 @@ class ProjectPolicy < BasePolicy ...@@ -235,6 +238,7 @@ class ProjectPolicy < BasePolicy
enable :update_build enable :update_build
enable :create_pipeline enable :create_pipeline
enable :update_pipeline enable :update_pipeline
enable :read_pipeline_schedule
enable :create_pipeline_schedule enable :create_pipeline_schedule
enable :create_merge_request_from enable :create_merge_request_from
enable :create_wiki enable :create_wiki
...@@ -320,7 +324,6 @@ class ProjectPolicy < BasePolicy ...@@ -320,7 +324,6 @@ class ProjectPolicy < BasePolicy
end end
rule { builds_disabled | repository_disabled }.policy do rule { builds_disabled | repository_disabled }.policy do
prevent(*create_update_admin_destroy(:pipeline))
prevent(*create_read_update_admin_destroy(:build)) prevent(*create_read_update_admin_destroy(:build))
prevent(*create_read_update_admin_destroy(:pipeline_schedule)) prevent(*create_read_update_admin_destroy(:pipeline_schedule))
prevent(*create_read_update_admin_destroy(:environment)) prevent(*create_read_update_admin_destroy(:environment))
...@@ -328,11 +331,22 @@ class ProjectPolicy < BasePolicy ...@@ -328,11 +331,22 @@ class ProjectPolicy < BasePolicy
prevent(*create_read_update_admin_destroy(:deployment)) prevent(*create_read_update_admin_destroy(:deployment))
end end
# There's two separate cases when builds_disabled is true:
# 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
# - We do not prevent the user from accessing Pipelines to allow him to access external CI
# 2. When the user is not allowed to access CI - builds_disabled && ~internal_builds_disabled
# - We prevent the user from accessing Pipelines
rule { (builds_disabled & ~internal_builds_disabled) | repository_disabled }.policy do
prevent(*create_read_update_admin_destroy(:pipeline))
prevent(*create_read_update_admin_destroy(:commit_status))
end
rule { repository_disabled }.policy do rule { repository_disabled }.policy do
prevent :push_code prevent :push_code
prevent :download_code prevent :download_code
prevent :fork_project prevent :fork_project
prevent :read_commit_status prevent :read_commit_status
prevent :read_pipeline
prevent(*create_read_update_admin_destroy(:release)) prevent(*create_read_update_admin_destroy(:release))
end end
...@@ -359,7 +373,6 @@ class ProjectPolicy < BasePolicy ...@@ -359,7 +373,6 @@ class ProjectPolicy < BasePolicy
enable :read_merge_request enable :read_merge_request
enable :read_note enable :read_note
enable :read_pipeline enable :read_pipeline
enable :read_pipeline_schedule
enable :read_commit_status enable :read_commit_status
enable :read_container_image enable :read_container_image
enable :download_code enable :download_code
...@@ -378,7 +391,6 @@ class ProjectPolicy < BasePolicy ...@@ -378,7 +391,6 @@ class ProjectPolicy < BasePolicy
rule { public_builds & can?(:guest_access) }.policy do rule { public_builds & can?(:guest_access) }.policy do
enable :read_pipeline enable :read_pipeline
enable :read_pipeline_schedule
end end
# These rules are included to allow maintainers of projects to push to certain # These rules are included to allow maintainers of projects to push to certain
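Review bot: `prevent :read_pipeline` added inside `rule { repository_disabled }` is redundant: the rule a few lines above, `(builds_disabled & ~internal_builds_disabled) | repository_disabled`, already prevents `*create_read_update_admin_destroy(:pipeline)` — which includes `read_pipeline` — whenever `repository_disabled` holds, so dropping the duplicate keeps the two rules from drifting apart later. The explanatory comment above that rule is the right idea; two wording fixes: `# There are two separate cases when builds_disabled is true:` and `# - We do not prevent the user from accessing Pipelines, so they can still reach external CI`. The moves of `read_pipeline_schedule` out of the reporter, guest and public-builds rules into the developer rule are a separate tightening that neither the commit message nor the changelog entry mentions; a sentence in the description would help whoever bisects a schedule-visibility report to this commit.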
# frozen_string_literal: true
class CommitPresenter < Gitlab::View::Presenter::Simple
presents :commit
def status_for(ref)
can?(current_user, :read_commit_status, commit.project) && commit.status(ref)
end
def any_pipelines?
can?(current_user, :read_pipeline, commit.project) && commit.pipelines.any?
end
end
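Review bot: `any_pipelines?` gates on the project-level `read_pipeline` and then counts `commit.pipelines`, which is not narrowed the way `Project#all_pipelines` is in this commit; on a project with internal CI disabled the Pipelines tab could therefore appear for internal pipelines the user cannot open — hedged, since `Commit#pipelines` is not visible here. If that association is unfiltered, `commit.pipelines.any? { |p| can?(current_user, :read_pipeline, p) }` would match the per-pipeline policy the rest of the commit relies on. Both methods would also benefit from a YARD line each, e.g. `# @return [Boolean] whether the current user may see at least one pipeline of this commit`.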
...@@ -170,6 +170,10 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated ...@@ -170,6 +170,10 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
source_branch_exists? && merge_request.can_remove_source_branch?(current_user) source_branch_exists? && merge_request.can_remove_source_branch?(current_user)
end end
def can_read_pipeline?
pipeline && can?(current_user, :read_pipeline, pipeline)
end
def mergeable_discussions_state def mergeable_discussions_state
# This avoids calling MergeRequest#mergeable_discussions_state without # This avoids calling MergeRequest#mergeable_discussions_state without
# considering the state of the MR first. If a MR isn't mergeable, we can # considering the state of the MR first. If a MR isn't mergeable, we can
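Review bot: `can_read_pipeline?` authorizes `pipeline`, but its two callers in this commit render a different reader — `MergeRequestWidgetEntity` exposes `actual_head_pipeline` and the merge-requests list renders `merge_request.head_pipeline`. Whether `pipeline` resolves to the same object is not visible here; if it does not, the check and the rendered pipeline can disagree. A docstring pinning the contract would settle it: `# True when the presented MR has a pipeline and the current user may read it; callers must render that same pipeline.` `can_read_pipeline?` is fully inside the hunk.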
...@@ -57,7 +57,7 @@ class MergeRequestWidgetEntity < IssuableEntity ...@@ -57,7 +57,7 @@ class MergeRequestWidgetEntity < IssuableEntity
end end
expose :merge_commit_message expose :merge_commit_message
expose :actual_head_pipeline, with: PipelineDetailsEntity, as: :pipeline expose :actual_head_pipeline, with: PipelineDetailsEntity, as: :pipeline, if: -> (mr, _) { presenter(mr).can_read_pipeline? }
expose :merge_pipeline, with: PipelineDetailsEntity, if: ->(mr, _) { mr.merged? && can?(request.current_user, :read_pipeline, mr.target_project)} expose :merge_pipeline, with: PipelineDetailsEntity, if: ->(mr, _) { mr.merged? && can?(request.current_user, :read_pipeline, mr.target_project)}
# Booleans # Booleans
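Review bot: The new lambda is written `-> (mr, _)` with a space before the parameter list, while the line directly below uses `->(mr, _)`; RuboCop's default layout flags the spaced form, so `if: ->(mr, _) { presenter(mr).can_read_pipeline? }` keeps the file consistent. Going through the presenter here while the next line repeats `can?(request.current_user, :read_pipeline, …)` inline leaves two adjacent conditions following different patterns; either is defensible, but one should win.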
- any_pipelines = @commit.present(current_user: current_user).any_pipelines?
%ul.nav-links.no-top.no-bottom.commit-ci-menu.nav.nav-tabs %ul.nav-links.no-top.no-bottom.commit-ci-menu.nav.nav-tabs
= nav_link(path: 'commit#show') do = nav_link(path: 'commit#show') do
= link_to project_commit_path(@project, @commit.id) do = link_to project_commit_path(@project, @commit.id) do
Changes Changes
%span.badge.badge-pill= @diffs.size %span.badge.badge-pill= @diffs.size
- if can?(current_user, :read_pipeline, @project) - if any_pipelines
= nav_link(path: 'commit#pipelines') do = nav_link(path: 'commit#pipelines') do
= link_to pipelines_project_commit_path(@project, @commit.id) do = link_to pipelines_project_commit_path(@project, @commit.id) do
Pipelines Pipelines
...@@ -74,8 +74,8 @@ ...@@ -74,8 +74,8 @@
%span.commit-info.merge-requests{ 'data-project-commit-path' => merge_requests_project_commit_path(@project, @commit.id, format: :json) } %span.commit-info.merge-requests{ 'data-project-commit-path' => merge_requests_project_commit_path(@project, @commit.id, format: :json) }
= icon('spinner spin') = icon('spinner spin')
- if @commit.last_pipeline
- last_pipeline = @commit.last_pipeline - last_pipeline = @commit.last_pipeline
- if can?(current_user, :read_pipeline, last_pipeline)
.well-segment.pipeline-info .well-segment.pipeline-info
.status-icon-container .status-icon-container
= link_to project_pipeline_path(@project, last_pipeline.id), class: "ci-status-icon-#{last_pipeline.status}" do = link_to project_pipeline_path(@project, last_pipeline.id), class: "ci-status-icon-#{last_pipeline.status}" do
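Review bot: `- if can?(current_user, :read_pipeline, last_pipeline)` replaced `- if @commit.last_pipeline`, so when a commit has no pipeline `can?` is now called with a nil subject. Whether `can?` returns false for nil or fails on the policy lookup is not visible here; if that is not guaranteed, `- if last_pipeline && can?(current_user, :read_pipeline, last_pipeline)` preserves the old nil guard at no cost. The same pattern appears in the related-branches partial (`pipeline` is nil when `target` is nil) and in the closed merge request line (`merge_request.head_pipeline` may be nil).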
...@@ -9,10 +9,7 @@ ...@@ -9,10 +9,7 @@
.container-fluid{ class: [limited_container_width, container_class] } .container-fluid{ class: [limited_container_width, container_class] }
= render "commit_box" = render "commit_box"
- if @commit.status
= render "ci_menu" = render "ci_menu"
- else
.block-connector
= render "projects/diffs/diffs", diffs: @diffs, environment: @environment, is_commit: true = render "projects/diffs/diffs", diffs: @diffs, environment: @environment, is_commit: true
.limited-width-notes .limited-width-notes
...@@ -6,6 +6,7 @@ ...@@ -6,6 +6,7 @@
- merge_request = local_assigns.fetch(:merge_request, nil) - merge_request = local_assigns.fetch(:merge_request, nil)
- project = local_assigns.fetch(:project) { merge_request&.project } - project = local_assigns.fetch(:project) { merge_request&.project }
- ref = local_assigns.fetch(:ref) { merge_request&.source_branch } - ref = local_assigns.fetch(:ref) { merge_request&.source_branch }
- commit_status = commit.present(current_user: current_user).status_for(ref)
- link = commit_path(project, commit, merge_request: merge_request) - link = commit_path(project, commit, merge_request: merge_request)
%li.commit.flex-row.js-toggle-container{ id: "commit-#{commit.short_id}" } %li.commit.flex-row.js-toggle-container{ id: "commit-#{commit.short_id}" }
...@@ -22,7 +23,7 @@ ...@@ -22,7 +23,7 @@
%span.commit-row-message.d-block.d-sm-none %span.commit-row-message.d-block.d-sm-none
&middot; &middot;
= commit.short_id = commit.short_id
- if commit.status(ref) - if commit_status
.d-block.d-sm-none .d-block.d-sm-none
= render_commit_status(commit, ref: ref) = render_commit_status(commit, ref: ref)
- if commit.description? - if commit.description?
...@@ -45,7 +46,7 @@ ...@@ -45,7 +46,7 @@
- else - else
= render partial: 'projects/commit/ajax_signature', locals: { commit: commit } = render partial: 'projects/commit/ajax_signature', locals: { commit: commit }
- if commit.status(ref) - if commit_status
= render_commit_status(commit, ref: ref) = render_commit_status(commit, ref: ref)
.js-commit-pipeline-status{ data: { endpoint: pipelines_project_commit_path(project, commit.id, ref: ref) } } .js-commit-pipeline-status{ data: { endpoint: pipelines_project_commit_path(project, commit.id, ref: ref) } }
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
%ul.content-list.related-items-list %ul.content-list.related-items-list
- has_any_head_pipeline = @merge_requests.any?(&:head_pipeline_id) - has_any_head_pipeline = @merge_requests.any?(&:head_pipeline_id)
- @merge_requests.each do |merge_request| - @merge_requests.each do |merge_request|
- merge_request = merge_request.present(current_user: current_user)
%li.list-item.py-0.px-0 %li.list-item.py-0.px-0
.item-body.issuable-info-container.py-lg-3.px-lg-3.pl-md-3 .item-body.issuable-info-container.py-lg-3.px-lg-3.pl-md-3
.item-contents .item-contents
...@@ -25,7 +26,7 @@ ...@@ -25,7 +26,7 @@
= merge_request.target_project.full_path = merge_request.target_project.full_path
= merge_request.to_reference = merge_request.to_reference
%span.mr-ci-status.flex-md-grow-1.justify-content-end.d-flex.ml-md-2 %span.mr-ci-status.flex-md-grow-1.justify-content-end.d-flex.ml-md-2
- if merge_request.head_pipeline - if merge_request.can_read_pipeline?
= render_pipeline_status(merge_request.head_pipeline, tooltip_placement: 'bottom') = render_pipeline_status(merge_request.head_pipeline, tooltip_placement: 'bottom')
- elsif has_any_head_pipeline - elsif has_any_head_pipeline
= icon('blank fw') = icon('blank fw')
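Review bot: `- merge_request = merge_request.present(current_user: current_user)` reassigns the `each` block parameter, which works but shadows the raw model for the rest of the body and makes it easy to call a presenter-only method on the wrong object later; a distinct name such as `- presented = merge_request.present(current_user: current_user)` makes the two objects visibly different. `has_any_head_pipeline` is still computed from the unpresented collection, so the blank placeholder icon is shown even when every head pipeline is unreadable by the viewer — acceptable, but worth a short HAML comment next to it.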
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
%li %li
- target = @project.repository.find_branch(branch).dereferenced_target - target = @project.repository.find_branch(branch).dereferenced_target
- pipeline = @project.pipeline_for(branch, target.sha) if target - pipeline = @project.pipeline_for(branch, target.sha) if target
- if pipeline - if can?(current_user, :read_pipeline, pipeline)
%span.related-branch-ci-status %span.related-branch-ci-status
= render_pipeline_status(pipeline) = render_pipeline_status(pipeline)
%span.related-branch-info %span.related-branch-info
...@@ -46,7 +46,7 @@ ...@@ -46,7 +46,7 @@
%li.issuable-status.d-none.d-sm-inline-block %li.issuable-status.d-none.d-sm-inline-block
= icon('ban') = icon('ban')
CLOSED CLOSED
- if merge_request.head_pipeline - if can?(current_user, :read_pipeline, merge_request.head_pipeline)
%li.issuable-pipeline-status.d-none.d-sm-inline-block %li.issuable-pipeline-status.d-none.d-sm-inline-block
= render_pipeline_status(merge_request.head_pipeline) = render_pipeline_status(merge_request.head_pipeline)
- if merge_request.open? && merge_request.broken? - if merge_request.open? && merge_request.broken?
...@@ -6,7 +6,6 @@ ...@@ -6,7 +6,6 @@
= preserve(markdown(commit.description, pipeline: :single_line)) = preserve(markdown(commit.description, pipeline: :single_line))
.info-well .info-well
- if commit.status
.well-segment.pipeline-info .well-segment.pipeline-info
.icon-container .icon-container
= icon('clock-o') = icon('clock-o')
---
title: Disallows unauthorized users from accessing the pipelines section.
merge_request:
author:
type: security
...@@ -76,7 +76,7 @@ module API ...@@ -76,7 +76,7 @@ module API
requires :pipeline_id, type: Integer, desc: 'The pipeline ID' requires :pipeline_id, type: Integer, desc: 'The pipeline ID'
end end
get ':id/pipelines/:pipeline_id' do get ':id/pipelines/:pipeline_id' do
authorize! :read_pipeline, user_project authorize! :read_pipeline, pipeline
present pipeline, with: Entities::Pipeline present pipeline, with: Entities::Pipeline
end end
...@@ -104,7 +104,7 @@ module API ...@@ -104,7 +104,7 @@ module API
requires :pipeline_id, type: Integer, desc: 'The pipeline ID' requires :pipeline_id, type: Integer, desc: 'The pipeline ID'
end end
post ':id/pipelines/:pipeline_id/retry' do post ':id/pipelines/:pipeline_id/retry' do
authorize! :update_pipeline, user_project authorize! :update_pipeline, pipeline
pipeline.retry_failed(current_user) pipeline.retry_failed(current_user)
...@@ -119,7 +119,7 @@ module API ...@@ -119,7 +119,7 @@ module API
requires :pipeline_id, type: Integer, desc: 'The pipeline ID' requires :pipeline_id, type: Integer, desc: 'The pipeline ID'
end end
post ':id/pipelines/:pipeline_id/cancel' do post ':id/pipelines/:pipeline_id/cancel' do
authorize! :update_pipeline, user_project authorize! :update_pipeline, pipeline
pipeline.cancel_running pipeline.cancel_running
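Review bot: The three endpoints now authorize against the loaded `pipeline` instead of `user_project`, which is what makes the external-pipeline exception work; the `pipeline` helper itself is outside these hunks, so the association it loads from matters — if it reads `user_project.ci_pipelines` the per-pipeline policy still decides correctly. The list endpoint (`get ':id/pipelines'`, not in this diff) presumably keeps the project-level check and would then need to read from the filtered `all_pipelines` to avoid listing internal pipelines when builds are disabled — hedged, as it is not visible. A comment on the first `authorize!` would record the intent: `# per-pipeline: external pipelines stay readable when internal CI is disabled`.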
...@@ -3,9 +3,14 @@ require 'spec_helper' ...@@ -3,9 +3,14 @@ require 'spec_helper'
describe Projects::PipelineSchedulesController do describe Projects::PipelineSchedulesController do
include AccessMatchersForController include AccessMatchersForController
set(:user) { create(:user) }
set(:project) { create(:project, :public, :repository) } set(:project) { create(:project, :public, :repository) }
set(:pipeline_schedule) { create(:ci_pipeline_schedule, project: project) } set(:pipeline_schedule) { create(:ci_pipeline_schedule, project: project) }
before do
project.add_developer(user)
end
describe 'GET #index' do describe 'GET #index' do
render_views render_views
...@@ -14,6 +19,10 @@ describe Projects::PipelineSchedulesController do ...@@ -14,6 +19,10 @@ describe Projects::PipelineSchedulesController do
create(:ci_pipeline_schedule, :inactive, project: project) create(:ci_pipeline_schedule, :inactive, project: project)
end end
before do
sign_in(user)
end
it 'renders the index view' do it 'renders the index view' do
visit_pipelines_schedules visit_pipelines_schedules
...@@ -21,7 +30,7 @@ describe Projects::PipelineSchedulesController do ...@@ -21,7 +30,7 @@ describe Projects::PipelineSchedulesController do
expect(response).to render_template(:index) expect(response).to render_template(:index)
end end
it 'avoids N + 1 queries' do it 'avoids N + 1 queries', :request_store do
control_count = ActiveRecord::QueryRecorder.new { visit_pipelines_schedules }.count control_count = ActiveRecord::QueryRecorder.new { visit_pipelines_schedules }.count
create_list(:ci_pipeline_schedule, 2, project: project) create_list(:ci_pipeline_schedule, 2, project: project)
...@@ -5,7 +5,7 @@ describe Projects::PipelinesController do ...@@ -5,7 +5,7 @@ describe Projects::PipelinesController do
set(:user) { create(:user) } set(:user) { create(:user) }
let(:project) { create(:project, :public, :repository) } let(:project) { create(:project, :public, :repository) }
let(:feature) { ProjectFeature::DISABLED } let(:feature) { ProjectFeature::ENABLED }
before do before do
stub_not_protect_default_branch stub_not_protect_default_branch
...@@ -186,6 +186,27 @@ describe Projects::PipelinesController do ...@@ -186,6 +186,27 @@ describe Projects::PipelinesController do
end end
end end
context 'when builds are disabled' do
let(:feature) { ProjectFeature::DISABLED }
it 'users can not see internal pipelines' do
get_pipeline_json
expect(response).to have_gitlab_http_status(:not_found)
end
context 'when pipeline is external' do
let(:pipeline) { create(:ci_pipeline, source: :external, project: project) }
it 'users can see the external pipeline' do
get_pipeline_json
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['id']).to be(pipeline.id)
end
end
end
def get_pipeline_json def get_pipeline_json
get :show, params: { namespace_id: project.namespace, project_id: project, id: pipeline }, format: :json get :show, params: { namespace_id: project.namespace, project_id: project, id: pipeline }, format: :json
end end
...@@ -326,16 +347,14 @@ describe Projects::PipelinesController do ...@@ -326,16 +347,14 @@ describe Projects::PipelinesController do
format: :json format: :json
end end
context 'when builds are enabled' do
let(:feature) { ProjectFeature::ENABLED }
it 'retries a pipeline without returning any content' do it 'retries a pipeline without returning any content' do
expect(response).to have_gitlab_http_status(:no_content) expect(response).to have_gitlab_http_status(:no_content)
expect(build.reload).to be_retried expect(build.reload).to be_retried
end end
end
context 'when builds are disabled' do context 'when builds are disabled' do
let(:feature) { ProjectFeature::DISABLED }
it 'fails to retry pipeline' do it 'fails to retry pipeline' do
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end end
...@@ -355,16 +374,14 @@ describe Projects::PipelinesController do ...@@ -355,16 +374,14 @@ describe Projects::PipelinesController do
format: :json format: :json
end end
context 'when builds are enabled' do
let(:feature) { ProjectFeature::ENABLED }
it 'cancels a pipeline without returning any content' do it 'cancels a pipeline without returning any content' do
expect(response).to have_gitlab_http_status(:no_content) expect(response).to have_gitlab_http_status(:no_content)
expect(pipeline.reload).to be_canceled expect(pipeline.reload).to be_canceled
end end
end
context 'when builds are disabled' do context 'when builds are disabled' do
let(:feature) { ProjectFeature::DISABLED }
it 'fails to retry pipeline' do it 'fails to retry pipeline' do
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end end
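Review bot: The new `'when builds are disabled'` context exercises only the user signed in by the outer `before` (`set(:user)`; its role in the project is outside the hunk), so it checks the `builds_disabled & ~internal_builds_disabled` branch of `ProjectPolicy` for a single access level. The rule this commit adds to `Ci::PipelinePolicy` distinguishes users with and without `read_build`; a sibling example that has a guest or anonymous user call `get_pipeline_json` on an internal pipeline would pin that boundary at the controller level rather than only in the access feature specs.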
...@@ -452,9 +452,9 @@ describe "Internal Project Access" do ...@@ -452,9 +452,9 @@ describe "Internal Project Access" do
it { is_expected.to be_allowed_for(:owner).of(project) } it { is_expected.to be_allowed_for(:owner).of(project) }
it { is_expected.to be_allowed_for(:maintainer).of(project) } it { is_expected.to be_allowed_for(:maintainer).of(project) }
it { is_expected.to be_allowed_for(:developer).of(project) } it { is_expected.to be_allowed_for(:developer).of(project) }
it { is_expected.to be_allowed_for(:reporter).of(project) } it { is_expected.to be_denied_for(:reporter).of(project) }
it { is_expected.to be_allowed_for(:guest).of(project) } it { is_expected.to be_denied_for(:guest).of(project) }
it { is_expected.to be_allowed_for(:user) } it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_denied_for(:visitor) } it { is_expected.to be_denied_for(:visitor) }
end end
...@@ -485,7 +485,7 @@ describe "Private Project Access" do ...@@ -485,7 +485,7 @@ describe "Private Project Access" do
it { is_expected.to be_allowed_for(:owner).of(project) } it { is_expected.to be_allowed_for(:owner).of(project) }
it { is_expected.to be_allowed_for(:maintainer).of(project) } it { is_expected.to be_allowed_for(:maintainer).of(project) }
it { is_expected.to be_allowed_for(:developer).of(project) } it { is_expected.to be_allowed_for(:developer).of(project) }
it { is_expected.to be_allowed_for(:reporter).of(project) } it { is_expected.to be_denied_for(:reporter).of(project) }
it { is_expected.to be_denied_for(:guest).of(project) } it { is_expected.to be_denied_for(:guest).of(project) }
it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:external) }
...@@ -272,11 +272,11 @@ describe "Public Project Access" do ...@@ -272,11 +272,11 @@ describe "Public Project Access" do
it { is_expected.to be_allowed_for(:owner).of(project) } it { is_expected.to be_allowed_for(:owner).of(project) }
it { is_expected.to be_allowed_for(:maintainer).of(project) } it { is_expected.to be_allowed_for(:maintainer).of(project) }
it { is_expected.to be_allowed_for(:developer).of(project) } it { is_expected.to be_allowed_for(:developer).of(project) }
it { is_expected.to be_allowed_for(:reporter).of(project) } it { is_expected.to be_denied_for(:reporter).of(project) }
it { is_expected.to be_allowed_for(:guest).of(project) } it { is_expected.to be_denied_for(:guest).of(project) }
it { is_expected.to be_allowed_for(:user) } it { is_expected.to be_denied_for(:user) }
it { is_expected.to be_allowed_for(:external) } it { is_expected.to be_denied_for(:external) }
it { is_expected.to be_allowed_for(:visitor) } it { is_expected.to be_denied_for(:visitor) }
end end
describe "GET /:project_path/environments" do describe "GET /:project_path/environments" do
...@@ -354,10 +354,22 @@ describe ProjectsHelper do ...@@ -354,10 +354,22 @@ describe ProjectsHelper do
allow(project).to receive(:builds_enabled?).and_return(false) allow(project).to receive(:builds_enabled?).and_return(false)
end end
it "do not include pipelines tab" do context 'when user has access to builds' do
it "does include pipelines tab" do
is_expected.to include(:pipelines)
end
end
context 'when user does not have access to builds' do
before do
allow(helper).to receive(:can?) { false }
end
it "does not include pipelines tab" do
is_expected.not_to include(:pipelines) is_expected.not_to include(:pipelines)
end end
end end
end
context 'when project has external wiki' do context 'when project has external wiki' do
before do before do
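Review bot: `allow(helper).to receive(:can?) { false }` stubs every permission check the helper makes, so the `'when user does not have access to builds'` example also hides any other tab gated on `can?` and would keep passing if the pipelines tab were keyed on the wrong ability. Narrowing the stub to the check this commit introduced, `allow(helper).to receive(:can?).with(anything, :read_build, project).and_return(false)`, makes the example test `read_build` specifically. The positive case `'does include pipelines tab'` inherits the outer `builds_enabled?` false stub, which is exactly the external-CI scenario the policy comment describes; a comment saying so would explain why a tab appears with builds disabled.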
...@@ -12,7 +12,7 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do ...@@ -12,7 +12,7 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
] ]
RSpec::Mocks.with_temporary_scope do RSpec::Mocks.with_temporary_scope do
@project = create(:project, :builds_disabled, :issues_disabled, name: 'project', path: 'project') @project = create(:project, :builds_enabled, :issues_disabled, name: 'project', path: 'project')
@shared = @project.import_export_shared @shared = @project.import_export_shared
allow(@shared).to receive(:export_path).and_return('spec/lib/gitlab/import_export/') allow(@shared).to receive(:export_path).and_return('spec/lib/gitlab/import_export/')
...@@ -40,7 +40,7 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do ...@@ -40,7 +40,7 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
project = Project.find_by_path('project') project = Project.find_by_path('project')
expect(project.project_feature.issues_access_level).to eq(ProjectFeature::DISABLED) expect(project.project_feature.issues_access_level).to eq(ProjectFeature::DISABLED)
expect(project.project_feature.builds_access_level).to eq(ProjectFeature::DISABLED) expect(project.project_feature.builds_access_level).to eq(ProjectFeature::ENABLED)
expect(project.project_feature.snippets_access_level).to eq(ProjectFeature::ENABLED) expect(project.project_feature.snippets_access_level).to eq(ProjectFeature::ENABLED)
expect(project.project_feature.wiki_access_level).to eq(ProjectFeature::ENABLED) expect(project.project_feature.wiki_access_level).to eq(ProjectFeature::ENABLED)
expect(project.project_feature.merge_requests_access_level).to eq(ProjectFeature::ENABLED) expect(project.project_feature.merge_requests_access_level).to eq(ProjectFeature::ENABLED)
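Review bot: Switching the fixture from `:builds_disabled` to `:builds_enabled` and the matching `builds_access_level` expectation to `ENABLED` removes the only coverage that a `DISABLED` builds access level round-trips through import/export. If the switch was needed because the restored project now carries pipeline data that requires builds, a second example that keeps a disabled-builds project and asserts `ProjectFeature::DISABLED` would retain that coverage. The `RSpec::Mocks.with_temporary_scope` block and the example containing the expectations both continue outside this hunk.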
......
...@@ -11,6 +11,7 @@ describe Commit do ...@@ -11,6 +11,7 @@ describe Commit do
it { is_expected.to include_module(Participable) } it { is_expected.to include_module(Participable) }
it { is_expected.to include_module(Referable) } it { is_expected.to include_module(Referable) }
it { is_expected.to include_module(StaticModel) } it { is_expected.to include_module(StaticModel) }
it { is_expected.to include_module(Presentable) }
end end
describe '.lazy' do describe '.lazy' do
......
...@@ -405,6 +405,30 @@ describe Project do ...@@ -405,6 +405,30 @@ describe Project do
end end
end end
describe '#all_pipelines' do
let(:project) { create(:project) }
before do
create(:ci_pipeline, project: project, ref: 'master', source: :web)
create(:ci_pipeline, project: project, ref: 'master', source: :external)
end
it 'has all pipelines' do
expect(project.all_pipelines.size).to eq(2)
end
context 'when builds are disabled' do
before do
project.project_feature.update_attribute(:builds_access_level, ProjectFeature::DISABLED)
end
it 'should return .external pipelines' do
expect(project.all_pipelines).to all(have_attributes(source: 'external'))
expect(project.all_pipelines.size).to eq(1)
end
end
end
describe 'project token' do describe 'project token' do
it 'sets an random token if none provided' do it 'sets an random token if none provided' do
project = FactoryBot.create(:project, runners_token: '') project = FactoryBot.create(:project, runners_token: '')
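Review bot: The example name `it 'should return .external pipelines'` reads oddly and uses the `should` wording that RSpec example-wording checks flag; `it 'returns only external pipelines when builds are disabled'` says the same thing plainly. The assertions themselves are good: checking that every returned pipeline has `source: 'external'` together with the count of 1 shows the `:web` pipeline is actually filtered out rather than merely reordered. `update_attribute` bypasses validations, which is acceptable in a `before` block but means an invalid access level would not be caught here.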
......
...@@ -75,6 +75,14 @@ describe Ci::PipelinePolicy, :models do ...@@ -75,6 +75,14 @@ describe Ci::PipelinePolicy, :models do
end end
end end
context 'when user does not have access to internal CI' do
let(:project) { create(:project, :builds_disabled, :public) }
it 'disallows the user from reading the pipeline' do
expect(policy).to be_disallowed :read_pipeline
end
end
describe 'destroy_pipeline' do describe 'destroy_pipeline' do
let(:project) { create(:project, :public) } let(:project) { create(:project, :public) }
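Review bot: The new context only covers a pipeline on a `:builds_disabled, :public` project being unreadable; since `Project#all_pipelines` in this same commit still exposes `external`-source pipelines when builds are disabled, the policy spec should also state whether an external pipeline remains readable, for example a sibling context with `let(:pipeline) { create(:ci_pipeline, project: project, source: :external) }` asserting `be_allowed :read_pipeline` (or `be_disallowed`, if hiding them is intended). Which user `policy` is built for comes from a `let` outside the hunk, so it is not visible whether this denial is for a non-member or a member; naming that in the context description would make the expectation easier to interpret.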
......
...@@ -175,17 +175,19 @@ describe ProjectPolicy do ...@@ -175,17 +175,19 @@ describe ProjectPolicy do
end end
context 'builds feature' do context 'builds feature' do
context 'when builds are disabled' do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
it 'disallows all permissions when the feature is disabled' do before do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED) project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
end
it 'disallows all permissions except pipeline when the feature is disabled' do
builds_permissions = [ builds_permissions = [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
] ]
...@@ -193,6 +195,24 @@ describe ProjectPolicy do ...@@ -193,6 +195,24 @@ describe ProjectPolicy do
end end
end end
context 'when builds are disabled only for some users' do
subject { described_class.new(guest, project) }
before do
project.project_feature.update(builds_access_level: ProjectFeature::PRIVATE)
end
it 'disallows pipeline and commit_status permissions' do
builds_permissions = [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_commit_status, :update_commit_status, :admin_commit_status, :destroy_commit_status
]
expect_disallowed(*builds_permissions)
end
end
end
context 'repository feature' do context 'repository feature' do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
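Review bot: Neither new context asserts anything positive about `:read_pipeline`, even though the first example's title is now 'disallows all permissions except pipeline': the disabled-builds example would still pass if `:read_pipeline` were denied too, and the guest-on-private-builds context at the end omits both `:read_pipeline` and `:read_build` from its list without saying whether they are expected to be allowed or denied. Adding `expect_allowed(:read_pipeline)` to the owner example and an explicit `expect_disallowed(:read_build)` (plus whichever outcome is intended for `:read_pipeline`) to the guest example would pin the behavior this commit changes. The `expect_disallowed(*builds_permissions)` call for the first example and the end of the enclosing `context 'builds feature'` before this change both lie outside the hunk.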
......
# frozen_string_literal: true
require 'spec_helper'
describe CommitPresenter do
let(:project) { create(:project, :repository) }
let(:commit) { project.commit }
let(:user) { create(:user) }
let(:presenter) { described_class.new(commit, current_user: user) }
describe '#status_for' do
subject { presenter.status_for('ref') }
context 'when user can read_commit_status' do
before do
allow(presenter).to receive(:can?).with(user, :read_commit_status, project).and_return(true)
end
it 'returns commit status for ref' do
expect(commit).to receive(:status).with('ref').and_return('test')
expect(subject).to eq('test')
end
end
context 'when user can not read_commit_status' do
it 'is false' do
is_expected.to eq(false)
end
end
end
describe '#any_pipelines?' do
subject { presenter.any_pipelines? }
context 'when user can read pipeline' do
before do
allow(presenter).to receive(:can?).with(user, :read_pipeline, project).and_return(true)
end
it 'returns if there are any pipelines for commit' do
expect(commit).to receive_message_chain(:pipelines, :any?).and_return(true)
expect(subject).to eq(true)
end
end
context 'when user can not read pipeline' do
it 'is false' do
is_expected.to eq(false)
end
end
end
end
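Review bot: The two negative contexts ('when user can not read_commit_status' and 'when user can not read pipeline') never stub `can?`, so they exercise the real policy against a freshly created user and whatever visibility `create(:project, :repository)` defaults to; if that default is private, the examples pass because of project visibility rather than the specific permission, and a change to the factory default would silently turn them into tests that pass for the wrong reason. Making the condition explicit, either `allow(presenter).to receive(:can?).with(user, :read_pipeline, project).and_return(false)` mirroring the positive contexts or a `:private` trait on the project, would state what is actually being denied. `receive_message_chain(:pipelines, :any?)` couples the spec to the presenter's internal call shape; stubbing `commit.pipelines` with a double that responds to `any?` is the usual alternative, and `expect(subject).to eq(true)` can be `is_expected.to be(true)` to match the negative examples.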
...@@ -31,6 +31,14 @@ describe MergeRequestWidgetEntity do ...@@ -31,6 +31,14 @@ describe MergeRequestWidgetEntity do
describe 'pipeline' do describe 'pipeline' do
let(:pipeline) { create(:ci_empty_pipeline, project: project, ref: resource.source_branch, sha: resource.source_branch_sha, head_pipeline_of: resource) } let(:pipeline) { create(:ci_empty_pipeline, project: project, ref: resource.source_branch, sha: resource.source_branch_sha, head_pipeline_of: resource) }
before do
allow_any_instance_of(MergeRequestPresenter).to receive(:can?).and_call_original
allow_any_instance_of(MergeRequestPresenter).to receive(:can?).with(user, :read_pipeline, anything).and_return(result)
end
context 'when user has access to pipelines' do
let(:result) { true }
context 'when is up to date' do context 'when is up to date' do
let(:req) { double('request', current_user: user, project: project) } let(:req) { double('request', current_user: user, project: project) }
...@@ -47,7 +55,16 @@ describe MergeRequestWidgetEntity do ...@@ -47,7 +55,16 @@ describe MergeRequestWidgetEntity do
it 'returns nil' do it 'returns nil' do
pipeline.update(sha: "not up to date") pipeline.update(sha: "not up to date")
expect(subject[:pipeline]).to be_nil expect(subject[:pipeline]).to eq(nil)
end
end
end
context 'when user does not have access to pipelines' do
let(:result) { false }
it 'does not have pipeline' do
expect(subject[:pipeline]).to eq(nil)
end end
end end
end end
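Review bot: The new `before` block stubs `can?` for `:read_pipeline` on any `MergeRequestPresenter` instance with `anything` as the subject, so both new contexts verify only that the entity follows whatever the presenter answers, not that an unauthorized user is refused by the real policy; a complementary example with a real non-member `user` on a project whose builds are restricted would cover the end-to-end path this merge request is about. `allow_any_instance_of` is a known RSpec smell; a stub on the specific presenter instance is preferable if the entity exposes that seam — confirm. Replacing `be_nil` with `eq(nil)` in the 'returns nil' example is a step backwards in style; `be_nil` was the idiomatic matcher.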
......
...@@ -9,6 +9,7 @@ describe 'projects/commit/_commit_box.html.haml' do ...@@ -9,6 +9,7 @@ describe 'projects/commit/_commit_box.html.haml' do
assign(:commit, project.commit) assign(:commit, project.commit)
allow(view).to receive(:current_user).and_return(user) allow(view).to receive(:current_user).and_return(user)
allow(view).to receive(:can_collaborate_with_project?).and_return(false) allow(view).to receive(:can_collaborate_with_project?).and_return(false)
project.add_developer(user)
end end
it 'shows the commit SHA' do it 'shows the commit SHA' do
...@@ -48,7 +49,6 @@ describe 'projects/commit/_commit_box.html.haml' do ...@@ -48,7 +49,6 @@ describe 'projects/commit/_commit_box.html.haml' do
context 'viewing a commit' do context 'viewing a commit' do
context 'as a developer' do context 'as a developer' do
before do before do
project.add_developer(user)
allow(view).to receive(:can_collaborate_with_project?).and_return(true) allow(view).to receive(:can_collaborate_with_project?).and_return(true)
end end
...@@ -60,6 +60,10 @@ describe 'projects/commit/_commit_box.html.haml' do ...@@ -60,6 +60,10 @@ describe 'projects/commit/_commit_box.html.haml' do
end end
context 'as a non-developer' do context 'as a non-developer' do
before do
project.add_guest(user)
end
it 'does not have a link to create a new tag' do it 'does not have a link to create a new tag' do
render render
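Review bot: The outer `before` now makes `user` a developer for every example, and the 'as a non-developer' context then calls `project.add_guest(user)` on that same member, so the test depends on `add_guest` lowering an existing member's access level rather than adding a membership, which is not obvious when reading the spec. Keeping the role assignment inside the per-role contexts (developer in one, guest in the other) and leaving the outer `before` without a membership makes each context's precondition explicit; at minimum a comment such as `# user is already a developer from the outer before block; this downgrades them` should accompany the `add_guest` call. The outer `before` block and the 'as a developer' context both start outside this hunk.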
......
...@@ -3,6 +3,7 @@ require 'spec_helper' ...@@ -3,6 +3,7 @@ require 'spec_helper'
describe 'projects/issues/_related_branches' do describe 'projects/issues/_related_branches' do
include Devise::Test::ControllerHelpers include Devise::Test::ControllerHelpers
let(:user) { create(:user) }
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:branch) { project.repository.find_branch('feature') } let(:branch) { project.repository.find_branch('feature') }
let!(:pipeline) { create(:ci_pipeline, project: project, sha: branch.dereferenced_target.id, ref: 'feature') } let!(:pipeline) { create(:ci_pipeline, project: project, sha: branch.dereferenced_target.id, ref: 'feature') }
...@@ -11,6 +12,9 @@ describe 'projects/issues/_related_branches' do ...@@ -11,6 +12,9 @@ describe 'projects/issues/_related_branches' do
assign(:project, project) assign(:project, project)
assign(:related_branches, ['feature']) assign(:related_branches, ['feature'])
project.add_developer(user)
allow(view).to receive(:current_user).and_return(user)
render render
end end
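Review bot: The spec now renders only for a developer who can read the pipeline, so the behavior this merge request targets — the pipeline status not being rendered for a user without `:read_pipeline` — has no example in this file. A second example that uses a user with no membership (or a guest on a project whose builds are restricted to members) and asserts the pipeline status markup is absent would pin the fix. The `before` block this hunk extends starts outside the hunk.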
......