Remove superfluous permission check for alerts

The policy `read_prometheus_alerts` already makes sure that the user has at least maintainer access. Add some missing specs to cover unprivileged access.

Remove superfluous permission check for alerts
The policy `read_prometheus_alerts` already makes sure that the user has at least maintainer access. Add some missing specs to cover unprivileged access.
d06f9dc3 · Peter Leitzen · Dmitriy Zaporozhets · f4769469 · d06f9dc3 · d06f9dc3
Commit d06f9dc3 authored May 07, 2019 by Peter Leitzen Committed by Dmitriy Zaporozhets May 07, 2019
3 changed files
--- a/ee/app/controllers/projects/prometheus/alerts_controller.rb
+++ b/ee/app/controllers/projects/prometheus/alerts_controller.rb
@@ -12,7 +12,6 @@ module Projects
      prepend_before_action :repository, :project_without_auth, only: [:notify]
      before_action :authorize_read_prometheus_alerts!, except: [:notify]
-      before_action :authorize_admin_project!, except: [:notify]
      before_action :alert, only: [:update, :show, :destroy]
      def index

--- a/ee/spec/controllers/projects/prometheus/alerts_controller_spec.rb
+++ b/ee/spec/controllers/projects/prometheus/alerts_controller_spec.rb
@@ -10,10 +10,22 @@ describe Projects::Prometheus::AlertsController do
  before do
    stub_licensed_features(prometheus_alerts: true)
-    project.add_master(user)
+    project.add_maintainer(user)
    sign_in(user)
  end
+  shared_examples 'unprivileged' do
+    before do
+      project.add_developer(user)
+    end
+    it 'returns not_found' do
+      make_request
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
  shared_examples 'unlicensed' do
    before do
      stub_licensed_features(prometheus_alerts: false)
@@ -105,6 +117,7 @@ describe Projects::Prometheus::AlertsController do
      end
    end
+    it_behaves_like 'unprivileged'
    it_behaves_like 'unlicensed'
    it_behaves_like 'project non-specific environment', :ok
  end
@@ -152,6 +165,7 @@ describe Projects::Prometheus::AlertsController do
        expect(json_response).to include(alert_params)
      end
+      it_behaves_like 'unprivileged'
      it_behaves_like 'unlicensed'
      it_behaves_like 'project non-specific environment', :not_found
      it_behaves_like 'project non-specific metric', :not_found
@@ -254,6 +268,7 @@ describe Projects::Prometheus::AlertsController do
      expect(response).to have_gitlab_http_status(:no_content)
    end
+    it_behaves_like 'unprivileged'
    it_behaves_like 'unlicensed'
    it_behaves_like 'project non-specific environment', :no_content
  end
@@ -302,6 +317,7 @@ describe Projects::Prometheus::AlertsController do
      expect(json_response).to include(alert_params)
    end
+    it_behaves_like 'unprivileged'
    it_behaves_like 'unlicensed'
    it_behaves_like 'project non-specific environment', :not_found
    it_behaves_like 'project non-specific metric', :not_found
@@ -333,6 +349,7 @@ describe Projects::Prometheus::AlertsController do
      expect(schedule_update_service).to have_received(:execute)
    end
+    it_behaves_like 'unprivileged'
    it_behaves_like 'unlicensed'
    it_behaves_like 'project non-specific environment', :not_found
    it_behaves_like 'project non-specific metric', :not_found

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -493,6 +493,66 @@ describe ProjectPolicy do
    end
  end
+  describe 'read_prometheus_alerts' do
+    context 'with prometheus_alerts available' do
+      before do
+        stub_licensed_features(prometheus_alerts: true)
+      end
+      context 'with admin' do
+        let(:current_user) { admin }
+        it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      end
+      context 'with owner' do
+        let(:current_user) { owner }
+        it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      end
+      context 'with maintainer' do
+        let(:current_user) { maintainer }
+        it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      end
+      context 'with developer' do
+        let(:current_user) { developer }
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
+      context 'with reporter' do
+        let(:current_user) { reporter }
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
+      context 'with guest' do
+        let(:current_user) { guest }
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
+      context 'with anonymous' do
+        let(:current_user) { nil }
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
+    end
+    context 'without prometheus_alerts available' do
+      before do
+        stub_licensed_features(prometheus_alerts: false)
+      end
+      let(:current_user) { admin }
+      it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+    end
+  end
  it_behaves_like 'ee clusterable policies' do
    let(:clusterable) { create(:project, :repository) }