Add policy for clusters on group level

- maintainer for group can read, create, update, and admin cluster - project user, at any level, cannot do anything with group cluster

Add policy for clusters on group level
- maintainer for group can read, create, update, and admin cluster - project user, at any level, cannot do anything with group cluster
dcf0caaa · Thong Kuah · df8f6636 · dcf0caaa · dcf0caaa · dcf0caaa
Commit dcf0caaa authored Oct 15, 2018 by Thong Kuah
6 changed files
--- a/app/policies/clusters/cluster_policy.rb
+++ b/app/policies/clusters/cluster_policy.rb
@@ -4,11 +4,7 @@ module Clusters
  class ClusterPolicy < BasePolicy
    alias_method :cluster, :subject
+    delegate { cluster.group }
    delegate { cluster.project }
-    rule { can?(:maintainer_access) }.policy do
-      enable :update_cluster
-      enable :admin_cluster
-    end
  end
 end
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -65,6 +65,10 @@ class GroupPolicy < BasePolicy
    enable :create_projects
    enable :admin_pipeline
    enable :admin_build
+    enable :read_cluster
+    enable :create_cluster
+    enable :update_cluster
+    enable :admin_cluster
  end
  rule { owner }.policy do

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,8 @@ class ProjectPolicy < BasePolicy
    enable :update_pages
    enable :read_cluster
    enable :create_cluster
+    enable :update_cluster
+    enable :admin_cluster
    enable :create_environment_terminal
  end

--- a/spec/policies/clusters/cluster_policy_spec.rb
+++ b/spec/policies/clusters/cluster_policy_spec.rb
@@ -24,5 +24,47 @@ describe Clusters::ClusterPolicy, :models do
      it { expect(policy).to be_allowed :update_cluster }
      it { expect(policy).to be_allowed :admin_cluster }
    end
+    context 'group cluster' do
+      let(:cluster) { create(:cluster, :group) }
+      let(:group) { cluster.group }
+      let(:project) { create(:project, namespace: group) }
+      context 'when group developer' do
+        before do
+          group.add_developer(user)
+        end
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
+      context 'when group maintainer' do
+        before do
+          group.add_maintainer(user)
+        end
+        it { expect(policy).to be_allowed :update_cluster }
+        it { expect(policy).to be_allowed :admin_cluster }
+      end
+      context 'when project maintainer' do
+        before do
+          project.add_maintainer(user)
+        end
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
+      context 'when project developer' do
+        before do
+          project.add_developer(user)
+        end
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
+    end
  end
 end
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -21,7 +21,11 @@ describe GroupPolicy do
  let(:maintainer_permissions) do
    [
-      :create_projects
+      :create_projects,
+      :read_cluster,
+      :create_cluster,
+      :update_cluster,
+      :admin_cluster
    ]
  end

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -163,7 +163,7 @@ describe ProjectPolicy do
        :create_build, :read_build, :update_build, :admin_build, :destroy_build,
        :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
        :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
-        :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
+        :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
        :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
      ]
@@ -182,7 +182,7 @@ describe ProjectPolicy do
        :create_build, :read_build, :update_build, :admin_build, :destroy_build,
        :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
        :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
-        :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
+        :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
        :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
      ]