authorTomasz Maczukin <tomasz@maczukin.pl>2017-11-23 15:47:15 +0100
committerTomasz Maczukin <tomasz@maczukin.pl>2017-11-23 17:44:05 +0100
commit97f966c445c0c2191a8017aa981a34737b9adf56 (patch)
tree297294c7ae4b22267da7c88aac70a13263346542
parentdfbfd3c7d7d4677ac99a7f8147a673911e8d4e98 (diff)
Introduce :read_namespace access policy for namespace and group
-rw-r--r--app/policies/group_policy.rb2
-rw-r--r--app/policies/namespace_policy.rb1
-rw-r--r--lib/api/helpers.rb2
-rw-r--r--spec/requests/api/namespaces_spec.rb58
4 files changed, 52 insertions, 11 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 8af9738d75c..a2518bc1080 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -34,6 +34,8 @@ class GroupPolicy < BasePolicy
rule { admin } .enable :read_group
rule { has_projects } .enable :read_group
+ rule { has_access }.enable :read_namespace
+
rule { developer }.enable :admin_milestones
rule { reporter }.enable :admin_label
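Review bot: The added `rule { has_access }.enable :read_namespace` grants the ability on a condition defined outside this hunk, while NamespacePolicy in the same commit grants it only inside `rule { owner | admin }`. If `has_access` is true for any membership level, every group member can now resolve the group's namespace through the API, a wider audience than for personal namespaces. A comment above the rule would record that this is deliberate, for example `# Any group member may read the namespace record; changes still require :admin_namespace`.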
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index 92213f0155e..eb01218eb0a 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
rule { owner | admin }.policy do
enable :create_projects
enable :admin_namespace
+ enable :read_namespace
end
rule { personal_project & ~can_create_personal_project }.prevent :create_projects
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 52ac416f9ad..686bf7a3c2b 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -127,7 +127,7 @@ module API
def find_namespace!(id)
namespace = find_namespace(id)
- if can?(current_user, :admin_namespace, namespace)
+ if can?(current_user, :read_namespace, namespace)
namespace
else
not_found!('Namespace')
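Review bot: `find_namespace!` is a shared API helper, so changing its check from `:admin_namespace` to `:read_namespace` relaxes authorization for every caller, not only for `GET /namespaces/:id`. Any endpoint that modifies a namespace after calling this helper now needs its own `:admin_namespace` check. The callers are not visible in this diff, so that should be confirmed before merging. A comment on the method would make the contract explicit, such as `# Authorizes read access only; callers that modify the namespace must check :admin_namespace themselves`. The method body continues outside the hunk.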
diff --git a/spec/requests/api/namespaces_spec.rb b/spec/requests/api/namespaces_spec.rb
index 900d7e059b8..98102fcd6a7 100644
--- a/spec/requests/api/namespaces_spec.rb
+++ b/spec/requests/api/namespaces_spec.rb
@@ -94,6 +94,7 @@ describe API::Namespaces do
describe 'GET /namespaces/:id' do
let(:owned_group) { group1 }
+ let(:user2) { create(:user) }
shared_examples 'can access namespace' do
it 'returns namespace details' do
@@ -116,15 +117,33 @@ describe API::Namespaces do
context 'when namespace exists' do
context 'when requested by ID' do
- let(:namespace_id) { owned_group.id }
+ context 'when requesting group' do
+ let(:namespace_id) { owned_group.id }
- it_behaves_like 'can access namespace'
+ it_behaves_like 'can access namespace'
+ end
+
+ context 'when requesting personal namespace' do
+ let(:namespace_id) { request_actor.namespace.id }
+ let(:requested_namespace) { request_actor.namespace }
+
+ it_behaves_like 'can access namespace'
+ end
end
context 'when requested by path' do
- let(:namespace_id) { owned_group.path }
+ context 'when requesting group' do
+ let(:namespace_id) { owned_group.path }
- it_behaves_like 'can access namespace'
+ it_behaves_like 'can access namespace'
+ end
+
+ context 'when requesting personal namespace' do
+ let(:namespace_id) { request_actor.namespace.path }
+ let(:requested_namespace) { request_actor.namespace }
+
+ it_behaves_like 'can access namespace'
+ end
end
end
@@ -149,10 +168,20 @@ describe API::Namespaces do
let(:request_actor) { user }
context 'when requested namespace is not owned by user' do
- it 'returns not-found' do
- get api("/namespaces/#{group2.id}", request_actor)
+ context 'when requesting group' do
+ it 'returns not-found' do
+ get api("/namespaces/#{group2.id}", request_actor)
- expect(response).to have_gitlab_http_status(404)
+ expect(response).to have_gitlab_http_status(404)
+ end
+ end
+
+ context 'when requesting personal namespace' do
+ it 'returns not-found' do
+ get api("/namespaces/#{user2.namespace.id}", request_actor)
+
+ expect(response).to have_gitlab_http_status(404)
+ end
end
end
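Review bot: The regular-user cases in this hunk cover only a group the user has no access to and another user's personal namespace. The case the GroupPolicy change actually introduces, a member of the group who is not an owner, is not exercised in the visible hunks. Without it the spec would still pass if `:read_namespace` were granted to owners only, or if it leaked to non-members through some other rule. A context that adds `request_actor` to `group2` with a low access level and pins the expected status would lock the decision in. The 200 below assumes `has_access` is meant to include guests.

```ruby
context 'when user is a non-owner member of the group' do
  before do
    group2.add_guest(request_actor)
  end

  it 'returns namespace details' do
    get api("/namespaces/#{group2.id}", request_actor)

    expect(response).to have_gitlab_http_status(200)
  end
end
```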
@@ -165,10 +194,19 @@ describe API::Namespaces do
let(:request_actor) { admin }
context 'when requested namespace is not owned by user' do
- let(:namespace_id) { group2.id }
- let(:requested_namespace) { group2 }
+ context 'when requesting group' do
+ let(:namespace_id) { group2.id }
+ let(:requested_namespace) { group2 }
+
+ it_behaves_like 'can access namespace'
+ end
+
+ context 'when requesting personal namespace' do
+ let(:namespace_id) { user2.namespace.id }
+ let(:requested_namespace) { user2.namespace }
- it_behaves_like 'can access namespace'
+ it_behaves_like 'can access namespace'
+ end
end
context 'when requested namespace is owned by user' do