Add security specs

author: Felipe Artur <felipefac@gmail.com> 2016-03-09 13:57:57 -0300
committer: Felipe Artur <felipefac@gmail.com> 2016-03-10 10:38:36 -0300
commit: 96fc1d90927624345c7426b28fb3fd135e901e60 (patch)
tree: d3e4fd45a242555f854a99531705c70b245c444a /spec/features/security
parent: c3e70280dffe7ee0859ebd73b902d424ca5f809a (diff)
download: gitlab-ce-96fc1d90927624345c7426b28fb3fd135e901e60.tar.gz
4 files changed, 312 insertions, 40 deletions
diff --git a/spec/features/security/group/internal_access_spec.rb b/spec/features/security/group/internal_access_spec.rb
new file mode 100644
index 00000000000..69a0fbb4468
--- /dev/null
+++ b/spec/features/security/group/internal_access_spec.rb
@@ -0,0 +1,104 @@
+require 'rails_helper'
+
+describe 'Internal group access', feature: true do
+  include AccessMatchers
+  include GroupAccessHelper
+
+
+
+  describe 'GET /groups/:path' do
+    subject { group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/merge_requests' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+
+
+  describe 'GET /groups/:path/group_members' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/edit' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+end
diff --git a/spec/features/security/group/private_access_spec.rb b/spec/features/security/group/private_access_spec.rb
new file mode 100644
index 00000000000..0d01310b449
--- /dev/null
+++ b/spec/features/security/group/private_access_spec.rb
@@ -0,0 +1,104 @@
+require 'rails_helper'
+
+describe 'Private group access', feature: true do
+  include AccessMatchers
+  include GroupAccessHelper
+
+
+
+  describe 'GET /groups/:path' do
+    subject { group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to_not be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to_not be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/merge_requests' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to_not be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+
+
+  describe 'GET /groups/:path/group_members' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to_not be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/edit' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to_not be_allowed_for :user }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to_not be_allowed_for :visitor }
+    end
+  end
+end
diff --git a/spec/features/security/group/public_access_spec.rb b/spec/features/security/group/public_access_spec.rb
new file mode 100644
index 00000000000..75d208f2949
--- /dev/null
+++ b/spec/features/security/group/public_access_spec.rb
@@ -0,0 +1,104 @@
+require 'rails_helper'
+
+describe 'Public group access', feature: true do
+  include AccessMatchers
+  include GroupAccessHelper
+
+
+
+  describe 'GET /groups/:path' do
+    subject { group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/merge_requests' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+  end
+
+
+  describe 'GET /groups/:path/group_members' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+  end
+
+  describe 'GET /groups/:path/edit' do
+    subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
+
+    context "when user not in group project" do
+      it { is_expected.to be_allowed_for group_member(:owner) }
+      it { is_expected.to be_allowed_for group_member(:master) }
+      it { is_expected.to be_allowed_for group_member(:reporter) }
+      it { is_expected.to be_allowed_for group_member(:guest) }
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+
+    context "when user in group project" do
+      it { is_expected.to be_allowed_for project_group_member(:user) }
+      it { is_expected.to be_allowed_for :visitor }
+    end
+  end
+end
diff --git a/spec/features/security/group_access_spec.rb b/spec/features/security/group_access_spec.rb
index 65f8073c693..0194581dfd1 100644
--- a/spec/features/security/group_access_spec.rb
+++ b/spec/features/security/group_access_spec.rb
@@ -43,8 +43,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with mixed projects' do
@@ -55,8 +53,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with internal projects' do
@@ -67,8 +63,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with no projects' do
@@ -77,8 +71,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
   end
 
@@ -93,8 +85,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with mixed projects' do
@@ -105,8 +95,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with internal projects' do
@@ -117,8 +105,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
 
     context 'with no projects' do
@@ -127,8 +113,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
   end
 
@@ -143,8 +127,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with mixed projects' do
@@ -155,8 +137,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with internal projects' do
@@ -167,8 +147,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
 
     context 'with no projects' do
@@ -177,8 +155,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
   end
 
@@ -193,8 +169,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with mixed projects' do
@@ -205,8 +179,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
     end
 
     context 'with internal projects' do
@@ -217,8 +189,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
 
     context 'with no projects' do
@@ -227,8 +197,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_allowed_for group_member(:reporter) }
       it { is_expected.to be_allowed_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
   end
 
@@ -243,8 +211,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_denied_for group_member(:reporter) }
       it { is_expected.to be_denied_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
 
     context 'with mixed projects' do
@@ -255,8 +221,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_denied_for group_member(:reporter) }
       it { is_expected.to be_denied_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
 
     context 'with internal projects' do
@@ -267,8 +231,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_denied_for group_member(:reporter) }
       it { is_expected.to be_denied_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
 
     context 'with no projects' do
@@ -277,8 +239,6 @@ describe 'Group access', feature: true do
       it { is_expected.to be_denied_for group_member(:reporter) }
       it { is_expected.to be_denied_for group_member(:guest) }
       it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
     end
   end
 end
author	Felipe Artur <felipefac@gmail.com>	2016-03-09 13:57:57 -0300
committer	Felipe Artur <felipefac@gmail.com>	2016-03-10 10:38:36 -0300
commit	96fc1d90927624345c7426b28fb3fd135e901e60 (patch)
tree	d3e4fd45a242555f854a99531705c70b245c444a /spec/features/security
parent	c3e70280dffe7ee0859ebd73b902d424ca5f809a (diff)
download	gitlab-ce-96fc1d90927624345c7426b28fb3fd135e901e60.tar.gz