From ae5aa1100c7e11fa5109b6fb79247d2884aaaffe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francisco=20Javier=20L=C3=B3pez?=
Date: Tue, 10 Sep 2019 13:30:03 +0200
Subject: Added rule to prevent external users from creating project snippet
---
 app/policies/project_snippet_policy.rb | 1 +
 spec/policies/personal_snippet_policy_spec.rb | 14 ++++++++++++++
 spec/policies/project_snippet_policy_spec.rb | 3 +++
 3 files changed, 18 insertions(+)
diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb
index e5e005cee6d..03af719e750 100644
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -45,4 +45,5 @@ class ProjectSnippetPolicy < BasePolicy
 end
 rule { ~can?(:read_project_snippet) }.prevent :create_note
+ rule { external_user }.prevent :create_project_snippet
 end
diff --git a/spec/policies/personal_snippet_policy_spec.rb b/spec/policies/personal_snippet_policy_spec.rb
index 097000ceb6a..8fcedef64c3 100644
--- a/spec/policies/personal_snippet_policy_spec.rb
+++ b/spec/policies/personal_snippet_policy_spec.rb
@@ -43,6 +43,18 @@ describe PersonalSnippetPolicy do
 end
 end
+ context 'external user' do
+ subject { permissions(external_user) }
+
+ it do
+ is_expected.to be_allowed(:read_personal_snippet)
+ is_expected.to be_disallowed(:create_personal_snippet)
+ is_expected.to be_allowed(:create_note)
+ is_expected.to be_allowed(:award_emoji)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
+
+ context 'author' do
 subject { permissions(snippet.author) }
@@ -85,6 +97,7 @@ describe PersonalSnippetPolicy do
 it do
 is_expected.to be_disallowed(:read_personal_snippet)
+ is_expected.to be_disallowed(:create_personal_snippet)
 is_expected.to be_disallowed(:create_note)
 is_expected.to be_disallowed(:award_emoji)
 is_expected.to be_disallowed(*author_permissions)
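Review bot: In app/policies/project_snippet_policy.rb the added `rule { external_user }.prevent :create_project_snippet` only has an effect where `:create_project_snippet` is evaluated against a snippet, and nothing in this commit shows that the creation path does so. If the controller or service authorizes creation against the project, this policy is never consulted and the restriction is not enforced there; the call site should be confirmed and covered by a request- or service-level spec. The rule is also unconditional, so if `external_user` is also true for external accounts that were explicitly added to the project, `prevent` overrides their role-based grant; a comment such as `# External users may never create project snippets, even as project members.` above the rule would record that this is intended. The class body starts outside the hunk.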
@@ -144,6 +157,7 @@ describe PersonalSnippetPolicy do
 it do
 is_expected.to be_disallowed(:read_personal_snippet)
+ is_expected.to be_disallowed(:create_personal_snippet)
 is_expected.to be_disallowed(:create_note)
 is_expected.to be_disallowed(:award_emoji)
 is_expected.to be_disallowed(*author_permissions)
diff --git a/spec/policies/project_snippet_policy_spec.rb b/spec/policies/project_snippet_policy_spec.rb
index 2e9ef1e89fd..fab654223f8 100644
--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
@@ -41,6 +41,7 @@ describe ProjectSnippetPolicy do
 it do
 expect_allowed(:read_project_snippet, :create_note)
+ expect_disallowed(:create_project_snippet)
 expect_disallowed(*author_permissions)
 end
 end
@@ -72,6 +73,7 @@ describe ProjectSnippetPolicy do
 it do
 expect_disallowed(:read_project_snippet, :create_note)
+ expect_disallowed(:create_project_snippet)
 expect_disallowed(*author_permissions)
 end
@@ -139,6 +141,7 @@ describe ProjectSnippetPolicy do
 it do
 expect_allowed(:read_project_snippet, :create_note)
+ expect_disallowed(:create_project_snippet)
 expect_disallowed(*author_permissions)
 end
 end
-- 
cgit v1.2.1
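Review bot: The three `expect_disallowed(:create_project_snippet)` lines added to spec/policies/project_snippet_policy_spec.rb (hunks at -41, -72 and -139) only cover the negative case, so a `prevent` that is broader than intended would still pass. None of the visible hunks asserts `expect_allowed(:create_project_snippet)` for a non-external project member, and the context headers that say which user each `it` exercises are outside the hunks. If the ability is expected to be granted to regular members through this policy, I would add one positive expectation for such a member. A separate context for an external user who is a project member would show which outcome the policy is meant to give.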