1# frozen_string_literal: true 2 3require 'spec_helper' 4 5RSpec.describe BasePolicy do 6 include ExternalAuthorizationServiceHelpers 7 include AdminModeHelper 8 9 describe '.class_for' do 10 it 'detects policy class based on the subject ancestors' do 11 expect(DeclarativePolicy.class_for(GenericCommitStatus.new)).to eq(CommitStatusPolicy) 12 end 13 14 it 'detects policy class for a presented subject' do 15 presentee = Ci::BuildPresenter.new(Ci::Build.new) 16 17 expect(DeclarativePolicy.class_for(presentee)).to eq(Ci::BuildPolicy) 18 end 19 20 it 'uses GlobalPolicy when :global is given' do 21 expect(DeclarativePolicy.class_for(:global)).to eq(GlobalPolicy) 22 end 23 end 24 25 shared_examples 'admin only access' do |ability| 26 def policy 27 # method, because we want a fresh cache each time. 28 described_class.new(current_user, nil) 29 end 30 31 let(:current_user) { build_stubbed(:user) } 32 33 subject { policy } 34 35 it { is_expected.not_to be_allowed(ability) } 36 37 context 'with an admin' do 38 let(:current_user) { build_stubbed(:admin) } 39 40 it 'allowed when in admin mode' do 41 enable_admin_mode!(current_user) 42 43 is_expected.to be_allowed(ability) 44 end 45 46 it 'prevented when not in admin mode' do 47 is_expected.not_to be_allowed(ability) 48 end 49 end 50 51 context 'with anonymous' do 52 let(:current_user) { nil } 53 54 it { is_expected.not_to be_allowed(ability) } 55 end 56 57 describe 'bypassing the session for sessionless login', :request_store do 58 let(:current_user) { build_stubbed(:admin) } 59 60 it 'changes from prevented to allowed' do 61 expect { Gitlab::Auth::CurrentUserMode.bypass_session!(current_user.id) } 62 .to change { policy.allowed?(ability) }.from(false).to(true) 63 end 64 end 65 end 66 67 describe 'read cross project' do 68 let(:current_user) { build_stubbed(:user) } 69 let(:user) { build_stubbed(:user) } 70 71 subject { described_class.new(current_user, [user]) } 72 73 it { is_expected.to be_allowed(:read_cross_project) } 74 75 context 'for anonymous' do 76 let(:current_user) { nil } 77 78 it { is_expected.to be_allowed(:read_cross_project) } 79 end 80 81 context 'when an external authorization service is enabled' do 82 before do 83 enable_external_authorization_service_check 84 end 85 86 it_behaves_like 'admin only access', :read_cross_project 87 end 88 end 89 90 describe 'full private access: read_all_resources' do 91 it_behaves_like 'admin only access', :read_all_resources 92 end 93 94 describe 'full private access: admin_all_resources' do 95 it_behaves_like 'admin only access', :admin_all_resources 96 end 97 98 describe 'change_repository_storage' do 99 it_behaves_like 'admin only access', :change_repository_storage 100 end 101end 102