1# frozen_string_literal: true
2
3require 'spec_helper'
4
5RSpec.describe GlobalPolicy do
6  include TermsHelper
7
  # Internal bot accounts are created once for the whole file. No example
  # below mutates them, so sharing them across examples is safe.
  let_it_be(:project_bot) { create(:user, :project_bot) }
  let_it_be(:migration_bot) { create(:user, :migration_bot) }
  let_it_be(:security_bot) { create(:user, :security_bot) }

  # The actor being authorised. Several contexts mutate it (block, deactivate,
  # expire its password), so it must be a per-example `let`, never `let_it_be`.
  let(:current_user) { create(:user) }
  # The record handed to the policy as its subject.
  let(:user) { create(:user) }

  # The policy under test, built lazily so that `before` hooks that change
  # `current_user`'s state run before the policy is evaluated.
  subject(:policy) { described_class.new(current_user, [user]) }
16
  describe "reading the list of users" do
    # The user list is an enumeration surface. Authenticated users always get
    # it; anonymous callers only get it while PUBLIC visibility is not
    # restricted instance-wide, and admins keep it regardless of that setting.
    context "for a logged in user" do
      it { is_expected.to be_allowed(:read_users_list) }
    end

    context "for an anonymous user" do
      let(:current_user) { nil }

      before do
        stub_application_setting(restricted_visibility_levels: restricted_levels)
      end

      context "when the public level is restricted" do
        let(:restricted_levels) { [Gitlab::VisibilityLevel::PUBLIC] }

        it { is_expected.to be_disallowed(:read_users_list) }
      end

      context "when the public level is not restricted" do
        let(:restricted_levels) { [] }

        it { is_expected.to be_allowed(:read_users_list) }
      end
    end

    context "for an admin" do
      let(:current_user) { create(:admin) }

      before do
        stub_application_setting(restricted_visibility_levels: restricted_levels)
      end

      context "when the public level is restricted" do
        let(:restricted_levels) { [Gitlab::VisibilityLevel::PUBLIC] }

        it { is_expected.to be_allowed(:read_users_list) }
      end

      context "when the public level is not restricted" do
        let(:restricted_levels) { [] }

        it { is_expected.to be_allowed(:read_users_list) }
      end
    end
  end
62
  describe "create fork" do
    # Forking is bounded by the user's personal project limit, unless the user
    # has somewhere else to put the fork (here: a group they maintain).
    context "when user has not exceeded project limit" do
      it { is_expected.to be_allowed(:create_fork) }
    end

    context "when user has exceeded project limit" do
      let(:current_user) { create(:user, projects_limit: 0) }

      it { is_expected.to be_disallowed(:create_fork) }

      context "when user is a maintainer in a group" do
        let(:group) { create(:group) }

        before do
          group.add_maintainer(current_user)
        end

        # A zero personal limit no longer blocks the fork once the user can
        # create projects in a group.
        it { is_expected.to be_allowed(:create_fork) }
      end
    end
  end
85
  describe 'create group' do
    # `:create_group` follows the per-user `can_create_group` flag.
    let(:current_user) { create(:user, can_create_group: can_create_group) }

    context 'when user has the ability to create group' do
      let(:can_create_group) { true }

      it { is_expected.to be_allowed(:create_group) }
    end

    context 'when user does not have the ability to create group' do
      let(:can_create_group) { false }

      it { is_expected.to be_disallowed(:create_group) }
    end
  end
99
  describe 'create group with default branch protection' do
    # For a regular user this ability tracks `can_create_group` exactly as
    # `:create_group` does. NOTE(review): no admin or group-owner case is
    # covered here, so any divergence for those actors is untested in this file.
    let(:current_user) { create(:user, can_create_group: can_create_group) }

    context 'when user has the ability to create group' do
      let(:can_create_group) { true }

      it { is_expected.to be_allowed(:create_group_with_default_branch_protection) }
    end

    context 'when user does not have the ability to create group' do
      let(:can_create_group) { false }

      it { is_expected.to be_disallowed(:create_group_with_default_branch_protection) }
    end
  end
113
  describe 'custom attributes' do
    # Custom attributes are admin-only metadata. Being an admin is not
    # enough: the ability is withheld until admin mode is active, so a
    # hijacked admin session without re-authentication cannot use it.
    %i[read_custom_attribute update_custom_attribute].each do |ability|
      context "for #{ability}" do
        context 'regular user' do
          it { is_expected.to be_disallowed(ability) }
        end

        context 'admin' do
          let(:current_user) { create(:user, :admin) }

          context 'when admin mode is enabled', :enable_admin_mode do
            it { is_expected.to be_allowed(ability) }
          end

          context 'when admin mode is disabled' do
            it { is_expected.to be_disallowed(ability) }
          end
        end
      end
    end
  end
134
  describe 'approving users' do
    # Approving a pending sign-up is an admin-mode-gated admin action.
    context 'regular user' do
      it { is_expected.to be_disallowed(:approve_user) }
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:approve_user) }
      end

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:approve_user) }
      end
    end
  end
152
  describe 'rejecting users' do
    # Rejecting a pending sign-up mirrors approval: admin plus admin mode.
    context 'regular user' do
      it { is_expected.to be_disallowed(:reject_user) }
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:reject_user) }
      end

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:reject_user) }
      end
    end
  end
170
  describe 'using project statistics filters' do
    # Instance-wide statistics filters are admin-only and admin-mode gated.
    context 'regular user' do
      it { is_expected.to be_disallowed(:use_project_statistics_filters) }
    end

    context 'admin' do
      let(:current_user) { create(:user, :admin) }

      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:use_project_statistics_filters) }
      end

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:use_project_statistics_filters) }
      end
    end
  end
188
  # With terms enforced, `ability` is withheld from an authenticated actor
  # until they accept the terms; `accept_terms` comes from TermsHelper.
  shared_examples 'access allowed when terms accepted' do |ability|
    context 'before the terms are accepted' do
      it { is_expected.to be_disallowed(ability) }
    end

    context "after the terms are accepted" do
      before do
        accept_terms(current_user)
      end

      it "allows #{ability}" do
        is_expected.to be_allowed(ability)
      end
    end
  end
198
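  describe 'API access' do
    # `:access_api` is an actor-level gate: it decides whether this actor may
    # reach the API at all, not what any endpoint authorises. Anonymous
    # callers pass so public endpoints keep working.
    context 'regular user' do
      it { is_expected.to be_allowed(:access_api) }
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      it { is_expected.to be_allowed(:access_api) }
    end

    context 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_allowed(:access_api) }
    end

    context 'project bot' do
      let(:current_user) { project_bot }

      it { is_expected.to be_allowed(:access_api) }
    end

    # Internal bots other than project bots are kept off the API.
    context 'migration bot' do
      let(:current_user) { migration_bot }

      it { is_expected.not_to be_allowed(:access_api) }
    end

    context 'security bot' do
      let(:current_user) { security_bot }

      it { is_expected.not_to be_allowed(:access_api) }
    end

    # Account-state denials. Every state that keeps a user from signing in
    # must also stop an already-issued token from being used against the API;
    # a blocked account is the most common revocation path and was previously
    # only covered for notifications and slash commands in this file.
    context 'blocked user' do
      before do
        current_user.block
      end

      it { is_expected.not_to be_allowed(:access_api) }
    end

    context 'user blocked pending approval' do
      before do
        current_user.block_pending_approval
      end

      it { is_expected.not_to be_allowed(:access_api) }
    end

    context 'with a deactivated user' do
      before do
        current_user.deactivate!
      end

      it { is_expected.not_to be_allowed(:access_api) }
    end

    context 'user with expired password' do
      before do
        current_user.update!(password_expires_at: 2.minutes.ago)
      end

      it { is_expected.not_to be_allowed(:access_api) }

      # LDAP-backed users are exempt from GitLab's own password expiry,
      # presumably because the directory owns their password lifecycle.
      context 'when user is using ldap' do
        let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }

        it { is_expected.to be_allowed(:access_api) }
      end
    end

    context 'when terms are enforced' do
      before do
        enforce_terms
      end

      context 'regular user' do
        it_behaves_like 'access allowed when terms accepted', :access_api
      end

      context 'admin' do
        let(:current_user) { create(:admin) }

        it_behaves_like 'access allowed when terms accepted', :access_api
      end

      # There is nobody to accept terms on behalf of an anonymous caller, so
      # enforcement does not change the anonymous outcome.
      context 'anonymous' do
        let(:current_user) { nil }

        it { is_expected.to be_allowed(:access_api) }
      end
    end

    # Unconfirmed accounts: access is allowed only inside the configured
    # grace period measured from `confirmation_sent_at` (5 days ago here).
    context 'inactive user' do
      before do
        current_user.update!(confirmed_at: nil, confirmation_sent_at: 5.days.ago)
      end

      context 'when within the confirmation grace period' do
        before do
          allow(User).to receive(:allow_unconfirmed_access_for).and_return(10.days)
        end

        it { is_expected.to be_allowed(:access_api) }
      end

      context 'when confirmation grace period is expired' do
        before do
          allow(User).to receive(:allow_unconfirmed_access_for).and_return(2.days)
        end

        it { is_expected.not_to be_allowed(:access_api) }
      end
    end
  end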
308
  describe 'receive notifications' do
    # Only live, human, authenticated accounts should receive notifications;
    # every bot and every non-active account state is denied.
    # NOTE(review): the security bot is not covered here, unlike the other
    # ability groups in this file.
    context 'when the actor is allowed' do
      context 'regular user' do
        it { is_expected.to be_allowed(:receive_notifications) }
      end

      context 'admin' do
        let(:current_user) { create(:admin) }

        it { is_expected.to be_allowed(:receive_notifications) }
      end
    end

    context 'when the actor is denied' do
      context 'anonymous' do
        let(:current_user) { nil }

        it { is_expected.to be_disallowed(:receive_notifications) }
      end

      context 'project bot' do
        let(:current_user) { project_bot }

        it { is_expected.to be_disallowed(:receive_notifications) }
      end

      context 'migration bot' do
        let(:current_user) { migration_bot }

        it { is_expected.to be_disallowed(:receive_notifications) }
      end

      context 'blocked user' do
        before do
          current_user.block
        end

        it { is_expected.to be_disallowed(:receive_notifications) }
      end

      context 'user blocked pending approval' do
        before do
          current_user.block_pending_approval
        end

        it { is_expected.to be_disallowed(:receive_notifications) }
      end

      context 'deactivated user' do
        before do
          current_user.deactivate
        end

        it { is_expected.to be_disallowed(:receive_notifications) }
      end
    end
  end
362
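  describe 'git access' do
    # `:access_git` is the actor-level gate for the Git transport. Anonymous
    # access passes here; repository visibility is enforced elsewhere.
    describe 'regular user' do
      it { is_expected.to be_allowed(:access_git) }
    end

    describe 'admin' do
      let(:current_user) { create(:admin) }

      it { is_expected.to be_allowed(:access_git) }
    end

    describe 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_allowed(:access_git) }
    end

    # Unlike the API, the migration and security bots do get Git access.
    context 'migration bot' do
      let(:current_user) { migration_bot }

      it { is_expected.to be_allowed(:access_git) }
    end

    context 'security bot' do
      let(:current_user) { security_bot }

      it { is_expected.to be_allowed(:access_git) }
    end

    context 'project bot' do
      let(:current_user) { project_bot }

      it { is_expected.to be_allowed(:access_git) }
    end

    # Account-state denials. Blocking is the usual revocation path for a
    # compromised or departed account and must cut off Git as well as the
    # API; it was previously untested for this ability.
    context 'blocked user' do
      before do
        current_user.block
      end

      it { is_expected.not_to be_allowed(:access_git) }
    end

    context 'user blocked pending approval' do
      before do
        current_user.block_pending_approval
      end

      it { is_expected.not_to be_allowed(:access_git) }
    end

    describe 'deactivated user' do
      before do
        current_user.deactivate
      end

      it { is_expected.not_to be_allowed(:access_git) }
    end

    # Only `confirmed_at` is cleared here, so this relies on the default
    # unconfirmed-access grace period being exceeded (the API access examples
    # pin the grace period explicitly).
    describe 'inactive user' do
      before do
        current_user.update!(confirmed_at: nil)
      end

      it { is_expected.not_to be_allowed(:access_git) }
    end

    context 'user with expired password' do
      before do
        current_user.update!(password_expires_at: 2.minutes.ago)
      end

      it { is_expected.not_to be_allowed(:access_git) }

      # LDAP-backed users are exempt from GitLab's own password expiry,
      # presumably because the directory owns their password lifecycle.
      context 'when user is using ldap' do
        let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }

        it { is_expected.to be_allowed(:access_git) }
      end
    end

    context 'when terms are enforced' do
      before do
        enforce_terms
      end

      context 'regular user' do
        it_behaves_like 'access allowed when terms accepted', :access_git
      end

      context 'admin' do
        let(:current_user) { create(:admin) }

        it_behaves_like 'access allowed when terms accepted', :access_git
      end

      # Anonymous callers cannot accept terms, so enforcement leaves them as is.
      context 'anonymous' do
        let(:current_user) { nil }

        it { is_expected.to be_allowed(:access_git) }
      end
    end
  end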
458
  describe 'read instance metadata' do
    # Instance metadata (version and similar) is withheld from anonymous
    # callers to avoid handing fingerprinting data to unauthenticated scans.
    context 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_disallowed(:read_instance_metadata) }
    end

    context 'regular user' do
      it { is_expected.to be_allowed(:read_instance_metadata) }
    end
  end
470
  describe 'slash commands' do
    # Slash commands (chat integrations) are limited to live human accounts
    # plus project bots; every other account state is denied.
    context 'regular user' do
      it { is_expected.to be_allowed(:use_slash_commands) }
    end

    context 'project bot' do
      let(:current_user) { project_bot }

      it { is_expected.to be_allowed(:use_slash_commands) }
    end

    # `User.ghost` is the internal placeholder account that owns content of
    # deleted users.
    context 'when internal' do
      let(:current_user) { User.ghost }

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    context 'migration bot' do
      let(:current_user) { migration_bot }

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    context 'when the account is not usable' do
      context 'when blocked' do
        before do
          current_user.block
        end

        it { is_expected.to be_disallowed(:use_slash_commands) }
      end

      context 'user blocked pending approval' do
        before do
          current_user.block_pending_approval
        end

        it { is_expected.to be_disallowed(:use_slash_commands) }
      end

      context 'when deactivated' do
        before do
          current_user.deactivate
        end

        it { is_expected.to be_disallowed(:use_slash_commands) }
      end

      describe 'inactive user' do
        before do
          current_user.update!(confirmed_at: nil)
        end

        it { is_expected.to be_disallowed(:use_slash_commands) }
      end

      # Devise lockout after repeated failed sign-ins.
      context 'when access locked' do
        before do
          current_user.lock_access!
        end

        it { is_expected.to be_disallowed(:use_slash_commands) }
      end
    end

    context 'user with expired password' do
      before do
        current_user.update!(password_expires_at: 2.minutes.ago)
      end

      it { is_expected.to be_disallowed(:use_slash_commands) }

      # LDAP-backed users are exempt from GitLab's own password expiry,
      # presumably because the directory owns their password lifecycle.
      context 'when user is using ldap' do
        let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }

        it { is_expected.to be_allowed(:use_slash_commands) }
      end
    end
  end
548
  describe 'create_snippet' do
    # Personal snippets are for regular authenticated users only; anonymous
    # and external (restricted) users may not create them.
    context 'regular user' do
      it { is_expected.to be_allowed(:create_snippet) }
    end

    context 'when anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_disallowed(:create_snippet) }
    end

    # The external user is built, not persisted; the policy only inspects
    # the flag, so an unsaved record is enough here.
    context 'when external' do
      let(:current_user) { build(:user, :external) }

      it { is_expected.to be_disallowed(:create_snippet) }
    end
  end
566
  describe 'log in' do
    # Bot accounts must never be able to sign in interactively; they act only
    # through tokens. NOTE(review): this group has no positive case and no
    # blocked/deactivated case, so it only pins the bot and pending-approval
    # denials.
    context 'for internal bot accounts' do
      context 'project bot' do
        let(:current_user) { project_bot }

        it { is_expected.to be_disallowed(:log_in) }
      end

      context 'migration bot' do
        let(:current_user) { migration_bot }

        it { is_expected.to be_disallowed(:log_in) }
      end

      context 'security bot' do
        let(:current_user) { security_bot }

        it { is_expected.to be_disallowed(:log_in) }
      end
    end

    context 'user blocked pending approval' do
      before do
        current_user.block_pending_approval
      end

      it { is_expected.to be_disallowed(:log_in) }
    end
  end
594
  describe 'update_runners_registration_token' do
    # The instance runner registration token lets whoever holds it attach a
    # runner that will execute CI jobs, so rotating it is reserved for admins
    # acting in admin mode.
    context 'for non-admin actors' do
      context 'when anonymous' do
        let(:current_user) { nil }

        it { is_expected.to be_disallowed(:update_runners_registration_token) }
      end

      context 'regular user' do
        it { is_expected.to be_disallowed(:update_runners_registration_token) }
      end

      context 'when external' do
        let(:current_user) { build(:user, :external) }

        it { is_expected.to be_disallowed(:update_runners_registration_token) }
      end
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:update_runners_registration_token) }
      end

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:update_runners_registration_token) }
      end
    end
  end
624end
625