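# frozen_string_literal: true

require 'spec_helper'

# Instance-wide (non-resource) abilities granted by GlobalPolicy.
#
# Security properties pinned by this spec:
# * Admin-only abilities (custom attributes, approving/rejecting users, project
#   statistics filters, rotating the runner registration token) are granted only
#   while the admin has admin mode enabled (`:enable_admin_mode`); an admin with
#   admin mode disabled is treated like a regular user for those abilities.
# * Accounts that are not in good standing (blocked, blocked pending approval,
#   deactivated, unconfirmed past the grace period, expired password) lose API,
#   git and slash-command access even though the account still exists.
# * Internal bot accounts can never log in interactively; which other channels
#   each bot may use is pinned per ability below.
# * Enforced terms of service gate API and git access for authenticated users
#   until the terms are accepted; anonymous access is unaffected by terms.
#
# Negative expectations use `be_disallowed` throughout so every "must not"
# case reads the same way.
RSpec.describe GlobalPolicy do
  include TermsHelper

  let_it_be(:project_bot) { create(:user, :project_bot) }
  let_it_be(:migration_bot) { create(:user, :migration_bot) }
  let_it_be(:security_bot) { create(:user, :security_bot) }

  let(:current_user) { create(:user) }
  let(:user) { create(:user) }

  subject { described_class.new(current_user, [user]) }

  describe "reading the list of users" do
    context "for a logged in user" do
      it { is_expected.to be_allowed(:read_users_list) }
    end

    # Unauthenticated enumeration of users is only possible when PUBLIC is not a
    # restricted visibility level on the instance.
    context "for an anonymous user" do
      let(:current_user) { nil }

      context "when the public level is restricted" do
        before do
          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
        end

        it { is_expected.to be_disallowed(:read_users_list) }
      end

      context "when the public level is not restricted" do
        before do
          stub_application_setting(restricted_visibility_levels: [])
        end

        it { is_expected.to be_allowed(:read_users_list) }
      end
    end

    # Restricting the public level must not lock admins out of the user list.
    context "for an admin" do
      let(:current_user) { create(:admin) }

      context "when the public level is restricted" do
        before do
          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
        end

        it { is_expected.to be_allowed(:read_users_list) }
      end

      context "when the public level is not restricted" do
        before do
          stub_application_setting(restricted_visibility_levels: [])
        end

        it { is_expected.to be_allowed(:read_users_list) }
      end
    end
  end

  describe "create fork" do
    context "when user has not exceeded project limit" do
      it { is_expected.to be_allowed(:create_fork) }
    end

    context "when user has exceeded project limit" do
      let(:current_user) { create(:user, projects_limit: 0) }

      it { is_expected.to be_disallowed(:create_fork) }
    end

    # A personal project limit of 0 does not block forking into a group the
    # user maintains; the personal namespace limit is not the only target.
    context "when user is a maintainer in a group" do
      let(:group) { create(:group) }
      let(:current_user) { create(:user, projects_limit: 0) }

      before do
        group.add_maintainer(current_user)
      end

      it { is_expected.to be_allowed(:create_fork) }
    end
  end

  describe 'create group' do
    context 'when user has the ability to create group' do
      let(:current_user) { create(:user, can_create_group: true) }

      it { is_expected.to be_allowed(:create_group) }
    end

    context 'when user does not have the ability to create group' do
      let(:current_user) { create(:user, can_create_group: false) }

      it { is_expected.to be_disallowed(:create_group) }
    end
  end

  describe 'create group with default branch protection' do
    context 'when user has the ability to create group' do
      let(:current_user) { create(:user, can_create_group: true) }

      it { is_expected.to be_allowed(:create_group_with_default_branch_protection) }
    end

    context 'when user does not have the ability to create group' do
      let(:current_user) { create(:user, can_create_group: false) }

      it { is_expected.to be_disallowed(:create_group_with_default_branch_protection) }
    end
  end

  describe 'custom attributes' do
    context 'regular user' do
      it { is_expected.to be_disallowed(:read_custom_attribute) }
      it { is_expected.to be_disallowed(:update_custom_attribute) }
    end

    context 'admin' do
      let(:current_user) { create(:user, :admin) }

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:read_custom_attribute) }
        it { is_expected.to be_allowed(:update_custom_attribute) }
      end

      # Being an admin is not enough on its own; admin mode has to be active.
      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:read_custom_attribute) }
        it { is_expected.to be_disallowed(:update_custom_attribute) }
      end
    end
  end

  describe 'approving users' do
    context 'regular user' do
      it { is_expected.to be_disallowed(:approve_user) }
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:approve_user) }
      end

      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:approve_user) }
      end
    end
  end

  describe 'rejecting users' do
    context 'regular user' do
      it { is_expected.to be_disallowed(:reject_user) }
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:reject_user) }
      end

      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:reject_user) }
      end
    end
  end

  describe 'using project statistics filters' do
    context 'regular user' do
      it { is_expected.to be_disallowed(:use_project_statistics_filters) }
    end

    context 'admin' do
      let(:current_user) { create(:user, :admin) }

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:use_project_statistics_filters) }
      end

      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:use_project_statistics_filters) }
      end
    end
  end

  # With terms enforced, `ability` is withheld until `current_user` accepts them.
  shared_examples 'access allowed when terms accepted' do |ability|
    it { is_expected.to be_disallowed(ability) }

    it "allows #{ability} when the user accepted the terms" do
      accept_terms(current_user)

      is_expected.to be_allowed(ability)
    end
  end

  describe 'API access' do
    context 'regular user' do
      it { is_expected.to be_allowed(:access_api) }
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      it { is_expected.to be_allowed(:access_api) }
    end

    # Anonymous callers may reach the API at the global level; what they can
    # actually read is expected to be gated by resource-level policies, not here.
    context 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_allowed(:access_api) }
    end

    context 'project bot' do
      let(:current_user) { project_bot }

      it { is_expected.to be_allowed(:access_api) }
    end

    context 'migration bot' do
      let(:current_user) { migration_bot }

      it { is_expected.to be_disallowed(:access_api) }
    end

    context 'security bot' do
      let(:current_user) { security_bot }

      it { is_expected.to be_disallowed(:access_api) }
    end

    # A fully blocked account must lose API access, matching the notification
    # and slash-command cases for blocked users below.
    context 'blocked user' do
      before do
        current_user.block
      end

      it { is_expected.to be_disallowed(:access_api) }
    end

    context 'user blocked pending approval' do
      before do
        current_user.block_pending_approval
      end

      it { is_expected.to be_disallowed(:access_api) }
    end

    context 'with a deactivated user' do
      before do
        current_user.deactivate!
      end

      it { is_expected.to be_disallowed(:access_api) }
    end

    context 'user with expired password' do
      before do
        current_user.update!(password_expires_at: 2.minutes.ago)
      end

      it { is_expected.to be_disallowed(:access_api) }

      # LDAP-backed accounts are exempt from the expired-password check;
      # presumably because the password lifecycle lives in the directory.
      context 'when user is using ldap' do
        let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }

        it { is_expected.to be_allowed(:access_api) }
      end
    end

    context 'when terms are enforced' do
      before do
        enforce_terms
      end

      context 'regular user' do
        it_behaves_like 'access allowed when terms accepted', :access_api
      end

      context 'admin' do
        let(:current_user) { create(:admin) }

        it_behaves_like 'access allowed when terms accepted', :access_api
      end

      context 'anonymous' do
        let(:current_user) { nil }

        it { is_expected.to be_allowed(:access_api) }
      end
    end

    # An unconfirmed account keeps API access only inside the configured
    # unconfirmed-access grace period (measured from confirmation_sent_at).
    context 'inactive user' do
      before do
        current_user.update!(confirmed_at: nil, confirmation_sent_at: 5.days.ago)
      end

      context 'when within the confirmation grace period' do
        before do
          allow(User).to receive(:allow_unconfirmed_access_for).and_return(10.days)
        end

        it { is_expected.to be_allowed(:access_api) }
      end

      context 'when confirmation grace period is expired' do
        before do
          allow(User).to receive(:allow_unconfirmed_access_for).and_return(2.days)
        end

        it { is_expected.to be_disallowed(:access_api) }
      end
    end
  end

  describe 'receive notifications' do
    describe 'regular user' do
      it { is_expected.to be_allowed(:receive_notifications) }
    end

    describe 'admin' do
      let(:current_user) { create(:admin) }

      it { is_expected.to be_allowed(:receive_notifications) }
    end

    describe 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_disallowed(:receive_notifications) }
    end

    describe 'blocked user' do
      before do
        current_user.block
      end

      it { is_expected.to be_disallowed(:receive_notifications) }
    end

    describe 'deactivated user' do
      before do
        current_user.deactivate
      end

      it { is_expected.to be_disallowed(:receive_notifications) }
    end

    context 'project bot' do
      let(:current_user) { project_bot }

      it { is_expected.to be_disallowed(:receive_notifications) }
    end

    context 'migration bot' do
      let(:current_user) { migration_bot }

      it { is_expected.to be_disallowed(:receive_notifications) }
    end

    context 'user blocked pending approval' do
      before do
        current_user.block_pending_approval
      end

      it { is_expected.to be_disallowed(:receive_notifications) }
    end
  end

  describe 'git access' do
    describe 'regular user' do
      it { is_expected.to be_allowed(:access_git) }
    end

    describe 'admin' do
      let(:current_user) { create(:admin) }

      it { is_expected.to be_allowed(:access_git) }
    end

    # Anonymous git access is allowed globally; repository visibility is
    # expected to be enforced by the project-level policy, not here.
    describe 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_allowed(:access_git) }
    end

    # Unlike the API, git access stays open to the internal bots.
    context 'migration bot' do
      let(:current_user) { migration_bot }

      it { is_expected.to be_allowed(:access_git) }
    end

    context 'security bot' do
      let(:current_user) { security_bot }

      it { is_expected.to be_allowed(:access_git) }
    end

    # A fully blocked account must lose git access, matching the notification
    # and slash-command cases for blocked users.
    describe 'blocked user' do
      before do
        current_user.block
      end

      it { is_expected.to be_disallowed(:access_git) }
    end

    describe 'deactivated user' do
      before do
        current_user.deactivate
      end

      it { is_expected.to be_disallowed(:access_git) }
    end

    # No grace period for git: an unconfirmed account is refused outright.
    describe 'inactive user' do
      before do
        current_user.update!(confirmed_at: nil)
      end

      it { is_expected.to be_disallowed(:access_git) }
    end

    context 'when terms are enforced' do
      before do
        enforce_terms
      end

      context 'regular user' do
        it_behaves_like 'access allowed when terms accepted', :access_git
      end

      context 'admin' do
        let(:current_user) { create(:admin) }

        it_behaves_like 'access allowed when terms accepted', :access_git
      end

      context 'anonymous' do
        let(:current_user) { nil }

        it { is_expected.to be_allowed(:access_git) }
      end
    end

    context 'project bot' do
      let(:current_user) { project_bot }

      it { is_expected.to be_allowed(:access_git) }
    end

    context 'user blocked pending approval' do
      before do
        current_user.block_pending_approval
      end

      it { is_expected.to be_disallowed(:access_git) }
    end

    context 'user with expired password' do
      before do
        current_user.update!(password_expires_at: 2.minutes.ago)
      end

      it { is_expected.to be_disallowed(:access_git) }

      # Same LDAP exemption as for API access.
      context 'when user is using ldap' do
        let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }

        it { is_expected.to be_allowed(:access_git) }
      end
    end
  end

  describe 'read instance metadata' do
    context 'regular user' do
      it { is_expected.to be_allowed(:read_instance_metadata) }
    end

    # Instance metadata (version and similar) is not exposed to anonymous callers.
    context 'anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_disallowed(:read_instance_metadata) }
    end
  end

  describe 'slash commands' do
    context 'regular user' do
      it { is_expected.to be_allowed(:use_slash_commands) }
    end

    # The ghost user is an internal account and may not drive slash commands.
    context 'when internal' do
      let(:current_user) { User.ghost }

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    context 'when blocked' do
      before do
        current_user.block
      end

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    context 'when deactivated' do
      before do
        current_user.deactivate
      end

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    describe 'inactive user' do
      before do
        current_user.update!(confirmed_at: nil)
      end

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    # Devise access lock (e.g. after too many failed logins) also withholds
    # slash commands.
    context 'when access locked' do
      before do
        current_user.lock_access!
      end

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    context 'project bot' do
      let(:current_user) { project_bot }

      it { is_expected.to be_allowed(:use_slash_commands) }
    end

    context 'migration bot' do
      let(:current_user) { migration_bot }

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    context 'user blocked pending approval' do
      before do
        current_user.block_pending_approval
      end

      it { is_expected.to be_disallowed(:use_slash_commands) }
    end

    context 'user with expired password' do
      before do
        current_user.update!(password_expires_at: 2.minutes.ago)
      end

      it { is_expected.to be_disallowed(:use_slash_commands) }

      context 'when user is using ldap' do
        let(:current_user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }

        it { is_expected.to be_allowed(:use_slash_commands) }
      end
    end
  end

  describe 'create_snippet' do
    context 'when anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_disallowed(:create_snippet) }
    end

    context 'regular user' do
      it { is_expected.to be_allowed(:create_snippet) }
    end

    # External users may not create (personal) snippets.
    context 'when external' do
      let(:current_user) { build(:user, :external) }

      it { is_expected.to be_disallowed(:create_snippet) }
    end
  end

  # Interactive login: every internal bot is refused, as is a blocked account.
  describe 'log in' do
    context 'project bot' do
      let(:current_user) { project_bot }

      it { is_expected.to be_disallowed(:log_in) }
    end

    context 'migration bot' do
      let(:current_user) { migration_bot }

      it { is_expected.to be_disallowed(:log_in) }
    end

    context 'security bot' do
      let(:current_user) { security_bot }

      it { is_expected.to be_disallowed(:log_in) }
    end

    context 'blocked user' do
      before do
        current_user.block
      end

      it { is_expected.to be_disallowed(:log_in) }
    end

    context 'user blocked pending approval' do
      before do
        current_user.block_pending_approval
      end

      it { is_expected.to be_disallowed(:log_in) }
    end
  end

  # Rotating the instance runner registration token is admin-mode only:
  # a leaked or rotated token affects every runner registered on the instance.
  describe 'update_runners_registration_token' do
    context 'when anonymous' do
      let(:current_user) { nil }

      it { is_expected.to be_disallowed(:update_runners_registration_token) }
    end

    context 'regular user' do
      it { is_expected.to be_disallowed(:update_runners_registration_token) }
    end

    context 'when external' do
      let(:current_user) { build(:user, :external) }

      it { is_expected.to be_disallowed(:update_runners_registration_token) }
    end

    context 'admin' do
      let(:current_user) { create(:admin) }

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:update_runners_registration_token) }
      end

      context 'when admin mode is disabled' do
        it { is_expected.to be_disallowed(:update_runners_registration_token) }
      end
    end
  end
end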