diff --git a/app/policies/repository_policy.rb b/app/policies/repository_policy.rb index 492b0407c..2835f6671 100644 --- a/app/policies/repository_policy.rb +++ b/app/policies/repository_policy.rb @@ -1,7 +1,7 @@ class RepositoryPolicy < ApplicationPolicy def show? - PlatformPolicy.new(user, record.platform).show? + is_admin? || PlatformPolicy.new(user, record.platform).show? end alias_method :projects?, :show? alias_method :projects_list?, :show? @@ -41,11 +41,6 @@ class RepositoryPolicy < ApplicationPolicy end alias_method :remove_project?, :add_project? - def destroy? - return false if record.platform.personal? && record.name == 'main' - is_admin? || owner?(record.platform) || local_admin?(record.platform) - end - def settings? is_admin? || owner?(record.platform) || local_admin?(record.platform) end diff --git a/spec/policies/repository_policy_spec.rb b/spec/policies/repository_policy_spec.rb new file mode 100644 index 000000000..76d7d9c17 --- /dev/null +++ b/spec/policies/repository_policy_spec.rb @@ -0,0 +1,205 @@ +require 'spec_helper' + +RSpec.describe RepositoryPolicy, type: :policy do + let(:repository) { FactoryGirl.build(:repository) } + subject { described_class } + + %i(show? projects? projects_list? read?).each do |perm| + permissions perm do + it "denies access if user can not show a platform" do + allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(false) + expect(subject).to_not permit(User.new, repository) + end + + it "grants access if user can show a platform" do + allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + end + end + + permissions :reader? do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for reader of platform" do + allow_any_instance_of(RepositoryPolicy).to receive(:local_reader?). + with(repository.platform).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + end + + permissions :write? do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for writer of platform" do + allow_any_instance_of(RepositoryPolicy).to receive(:local_writer?). + with(repository.platform).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + end + + %i(update? manage_members? regenerate_metadata? signatures?).each do |perm| + permissions perm do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for admin of platform" do + allow_any_instance_of(RepositoryPolicy).to receive(:local_admin?). + with(repository.platform).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + end + end + + %i(create? destroy?).each do |perm| + permissions perm do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for admin of platform" do + allow_any_instance_of(RepositoryPolicy).to receive(:local_admin?). + with(repository.platform).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + + it "denies access for personal platform and repository with 'main' name" do + repository.platform = FactoryGirl.build(:personal_platform) + repository.name = 'main' + expect(subject).to_not permit(FactoryGirl.build(:admin), repository) + end + end + end + + %i(packages? remove_member? remove_members? add_member? sync_lock_file?).each do |perm| + permissions perm do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for admin of platform" do + allow_any_instance_of(RepositoryPolicy).to receive(:local_admin?). + with(repository.platform).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + + it "denies access for personal platform" do + repository.platform = FactoryGirl.build(:personal_platform) + expect(subject).to_not permit(FactoryGirl.build(:admin), repository) + end + end + end + + %i(add_project? remove_project?).each do |perm| + permissions perm do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for admin of platform" do + allow_any_instance_of(RepositoryPolicy).to receive(:local_admin?). + with(repository.platform).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "grants access for member of repository" do + user = FactoryGirl.build(:user, id: 123) + allow_any_instance_of(RepositoryPolicy).to receive(:repository_user_ids).and_return([123]) + expect(subject).to permit(user, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + end + end + + permissions :settings? do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for admin of platform" do + allow_any_instance_of(RepositoryPolicy).to receive(:local_admin?). + with(repository.platform).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + end + + permissions :key_pair? do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "denies access for to global admin" do + expect(subject).to_not permit(FactoryGirl.build(:admin), repository) + end + + it "grants access to system user" do + expect(subject).to permit(FactoryGirl.build(:user, role: 'system'), repository) + end + end + + %i(add_repo_lock_file? remove_repo_lock_file?).each do |perm| + permissions perm do + it "denies access to user" do + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for admin of platform" do + allow_any_instance_of(RepositoryPolicy).to receive(:local_admin?). + with(repository.platform).and_return(true) + expect(subject).to permit(User.new, repository) + end + + it "denies access for admin of personal platform" do + allow(repository.platform).to receive(:main?).and_return(false) + allow_any_instance_of(RepositoryPolicy).to receive(:local_admin?). + with(repository.platform).and_return(true) + expect(subject).to_not permit(User.new, repository) + end + + it "grants access for to global admin" do + expect(subject).to permit(FactoryGirl.build(:admin), repository) + end + + it "grants access to system user" do + expect(subject).to permit(FactoryGirl.build(:user, role: 'system'), repository) + end + end + end + +end