Commit a350b52c9b621a5f37b27f8ca6cfc424ff573425

Authored by Dmitriy Zaporozhets
1 parent 674efd38

Rewrite project security model tests

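--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -36,6 +36,10 @@ class Project < ActiveRecord::Base
   # Relations
   belongs_to :group, foreign_key: "namespace_id", conditions: "type = 'Group'"
   belongs_to :namespace
+
+  # TODO: replace owner with creator.
+  # With namespaces a project owner will be a namespace owner
+  # so this field makes sense only for global projects
   belongs_to :owner, class_name: "User"
   has_many :users, through: :users_projects
   has_many :events, dependent: :destroy
@@ -296,4 +300,12 @@ class Project < ActiveRecord::Base
   def namespace_owner
     namespace.try(:owner)
   end
+
+  def chief
+    if namespace
+      namespace_owner
+    else
+      owner
+    end
+  end
 end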
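Review bot: `chief` carries no comment although the new security spec relies on it as the user who holds the project's admin-level rights (`@u4 = @p1.chief`); add above it `# The user who administers the project: the namespace owner when the project belongs to a namespace, otherwise the legacy owner column (see TODO on belongs_to :owner).` When `namespace` is present the method delegates to `namespace_owner`, which is `namespace.try(:owner)`, so a namespace without an owner makes `chief` return nil with no fallback to `owner`; say in the comment whether that is intended, since any ability rule that compares a user against `chief` must treat nil as "nobody" rather than letting a nil comparison grant access. The enclosing class continues outside both hunks.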
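--- a/spec/models/project_security_spec.rb
+++ b/spec/models/project_security_spec.rb
@@ -4,38 +4,109 @@ describe Project do
   describe :authorization do
     before do
       @p1 = create(:project)
+
       @u1 = create(:user)
       @u2 = create(:user)
+      @u3 = create(:user)
+      @u4 = @p1.chief
+
       @abilities = Six.new
       @abilities << Ability
     end
 
-    describe "read access" do
+    let(:guest_actions) { Ability.project_guest_rules }
+    let(:report_actions) { Ability.project_report_rules }
+    let(:dev_actions) { Ability.project_dev_rules }
+    let(:master_actions) { Ability.project_master_rules }
+    let(:admin_actions) { Ability.project_admin_rules }
+
+    describe "Non member rules" do
+      it "should deny for non-project users any actions" do
+        admin_actions.each do |action|
+          @abilities.allowed?(@u1, action, @p1).should be_false
+        end
+      end
+    end
+
+    describe "Guest Rules" do
+      before do
+        @p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::GUEST)
+      end
+
+      it "should allow for project user any guest actions" do
+        guest_actions.each do |action|
+          @abilities.allowed?(@u2, action, @p1).should be_true
+        end
+      end
+    end
+
+    describe "Report Rules" do
       before do
         @p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::REPORTER)
       end
 
-      it { @abilities.allowed?(@u1, :read_project, @p1).should be_false }
-      it { @abilities.allowed?(@u2, :read_project, @p1).should be_true }
+      it "should allow for project user any report actions" do
+        report_actions.each do |action|
+          @abilities.allowed?(@u2, action, @p1).should be_true
+        end
+      end
     end
 
-    describe "write access" do
+    describe "Developer Rules" do
+      before do
+        @p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::REPORTER)
+        @p1.users_projects.create(project: @p1, user: @u3, project_access: UsersProject::DEVELOPER)
+      end
+
+      it "should deny for developer master-specific actions" do
+        [dev_actions - report_actions].each do |action|
+          @abilities.allowed?(@u2, action, @p1).should be_false
+        end
+      end
+
+      it "should allow for project user any dev actions" do
+        dev_actions.each do |action|
+          @abilities.allowed?(@u3, action, @p1).should be_true
+        end
+      end
+    end
+
+    describe "Master Rules" do
       before do
         @p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::DEVELOPER)
+        @p1.users_projects.create(project: @p1, user: @u3, project_access: UsersProject::MASTER)
       end
 
-      it { @abilities.allowed?(@u1, :write_project, @p1).should be_false }
-      it { @abilities.allowed?(@u2, :write_project, @p1).should be_true }
+      it "should deny for developer master-specific actions" do
+        [master_actions - dev_actions].each do |action|
+          @abilities.allowed?(@u2, action, @p1).should be_false
+        end
+      end
+
+      it "should allow for project user any master actions" do
+        master_actions.each do |action|
+          @abilities.allowed?(@u3, action, @p1).should be_true
+        end
+      end
     end
 
-    describe "admin access" do
+    describe "Admin Rules" do
       before do
-        @p1.users_projects.create(project: @p1, user: @u1, project_access: UsersProject::DEVELOPER)
-        @p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::MASTER)
+        @p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::DEVELOPER)
+        @p1.users_projects.create(project: @p1, user: @u3, project_access: UsersProject::MASTER)
       end
 
-      it { @abilities.allowed?(@u1, :admin_project, @p1).should be_false }
-      it { @abilities.allowed?(@u2, :admin_project, @p1).should be_true }
+      it "should deny for masters admin-specific actions" do
+        [admin_actions - master_actions].each do |action|
+          @abilities.allowed?(@u2, action, @p1).should be_false
+        end
+      end
+
+      it "should allow for project owner any admin actions" do
+        admin_actions.each do |action|
+          @abilities.allowed?(@u4, action, @p1).should be_true
+        end
+      end
     end
   end
 end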
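Review bot: The three deny tests are vacuous because `[dev_actions - report_actions].each`, `[master_actions - dev_actions].each` and `[admin_actions - master_actions].each` wrap the difference in a one-element array, so each loop runs once with `action` bound to the whole Array instead of a rule symbol, and `allowed?` is never asked about a real dev-, master- or admin-specific action; the negative half of the privilege-escalation check therefore passes regardless of what Ability grants. Use parentheses instead: `(dev_actions - report_actions).each do |action|`, and likewise in the Master Rules and Admin Rules blocks. The first of these also runs against @u2, who is a REPORTER in the Developer Rules block, so its description `"should deny for developer master-specific actions"` would read correctly as `"should deny for reporter dev-specific actions"`. "Non member rules" iterates only admin_actions; a non-member being denied admin actions says nothing about guest, report, dev or master actions, so iterating all five lists there would make that check meaningful — this presumes each `project_*_rules` returns a plain array of symbols, which the spec itself does not show.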