Commit a350b52c9b621a5f37b27f8ca6cfc424ff573425

Authored by Dmitriy Zaporozhets
1 parent 674efd38

Rewrite project security model tests

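--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -36,6 +36,10 @@ class Project < ActiveRecord::Base
 # Relations
 belongs_to :group, foreign_key: "namespace_id", conditions: "type = 'Group'"
 belongs_to :namespace
+
+# TODO: replace owner with creator.
+# With namespaces a project owner will be a namespace owner
+# so this field makes sense only for global projects
 belongs_to :owner, class_name: "User"
 has_many :users, through: :users_projects
 has_many :events, dependent: :destroy
@@ -296,4 +300,12 @@ class Project < ActiveRecord::Base
 def namespace_owner
 namespace.try(:owner)
 end
+
+def chief
+if namespace
+namespace_owner
+else
+owner
+end
+end
 end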
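Review bot: `chief` can return nil when a namespace is present but `namespace.try(:owner)` yields nothing, because the `else` branch only covers the no-namespace case; any authorization check that identifies the project's administrator by comparing a user against `chief` should treat a nil result as "no chief" rather than letting it match anything. That contract deserves a comment above the method, e.g. `# Owner of the namespace for namespaced projects, otherwise the project owner; may be nil.`, and an explicit decision on whether `namespace_owner || owner` (falling back to the record owner) is the intended semantics, since that would be a behaviour change from what is written here. The TODO added above `belongs_to :owner` describes the same transition and could name `chief` as the accessor callers should use in the meantime.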
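--- a/spec/models/project_security_spec.rb
+++ b/spec/models/project_security_spec.rb
@@ -4,38 +4,109 @@ describe Project do
 describe :authorization do
 before do
 @p1 = create(:project)
+
 @u1 = create(:user)
 @u2 = create(:user)
+@u3 = create(:user)
+@u4 = @p1.chief
+
 @abilities = Six.new
 @abilities << Ability
 end
 
-describe "read access" do
+let(:guest_actions) { Ability.project_guest_rules }
+let(:report_actions) { Ability.project_report_rules }
+let(:dev_actions) { Ability.project_dev_rules }
+let(:master_actions) { Ability.project_master_rules }
+let(:admin_actions) { Ability.project_admin_rules }
+
+describe "Non member rules" do
+it "should deny for non-project users any actions" do
+admin_actions.each do |action|
+@abilities.allowed?(@u1, action, @p1).should be_false
+end
+end
+end
+
+describe "Guest Rules" do
+before do
+@p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::GUEST)
+end
+
+it "should allow for project user any guest actions" do
+guest_actions.each do |action|
+@abilities.allowed?(@u2, action, @p1).should be_true
+end
+end
+end
+
+describe "Report Rules" do
 before do
 @p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::REPORTER)
 end
 
-it { @abilities.allowed?(@u1, :read_project, @p1).should be_false }
-it { @abilities.allowed?(@u2, :read_project, @p1).should be_true }
+it "should allow for project user any report actions" do
+report_actions.each do |action|
+@abilities.allowed?(@u2, action, @p1).should be_true
+end
+end
 end
 
-describe "write access" do
+describe "Developer Rules" do
+before do
+@p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::REPORTER)
+@p1.users_projects.create(project: @p1, user: @u3, project_access: UsersProject::DEVELOPER)
+end
+
+it "should deny for developer master-specific actions" do
+[dev_actions - report_actions].each do |action|
+@abilities.allowed?(@u2, action, @p1).should be_false
+end
+end
+
+it "should allow for project user any dev actions" do
+dev_actions.each do |action|
+@abilities.allowed?(@u3, action, @p1).should be_true
+end
+end
+end
+
+describe "Master Rules" do
 before do
 @p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::DEVELOPER)
+@p1.users_projects.create(project: @p1, user: @u3, project_access: UsersProject::MASTER)
 end
 
-it { @abilities.allowed?(@u1, :write_project, @p1).should be_false }
-it { @abilities.allowed?(@u2, :write_project, @p1).should be_true }
+it "should deny for developer master-specific actions" do
+[master_actions - dev_actions].each do |action|
+@abilities.allowed?(@u2, action, @p1).should be_false
+end
+end
+
+it "should allow for project user any master actions" do
+master_actions.each do |action|
+@abilities.allowed?(@u3, action, @p1).should be_true
+end
+end
 end
 
-describe "admin access" do
+describe "Admin Rules" do
 before do
-@p1.users_projects.create(project: @p1, user: @u1, project_access: UsersProject::DEVELOPER)
-@p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::MASTER)
+@p1.users_projects.create(project: @p1, user: @u2, project_access: UsersProject::DEVELOPER)
+@p1.users_projects.create(project: @p1, user: @u3, project_access: UsersProject::MASTER)
 end
 
-it { @abilities.allowed?(@u1, :admin_project, @p1).should be_false }
-it { @abilities.allowed?(@u2, :admin_project, @p1).should be_true }
+it "should deny for masters admin-specific actions" do
+[admin_actions - master_actions].each do |action|
+@abilities.allowed?(@u2, action, @p1).should be_false
+end
+end
+
+it "should allow for project owner any admin actions" do
+admin_actions.each do |action|
+@abilities.allowed?(@u4, action, @p1).should be_true
+end
+end
 end
 end
 end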
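Review bot: The three negative checks wrap the set difference in array literal brackets — `[dev_actions - report_actions].each do |action|` at new line 62, and likewise `[master_actions - dev_actions]` at line 81 and `[admin_actions - master_actions]` at line 100 — so each block iterates exactly once with `action` bound to the whole difference array instead of to each permission symbol, and the `be_false` assertion never exercises an individual action (whether it passes at all then depends on how `Ability`/Six treats a non-symbol action, which is outside this diff). Replace the brackets with parentheses, `(dev_actions - report_actions).each do |action|`, in all three places so these deny tests can actually fail when a lower role is granted a higher role's action. In "Admin Rules" the deny test is described as being for masters but asserts against `@u2`, who is created as DEVELOPER, while `@u3` is the MASTER, so the assertion should read `@abilities.allowed?(@u3, action, @p1).should be_false`. The description at new line 61 ("should deny for developer master-specific actions") likewise does not match its subject, a REPORTER checked against developer-only actions, and should say so.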