gitlabhq/spec/features/security/project_access_spec.rb

require 'spec_helper'

describe "Application access" do
  describe "GET /" do
    it { root_path.should be_allowed_for :admin }
    it { root_path.should be_allowed_for :user }
    it { root_path.should be_denied_for :visitor }
  end

  describe "GET /projects/new" do
    it { new_project_path.should be_allowed_for :admin }
    it { new_project_path.should be_allowed_for :user }
    it { new_project_path.should be_denied_for :visitor }
  end

  describe "Project" do
    let(:project)  { create(:project) }

    let(:master)   { create(:user) }
    let(:guest)    { create(:user) }
    let(:reporter) { create(:user) }

    before do
      # full access
      project.team << [master, :master]

      # readonly
      project.team << [reporter, :reporter]
    end

    describe "GET /project_code" do
      subject { project_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/tree/master" do
      subject { project_tree_path(project, project.repository.root_ref) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/commits/master" do
      subject { project_commits_path(project, project.repository.root_ref, limit: 1) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/commit/:sha" do
      subject { project_commit_path(project, project.repository.commit) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/compare" do
      subject { project_compare_index_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/team" do
      subject { project_team_index_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/wall" do
      subject { project_wall_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/blob" do
      before do
        commit = project.repository.commit
        path = commit.tree.contents.select { |i| i.is_a?(Grit::Blob)}.first.name
        @blob_path = project_blob_path(project, File.join(commit.id, path))
      end

      it { @blob_path.should be_allowed_for master }
      it { @blob_path.should be_allowed_for reporter }
      it { @blob_path.should be_denied_for :admin }
      it { @blob_path.should be_denied_for guest }
      it { @blob_path.should be_denied_for :user }
      it { @blob_path.should be_denied_for :visitor }
    end

    describe "GET /project_code/edit" do
      subject { edit_project_path(project) }

      it { should be_allowed_for master }
      it { should be_denied_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/deploy_keys" do
      subject { project_deploy_keys_path(project) }

      it { should be_allowed_for master }
      it { should be_denied_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/issues" do
      subject { project_issues_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/snippets" do
      subject { project_snippets_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/merge_requests" do
      subject { project_merge_requests_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/repository" do
      subject { project_repository_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/repository/branches" do
      subject { branches_project_repository_path(project) }

      before do
        # Speed increase
        Project.any_instance.stub(:branches).and_return([])
      end

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/repository/tags" do
      subject { tags_project_repository_path(project) }

      before do
        # Speed increase
        Project.any_instance.stub(:tags).and_return([])
      end

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end

    describe "GET /project_code/hooks" do
      subject { project_hooks_path(project) }

      it { should be_allowed_for master }
      it { should be_allowed_for reporter }
      it { should be_denied_for :admin }
      it { should be_denied_for guest }
      it { should be_denied_for :user }
      it { should be_denied_for :visitor }
    end
  end
end
init commit 2011-10-08 23:36:38 +02:00			`require 'spec_helper'`

Milestones cucumber. Renamed app security test 2012-08-03 18:39:54 +02:00			`describe "Application access" do`
Dashboard refactoring: * dashboard should be in dashboard controller not project index * projects index removed 2012-06-12 22:13:42 +02:00			`describe "GET /" do`
			`it { root_path.should be_allowed_for :admin }`
			`it { root_path.should be_allowed_for :user }`
			`it { root_path.should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`describe "GET /projects/new" do`
Dashboard refactoring: * dashboard should be in dashboard controller not project index * projects index removed 2012-06-12 22:13:42 +02:00			`it { new_project_path.should be_allowed_for :admin }`
			`it { new_project_path.should be_allowed_for :user }`
			`it { new_project_path.should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

			`describe "Project" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`let(:project) { create(:project) }`

			`let(:master) { create(:user) }`
			`let(:guest) { create(:user) }`
			`let(:reporter) { create(:user) }`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`before do`
init commit 2011-10-08 23:36:38 +02:00			`# full access`
Fix some tests. Use travis-ci 1.9.2 2013-01-04 23:43:32 +01:00			`project.team << [master, :master]`
Clean up project access spec 2012-09-26 19:22:30 +02:00
init commit 2011-10-08 23:36:38 +02:00			`# readonly`
Fix some tests. Use travis-ci 1.9.2 2013-01-04 23:43:32 +01:00			`project.team << [reporter, :reporter]`
init commit 2011-10-08 23:36:38 +02:00			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`describe "GET /project_code" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { project_path(project) }`

			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
			`it { should be_denied_for :admin }`
			`it { should be_denied_for guest }`
			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
			`end`

			`describe "GET /project_code/tree/master" do`
Fix security spec 2013-01-04 23:49:43 +01:00			`subject { project_tree_path(project, project.repository.root_ref) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

Clean up project access spec 2012-09-26 19:22:30 +02:00			`describe "GET /project_code/commits/master" do`
Fix security spec 2013-01-04 23:49:43 +01:00			`subject { project_commits_path(project, project.repository.root_ref, limit: 1) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

Clean up project access spec 2012-09-26 19:22:30 +02:00			`describe "GET /project_code/commit/:sha" do`
Fix some tests. Use travis-ci 1.9.2 2013-01-04 23:43:32 +01:00			`subject { project_commit_path(project, project.repository.commit) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

Clean up project access spec 2012-09-26 19:22:30 +02:00			`describe "GET /project_code/compare" do`
			`subject { project_compare_index_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`describe "GET /project_code/team" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { project_team_index_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`describe "GET /project_code/wall" do`
fix tests. added jquery.timeago.js 2013-03-19 13:39:32 +01:00			`subject { project_wall_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`describe "GET /project_code/blob" do`
			`before do`
Fix some tests. Use travis-ci 1.9.2 2013-01-04 23:43:32 +01:00			`commit = project.repository.commit`
Clean up request specs 2012-08-25 19:43:55 +02:00			`path = commit.tree.contents.select { \|i\| i.is_a?(Grit::Blob)}.first.name`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`@blob_path = project_blob_path(project, File.join(commit.id, path))`
security improved 2011-10-17 12:39:03 +02:00			`end`

Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { @blob_path.should be_allowed_for master }`
			`it { @blob_path.should be_allowed_for reporter }`
security improved 2011-10-17 12:39:03 +02:00			`it { @blob_path.should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { @blob_path.should be_denied_for guest }`
security improved 2011-10-17 12:39:03 +02:00			`it { @blob_path.should be_denied_for :user }`
			`it { @blob_path.should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`describe "GET /project_code/edit" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { edit_project_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_denied_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`

Specs for deploy_keys 2011-12-29 23:33:26 +01:00			`describe "GET /project_code/deploy_keys" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { project_deploy_keys_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_denied_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
Specs for deploy_keys 2011-12-29 23:33:26 +01:00			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`describe "GET /project_code/issues" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { project_issues_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
init commit 2011-10-08 23:36:38 +02:00			`end`
snippets are ready 2011-10-16 23:07:10 +02:00
clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 15:46:25 +02:00			`describe "GET /project_code/snippets" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { project_snippets_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
snippets are ready 2011-10-16 23:07:10 +02:00			`end`
tests for merge request index/show 2011-11-28 19:42:32 +01:00
			`describe "GET /project_code/merge_requests" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { project_merge_requests_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
tests for merge request index/show 2011-11-28 19:42:32 +01:00			`end`
projects link added. security specs added 2012-01-19 08:27:23 +01:00
			`describe "GET /project_code/repository" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { project_repository_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
projects link added. security specs added 2012-01-19 08:27:23 +01:00			`end`

			`describe "GET /project_code/repository/branches" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { branches_project_repository_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Speed up request specs a bit 2012-09-26 19:43:42 +02:00			`before do`
			`# Speed increase`
			`Project.any_instance.stub(:branches).and_return([])`
			`end`

Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
projects link added. security specs added 2012-01-19 08:27:23 +01:00			`end`

			`describe "GET /project_code/repository/tags" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { tags_project_repository_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Speed up request specs a bit 2012-09-26 19:43:42 +02:00			`before do`
			`# Speed increase`
			`Project.any_instance.stub(:tags).and_return([])`
			`end`

Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
projects link added. security specs added 2012-01-19 08:27:23 +01:00			`end`

			`describe "GET /project_code/hooks" do`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`subject { project_hooks_path(project) }`
Clean up request specs 2012-08-25 19:43:55 +02:00
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_allowed_for master }`
			`it { should be_allowed_for reporter }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :admin }`
Clean up project access spec 2012-09-26 19:22:30 +02:00			`it { should be_denied_for guest }`
Clean up request specs 2012-08-25 19:43:55 +02:00			`it { should be_denied_for :user }`
			`it { should be_denied_for :visitor }`
projects link added. security specs added 2012-01-19 08:27:23 +01:00			`end`
init commit 2011-10-08 23:36:38 +02:00			`end`
			`end`