Add new ability check for stopping environment

6baaa8a9 · Grzegorz Bizon · 52bfc0ef · 6baaa8a9 · 6baaa8a9 · 6baaa8a9
Commit 6baaa8a9 authored 7 years ago by Grzegorz Bizon
--- a/app/policies/environment_policy.rb
+++ b/app/policies/environment_policy.rb
 class EnvironmentPolicy < BasePolicy
+  alias_method :environment, :subject
  def rules
-    delegate! @subject.project
+    delegate! environment.project
+    if environment.stop_action?
+      delegate! environment.stop_action
+    end
+    if can?(:create_deployment) && can?(:play_build)
+      can! :stop_environment
+    end
  end
 end
--- a/app/services/ci/stop_environments_service.rb
+++ b/app/services/ci/stop_environments_service.rb
@@ -5,12 +5,11 @@ module Ci
    def execute(branch_name)
      @ref = branch_name
-      return unless has_ref?
+      return unless @ref.present?
-      return unless can?(current_user, :create_deployment, project)
      environments.each do |environment|
        next unless environment.stop_action?
-        next unless can?(current_user, :play_build, environment.stop_action)
+        next unless can?(current_user, :stop_environment, environment)
        environment.stop_with_action!(current_user)
      end
@@ -18,10 +17,6 @@ module Ci
    private
-    def has_ref?
-      @ref.present?
-    end
    def environments
      @environments ||= EnvironmentsFinder
        .new(project, current_user, ref: @ref, recently_updated: true)

--- a/spec/policies/environment_policy_spec.rb
+++ b/spec/policies/environment_policy_spec.rb
+require 'spec_helper'
+describe Ci::EnvironmentPolicy do
+  let(:user) { create(:user) }
+  let(:project) { create(:project) }
+  let(:environment) do
+    create(:environment, :with_review_app, project: project)
+  end
+  let(:policies) do
+    described_class.abilities(user, environment).to_set
+  end
+  describe '#rules' do
+    context 'when user does not have access to the project' do
+      let(:project) { create(:project, :private) }
+      it 'does not include ability to stop environment' do
+        expect(policies).not_to include :stop_environment
+      end
+    end
+    context 'when anonymous user has access to the project' do
+      let(:project) { create(:project, :public) }
+      it 'does not include ability to stop environment' do
+        expect(policies).not_to include :stop_environment
+      end
+    end
+    context 'when team member has access to the project' do
+      let(:project) { create(:project, :public) }
+      before do
+        project.add_master(user)
+      end
+      context 'when team member has ability to stop environment' do
+        it 'does includes ability to stop environment' do
+          expect(policies).to include :stop_environment
+        end
+      end
+      context 'when team member has no ability to stop environment' do
+        before do
+          create(:protected_branch, :no_one_can_push,
+                 name: 'master', project: project)
+        end
+        it 'does not include ability to stop environment' do
+          expect(policies).not_to include :stop_environment
+        end
+      end
+    end
+  end
+end