Allow admins/auditors to read private personal snippets

2019-01-24 12:44:46 +00:00 · 2019-01-24 12:44:46 +00:00 · 40900669b3
parent 16ab0050f6
commit 40900669b3
4 changed files with 19 additions and 4 deletions
--- a/app/policies/personal_snippet_policy.rb
+++ b/app/policies/personal_snippet_policy.rb
@ -29,4 +29,6 @@ class PersonalSnippetPolicy < BasePolicy
  rule { anonymous }.prevent :comment_personal_snippet
  rule { can?(:comment_personal_snippet) }.enable :award_emoji
  rule { full_private_access }.enable :read_personal_snippet
 end
--- a/changelogs/unreleased/51754-admin-view-private-personal-snippets.yml
+++ b/changelogs/unreleased/51754-admin-view-private-personal-snippets.yml
@ -0,0 +1,5 @@
 ---
 title: Allow users with full private access to read private personal snippets.
 merge_request: 24560
 author:
 type: fixed
--- a/spec/models/event_spec.rb
+++ b/spec/models/event_spec.rb
@ -399,10 +399,7 @@ describe Event do
          expect(event.visible_to_user?(nil)).to be_falsy
          expect(event.visible_to_user?(non_member)).to be_falsy
          expect(event.visible_to_user?(author)).to be_truthy
-
+          expect(event.visible_to_user?(admin)).to be_truthy
          # It is very unexpected that a private personal snippet is not visible
          # to an instance administrator. This should be fixed in the future.
          expect(event.visible_to_user?(admin)).to be_falsy
        end
      end
    end
--- a/spec/policies/personal_snippet_policy_spec.rb
+++ b/spec/policies/personal_snippet_policy_spec.rb
@ -128,6 +128,17 @@ describe PersonalSnippetPolicy do
      end
    end
    context 'admin user' do
      subject { permissions(admin_user) }
      it do
        is_expected.to be_allowed(:read_personal_snippet)
        is_expected.to be_disallowed(:comment_personal_snippet)
        is_expected.to be_disallowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
    end
    context 'external user' do
      subject { permissions(external_user) }