request #9314: Non aligned behavior between UI and ssh in Git

On a platform that allows restricted users:

* In a project that is "Public incl. restricted"
  With a user group that contains a restricted user
  And this restricted user is not member of the project
  And a repo has read access for the user group
  => restricted user should be able to clone and see the repository in web ui

* In a project that is not "Public incl. restricted"
  With a user group that contains a restricted user
  And this restricted user is not member of the project
  And a repo has read access for the user group
  => restricted user should NOT be able to clone and see the repository in web ui

Regardless of the access controls of the platform:

* In a project that is "Private"
  With a user group that contains a user
  And this user is not member of the project
  And a repo has read access for the user group
  => user should NOT be able to clone and see the repository in web ui

* In a project that is "Public"
  With a user group that contains a user
  And this user is not member of the project
  And a repo has read access for the user group
  => user should be able to clone and see the repository in web ui

* In a project that is "Private" or "Public"
  With a user group that contains a user
  And this user is member of the project
  And a repo has read access for the user group
  => user should be able to clone and see the repository in web ui

Maybe an example will be more explicit.

Given the following setup:

User        | Status
------------+------------
dev         | active
contractor1 | restricted
contractor2 | restricted
user1       | active
user2       | active

Project                | Members
-----------------------+------------------
Public                 | dev, contractor1
Private                | dev, contractor1
Public incl Restricted | dev, contractor1

In each project there is a static user group named 'developers' with following members:
dev, contractor1, contractor2, user2

               PROJECT
            , - ~ ~ ~ - ,
        , '               ' ,
      ,                       ,        DEVELOPERS
    ,     ××××××××××××××××,×××××××××××××××××××
   ,      ×                ,                 ×
   ,      ×  ° dev         ,                 ×
   ,      ×                ,  ° contractor2  ×
   ,      ×  ° contractor1 ,                 ×
    ,     ×               ,   ° user2        ×
      ,   ×××××××××××,×'××××××××××××××××××××××
        ' - , _ _ _ , '
                                    ° user1

Expected results
----------------

The users that are really members of the static ugroup 'developers' are:

In a forge that allows restricted users:

            | Public | Private | Public incl Restricted
------------+--------+---------+------------------------
dev         |   ✓    |    ✓    |   ✓
contractor1 |   ✓    |    ✓    |   ✓
contractor2 |        |         |   ✓
user1       |        |         |
user2       |   ✓    |         |   ✓

In a forge that doesn't allow restricted users (anonymous or regular):

      | Public | Private
------+--------+---------
dev   |   ✓    |    ✓
user1 |        |
user2 |   ✓    |

~~~

Technical notes for REST tests:

* We need libnss to be configured so that we don't get nasty errors while creating users (getuid & co).
* Runner user uses too many file descriptors therefore we increase the limit in /etc/security/limits
* SiteCache now restores ownership only on the realpath and not on the symlink (else it raises an error)
* Phpunit assertions are usually of the form ($expected_value, $actual_value), but sometimes we use (actual, expected) and the reported error is hard to read so there are places in this commit where we invert parameters without functional changes behind.

Change-Id: I9958dcba1d4eed096523031c8220e656f6e40416
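The expected-results tables above, modelled as one decision function that an authorization regression test could be checked against. This is an added example, not the project's code: the function and constant names are hypothetical, and the users, project members and group members are the ones from the commit message's own setup.

```python
from enum import Enum


class Visibility(Enum):
    PUBLIC = "Public"
    PRIVATE = "Private"
    PUBLIC_INCL_RESTRICTED = "Public incl Restricted"


# Setup taken from the commit message's example (names are the message's own).
ALL_USERS = ["dev", "contractor1", "contractor2", "user1", "user2"]
RESTRICTED = {"contractor1", "contractor2"}
PROJECT_MEMBERS = {"dev", "contractor1"}  # identical in all three projects
DEVELOPERS = {"dev", "contractor1", "contractor2", "user2"}  # static ugroup


def is_effective_member(user, visibility, allows_restricted=True):
    """True if `user` really counts as a member of 'developers' in a project
    with this visibility, i.e. may clone and see the repository in the web UI."""
    if user not in DEVELOPERS:
        return False  # never listed in the group
    if user in PROJECT_MEMBERS:
        return True  # project members pass whatever the visibility
    if visibility is Visibility.PRIVATE:
        return False  # group listing alone never opens a private project
    if visibility is Visibility.PUBLIC_INCL_RESTRICTED:
        if not allows_restricted:
            # Combination not described in the commit message: refuse to guess.
            raise ValueError("visibility requires a platform with restricted users")
        return True  # open to restricted non-members as well
    # Plain "Public": non-members pass unless they are restricted users.
    return not (allows_restricted and user in RESTRICTED)


def effective_members(visibility, allows_restricted=True):
    """One column of the expected-results table, in the table's row order."""
    users = ALL_USERS if allows_restricted else [u for u in ALL_USERS if u not in RESTRICTED]
    return [u for u in users if is_effective_member(u, visibility, allows_restricted)]


if __name__ == "__main__":
    for vis in Visibility:
        print(f"{vis.value:<24}", effective_members(vis))
```

The same function has to answer for both the web UI and the SSH path; the misalignment in the request title is what happens when each path evaluates the group listing on its own.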

Modified Files

Name
M plugins/git/tests/rest/GitDataBuilder.php +1 −1
M src/common/dao/UGroupDao.class.php +51 −7
M src/common/include/SiteCache.php +2 −2
M src/common/project/ProjectCreationData.class.php +15 −6
M src/common/user/User.class.php +1 −1
M src/common/xml/resources/project-definition.rnc +1 −1
M src/common/xml/resources/project/project-definition.rng +1 −1
M tests/lib/TestDataBuilder.php +52 −3
M tests/rest/ProjectTest.php +8 −0
M tests/rest/UserGroupTest.php +27 −2
M tests/rest/UsersTest.php +171 −1
M tests/rest/_fixtures/01-private-member/project.xml +9 −0
M tests/rest/_fixtures/01-private-member/user_map.csv +4 −1
M tests/rest/_fixtures/01-private-member/users.xml +25 −4
M tests/rest/_fixtures/02-private/users.xml +1 −1
M tests/rest/_fixtures/04-public-member/project.xml +9 −0
M tests/rest/_fixtures/04-public-member/users.xml +22 −1
M tests/rest/_fixtures/05-pbi/users.xml +1 −1
M tests/rest/_fixtures/06-dragndrop/users.xml +1 −1
M tests/rest/_fixtures/07-computedfield/users.xml +1 −1
A tests/rest/_fixtures/08-public-including-restricted/project.xml +23 −0
A tests/rest/_fixtures/08-public-including-restricted/user_map.csv +1 −0
A tests/rest/_fixtures/08-public-including-restricted/users.xml +31 −0
M tests/rest/bin/run.sh +1 −0
M tests/rest/bin/setup.sh +54 −0