Ensures audit events are visible to auditor

Changelog: fixed
EE: true

ee/app/controllers/projects/audit_events_controller.rb

@@ -43,6 +43,8 @@ class Projects::AuditEventsController < Projects::ApplicationController
   end
 
   def filter_by_author(params)
-    can?(current_user, :admin_project, project) ? params : params.merge(author_id: current_user.id)
+    return params if can?(current_user, :admin_project, project) || current_user.auditor?
+
+    params.merge(author_id: current_user.id)
   end
 end

ee/app/policies/ee/project_policy.rb

@@ -276,6 +276,7 @@ module EE
         enable :read_environment
         enable :read_deployment
         enable :read_pages
+        enable :read_project_audit_events
       end
 
       rule { ~security_and_compliance_disabled & auditor }.policy do

ee/spec/controllers/projects/audit_events_controller_spec.rb

@@ -7,6 +7,7 @@ RSpec.describe Projects::AuditEventsController do
 
   let_it_be(:user) { create(:user) }
   let_it_be(:maintainer) { create(:user) }
+  let_it_be(:auditor) { create(:user, auditor: true) }
   let_it_be(:project) { create(:project, :private) }
   let_it_be(:events) { create_list(:project_audit_event, 5, entity_id: project.id) }
 
@@ -19,13 +20,7 @@ RSpec.describe Projects::AuditEventsController do
       get :index, params: { project_id: project.to_param, namespace_id: project.namespace.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id }
     end
 
-    context 'authorized' do
-      before do
-        project.add_maintainer(maintainer)
-        sign_in(maintainer)
-      end
-
-      context 'when audit_events feature is available' do
+    shared_context 'when audit_events feature is available' do
       let(:level) { Gitlab::Audit::Levels::Project.new(project: project) }
       let(:audit_logs_params) { ActionController::Parameters.new(sort: '', entity_type: '', entity_id: '', created_after: Date.current.beginning_of_month, created_before: Date.current.end_of_day).permit! }
 
@@ -133,7 +128,7 @@ RSpec.describe Projects::AuditEventsController do
       end
     end
 
-      context 'pagination' do
+    shared_examples 'pagination' do
       it 'sets instance variables' do
         request
 
@@ -150,7 +145,7 @@ RSpec.describe Projects::AuditEventsController do
       end
     end
 
-      context 'when audit_events feature is not available' do
+    shared_context 'when audit_events feature is not available' do
       before do
         stub_licensed_features(audit_events: false)
       end
@@ -162,6 +157,42 @@ RSpec.describe Projects::AuditEventsController do
       end
     end
 
+    context 'when authorized as auditor' do
+      before do
+        sign_in(auditor)
+      end
+
+      it_behaves_like 'when audit_events feature is available'
+
+      it_behaves_like 'pagination'
+
+      it_behaves_like 'when audit_events feature is not available'
+
+      it 'tracks search event', :snowplow do
+        request
+
+        expect_snowplow_event(
+          category: 'Projects::AuditEventsController',
+          action: 'search_audit_event',
+          project: project,
+          user: auditor,
+          namespace: project.namespace
+        )
+      end
+    end
+
+    context 'when authorized as maintainer' do
+      before do
+        project.add_maintainer(maintainer)
+        sign_in(maintainer)
+      end
+
+      it_behaves_like 'when audit_events feature is available'
+
+      it_behaves_like 'pagination'
+
+      it_behaves_like 'when audit_events feature is not available'
+
       it 'tracks search event', :snowplow do
         request
 

ee/spec/policies/project_policy_spec.rb

@@ -47,6 +47,7 @@ RSpec.describe ProjectPolicy do
         read_software_license_policy
         read_threat_monitoring read_merge_train
         read_release
+        read_project_audit_events
       ]
     end