Conditionally display deploy tokens for packages

Only display the settings for the packages scope when the packages
features is enabled in the group or project.

app/helpers/deploy_tokens_helper.rb

@@ -7,8 +7,13 @@ module DeployTokensHelper
       Rails.env.test?
   end
 
-  def container_registry_enabled?(project)
+  def container_registry_enabled?(group_or_project)
     Gitlab.config.registry.enabled &&
-      can?(current_user, :read_container_image, project)
+      can?(current_user, :read_container_image, group_or_project)
+  end
+
+  def packages_registry_enabled?(group_or_project)
+    Gitlab.config.packages.enabled &&
+      can?(current_user, :read_package, group_or_project)
   end
 end

app/views/shared/deploy_tokens/_form.html.haml

@@ -35,6 +35,7 @@
         = label_tag ("deploy_token_write_registry"), 'write_registry', class: 'label-bold form-check-label'
         .text-secondary= s_('DeployTokens|Allows write access to the registry images')
 
+    - if packages_registry_enabled?(group_or_project)
       %fieldset.form-group.form-check
         = f.check_box :read_package_registry, class: 'form-check-input'
         = label_tag ("deploy_token_read_package_registry"), 'read_package_registry', class: 'label-bold form-check-label'

changelogs/unreleased/nelbacha-conditional-package-scopes.yml

+---
+title: Conditionally render the packages scopes in deploy token settings
+merge_request: 35334
+author:
+type: fixed

spec/views/shared/deploy_tokens/_form.html.haml_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'shared/deploy_tokens/_form.html.haml' do
+  using RSpec::Parameterized::TableSyntax
+
+  let_it_be(:user) { create(:user) }
+  let_it_be(:token) { build(:deploy_token) }
+
+  RSpec.shared_examples "display deploy token settings" do |role, shows_package_registry_permissions|
+    before do
+      subject.add_user(user, role)
+      allow(view).to receive(:current_user).and_return(user)
+      stub_config(packages: { enabled: packages_enabled })
+    end
+
+    it "correctly renders the form" do
+      render 'shared/deploy_tokens/form', token: token, group_or_project: subject
+
+      if shows_package_registry_permissions
+        expect(rendered).to have_content('Allows read access to the package registry')
+      else
+        expect(rendered).not_to have_content('Allows read access to the package registry')
+      end
+    end
+  end
+
+  context "when the subject is a project" do
+    let_it_be(:subject, refind: true) { create(:project, :private) }
+
+    where(:packages_enabled, :feature_enabled, :role, :shows_package_registry_permissions) do
+      true  | true  | :maintainer | true
+      false | true  | :maintainer | false
+      true  | false | :maintainer | false
+      false | false | :maintainer | false
+    end
+
+    with_them do
+      before do
+        subject.update!(packages_enabled: feature_enabled)
+      end
+
+      it_behaves_like 'display deploy token settings', params[:role], params[:shows_package_registry_permissions]
+    end
+  end
+
+  context "when the subject is a group" do
+    let_it_be(:subject, refind: true) { create(:group, :private) }
+
+    where(:packages_enabled, :role, :shows_package_registry_permissions) do
+      true  | :owner      | true
+      false | :owner      | false
+      true  | :maintainer | true
+      false | :maintainer | false
+    end
+
+    with_them do
+      it_behaves_like 'display deploy token settings', params[:role], params[:shows_package_registry_permissions]
+    end
+  end
+end