Move rule to ApplicationSettingPolicy

The :update_runners_registration_token rule doesn't really belong to :global since it lives in ApplicationSetting

Move rule to ApplicationSettingPolicy
The :update_runners_registration_token rule doesn't really belong to :global since it lives in ApplicationSetting
20e73b5d · Pedro Pombeiro · 0ef34d11 · 20e73b5d · 20e73b5d · 20e73b5d
Commit 20e73b5d authored Mar 11, 2022 by Pedro Pombeiro
6 changed files
--- a/app/graphql/mutations/ci/runners_registration_token/reset.rb
+++ b/app/graphql/mutations/ci/runners_registration_token/reset.rb
@@ -50,14 +50,16 @@ module Mutations
          when 'instance_type'
            raise Gitlab::Graphql::Errors::ArgumentError, "id must not be specified for '#{type}' scope" if id.present?
-            authorize!(:global)
+            scope = ApplicationSetting.current
+            authorize!(scope)
-            ApplicationSetting.current.reset_runners_registration_token!
+            scope.reset_runners_registration_token!
            ApplicationSetting.current_without_cache.runners_registration_token
          when 'group_type', 'project_type'
-            project_or_group = authorized_find!(type: type, id: id)
+            scope = authorized_find!(type: type, id: id)
-            project_or_group.reset_runners_token!
-            project_or_group.runners_token
+            scope.reset_runners_token!
+            scope.runners_token
          end
        end
      end

--- a/app/policies/application_setting_policy.rb
+++ b/app/policies/application_setting_policy.rb
 # frozen_string_literal: true
 class ApplicationSettingPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
-  rule { admin }.enable :read_application_setting
+  rule { admin }.policy do
+    enable :read_application_setting
+    enable :update_runners_registration_token
+  end
 end
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -115,7 +115,6 @@ class GlobalPolicy < BasePolicy
    enable :approve_user
    enable :reject_user
    enable :read_usage_trends_measurement
-    enable :update_runners_registration_token
  end
  # We can't use `read_statistics` because the user may have different permissions for different projects

--- a/lib/api/ci/runners.rb
+++ b/lib/api/ci/runners.rb
@@ -246,7 +246,7 @@ module API
          success Entities::Ci::ResetTokenResult
        end
        post 'reset_registration_token' do
-          authorize! :update_runners_registration_token
+          authorize! :update_runners_registration_token, ApplicationSetting.current
          ApplicationSetting.current.reset_runners_registration_token!
          present ApplicationSetting.current_without_cache.runners_registration_token_with_expiration, with: Entities::Ci::ResetTokenResult

--- a/spec/policies/application_setting_policy_spec.rb
+++ b/spec/policies/application_setting_policy_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe ApplicationSettingPolicy do
+  let(:current_user) { create(:user) }
+  let(:user) { create(:user) }
+  subject { described_class.new(current_user, [user]) }
+  describe 'update_runners_registration_token' do
+    context 'when anonymous' do
+      let(:current_user) { nil }
+      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+    end
+    context 'regular user' do
+      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+    end
+    context 'when external' do
+      let(:current_user) { build(:user, :external) }
+      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+    end
+    context 'admin' do
+      let(:current_user) { create(:admin) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:update_runners_registration_token) }
+      end
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:update_runners_registration_token) }
+      end
+    end
+  end
+end
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -591,34 +591,4 @@ RSpec.describe GlobalPolicy do
      it { is_expected.not_to be_allowed(:log_in) }
    end
  end
-  describe 'update_runners_registration_token' do
-    context 'when anonymous' do
-      let(:current_user) { nil }
-      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
-    end
-    context 'regular user' do
-      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
-    end
-    context 'when external' do
-      let(:current_user) { build(:user, :external) }
-      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
-    end
-    context 'admin' do
-      let(:current_user) { create(:admin) }
-      context 'when admin mode is enabled', :enable_admin_mode do
-        it { is_expected.to be_allowed(:update_runners_registration_token) }
-      end
-      context 'when admin mode is disabled' do
-        it { is_expected.to be_disallowed(:update_runners_registration_token) }
-      end
-    end
-  end
 end