Merge branch '300455-auditor-role-not-bypassing-sso-enforce-with-ip-restrictions-on' into 'master'

Exempt auditor from ip restriction See merge request gitlab-org/gitlab!55073

Merge branch '300455-auditor-role-not-bypassing-sso-enforce-with-ip-restrictions-on' into 'master'
Exempt auditor from ip restriction See merge request gitlab-org/gitlab!55073
2c680468 · Mikołaj Wawrzyniak · 411e8901 · 08a9cbb5 · 2c680468 · 2c680468
Commit 2c680468 authored Mar 02, 2021 by Mikołaj Wawrzyniak
5 changed files
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -288,7 +288,7 @@ module EE
        prevent :read_group
      end

-      rule { ip_enforcement_prevents_access & ~owner }.policy do
+      rule { ip_enforcement_prevents_access & ~owner & ~auditor }.policy do
        prevent :read_group
      end


--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -366,7 +366,7 @@ module EE
        prevent :owner_access
      end

-      rule { ip_enforcement_prevents_access & ~admin }.policy do
+      rule { ip_enforcement_prevents_access & ~admin & ~auditor }.policy do
        prevent :read_project
      end


--- a/ee/changelogs/unreleased/300455-auditor-role-not-bypassing-sso-enforce-with-ip-restrictions-on.yml
+++ b/ee/changelogs/unreleased/300455-auditor-role-not-bypassing-sso-enforce-with-ip-restrictions-on.yml
+---
+title: Exempt auditor from ip restriction
+merge_request: 55073
+author:
+type: changed
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -567,6 +567,12 @@ RSpec.describe GroupPolicy do

          it { is_expected.to be_allowed(:read_group) }
        end
+
+        context 'as auditor' do
+          let(:current_user) { create(:user, :auditor) }
+
+          it { is_expected.to be_allowed(:read_group) }
+        end
      end
    end
  end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -439,6 +439,12 @@ RSpec.describe ProjectPolicy do
          context 'with admin disabled' do
            it { is_expected.to be_disallowed(:read_project) }
          end
+
+          context 'with auditor' do
+            let(:current_user) { create(:user, :auditor) }
+
+            it { is_expected.to be_allowed(:read_project) }
+          end
        end
      end