Commit 4ae3a7a7 authored by Pavel Shutsin's avatar Pavel Shutsin

Fix DevopsAdoption access error

Admins should be able to add even free tier groups
to devops adoption tables.
parent 077ada55
...@@ -25,7 +25,6 @@ class License < ApplicationRecord ...@@ -25,7 +25,6 @@ class License < ApplicationRecord
group_activity_analytics group_activity_analytics
group_bulk_edit group_bulk_edit
group_webhooks group_webhooks
group_level_devops_adoption
instance_level_devops_adoption instance_level_devops_adoption
group_level_devops_adoption group_level_devops_adoption
issuable_default_templates issuable_default_templates
......
...@@ -38,8 +38,12 @@ module EE ...@@ -38,8 +38,12 @@ module EE
end end
condition(:group_devops_adoption_available) do condition(:group_devops_adoption_available) do
@subject.feature_available?(:group_level_devops_adoption)
end
condition(:group_devops_adoption_enabled) do
::Feature.enabled?(:group_devops_adoption, @subject, default_enabled: :yaml) && ::Feature.enabled?(:group_devops_adoption, @subject, default_enabled: :yaml) &&
@subject.feature_available?(:group_level_devops_adoption) ::License.feature_available?(:group_level_devops_adoption)
end end
condition(:dora4_analytics_available) do condition(:dora4_analytics_available) do
...@@ -191,11 +195,15 @@ module EE ...@@ -191,11 +195,15 @@ module EE
enable :view_group_ci_cd_analytics enable :view_group_ci_cd_analytics
end end
rule { reporter & group_devops_adoption_available }.policy do rule { reporter & group_devops_adoption_enabled & group_devops_adoption_available }.policy do
enable :manage_devops_adoption_segments enable :manage_devops_adoption_segments
enable :view_group_devops_adoption enable :view_group_devops_adoption
end end
rule { admin & group_devops_adoption_enabled }.policy do
enable :manage_devops_adoption_segments
end
rule { owner & ~has_parent & prevent_group_forking_available }.policy do rule { owner & ~has_parent & prevent_group_forking_available }.policy do
enable :change_prevent_group_forking enable :change_prevent_group_forking
end end
......
---
title: Fix access bug for DevOps Adoption page and free tier groups
merge_request: 58684
author:
type: fixed
...@@ -1606,32 +1606,34 @@ RSpec.describe GroupPolicy do ...@@ -1606,32 +1606,34 @@ RSpec.describe GroupPolicy do
end end
context 'when license does not include the feature' do context 'when license does not include the feature' do
let(:current_user) { admin }
before do before do
stub_feature_flags(group_devops_adoption: true) stub_feature_flags(group_devops_adoption: true)
stub_licensed_features(group_level_devops_adoption: false) stub_licensed_features(group_level_devops_adoption: false)
enable_admin_mode!(current_user)
end end
it { is_expected.to be_disallowed(policy) } it { is_expected.to be_disallowed(policy) }
end end
context 'when feature is enabled and license include the feature' do context 'when feature is enabled and license includes the feature' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:role, :admin_mode, :allowed) do where(:role, :allowed) do
:admin | true | true :admin | true
:admin | false | false :owner | true
:owner | nil | true :maintainer | true
:maintainer | nil | true :developer | true
:developer | nil | true :reporter | true
:reporter | nil | true :guest | false
:guest | nil | false :non_group_member | false
:non_group_member | nil | false
end end
before do before do
stub_feature_flags(group_devops_adoption: true) stub_feature_flags(group_devops_adoption: true)
stub_licensed_features(group_level_devops_adoption: true) stub_licensed_features(group_level_devops_adoption: true)
enable_admin_mode!(current_user) if admin_mode enable_admin_mode!(current_user) if current_user.admin?
end end
with_them do with_them do
...@@ -1641,4 +1643,85 @@ RSpec.describe GroupPolicy do ...@@ -1641,4 +1643,85 @@ RSpec.describe GroupPolicy do
end end
end end
end end
describe 'manage_devops_adoption_segments' do
let(:current_user) { owner }
let(:policy) { :manage_devops_adoption_segments }
context 'when feature is disabled' do
before do
stub_feature_flags(group_devops_adoption: false)
end
it { is_expected.to be_disallowed(policy) }
end
context 'when license does not include the feature' do
let(:current_user) { admin }
before do
stub_feature_flags(group_devops_adoption: true)
stub_licensed_features(group_level_devops_adoption: false)
enable_admin_mode!(current_user)
end
it { is_expected.to be_disallowed(policy) }
end
context 'when feature is enabled' do
before do
stub_feature_flags(group_devops_adoption: true)
end
context 'when license includes the feature' do
using RSpec::Parameterized::TableSyntax
where(:role, :allowed) do
:admin | true
:owner | true
:maintainer | true
:developer | true
:reporter | true
:guest | false
:non_group_member | false
end
before do
stub_licensed_features(group_level_devops_adoption: true)
enable_admin_mode!(current_user) if current_user.admin?
end
with_them do
let(:current_user) { public_send(role) }
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end
end
context 'when license plan does not include the feature' do
using RSpec::Parameterized::TableSyntax
where(:role, :allowed) do
:admin | true
:owner | false
:maintainer | false
:developer | false
:reporter | false
:guest | false
:non_group_member | false
end
before do
allow(group).to receive(:feature_available?).with(:group_level_devops_adoption).and_return(false)
enable_admin_mode!(current_user) if current_user.admin?
end
with_them do
let(:current_user) { public_send(role) }
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment