Commit 4ae3a7a7 authored by Pavel Shutsin's avatar Pavel Shutsin

Fix DevopsAdoption access error

Admins should be able to add even free tier groups
to devops adoption tables.
parent 077ada55
......@@ -25,7 +25,6 @@ class License < ApplicationRecord
group_activity_analytics
group_bulk_edit
group_webhooks
group_level_devops_adoption
instance_level_devops_adoption
group_level_devops_adoption
issuable_default_templates
......
......@@ -38,10 +38,14 @@ module EE
end
condition(:group_devops_adoption_available) do
::Feature.enabled?(:group_devops_adoption, @subject, default_enabled: :yaml) &&
@subject.feature_available?(:group_level_devops_adoption)
end
condition(:group_devops_adoption_enabled) do
::Feature.enabled?(:group_devops_adoption, @subject, default_enabled: :yaml) &&
::License.feature_available?(:group_level_devops_adoption)
end
condition(:dora4_analytics_available) do
@subject.feature_available?(:dora4_analytics)
end
......@@ -191,11 +195,15 @@ module EE
enable :view_group_ci_cd_analytics
end
rule { reporter & group_devops_adoption_available }.policy do
rule { reporter & group_devops_adoption_enabled & group_devops_adoption_available }.policy do
enable :manage_devops_adoption_segments
enable :view_group_devops_adoption
end
rule { admin & group_devops_adoption_enabled }.policy do
enable :manage_devops_adoption_segments
end
rule { owner & ~has_parent & prevent_group_forking_available }.policy do
enable :change_prevent_group_forking
end
......
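Review bot: The new `rule { admin & group_devops_adoption_enabled }` grants `manage_devops_adoption_segments` without the per-group `group_devops_adoption_available` check, and nothing in the code says this is deliberate. Because it is an authorization rule that skips a plan check on purpose, a comment above it would stop a later refactor from restoring the check or copying the pattern to other abilities, for example `# Admins may add any group, including free-tier ones, when the instance license has the feature; the group's own plan is intentionally not checked.` The names `group_devops_adoption_enabled` (which calls `::License.feature_available?`) and `group_devops_adoption_available` (which calls `@subject.feature_available?`) are close enough to be swapped by mistake, so each condition should carry a one-line comment stating which scope it checks. The admin rule also enables only `manage_devops_adoption_segments` and not `view_group_devops_adoption`; if that asymmetry is intended, the same comment should say so.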
---
title: Fix access bug for DevOps Adoption page and free tier groups
merge_request: 58684
author:
type: fixed
......@@ -1606,32 +1606,34 @@ RSpec.describe GroupPolicy do
end
context 'when license does not include the feature' do
let(:current_user) { admin }
before do
stub_feature_flags(group_devops_adoption: true)
stub_licensed_features(group_level_devops_adoption: false)
enable_admin_mode!(current_user)
end
it { is_expected.to be_disallowed(policy) }
end
context 'when feature is enabled and license include the feature' do
context 'when feature is enabled and license includes the feature' do
using RSpec::Parameterized::TableSyntax
where(:role, :admin_mode, :allowed) do
:admin | true | true
:admin | false | false
:owner | nil | true
:maintainer | nil | true
:developer | nil | true
:reporter | nil | true
:guest | nil | false
:non_group_member | nil | false
where(:role, :allowed) do
:admin | true
:owner | true
:maintainer | true
:developer | true
:reporter | true
:guest | false
:non_group_member | false
end
before do
stub_feature_flags(group_devops_adoption: true)
stub_licensed_features(group_level_devops_adoption: true)
enable_admin_mode!(current_user) if admin_mode
enable_admin_mode!(current_user) if current_user.admin?
end
with_them do
......@@ -1641,4 +1643,85 @@ RSpec.describe GroupPolicy do
end
end
end
describe 'manage_devops_adoption_segments' do
let(:current_user) { owner }
let(:policy) { :manage_devops_adoption_segments }
context 'when feature is disabled' do
before do
stub_feature_flags(group_devops_adoption: false)
end
it { is_expected.to be_disallowed(policy) }
end
context 'when license does not include the feature' do
let(:current_user) { admin }
before do
stub_feature_flags(group_devops_adoption: true)
stub_licensed_features(group_level_devops_adoption: false)
enable_admin_mode!(current_user)
end
it { is_expected.to be_disallowed(policy) }
end
context 'when feature is enabled' do
before do
stub_feature_flags(group_devops_adoption: true)
end
context 'when license includes the feature' do
using RSpec::Parameterized::TableSyntax
where(:role, :allowed) do
:admin | true
:owner | true
:maintainer | true
:developer | true
:reporter | true
:guest | false
:non_group_member | false
end
before do
stub_licensed_features(group_level_devops_adoption: true)
enable_admin_mode!(current_user) if current_user.admin?
end
with_them do
let(:current_user) { public_send(role) }
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end
end
context 'when license plan does not include the feature' do
using RSpec::Parameterized::TableSyntax
where(:role, :allowed) do
:admin | true
:owner | false
:maintainer | false
:developer | false
:reporter | false
:guest | false
:non_group_member | false
end
before do
allow(group).to receive(:feature_available?).with(:group_level_devops_adoption).and_return(false)
enable_admin_mode!(current_user) if current_user.admin?
end
with_them do
let(:current_user) { public_send(role) }
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end
end
end
end
end
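Review bot: The rewritten tables appear to drop the `:admin | false | false` row and now call `enable_admin_mode!` for every admin, so no example covers an admin whose admin mode is off. That case matters most in the new `manage_devops_adoption_segments` block, where the 'when license plan does not include the feature' context expects `:admin | true`. There the `admin` condition is the only thing separating an admin from an ordinary member, and the spec should pin that it is not satisfied without admin mode. Keeping the `admin_mode` column, with rows such as `:admin | true | true` and `:admin | false | false`, plus `enable_admin_mode!(current_user) if admin_mode` in the `before` block, would restore that coverage. How the `admin` condition treats admin mode is defined outside this diff, which is one more reason to assert the expected denial here.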