Merge branch 'ag-code-hotspots-mvc-add-policies' into 'master'

Add global and group policies for code analytics feature See merge request gitlab-org/gitlab!16515

Merge branch 'ag-code-hotspots-mvc-add-policies' into 'master'
Add global and group policies for code analytics feature See merge request gitlab-org/gitlab!16515
553cf378 · Peter Leitzen · 1b300fa3 · ccb74300 · 553cf378 · 553cf378
Commit 553cf378 authored Sep 17, 2019 by Peter Leitzen
4 changed files
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -17,7 +17,10 @@ module EE

      rule { support_bot }.prevent :use_quick_actions

-      rule { ~anonymous }.enable :view_productivity_analytics
+      rule { ~anonymous }.policy do
+        enable :view_productivity_analytics
+        enable :view_code_analytics
+      end
    end
  end
 end
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -49,6 +49,8 @@ module EE
        enable :admin_list
        enable :admin_board
        enable :read_prometheus
+        enable :view_code_analytics
+        enable :view_productivity_analytics
      end

      rule { maintainer }.policy do
@@ -131,8 +133,6 @@ module EE
      rule { ip_enforcement_prevents_access & ~owner }.policy do
        prevent :read_group
      end
-
-      rule { reporter }.enable :view_productivity_analytics
    end

    override :lookup_access_level!

--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -32,15 +32,27 @@ describe GlobalPolicy do
  it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_licenses) }
  it { expect(described_class.new(create(:admin), [user])).to be_allowed(:destroy_licenses) }

-  describe 'view_productivity_analytics' do
-    context 'for anonymous' do
+  shared_examples 'analytics policy' do |action|
+    context 'anonymous user' do
      let(:current_user) { nil }

-      it { is_expected.not_to be_allowed(:view_productivity_analytics) }
+      it 'is not allowed' do
+        is_expected.not_to be_allowed(action)
+      end
    end

-    context 'for authenticated users' do
-      it { is_expected.to be_allowed(:view_productivity_analytics) }
+    context 'authenticated user' do
+      it 'is allowed' do
+        is_expected.to be_allowed(action)
+      end
    end
  end
+
+  describe 'view_code_analytics' do
+    include_examples 'analytics policy', :view_code_analytics
+  end
+
+  describe 'view_productivity_analytics' do
+    include_examples 'analytics policy', :view_productivity_analytics
+  end
 end
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -404,21 +404,35 @@ describe GroupPolicy do
    end
  end

-  describe 'view_productivity_analytics' do
-    %w[admin owner maintainer developer reporter].each do |role|
-      context "for #{role}" do
+  shared_examples 'analytics policy' do |action|
+    shared_examples 'policy by role' do |role|
+      context role do
        let(:current_user) { public_send(role) }

-        it { is_expected.to be_allowed(:view_productivity_analytics) }
+        it 'is allowed' do
+          is_expected.to be_allowed(action)
+        end
      end
    end

-    %w[guest].each do |role|
-      context "for #{role}" do
-        let(:current_user) { public_send(role) }
+    %w[admin owner maintainer developer reporter].each do |role|
+      include_examples 'policy by role', role
+    end

-        it { is_expected.to be_disallowed(:view_productivity_analytics) }
+    context 'guest' do
+      let(:current_user) { guest }
+
+      it 'is not allowed' do
+        is_expected.to be_disallowed(action)
      end
    end
  end
+
+  describe 'view_code_analytics' do
+    include_examples 'analytics policy', :view_code_analytics
+  end
+
+  describe 'view_productivity_analytics' do
+    include_examples 'analytics policy', :view_productivity_analytics
+  end
 end