Ensures audit events are visible to auditor

Changelog: fixed
EE: true

ee/app/controllers/groups/audit_events_controller.rb

@@ -44,6 +44,8 @@ class Groups::AuditEventsController < Groups::ApplicationController
   end
 
   def filter_by_author(params)
-    can?(current_user, :admin_group, group) ? params : params.merge(author_id: current_user.id)
+    return params if can?(current_user, :admin_group, group) || current_user.auditor?
+
+    params.merge(author_id: current_user.id)
   end
 end

ee/app/policies/ee/group_policy.rb

@@ -270,6 +270,7 @@ module EE
       rule { auditor }.policy do
         enable :read_group
         enable :read_group_security_dashboard
+        enable :read_group_audit_events
       end
 
       rule { group_saml_config_enabled & group_saml_available & (admin | owner) }.enable :admin_group_saml

ee/spec/controllers/groups/audit_events_controller_spec.rb

@@ -7,6 +7,7 @@ RSpec.describe Groups::AuditEventsController do
 
   let_it_be(:user) { create(:user) }
   let_it_be(:owner) { create(:user) }
+  let_it_be(:auditor) { create(:user, auditor: true) }
   let_it_be(:group) { create(:group, :private) }
   let_it_be(:events) { create_list(:group_audit_event, 5, entity_id: group.id) }
 
@@ -15,18 +16,7 @@ RSpec.describe Groups::AuditEventsController do
     let(:entity_type) { nil }
     let(:entity_id) { nil }
 
-    context 'authorized' do
-      before do
-        group.add_owner(owner)
-        sign_in(owner)
-      end
-
-      context do
-        let(:request) do
-          get :index, params: { group_id: group.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id }
-        end
-
-        context 'when audit_events feature is available' do
+    shared_context 'when audit_events feature is available' do
       let(:level) { Gitlab::Audit::Levels::Group.new(group: group) }
       let(:audit_logs_params) { ActionController::Parameters.new(sort: '', entity_type: '', entity_id: '', created_after: Date.current.beginning_of_month, created_before: Date.current.end_of_day).permit! }
 
@@ -137,7 +127,7 @@ RSpec.describe Groups::AuditEventsController do
         expect_snowplow_event(
           category: 'Groups::AuditEventsController',
           action: 'search_audit_event',
-              user: owner,
+          user: client,
           namespace: group
         )
       end
@@ -161,6 +151,42 @@ RSpec.describe Groups::AuditEventsController do
         end
       end
     end
+
+    context 'when authorized owner' do
+      before do
+        group.add_owner(owner)
+        sign_in(owner)
+      end
+
+      let(:client) { owner }
+
+      context do
+        let(:request) do
+          get :index, params: { group_id: group.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id }
+        end
+
+        it_behaves_like 'when audit_events feature is available'
+      end
+
+      it_behaves_like 'tracking unique visits', :index do
+        let(:request_params) { { group_id: group.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id } }
+        let(:target_id) { 'g_compliance_audit_events' }
+      end
+    end
+
+    context 'when authorized auditor' do
+      before do
+        sign_in(auditor)
+      end
+
+      let(:client) { auditor }
+
+      context do
+        let(:request) do
+          get :index, params: { group_id: group.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id }
+        end
+
+        it_behaves_like 'when audit_events feature is available'
       end
 
       it_behaves_like 'tracking unique visits', :index do

ee/spec/policies/group_policy_spec.rb

@@ -610,6 +610,7 @@ RSpec.describe GroupPolicy do
 
           it { is_expected.to be_allowed(:read_group) }
           it { is_expected.to be_allowed(:read_milestone) }
+          it { is_expected.to be_allowed(:read_group_audit_events) }
         end
       end
     end