Allow admin to register group runners at all times

Even if valid runner registrars doesn't specify permission for group

Changelog: fixed

app/policies/group_policy.rb

@@ -80,8 +80,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 
   condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? }
 
-  with_scope :subject
-  condition(:group_runner_registration_allowed, score: 0, scope: :subject) do
+  condition(:group_runner_registration_allowed) do
     Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
   end
 
@@ -280,7 +279,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     prevent :admin_crm_organization
   end
 
-  rule { ~group_runner_registration_allowed }.policy do
+  rule { ~admin & ~group_runner_registration_allowed }.policy do
     prevent :register_group_runners
   end
 

spec/policies/group_policy_spec.rb

@@ -1076,37 +1076,33 @@ RSpec.describe GroupPolicy do
   end
 
   describe 'register_group_runners' do
-    shared_examples 'expected outcome based on runner registration control' do
-      context 'with runner_registration_control FF disabled' do
-        before do
-          stub_feature_flags(runner_registration_control: false)
-        end
+    context 'admin' do
+      let(:current_user) { admin }
 
-        it { is_expected.to be_allowed(:register_group_runners) }
-      end
+      context 'when admin mode is enabled', :enable_admin_mode do
+        context 'with runner_registration_control FF disabled' do
+          before do
+            stub_feature_flags(runner_registration_control: false)
+          end
 
-      context 'with runner_registration_control FF enabled' do
-        before do
-          stub_feature_flags(runner_registration_control: true)
+          it { is_expected.to be_allowed(:register_group_runners) }
         end
 
-        context 'with group runner registration disabled' do
+        context 'with runner_registration_control FF enabled' do
           before do
-            stub_application_setting(valid_runner_registrars: ['project'])
+            stub_feature_flags(runner_registration_control: true)
           end
 
-          it { is_expected.to be_disallowed(:register_group_runners) }
-        end
-      end
-    end
+          it { is_expected.to be_allowed(:register_group_runners) }
 
-    context 'admin' do
-      let(:current_user) { admin }
-
-      context 'when admin mode is enabled', :enable_admin_mode do
-        it { is_expected.to be_allowed(:register_group_runners) }
+          context 'with group runner registration disabled' do
+            before do
+              stub_application_setting(valid_runner_registrars: ['project'])
+            end
 
-        it_behaves_like 'expected outcome based on runner registration control'
+            it { is_expected.to be_allowed(:register_group_runners) }
+          end
+        end
       end
 
       context 'when admin mode is disabled' do
@@ -1119,7 +1115,29 @@ RSpec.describe GroupPolicy do
 
       it { is_expected.to be_allowed(:register_group_runners) }
 
-      it_behaves_like 'expected outcome based on runner registration control'
+      context 'with runner_registration_control FF disabled' do
+        before do
+          stub_feature_flags(runner_registration_control: false)
+        end
+
+        it { is_expected.to be_allowed(:register_group_runners) }
+      end
+
+      context 'with runner_registration_control FF enabled' do
+        before do
+          stub_feature_flags(runner_registration_control: true)
+        end
+
+        it { is_expected.to be_allowed(:register_group_runners) }
+
+        context 'with group runner registration disabled' do
+          before do
+            stub_application_setting(valid_runner_registrars: ['project'])
+          end
+
+          it { is_expected.to be_disallowed(:register_group_runners) }
+        end
+      end
     end
 
     context 'with maintainer' do