Merge branch '355531-fix-auditor-permissions-for-contribution-analytics' into 'master'

Allow auditor to read group contribution analytics

See merge request gitlab-org/gitlab!83722

ee/app/policies/ee/group_policy.rb

@@ -175,6 +175,7 @@ module EE
         enable :view_productivity_analytics
         enable :view_group_devops_adoption
         enable :read_group_repository_analytics
+        enable :read_group_contribution_analytics
       end
 
       rule { owner | admin }.policy do

ee/spec/controllers/groups/contribution_analytics_controller_spec.rb

@@ -35,20 +35,29 @@ RSpec.describe Groups::ContributionAnalyticsController do
   end
 
   describe '#authorize_read_contribution_analytics!' do
-    before do
-      group.add_user(guest_user, GroupMember::GUEST)
-      sign_in(guest_user)
-    end
+    let(:request) { get :show, params: { group_id: group.path } }
+
+    context 'when feature is available to the group' do
+      before do
+        stub_licensed_features(contribution_analytics: true)
+      end
+
+      context 'when user is an auditor' do
+        let(:auditor) { create(:user, :auditor) }
+
+        it 'allows access' do
+          sign_in(auditor)
 
-    context 'when user has access to the group' do
-      let(:request) { get :show, params: { group_id: group.path } }
+          request
+
+          expect(response).to have_gitlab_http_status(:success)
+        end
+      end
 
-      context 'when feature is available to the group' do
+      context 'when user has access to the group' do
         before do
-          allow(License).to receive(:feature_available?).and_call_original
-          allow(License).to receive(:feature_available?)
-            .with(:contribution_analytics)
-            .and_return(true)
+          group.add_user(guest_user, GroupMember::GUEST)
+          sign_in(guest_user)
 
           allow(Ability).to receive(:allowed?).and_call_original
           allow(Ability).to receive(:allowed?)

ee/spec/policies/group_policy_spec.rb

@@ -182,6 +182,14 @@ RSpec.describe GroupPolicy do
 
         it { is_expected.not_to be_allowed(:read_group_contribution_analytics) }
       end
+
+      context 'when user has an auditor role' do
+        before do
+          allow(current_user).to receive(:auditor?).and_return(true)
+        end
+
+        it { is_expected.to be_allowed(:read_group_contribution_analytics) }
+      end
     end
   end