Merge branch 'move-ff-license-to-core' into 'master'

Remove Feature Flag License Check RUN AS-IF-FOSS See merge request gitlab-org/gitlab!42023

Merge branch 'move-ff-license-to-core' into 'master'
Remove Feature Flag License Check RUN AS-IF-FOSS See merge request gitlab-org/gitlab!42023
7eb1c3bc · Shinya Maeda · 982533e4 · 2aebdde6 · 7eb1c3bc · 7eb1c3bc
Commit 7eb1c3bc authored Sep 17, 2020 by Shinya Maeda
47 changed files
--- a/ee/app/finders/feature_flags_finder.rb
+++ b/ee/app/finders/feature_flags_finder.rb
--- a/ee/app/policies/operations/feature_flag_policy.rb
+++ b/ee/app/policies/operations/feature_flag_policy.rb
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -325,6 +325,12 @@ class ProjectPolicy < BasePolicy
    enable :destroy_design
    enable :read_terraform_state
    enable :read_pod_logs
+    enable :read_feature_flag
+    enable :create_feature_flag
+    enable :update_feature_flag
+    enable :destroy_feature_flag
+    enable :admin_feature_flag
+    enable :admin_feature_flags_user_lists
  end
  rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -371,6 +377,7 @@ class ProjectPolicy < BasePolicy
    enable :read_freeze_period
    enable :update_freeze_period
    enable :destroy_freeze_period
+    enable :admin_feature_flags_client
  end
  rule { public_project & metrics_dashboard_allowed }.policy do
@@ -447,6 +454,8 @@ class ProjectPolicy < BasePolicy
    prevent :read_pipeline
    prevent :read_pipeline_schedule
    prevent(*create_read_update_admin_destroy(:release))
+    prevent(*create_read_update_admin_destroy(:feature_flag))
+    prevent(:admin_feature_flags_user_lists)
  end
  rule { container_registry_disabled }.policy do

--- a/doc/operations/feature_flags.md
+++ b/doc/operations/feature_flags.md
@@ -4,9 +4,10 @@ group: Progressive Delivery
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
 ---
-# Feature Flags **(PREMIUM)**
+# Feature Flags **(STARTER)**
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/7433) in GitLab 11.4.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/7433) in GitLab 11.4.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to [GitLab Starter](https://about.gitlab.com/pricing/) in 13.4
 With Feature Flags, you can deploy your application's new features to production in smaller batches.
 You can toggle a feature on and off to subsets of users, helping you achieve Continuous Delivery.
@@ -349,7 +350,7 @@ else
 end
 ```
-## Feature Flag Related Issues
+## Feature Flag Related Issues **(PREMIUM)**
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/36617) in GitLab 13.2.
 > - It's deployed behind a feature flag, enabled by default.

--- a/ee/app/controllers/projects/feature_flag_issues_controller.rb
+++ b/ee/app/controllers/projects/feature_flag_issues_controller.rb
@@ -5,7 +5,7 @@ module Projects
    include IssuableLinks
    before_action :ensure_feature_enabled!
-    before_action :authorize_admin_feature_flag!
+    before_action :authorize_admin_feature_flags_issue_links!
    private

--- a/ee/app/helpers/ee/search_helper.rb
+++ b/ee/app/helpers/ee/search_helper.rb
@@ -30,7 +30,7 @@ module EE
    override :project_autocomplete
    def project_autocomplete
-      return super unless @project && @project.feature_available?(:feature_flags)
+      return super unless @project && @project.feature_available?(:repository)
      super + [{ category: "In this project", label: _("Feature Flags"), url: project_feature_flags_path(@project) }]
    end

--- a/ee/app/helpers/feature_flags_helper.rb
+++ b/ee/app/helpers/feature_flags_helper.rb
@@ -12,7 +12,7 @@ module FeatureFlagsHelper
  end
  def feature_flag_issues_links_endpoint(project, feature_flag, user)
-    return '' unless Feature.enabled?(:feature_flags_issue_links, project, default_enabled: true) && can?(user, :read_issue_link, project)
+    return '' unless Feature.enabled?(:feature_flags_issue_links, project, default_enabled: true) && can?(user, :admin_feature_flags_issue_links, project)
    project_feature_flag_issues_path(project, feature_flag)
  end

--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -72,7 +72,7 @@ class License < ApplicationRecord
    epics
    extended_audit_events
    external_authorization_service_api_management
-    feature_flags
+    feature_flags_related_issues
    file_locks
    geo
    generic_alert_fingerprinting

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -120,11 +120,6 @@ module EE
        @subject.feature_available?(:threat_monitoring)
      end
-      with_scope :subject
-      condition(:feature_flags_disabled) do
-        !@subject.feature_available?(:feature_flags)
-      end
      with_scope :subject
      condition(:code_review_analytics_enabled) do
        @subject.feature_available?(:code_review_analytics, @user)
@@ -142,6 +137,11 @@ module EE
        @subject.root_namespace.over_storage_limit?
      end
+      with_scope :subject
+      condition(:feature_flags_related_issues_disabled) do
+        !@subject.feature_available?(:feature_flags_related_issues)
+      end
      rule { visual_review_bot }.policy do
        prevent :read_note
        enable :create_note
@@ -154,6 +154,10 @@ module EE
        prevent :push_code
      end
+      rule { feature_flags_related_issues_disabled | repository_disabled }.policy do
+        prevent :admin_feature_flags_issue_links
+      end
      rule { ~group_timelogs_available }.prevent :read_group_timelogs
      rule { can?(:guest_access) & iterations_available }.enable :read_iteration
@@ -171,13 +175,8 @@ module EE
        enable :create_vulnerability_feedback
        enable :destroy_vulnerability_feedback
        enable :update_vulnerability_feedback
-        enable :read_feature_flag
-        enable :create_feature_flag
-        enable :update_feature_flag
-        enable :destroy_feature_flag
-        enable :admin_feature_flag
-        enable :admin_feature_flags_user_lists
        enable :read_ci_minutes_quota
+        enable :admin_feature_flags_issue_links
      end
      rule { can?(:developer_access) & iterations_available }.policy do
@@ -223,16 +222,10 @@ module EE
      rule { deploy_board_disabled & ~is_development }.prevent :read_deploy_board
-      rule { feature_flags_disabled | repository_disabled }.policy do
-        prevent(*create_read_update_admin_destroy(:feature_flag))
-        prevent(:admin_feature_flags_user_lists)
-      end
      rule { can?(:maintainer_access) }.policy do
        enable :push_code_to_protected_branches
        enable :admin_path_locks
        enable :update_approvers
-        enable :admin_feature_flags_client
        enable :modify_approvers_rules
        enable :modify_auto_fix_setting
        enable :modify_merge_request_author_setting

--- a/ee/changelogs/unreleased/move-ff-license-to-core.yml
+++ b/ee/changelogs/unreleased/move-ff-license-to-core.yml
+---
+title: Remove license check for feature flags
+merge_request: 42023
+author:
+type: changed
--- a/ee/config/feature_flags/licensed/feature_flags_related_issues.yml
+++ b/ee/config/feature_flags/licensed/feature_flags_related_issues.yml
+---
+name: feature_flags_related_issues
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/42023
+rollout_issue_url: 
+group: group::progressive delivery
+type: licensed
+default_enabled: true
--- a/ee/lib/api/unleash.rb
+++ b/ee/lib/api/unleash.rb
@@ -66,7 +66,7 @@ module API
      end
      def authorize_feature_flags_feature!
-        forbidden! unless project.feature_available?(:feature_flags)
+        forbidden! unless project.feature_available?(:repository)
      end
      def feature_flags

--- a/ee/spec/controllers/projects/feature_flag_issues_controller_spec.rb
+++ b/ee/spec/controllers/projects/feature_flag_issues_controller_spec.rb
@@ -13,7 +13,7 @@ RSpec.describe Projects::FeatureFlagIssuesController do
  end
  before do
-    stub_licensed_features(feature_flags: true)
+    stub_licensed_features(feature_flags_related_issues: true)
  end
  describe 'GET #index' do
@@ -172,19 +172,9 @@ RSpec.describe Projects::FeatureFlagIssuesController do
      expect(response).to have_gitlab_http_status(:not_found)
    end
-    it 'returns not found when related issues feature is unavailable' do
+    context 'when feature flag related issues feature is unlicensed' do
-      stub_licensed_features(blocked_issues: false)
-      feature_flag, _issue = setup
-      sign_in(developer)
-      get_request(project, feature_flag)
-      expect(response).to have_gitlab_http_status(:not_found)
-    end
-    context 'when feature flags are unlicensed' do
      before do
-        stub_licensed_features(feature_flags: false)
+        stub_licensed_features(feature_flags_related_issues: false)
      end
      it 'does not return linked issues' do
@@ -332,23 +322,12 @@ RSpec.describe Projects::FeatureFlagIssuesController do
      expect(::FeatureFlagIssue.count).to eq(0)
    end
-    it 'does not create a link when the related issues feature is unavailable' do
+    context 'when feature flag related issues feature is unlicensed' do
-      stub_licensed_features(blocked_issues: false)
-      feature_flag, issue = setup
-      sign_in(developer)
-      post_request(project, feature_flag, issue)
-      expect(response).to have_gitlab_http_status(:not_found)
-      expect(::FeatureFlagIssue.count).to eq(0)
-    end
-    context 'when feature flags are unlicensed' do
      before do
-        stub_licensed_features(feature_flags: false)
+        stub_licensed_features(feature_flags_related_issues: false)
      end
-      it 'does not create a link between the feature flag and the issue when feature flags are unlicensed' do
+      it 'does not create a link between the feature flag and the issue' do
        feature_flag, issue = setup
        sign_in(developer)
@@ -400,8 +379,12 @@ RSpec.describe Projects::FeatureFlagIssuesController do
      expect(feature_flag.reload.issues).to eq([issue])
    end
-    it 'does not unlink the issue when the related issues feature is unavailable' do
+    context 'when feature flag related issues feature is unlicensed' do
-      stub_licensed_features(blocked_issues: false)
+      before do
+        stub_licensed_features(feature_flags_related_issues: false)
+      end
+      it 'does not unlink the issue' do
        feature_flag, issue, link = setup
        sign_in(developer)
@@ -411,4 +394,5 @@ RSpec.describe Projects::FeatureFlagIssuesController do
        expect(feature_flag.reload.issues).to eq([issue])
      end
    end
+  end
 end
--- a/ee/spec/controllers/projects/feature_flags_clients_controller_spec.rb
+++ b/ee/spec/controllers/projects/feature_flags_clients_controller_spec.rb
@@ -16,7 +16,6 @@ RSpec.describe Projects::FeatureFlagsClientsController do
    end
    before do
-      stub_licensed_features(feature_flags: true)
      sign_in(user)
    end

--- a/ee/spec/controllers/projects/feature_flags_controller_spec.rb
+++ b/ee/spec/controllers/projects/feature_flags_controller_spec.rb
@@ -10,7 +10,6 @@ RSpec.describe Projects::FeatureFlagsController do
  let_it_be(:developer) { create(:user) }
  let_it_be(:reporter) { create(:user) }
  let(:user) { developer }
-  let(:feature_enabled) { true }
  before_all do
    project.add_developer(developer)
@@ -19,7 +18,6 @@ RSpec.describe Projects::FeatureFlagsController do
  before do
    sign_in(user)
-    stub_licensed_features(feature_flags: feature_enabled)
  end
  describe 'GET index' do
@@ -41,14 +39,6 @@ RSpec.describe Projects::FeatureFlagsController do
      end
    end
-    context 'when feature is not available' do
-      let(:feature_enabled) { false }
-      it 'responds with not found' do
-        is_expected.to have_gitlab_http_status(:not_found)
-      end
-    end
    context 'when the user is a reporter' do
      let(:user) { reporter }

--- a/ee/spec/controllers/projects/feature_flags_user_lists_controller_spec.rb
+++ b/ee/spec/controllers/projects/feature_flags_user_lists_controller_spec.rb
@@ -12,10 +12,6 @@ RSpec.describe Projects::FeatureFlagsUserListsController do
    project.add_developer(developer)
  end
-  before do
-    stub_licensed_features(feature_flags: true)
-  end
  def request_params(extra_params = {})
    { namespace_id: project.namespace, project_id: project }.merge(extra_params)
  end
@@ -44,15 +40,6 @@ RSpec.describe Projects::FeatureFlagsUserListsController do
      expect(response).to have_gitlab_http_status(:not_found)
    end
-    it 'returns not found when feature flags are not licensed' do
-      stub_licensed_features(feature_flags: false)
-      sign_in(developer)
-      get(:new, params: request_params)
-      expect(response).to have_gitlab_http_status(:not_found)
-    end
    it 'renders the new page for a developer' do
      sign_in(developer)

--- a/ee/spec/features/projects/feature_flag_user_lists/user_deletes_feature_flag_user_list_spec.rb
+++ b/ee/spec/features/projects/feature_flag_user_lists/user_deletes_feature_flag_user_list_spec.rb
@@ -8,7 +8,6 @@ RSpec.describe 'User deletes feature flag user list', :js do
  before do
    project.add_developer(developer)
-    stub_licensed_features(feature_flags: true)
    sign_in(developer)
  end

--- a/ee/spec/features/projects/feature_flag_user_lists/user_edits_feature_flag_user_list_spec.rb
+++ b/ee/spec/features/projects/feature_flag_user_lists/user_edits_feature_flag_user_list_spec.rb
@@ -8,7 +8,6 @@ RSpec.describe 'User edits feature flag user list', :js do
  before do
    project.add_developer(developer)
-    stub_licensed_features(feature_flags: true)
    sign_in(developer)
  end

--- a/ee/spec/features/projects/feature_flag_user_lists/user_sees_feature_flag_user_list_details_spec.rb
+++ b/ee/spec/features/projects/feature_flag_user_lists/user_sees_feature_flag_user_list_details_spec.rb
@@ -8,7 +8,6 @@ RSpec.describe 'User sees feature flag user list details', :js do
  before do
    project.add_developer(developer)
-    stub_licensed_features(feature_flags: true)
    sign_in(developer)
  end

--- a/ee/spec/features/projects/feature_flags/feature_flag_issues_spec.rb
+++ b/ee/spec/features/projects/feature_flags/feature_flag_issues_spec.rb
@@ -13,7 +13,7 @@ RSpec.describe 'Feature flag issue links', :js do
  end
  before do
-    stub_licensed_features(feature_flags: true)
+    stub_licensed_features(feature_flags_related_issues: true)
    sign_in(developer)
  end
@@ -72,6 +72,19 @@ RSpec.describe 'Feature flag issue links', :js do
        expect(page).not_to have_selector '#related-issues'
      end
    end
+    context 'when the feature is unlicensed' do
+      before do
+        stub_licensed_features(feature_flags_related_issues: false)
+      end
+      it 'does not show the related issues widget' do
+        visit(edit_project_feature_flag_path(project, feature_flag))
+        expect(page).to have_text 'Strategies'
+        expect(page).not_to have_selector '#related-issues'
+      end
+    end
  end
  describe 'unlinking a feature flag from an issue' do

--- a/ee/spec/features/projects/feature_flags/user_creates_feature_flag_spec.rb
+++ b/ee/spec/features/projects/feature_flags/user_creates_feature_flag_spec.rb
@@ -10,7 +10,6 @@ RSpec.describe 'User creates feature flag', :js do
  before do
    project.add_developer(user)
-    stub_licensed_features(feature_flags: true)
    stub_feature_flags(feature_flag_permissions: false)
    sign_in(user)
  end

--- a/ee/spec/features/projects/feature_flags/user_deletes_feature_flag_spec.rb
+++ b/ee/spec/features/projects/feature_flags/user_deletes_feature_flag_spec.rb
@@ -15,7 +15,6 @@ RSpec.describe 'User deletes feature flag', :js do
  before do
    project.add_developer(user)
-    stub_licensed_features(feature_flags: true)
    stub_feature_flags(feature_flag_permissions: false)
    sign_in(user)

--- a/ee/spec/features/projects/feature_flags/user_sees_feature_flag_list_spec.rb
+++ b/ee/spec/features/projects/feature_flags/user_sees_feature_flag_list_spec.rb
@@ -13,7 +13,6 @@ RSpec.describe 'User sees feature flag list', :js do
  end
  before do
-    stub_licensed_features(feature_flags: true)
    sign_in(user)
  end

--- a/ee/spec/features/projects/feature_flags/user_updates_feature_flag_spec.rb
+++ b/ee/spec/features/projects/feature_flags/user_updates_feature_flag_spec.rb
@@ -13,7 +13,6 @@ RSpec.describe 'User updates feature flag', :js do
  end
  before do
-    stub_licensed_features(feature_flags: true)
    stub_feature_flags(
      feature_flag_permissions: false,
      feature_flags_legacy_read_only_override: false

--- a/ee/spec/features/projects/navbar_spec.rb
+++ b/ee/spec/features/projects/navbar_spec.rb
@@ -14,6 +14,11 @@ RSpec.describe 'Project navbar' do
    stub_feature_flags(project_iterations: false)
    insert_package_nav(_('Operations'))
+    insert_after_sub_nav_item(
+      _('Kubernetes'),
+      within: _('Operations'),
+      new_sub_nav_item_name: _('Feature Flags')
+    )
    project.add_maintainer(user)
    sign_in(user)

--- a/ee/spec/helpers/feature_flags_helper_spec.rb
+++ b/ee/spec/helpers/feature_flags_helper_spec.rb
@@ -29,13 +29,13 @@ RSpec.describe FeatureFlagsHelper do
    end
    it 'returns an empty string when the user is not allowed' do
-      allow(helper).to receive(:can?).with(user, :read_issue_link, project).and_return(false)
+      allow(helper).to receive(:can?).with(user, :admin_feature_flags_issue_links, project).and_return(false)
      is_expected.to be_empty
    end
    it 'returns the issue endpoint when the user is allowed' do
-      allow(helper).to receive(:can?).with(user, :read_issue_link, project).and_return(true)
+      allow(helper).to receive(:can?).with(user, :admin_feature_flags_issue_links, project).and_return(true)
      is_expected.to eq("/#{project.full_path}/-/feature_flags/#{feature_flag.iid}/issues")
    end

--- a/ee/spec/helpers/search_helper_spec.rb
+++ b/ee/spec/helpers/search_helper_spec.rb
@@ -60,16 +60,6 @@ RSpec.describe SearchHelper do
    end
    context 'with a licensed user' do
-      it "does not include feature flags" do
-        expect(project_autocomplete.find { |i| i[:label] == 'Feature Flags'} ).to be_nil
-      end
-    end
-    context 'with a licensed user' do
-      before do
-        stub_licensed_features(feature_flags: true)
-      end
      it "does include feature flags" do
        expect(project_autocomplete.find { |i| i[:label] == 'Feature Flags' }).to be_present
      end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -22,14 +22,14 @@ RSpec.describe ProjectPolicy do
    let(:additional_developer_permissions) do
      %i[
-        admin_vulnerability_feedback read_project_security_dashboard read_feature_flag
+        admin_vulnerability_feedback read_project_security_dashboard
        read_vulnerability read_vulnerability_scanner create_vulnerability create_vulnerability_export admin_vulnerability
        admin_vulnerability_issue_link read_merge_train
      ]
    end
    let(:additional_maintainer_permissions) do
-      %i[push_code_to_protected_branches admin_feature_flags_client modify_auto_fix_setting]
+      %i[push_code_to_protected_branches modify_auto_fix_setting]
    end
    let(:auditor_permissions) do
@@ -622,35 +622,48 @@ RSpec.describe ProjectPolicy do
    end
  end
-  describe 'read_feature_flag' do
+  describe 'admin_feature_flags_issue_links' do
-    context 'with admin' do
+    before do
-      let(:current_user) { admin }
+      stub_licensed_features(feature_flags_related_issues: true)
+    end
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+      it { is_expected.to be_allowed(:admin_feature_flags_issue_links) }
      context 'when repository is disabled' do
        before do
          project.project_feature.update!(
-            # Disable merge_requests and builds as well, since merge_requests and
-            # builds cannot have higher visibility than repository.
            merge_requests_access_level: ProjectFeature::DISABLED,
            builds_access_level: ProjectFeature::DISABLED,
-            repository_access_level: ProjectFeature::DISABLED)
+            repository_access_level: ProjectFeature::DISABLED
+          )
        end
-        it { is_expected.to be_disallowed(:read_feature_flag) }
+        it { is_expected.to be_disallowed(:admin_feature_flags_issue_links) }
      end
    end
    context 'with developer' do
      let(:current_user) { developer }
-      context 'when feature flags features is not available' do
+      it { is_expected.to be_allowed(:admin_feature_flags_issue_links) }
+      context 'when feature is unlicensed' do
        before do
-          stub_licensed_features(feature_flags: false)
+          stub_licensed_features(feature_flags_related_issues: false)
        end
-        it { is_expected.to be_disallowed(:read_feature_flag) }
+        it { is_expected.to be_disallowed(:admin_feature_flags_issue_links) }
      end
    end
+    context 'with reporter' do
+      let(:current_user) { reporter }
+      it { is_expected.to be_disallowed(:admin_feature_flags_issue_links) }
+    end
  end
  describe 'admin_software_license_policy' do
@@ -1336,7 +1349,7 @@ RSpec.describe ProjectPolicy do
    before do
      allow(project.root_namespace).to receive(:over_storage_limit?).and_return(over_storage_limit)
      allow(project).to receive(:design_management_enabled?).and_return(true)
-      stub_licensed_features(security_dashboard: true, license_scanning: true, feature_flags: true)
+      stub_licensed_features(security_dashboard: true, license_scanning: true)
    end
    context 'when the group has exceeded its storage limit' do

--- a/ee/spec/requests/api/feature_flag_scopes_spec.rb
+++ b/ee/spec/requests/api/feature_flag_scopes_spec.rb
@@ -10,8 +10,6 @@ RSpec.describe API::FeatureFlagScopes do
  let(:user) { developer }
  before do
-    stub_licensed_features(feature_flags: true)
    project.add_developer(developer)
    project.add_reporter(reporter)
  end
@@ -26,18 +24,6 @@ RSpec.describe API::FeatureFlagScopes do
        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end
-    context 'when license is not sufficient' do
-      before do
-        stub_licensed_features(feature_flags: false)
-      end
-      it 'forbids the request' do
-        subject
-        expect(response).to have_gitlab_http_status(:forbidden)
-      end
-    end
  end
  shared_examples_for 'not found' do

--- a/ee/spec/requests/api/feature_flags_spec.rb
+++ b/ee/spec/requests/api/feature_flags_spec.rb
@@ -15,10 +15,6 @@ RSpec.describe API::FeatureFlags do
    project.add_reporter(reporter)
  end
-  before do
-    stub_licensed_features(feature_flags: true)
-  end
  shared_examples_for 'check user permission' do
    context 'when user is reporter' do
      let(:user) { reporter }

--- a/ee/spec/requests/api/feature_flags_user_lists_spec.rb
+++ b/ee/spec/requests/api/feature_flags_user_lists_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 RSpec.describe API::FeatureFlagsUserLists do
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project, refind: true) { create(:project) }
  let_it_be(:developer) { create(:user) }
  let_it_be(:reporter) { create(:user) }
@@ -12,14 +12,18 @@ RSpec.describe API::FeatureFlagsUserLists do
    project.add_reporter(reporter)
  end
-  before do
-    stub_licensed_features(feature_flags: true)
-  end
  def create_list(name: 'mylist', user_xids: 'user1')
    create(:operations_feature_flag_user_list, project: project, name: name, user_xids: user_xids)
  end
+  def disable_repository(project)
+    project.project_feature.update!(
+      repository_access_level: ::ProjectFeature::DISABLED,
+      merge_requests_access_level: ::ProjectFeature::DISABLED,
+      builds_access_level: ::ProjectFeature::DISABLED
+    )
+  end
  describe 'GET /projects/:id/feature_flags_user_lists' do
    it 'forbids the request for a reporter' do
      get api("/projects/#{project.id}/feature_flags_user_lists", reporter)
@@ -28,7 +32,7 @@ RSpec.describe API::FeatureFlagsUserLists do
    end
    it 'returns forbidden if the feature is unavailable' do
-      stub_licensed_features(feature_flags: false)
+      disable_repository(project)
      get api("/projects/#{project.id}/feature_flags_user_lists", developer)
@@ -103,7 +107,7 @@ RSpec.describe API::FeatureFlagsUserLists do
    end
    it 'returns forbidden if the feature is unavailable' do
-      stub_licensed_features(feature_flags: false)
+      disable_repository(project)
      list = create_list
      get api("/projects/#{project.id}/feature_flags_user_lists/#{list.iid}", developer)
@@ -171,7 +175,7 @@ RSpec.describe API::FeatureFlagsUserLists do
    end
    it 'returns forbidden if the feature is unavailable' do
-      stub_licensed_features(feature_flags: false)
+      disable_repository(project)
      post api("/projects/#{project.id}/feature_flags_user_lists", developer), params: {
        name: 'mylist', user_xids: 'user1'
@@ -254,7 +258,7 @@ RSpec.describe API::FeatureFlagsUserLists do
    it 'returns forbidden if the feature is unavailable' do
      list = create_list(name: 'original_name')
-      stub_licensed_features(feature_flags: false)
+      disable_repository(project)
      put api("/projects/#{project.id}/feature_flags_user_lists/#{list.iid}", developer), params: {
        name: 'mylist', user_xids: '456,789'
@@ -328,7 +332,7 @@ RSpec.describe API::FeatureFlagsUserLists do
    it 'returns forbidden if the feature is unavailable' do
      list = create_list
-      stub_licensed_features(feature_flags: false)
+      disable_repository(project)
      delete api("/projects/#{project.id}/feature_flags_user_lists/#{list.iid}", developer)

--- a/ee/spec/requests/api/unleash_spec.rb
+++ b/ee/spec/requests/api/unleash_spec.rb
@@ -5,16 +5,11 @@ require 'spec_helper'
 RSpec.describe API::Unleash do
  include FeatureFlagHelpers
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project, refind: true) { create(:project) }
  let(:project_id) { project.id }
-  let(:feature_enabled) { true }
  let(:params) { }
  let(:headers) { }
-  before do
-    stub_licensed_features(feature_flags: feature_enabled)
-  end
  shared_examples 'authenticated request' do
    context 'when using instance id' do
      let(:client) { create(:operations_feature_flags_client, project: project) }
@@ -27,7 +22,13 @@ RSpec.describe API::Unleash do
      end
      context 'when feature is not available' do
-        let(:feature_enabled) { false }
+        before do
+          project.project_feature.update!(
+            repository_access_level: ::ProjectFeature::DISABLED,
+            merge_requests_access_level: ::ProjectFeature::DISABLED,
+            builds_access_level: ::ProjectFeature::DISABLED
+          )
+        end
        it 'responds with forbidden' do
          subject

--- a/ee/spec/serializers/feature_flag_entity_spec.rb
+++ b/ee/spec/serializers/feature_flag_entity_spec.rb
@@ -11,8 +11,6 @@ RSpec.describe FeatureFlagEntity do
  before do
    project.add_developer(user)
-    stub_licensed_features(feature_flags: true)
  end
  subject { entity.as_json }

--- a/ee/spec/serializers/feature_flag_serializer_spec.rb
+++ b/ee/spec/serializers/feature_flag_serializer_spec.rb
@@ -9,7 +9,6 @@ RSpec.describe FeatureFlagSerializer do
  let(:feature_flags) { create_list(:operations_feature_flag, 3) }
  before do
-    stub_licensed_features(feature_flags: true)
    project.add_developer(user)
  end

--- a/ee/spec/serializers/feature_flag_summary_entity_spec.rb
+++ b/ee/spec/serializers/feature_flag_summary_entity_spec.rb
@@ -11,8 +11,6 @@ RSpec.describe FeatureFlagSummaryEntity do
  before do
    project.add_developer(user)
-    stub_licensed_features(feature_flags: true)
  end
  subject { entity.as_json }

--- a/ee/spec/serializers/feature_flag_summary_serializer_spec.rb
+++ b/ee/spec/serializers/feature_flag_summary_serializer_spec.rb
@@ -9,7 +9,6 @@ RSpec.describe FeatureFlagSummarySerializer do
  let!(:feature_flags) { create(:operations_feature_flag, project: project) }
  before do
-    stub_licensed_features(feature_flags: true)
    project.add_developer(user)
  end

--- a/ee/spec/serializers/feature_flags_client_serializer_spec.rb
+++ b/ee/spec/serializers/feature_flags_client_serializer_spec.rb
@@ -7,10 +7,6 @@ RSpec.describe FeatureFlagsClientSerializer do
  let(:feature_flags_client) { project.create_operations_feature_flags_client! }
  let(:serializer) { described_class.new }
-  before do
-    stub_licensed_features(feature_flags: true)
-  end
  describe '#represent_token' do
    subject { serializer.represent_token(feature_flags_client).to_json }

--- a/ee/spec/services/feature_flag_issues/destroy_service_spec.rb
+++ b/ee/spec/services/feature_flag_issues/destroy_service_spec.rb
@@ -13,7 +13,7 @@ RSpec.describe FeatureFlagIssues::DestroyService do
  end
  before do
-    stub_licensed_features(feature_flags: true)
+    stub_licensed_features(feature_flags_related_issues: true)
  end
  def setup

--- a/ee/spec/services/feature_flags/create_service_spec.rb
+++ b/ee/spec/services/feature_flags/create_service_spec.rb
@@ -9,7 +9,6 @@ RSpec.describe FeatureFlags::CreateService do
  let(:user) { developer }
  before do
-    stub_licensed_features(feature_flags: true)
    project.add_developer(developer)
    project.add_reporter(reporter)
  end

--- a/ee/spec/services/feature_flags/destroy_service_spec.rb
+++ b/ee/spec/services/feature_flags/destroy_service_spec.rb
@@ -12,7 +12,6 @@ RSpec.describe FeatureFlags::DestroyService do
  let!(:feature_flag) { create(:operations_feature_flag, project: project) }
  before do
-    stub_licensed_features(feature_flags: true)
    project.add_developer(developer)
    project.add_reporter(reporter)
  end

--- a/ee/spec/services/feature_flags/disable_service_spec.rb
+++ b/ee/spec/services/feature_flags/disable_service_spec.rb
@@ -11,7 +11,6 @@ RSpec.describe FeatureFlags::DisableService do
  let(:params) { {} }
  before do
-    stub_licensed_features(feature_flags: true)
    project.add_developer(user)
  end

--- a/ee/spec/services/feature_flags/enable_service_spec.rb
+++ b/ee/spec/services/feature_flags/enable_service_spec.rb
@@ -11,7 +11,6 @@ RSpec.describe FeatureFlags::EnableService do
  let(:params) { {} }
  before do
-    stub_licensed_features(feature_flags: true)
    project.add_developer(user)
  end

--- a/ee/spec/services/feature_flags/update_service_spec.rb
+++ b/ee/spec/services/feature_flags/update_service_spec.rb
@@ -10,7 +10,6 @@ RSpec.describe FeatureFlags::UpdateService do
  let(:feature_flag) { create(:operations_feature_flag, project: project, active: true) }
  before do
-    stub_licensed_features(feature_flags: true)
    project.add_developer(developer)
    project.add_reporter(reporter)
  end

--- a/ee/spec/views/layouts/nav/sidebar/_project.html.haml_spec.rb
+++ b/ee/spec/views/layouts/nav/sidebar/_project.html.haml_spec.rb
@@ -28,8 +28,6 @@ RSpec.describe 'layouts/nav/sidebar/_project' do
    let(:user) { create(:user) }
    before do
-      stub_licensed_features(feature_flags: true)
      project.project_feature.update!(builds_access_level: feature)
      project.team.add_developer(user)

--- a/spec/features/projects/navbar_spec.rb
+++ b/spec/features/projects/navbar_spec.rb
@@ -18,6 +18,14 @@ RSpec.describe 'Project navbar' do
    project.add_maintainer(user)
    sign_in(user)
+    if Gitlab.ee?
+      insert_after_sub_nav_item(
+        _('Kubernetes'),
+        within: _('Operations'),
+        new_sub_nav_item_name: _('Feature Flags')
+      )
+    end
  end
  it_behaves_like 'verified navigation bar' do

--- a/ee/spec/finders/feature_flags_finder_spec.rb
+++ b/ee/spec/finders/feature_flags_finder_spec.rb
@@ -15,8 +15,6 @@ RSpec.describe FeatureFlagsFinder do
  before do
    project.add_developer(developer)
    project.add_reporter(reporter)
-    stub_licensed_features(feature_flags: true)
  end
  describe '#execute' do

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -901,4 +901,44 @@ RSpec.describe ProjectPolicy do
      it { is_expected.to be_allowed(:read_package) }
    end
  end
+  describe 'read_feature_flag' do
+    subject { described_class.new(current_user, project) }
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+      context 'when repository is available' do
+        it { is_expected.to be_allowed(:read_feature_flag) }
+      end
+      context 'when repository is disabled' do
+        before do
+          project.project_feature.update!(
+            merge_requests_access_level: ProjectFeature::DISABLED,
+            builds_access_level: ProjectFeature::DISABLED,
+            repository_access_level: ProjectFeature::DISABLED
+          )
+        end
+        it { is_expected.to be_disallowed(:read_feature_flag) }
+      end
+    end
+    context 'with developer' do
+      let(:current_user) { developer }
+      context 'when repository is available' do
+        it { is_expected.to be_allowed(:read_feature_flag) }
+      end
+    end
+    context 'with reporter' do
+      let(:current_user) { reporter }
+      context 'when repository is available' do
+        it { is_expected.to be_disallowed(:read_feature_flag) }
+      end
+    end
+  end
 end