Lower access lvl to view pod logs to developer

To make log explorer more usable we should lower access level restrictions to it from maintainer to developer.

Lower access lvl to view pod logs to developer
To make log explorer more usable we should lower access level restrictions to it from maintainer to developer.
7f366ac0 · Mikołaj Wawrzyniak · Michael Kozono · 1d4e3c82 · 7f366ac0 · 7f366ac0
Commit 7f366ac0 authored Aug 04, 2020 by Mikołaj Wawrzyniak Committed by Michael Kozono Aug 04, 2020
7 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -328,6 +328,7 @@ class ProjectPolicy < BasePolicy
    enable :move_design
    enable :destroy_design
    enable :read_terraform_state
+    enable :read_pod_logs
  end
  rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -367,7 +368,6 @@ class ProjectPolicy < BasePolicy
    enable :admin_operations
    enable :read_deploy_token
    enable :create_deploy_token
-    enable :read_pod_logs
    enable :destroy_deploy_token
    enable :read_prometheus_alerts
    enable :admin_terraform_state

--- a/changelogs/unreleased/mwaw-218861-enable-read-pod-logs-to-developer-access-lvl.yml
+++ b/changelogs/unreleased/mwaw-218861-enable-read-pod-logs-to-developer-access-lvl.yml
+---
+title: Allow users with developer access level for given project to view kubernetes
+  pod logs
+merge_request: 38467
+author:
+type: changed
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -142,7 +142,7 @@ The following table depicts the various user permission levels in a project.
 | Remove GitLab Pages                               |         |            |             | ✓        | ✓      |
 | Manage clusters                                   |         |            |             | ✓        | ✓      |
 | Manage Project Operations                         |         |            |             | ✓        | ✓      |
-| View Pods logs                                    |         |            |             | ✓        | ✓      |
+| View Pods logs                                    |         |            | ✓           | ✓        | ✓      |
 | Read Terraform state                              |         |            | ✓           | ✓        | ✓      |
 | Manage Terraform state                            |         |            |             | ✓        | ✓      |
 | Manage license policy **(ULTIMATE)**              |         |            |             | ✓        | ✓      |

--- a/ee/spec/serializers/clusters/environment_entity_spec.rb
+++ b/ee/spec/serializers/clusters/environment_entity_spec.rb
@@ -62,6 +62,16 @@ RSpec.describe Clusters::EnvironmentEntity do
        group.add_developer(user)
      end
+      it 'exposes logs_path' do
+        expect(subject).to include(:logs_path)
+      end
+    end
+    context 'with reporter access' do
+      before do
+        group.add_reporter(user)
+      end
      it 'does not expose logs_path' do
        expect(subject).not_to include(:logs_path)
      end

--- a/spec/controllers/projects/logs_controller_spec.rb
+++ b/spec/controllers/projects/logs_controller_spec.rb
@@ -22,8 +22,8 @@ RSpec.describe Projects::LogsController do
  describe 'GET #index' do
    let(:empty_project) { create(:project) }
-    it 'returns 404 with developer access' do
+    it 'returns 404 with reporter access' do
-      project.add_developer(user)
+      project.add_reporter(user)
      get :index, params: environment_params
@@ -31,7 +31,7 @@ RSpec.describe Projects::LogsController do
    end
    it 'renders empty logs page if no environment exists' do
-      empty_project.add_maintainer(user)
+      empty_project.add_developer(user)
      get :index, params: { namespace_id: empty_project.namespace, project_id: empty_project }
@@ -40,7 +40,7 @@ RSpec.describe Projects::LogsController do
    end
    it 'renders index template' do
-      project.add_maintainer(user)
+      project.add_developer(user)
      get :index, params: environment_params
@@ -69,14 +69,27 @@ RSpec.describe Projects::LogsController do
      end
    end
-    it 'returns 404 with developer access' do
+    it 'returns 404 with reporter access' do
-      project.add_developer(user)
+      project.add_reporter(user)
      get endpoint, params: environment_params(pod_name: pod_name, format: :json)
      expect(response).to have_gitlab_http_status(:not_found)
    end
+    context 'with developer access' do
+      before do
+        project.add_developer(user)
+      end
+      it 'returns the service result' do
+        get endpoint, params: environment_params(pod_name: pod_name, format: :json)
+        expect(response).to have_gitlab_http_status(:success)
+        expect(json_response).to eq(service_result_json)
+      end
+    end
    context 'with maintainer access' do
      before do
        project.add_maintainer(user)

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -46,7 +46,7 @@ RSpec.describe ProjectPolicy do
      resolve_note create_container_image update_container_image destroy_container_image daily_statistics
      create_environment update_environment create_deployment update_deployment create_release update_release
      create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation
-      read_terraform_state
+      read_terraform_state read_pod_logs
    ]
  end

--- a/spec/serializers/environment_entity_spec.rb
+++ b/spec/serializers/environment_entity_spec.rb
@@ -83,9 +83,9 @@ RSpec.describe EnvironmentEntity do
  end
  context 'pod_logs' do
-    context 'with developer access' do
+    context 'with reporter access' do
      before do
-        project.add_developer(user)
+        project.add_reporter(user)
      end
      it 'does not expose logs keys' do
@@ -95,9 +95,9 @@ RSpec.describe EnvironmentEntity do
      end
    end
-    context 'with maintainer access' do
+    context 'with developer access' do
      before do
-        project.add_maintainer(user)
+        project.add_developer(user)
      end
      it 'exposes logs keys' do