Merge branch '13247-licenses-permissions' into 'master'

Update permissions for Licenses and Licenses Controllers See merge request gitlab-org/gitlab!21139

Merge branch '13247-licenses-permissions' into 'master'
Update permissions for Licenses and Licenses Controllers See merge request gitlab-org/gitlab!21139
bd7700b2 · Imre Farkas · d4a913dc · 44395fa1 · bd7700b2 · bd7700b2
Commit bd7700b2 authored Dec 12, 2019 by Imre Farkas
11 changed files
--- a/ee/app/controllers/projects/licenses_controller.rb
+++ b/ee/app/controllers/projects/licenses_controller.rb
@@ -2,6 +2,10 @@

 module Projects
  class LicensesController < Projects::ApplicationController
-    before_action :authorize_read_licenses_list!
+    before_action :authorize_read_licenses!
+
+    before_action do
+      push_frontend_feature_flag(:licenses_list)
+    end
  end
 end
--- a/ee/app/controllers/projects/security/licenses_controller.rb
+++ b/ee/app/controllers/projects/security/licenses_controller.rb
@@ -3,7 +3,7 @@
 module Projects
  module Security
    class LicensesController < Projects::ApplicationController
-      before_action :authorize_read_licenses_list!
+      before_action :authorize_read_licenses!, only: [:index]
      before_action :authorize_admin_software_license_policy!, only: [:create, :update]

      def index

--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -45,7 +45,7 @@ module EE
        nav_tabs << :dependencies
      end

-      if can?(current_user, :read_licenses_list, project)
+      if ::Feature.enabled?(:licenses_list, project) && can?(current_user, :read_licenses, project)
        nav_tabs << :licenses
      end


--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -112,7 +112,6 @@ class License < ApplicationRecord
    group_ip_restriction
    incident_management
    insights
-    licenses_list
    license_management
    personal_access_token_expiration_policy
    pod_logs

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -80,11 +80,6 @@ module EE
        @subject.feature_available?(:dependency_scanning)
      end

-      with_scope :subject
-      condition(:licenses_list_enabled) do
-        @subject.beta_feature_available?(:licenses_list)
-      end
-
      with_scope :subject
      condition(:feature_flags_disabled) do
        !@subject.feature_available?(:feature_flags)
@@ -175,11 +170,11 @@ module EE

      rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback

-      rule { license_management_enabled & can?(:read_project) }.enable :read_software_license_policy
-
      rule { dependency_scanning_enabled & can?(:download_code) }.enable :read_dependencies

-      rule { licenses_list_enabled & can?(:read_software_license_policy) }.enable :read_licenses_list
+      rule { license_management_enabled & can?(:download_code) }.enable :read_licenses
+
+      rule { can?(:read_licenses) }.enable :read_software_license_policy

      rule { repository_mirrors_enabled & ((mirror_available & can?(:admin_project)) | admin) }.enable :admin_mirror


--- a/ee/app/serializers/dependency_entity.rb
+++ b/ee/app/serializers/dependency_entity.rb
@@ -27,6 +27,6 @@ class DependencyEntity < Grape::Entity
  end

  def can_read_licenses?
-    can?(request.user, :read_software_license_policy, request.project)
+    can?(request.user, :read_licenses, request.project)
  end
 end
--- a/ee/spec/controllers/projects/licenses_controller_spec.rb
+++ b/ee/spec/controllers/projects/licenses_controller_spec.rb
@@ -17,7 +17,7 @@ describe Projects::LicensesController do

      context 'when feature is available' do
        before do
-          stub_licensed_features(licenses_list: true, license_management: true)
+          stub_licensed_features(license_management: true)
        end

        it 'renders the show template' do
@@ -44,7 +44,7 @@ describe Projects::LicensesController do

      context 'when feature is available' do
        before do
-          stub_licensed_features(licenses_list: true, license_management: true)
+          stub_licensed_features(license_management: true)
        end

        it 'returns 404' do

--- a/ee/spec/controllers/projects/security/licenses_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/licenses_controller_spec.rb
@@ -15,12 +15,12 @@ describe Projects::Security::LicensesController do

    context 'with authorized user' do
      before do
-        project.add_guest(user)
+        project.add_reporter(user)
      end

      context 'when feature is available' do
        before do
-          stub_licensed_features(licenses_list: true, license_management: true)
+          stub_licensed_features(license_management: true)
        end

        it 'counts usage of the feature' do
@@ -139,7 +139,7 @@ describe Projects::Security::LicensesController do

    context 'with unauthorized user' do
      before do
-        stub_licensed_features(licenses_list: true, license_management: true)
+        stub_licensed_features(license_management: true)

        get_licenses
      end
@@ -168,7 +168,7 @@ describe Projects::Security::LicensesController do
      let(:current_user) { create(:user) }

      before do
-        stub_licensed_features(licenses_list: true, license_management: true)
+        stub_licensed_features(license_management: true)
        sign_in(current_user)
      end

@@ -286,7 +286,7 @@ describe Projects::Security::LicensesController do
      let(:current_user) { create(:user) }

      before do
-        stub_licensed_features(licenses_list: true, license_management: true)
+        stub_licensed_features(license_management: true)
        sign_in(current_user)
      end


--- a/ee/spec/models/sca/license_compliance_spec.rb
+++ b/ee/spec/models/sca/license_compliance_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe SCA::LicenseCompliance do
  let(:project) { create(:project, :repository, :private) }

  before do
-    stub_licensed_features(licenses_list: true, license_management: true)
+    stub_licensed_features(license_management: true)
  end

  describe "#policies" do

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -27,9 +27,11 @@ describe ProjectPolicy do
    include_context 'ProjectPolicy context'

    let(:additional_guest_permissions) do
-      %i[read_issue_link read_software_license_policy]
+      %i[read_issue_link]
+    end
+    let(:additional_reporter_permissions) do
+      %i[read_software_license_policy admin_issue_link]
    end
-    let(:additional_reporter_permissions) { [:admin_issue_link] }
    let(:additional_developer_permissions) do
      %i[
        admin_vulnerability_feedback read_project_security_dashboard read_feature_flag
@@ -717,7 +719,7 @@ describe ProjectPolicy do
    end
  end

-  describe 'read_license_management' do
+  describe 'read_software_license_policy' do
    context 'without license management feature available' do
      before do
        stub_licensed_features(license_management: false)
@@ -811,78 +813,55 @@ describe ProjectPolicy do
    end
  end

-  describe 'read_licenses_list' do
-    context 'when licenses list feature available' do
-      context 'when license management feature available' do
-        before do
-          stub_feature_flags(licenses_list: true)
-          stub_licensed_features(license_management: true)
-        end
-
-        context 'with public project' do
-          let(:current_user) { create(:user) }
+  describe 'read_licenses' do
+    context 'when license management feature available' do
+      context 'with public project' do
+        let(:current_user) { create(:user) }

-          context 'with public access to repository' do
-            it { is_expected.to be_allowed(:read_licenses_list) }
-          end
+        context 'with public access to repository' do
+          it { is_expected.to be_allowed(:read_licenses) }
        end
+      end

-        context 'with private project' do
-          let(:project) { create(:project, :private, namespace: owner.namespace) }
-
-          where(role: %w[admin owner maintainer developer reporter guest])
-
-          with_them do
-            let(:current_user) { public_send(role) }
+      context 'with private project' do
+        let(:project) { create(:project, :private, namespace: owner.namespace) }

-            it { is_expected.to be_allowed(:read_licenses_list) }
-          end
+        where(role: %w[admin owner maintainer developer reporter])

-          context 'with not member' do
-            let(:current_user) { create(:user) }
+        with_them do
+          let(:current_user) { public_send(role) }

-            it { is_expected.to be_disallowed(:read_licenses_list) }
-          end
+          it { is_expected.to be_allowed(:read_licenses) }
+        end

-          context 'with anonymous' do
-            let(:current_user) { nil }
+        context 'with guest' do
+          let(:current_user) { guest }

-            it { is_expected.to be_disallowed(:read_licenses_list) }
-          end
+          it { is_expected.to be_disallowed(:read_licenses) }
        end
-      end

-      context "when the licenses_list feature is enabled for a specific project" do
-        let(:current_user) { create(:user) }
+        context 'with not member' do
+          let(:current_user) { create(:user) }

-        before do
-          stub_feature_flags(licenses_list: { enabled: true, thing: project })
-          stub_licensed_features(license_management: true)
+          it { is_expected.to be_disallowed(:read_licenses) }
        end

-        it { is_expected.to be_allowed(:read_licenses_list) }
-      end
-
-      context 'when license management feature in not available' do
-        let(:current_user) { admin }
+        context 'with anonymous' do
+          let(:current_user) { nil }

-        before do
-          stub_feature_flags(licenses_list: true)
-          stub_licensed_features(license_management: false)
+          it { is_expected.to be_disallowed(:read_licenses) }
        end
-
-        it { is_expected.to be_disallowed(:read_licenses_list) }
      end
    end

-    context 'when licenses list feature not available' do
-      let(:current_user) { admin }
-
+    context 'when license management feature in not available' do
      before do
-        stub_feature_flags(licenses_list: false)
+        stub_licensed_features(license_management: false)
      end

-      it { is_expected.to be_disallowed(:read_licenses_list) }
+      let(:current_user) { admin }
+
+      it { is_expected.to be_disallowed(:read_licenses) }
    end
  end


--- a/spec/support/shared_examples/policies/project_policy_shared_examples.rb
+++ b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
@@ -4,7 +4,7 @@ RSpec.shared_examples 'archived project policies' do
  let(:feature_write_abilities) do
    described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
      described_class.create_update_admin_destroy(feature)
-    end + additional_reporter_permissions + additional_maintainer_permissions
+    end + additional_maintainer_permissions
  end

  let(:other_write_abilities) do
@@ -18,6 +18,7 @@ RSpec.shared_examples 'archived project policies' do
      resolve_note
      award_emoji
      admin_tag
+      admin_issue_link
    ]
  end