Merge branch '13247-licenses-permissions' into 'master'

Update permissions for Licenses and Licenses Controllers

See merge request gitlab-org/gitlab!21139

ee/app/controllers/projects/licenses_controller.rb

@@ -2,6 +2,10 @@
 
 module Projects
   class LicensesController < Projects::ApplicationController
-    before_action :authorize_read_licenses_list!
+    before_action :authorize_read_licenses!
+
+    before_action do
+      push_frontend_feature_flag(:licenses_list)
+    end
   end
 end

ee/app/controllers/projects/security/licenses_controller.rb

@@ -3,7 +3,7 @@
 module Projects
   module Security
     class LicensesController < Projects::ApplicationController
-      before_action :authorize_read_licenses_list!
+      before_action :authorize_read_licenses!, only: [:index]
       before_action :authorize_admin_software_license_policy!, only: [:create, :update]
 
       def index

ee/app/helpers/ee/projects_helper.rb

@@ -45,7 +45,7 @@ module EE
         nav_tabs << :dependencies
       end
 
-      if can?(current_user, :read_licenses_list, project)
+      if ::Feature.enabled?(:licenses_list, project) && can?(current_user, :read_licenses, project)
         nav_tabs << :licenses
       end
 

ee/app/models/license.rb

@@ -112,7 +112,6 @@ class License < ApplicationRecord
     group_ip_restriction
     incident_management
     insights
-    licenses_list
     license_management
     personal_access_token_expiration_policy
     pod_logs

ee/app/policies/ee/project_policy.rb

@@ -80,11 +80,6 @@ module EE
         @subject.feature_available?(:dependency_scanning)
       end
 
-      with_scope :subject
-      condition(:licenses_list_enabled) do
-        @subject.beta_feature_available?(:licenses_list)
-      end
-
       with_scope :subject
       condition(:feature_flags_disabled) do
         !@subject.feature_available?(:feature_flags)
@@ -175,11 +170,11 @@ module EE
 
       rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback
 
-      rule { license_management_enabled & can?(:read_project) }.enable :read_software_license_policy
-
       rule { dependency_scanning_enabled & can?(:download_code) }.enable :read_dependencies
 
-      rule { licenses_list_enabled & can?(:read_software_license_policy) }.enable :read_licenses_list
+      rule { license_management_enabled & can?(:download_code) }.enable :read_licenses
+
+      rule { can?(:read_licenses) }.enable :read_software_license_policy
 
       rule { repository_mirrors_enabled & ((mirror_available & can?(:admin_project)) | admin) }.enable :admin_mirror
 

ee/app/serializers/dependency_entity.rb

@@ -27,6 +27,6 @@ class DependencyEntity < Grape::Entity
   end
 
   def can_read_licenses?
-    can?(request.user, :read_software_license_policy, request.project)
+    can?(request.user, :read_licenses, request.project)
   end
 end

ee/spec/controllers/projects/licenses_controller_spec.rb

@@ -17,7 +17,7 @@ describe Projects::LicensesController do
 
       context 'when feature is available' do
         before do
-          stub_licensed_features(licenses_list: true, license_management: true)
+          stub_licensed_features(license_management: true)
         end
 
         it 'renders the show template' do
@@ -44,7 +44,7 @@ describe Projects::LicensesController do
 
       context 'when feature is available' do
         before do
-          stub_licensed_features(licenses_list: true, license_management: true)
+          stub_licensed_features(license_management: true)
         end
 
         it 'returns 404' do

ee/spec/controllers/projects/security/licenses_controller_spec.rb

@@ -15,12 +15,12 @@ describe Projects::Security::LicensesController do
 
     context 'with authorized user' do
       before do
-        project.add_guest(user)
+        project.add_reporter(user)
       end
 
       context 'when feature is available' do
         before do
-          stub_licensed_features(licenses_list: true, license_management: true)
+          stub_licensed_features(license_management: true)
         end
 
         it 'counts usage of the feature' do
@@ -139,7 +139,7 @@ describe Projects::Security::LicensesController do
 
     context 'with unauthorized user' do
       before do
-        stub_licensed_features(licenses_list: true, license_management: true)
+        stub_licensed_features(license_management: true)
 
         get_licenses
       end
@@ -168,7 +168,7 @@ describe Projects::Security::LicensesController do
       let(:current_user) { create(:user) }
 
       before do
-        stub_licensed_features(licenses_list: true, license_management: true)
+        stub_licensed_features(license_management: true)
         sign_in(current_user)
       end
 
@@ -286,7 +286,7 @@ describe Projects::Security::LicensesController do
       let(:current_user) { create(:user) }
 
       before do
-        stub_licensed_features(licenses_list: true, license_management: true)
+        stub_licensed_features(license_management: true)
         sign_in(current_user)
       end
 

ee/spec/models/sca/license_compliance_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe SCA::LicenseCompliance do
   let(:project) { create(:project, :repository, :private) }
 
   before do
-    stub_licensed_features(licenses_list: true, license_management: true)
+    stub_licensed_features(license_management: true)
   end
 
   describe "#policies" do

ee/spec/policies/project_policy_spec.rb

@@ -27,9 +27,11 @@ describe ProjectPolicy do
     include_context 'ProjectPolicy context'
 
     let(:additional_guest_permissions) do
-      %i[read_issue_link read_software_license_policy]
+      %i[read_issue_link]
+    end
+    let(:additional_reporter_permissions) do
+      %i[read_software_license_policy admin_issue_link]
     end
-    let(:additional_reporter_permissions) { [:admin_issue_link] }
     let(:additional_developer_permissions) do
       %i[
         admin_vulnerability_feedback read_project_security_dashboard read_feature_flag
@@ -717,7 +719,7 @@ describe ProjectPolicy do
     end
   end
 
-  describe 'read_license_management' do
+  describe 'read_software_license_policy' do
     context 'without license management feature available' do
       before do
         stub_licensed_features(license_management: false)
@@ -811,78 +813,55 @@ describe ProjectPolicy do
     end
   end
 
-  describe 'read_licenses_list' do
-    context 'when licenses list feature available' do
+  describe 'read_licenses' do
     context 'when license management feature available' do
-        before do
-          stub_feature_flags(licenses_list: true)
-          stub_licensed_features(license_management: true)
-        end
-
       context 'with public project' do
         let(:current_user) { create(:user) }
 
         context 'with public access to repository' do
-            it { is_expected.to be_allowed(:read_licenses_list) }
+          it { is_expected.to be_allowed(:read_licenses) }
         end
       end
 
       context 'with private project' do
         let(:project) { create(:project, :private, namespace: owner.namespace) }
 
-          where(role: %w[admin owner maintainer developer reporter guest])
+        where(role: %w[admin owner maintainer developer reporter])
 
         with_them do
           let(:current_user) { public_send(role) }
 
-            it { is_expected.to be_allowed(:read_licenses_list) }
+          it { is_expected.to be_allowed(:read_licenses) }
+        end
+
+        context 'with guest' do
+          let(:current_user) { guest }
+
+          it { is_expected.to be_disallowed(:read_licenses) }
         end
 
         context 'with not member' do
           let(:current_user) { create(:user) }
 
-            it { is_expected.to be_disallowed(:read_licenses_list) }
+          it { is_expected.to be_disallowed(:read_licenses) }
         end
 
         context 'with anonymous' do
           let(:current_user) { nil }
 
-            it { is_expected.to be_disallowed(:read_licenses_list) }
+          it { is_expected.to be_disallowed(:read_licenses) }
         end
       end
     end
 
-      context "when the licenses_list feature is enabled for a specific project" do
-        let(:current_user) { create(:user) }
-
-        before do
-          stub_feature_flags(licenses_list: { enabled: true, thing: project })
-          stub_licensed_features(license_management: true)
-        end
-
-        it { is_expected.to be_allowed(:read_licenses_list) }
-      end
-
     context 'when license management feature in not available' do
-        let(:current_user) { admin }
-
       before do
-          stub_feature_flags(licenses_list: true)
         stub_licensed_features(license_management: false)
       end
 
-        it { is_expected.to be_disallowed(:read_licenses_list) }
-      end
-    end
-
-    context 'when licenses list feature not available' do
       let(:current_user) { admin }
 
-      before do
-        stub_feature_flags(licenses_list: false)
-      end
-
-      it { is_expected.to be_disallowed(:read_licenses_list) }
+      it { is_expected.to be_disallowed(:read_licenses) }
     end
   end
 

spec/support/shared_examples/policies/project_policy_shared_examples.rb

@@ -4,7 +4,7 @@ RSpec.shared_examples 'archived project policies' do
   let(:feature_write_abilities) do
     described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
       described_class.create_update_admin_destroy(feature)
-    end + additional_reporter_permissions + additional_maintainer_permissions
+    end + additional_maintainer_permissions
   end
 
   let(:other_write_abilities) do
@@ -18,6 +18,7 @@ RSpec.shared_examples 'archived project policies' do
       resolve_note
       award_emoji
       admin_tag
+      admin_issue_link
     ]
   end