Allow auditor user to access project private features

Previously the auditor user was unable to access a project repository for public/internal projects with the repository visibility set to 'only project members'. This change allows the project policy to respect the :read_all_resources ability for admins and auditors to allow all private features to be accessible.

Allow auditor user to access project private features
Previously the auditor user was unable to access a project repository for public/internal projects with the repository visibility set to 'only project members'. This change allows the project policy to respect the :read_all_resources ability for admins and auditors to allow all private features to be accessible.
c465d977 · Drew Blessing · Drew Blessing · ae811a1f · c465d977 · c465d977
Commit c465d977 authored Jun 17, 2020 by Drew Blessing Committed by Drew Blessing Jul 07, 2020
4 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -650,7 +650,7 @@ class ProjectPolicy < BasePolicy
    when ProjectFeature::DISABLED
      false
    when ProjectFeature::PRIVATE
-      admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
+      can?(:read_all_resources) || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
    else
      true
    end

--- a/ee/changelogs/unreleased/dblessing-auditor-project-access.yml
+++ b/ee/changelogs/unreleased/dblessing-auditor-project-access.yml
+---
+title: Allow auditor user to access project private features
+merge_request: 34794
+author:
+type: fixed
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -98,6 +98,10 @@ RSpec.describe ProjectPolicy do
          is_expected.to be_allowed(*auditor_permissions)
        end
      end
+
+      it_behaves_like 'project private features with read_all_resources ability' do
+        let(:user) { current_user }
+      end
    end
  end


--- a/spec/support/shared_examples/policies/project_policy_shared_examples.rb
+++ b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
@@ -41,6 +41,28 @@ RSpec.shared_examples 'archived project policies' do
  end
 end

+RSpec.shared_examples 'project private features with read_all_resources ability' do
+  subject { described_class.new(user, project) }
+
+  before do
+    project.project_feature.update!(
+      repository_access_level: ProjectFeature::PRIVATE,
+      merge_requests_access_level: ProjectFeature::PRIVATE,
+      builds_access_level: ProjectFeature::PRIVATE
+    )
+  end
+
+  [:public, :internal, :private].each do |visibility|
+    context "for #{visibility} projects" do
+      let(:project) { create(:project, visibility, namespace: owner.namespace) }
+
+      it 'allows the download_code ability' do
+        expect_allowed(:download_code)
+      end
+    end
+  end
+end
+
 RSpec.shared_examples 'project policies as anonymous' do
  context 'abilities for public projects' do
    context 'when a project has pending invites' do
@@ -231,6 +253,12 @@ RSpec.shared_examples 'project policies as admin with admin mode' do
      let(:regular_abilities) { owner_permissions }
    end
  end
+
+  context 'abilities for all project visibility', :enable_admin_mode do
+    it_behaves_like 'project private features with read_all_resources ability' do
+      let(:user) { admin }
+    end
+  end
 end

 RSpec.shared_examples 'project policies as admin without admin mode' do