Commit ccb74300 authored by Aakriti Gupta's avatar Aakriti Gupta Committed by Peter Leitzen

Add global and group policies for code analytics feature

- Globally, allow everyone to view feature
- Once a group is selected to get analytics, only
allow users with a minimum access level of
`reporter` to access the feature
parent 1b300fa3
......@@ -17,7 +17,10 @@ module EE
rule { support_bot }.prevent :use_quick_actions
rule { ~anonymous }.enable :view_productivity_analytics
rule { ~anonymous }.policy do
enable :view_productivity_analytics
enable :view_code_analytics
end
end
end
end
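Review bot: The `rule { ~anonymous }.policy do` block grants `:view_code_analytics` to every signed-in user, so this global ability can only gate the analytics entry point and must not be the check that protects a group's data. A comment on the block would make that boundary explicit, for example `# Global ability gates the landing page only; per-group data is authorized by the same ability on the group policy.` The enclosing module starts outside the hunk, so it cannot be seen here whether other rules in this policy later prevent these abilities for restricted account types.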
......@@ -49,6 +49,8 @@ module EE
enable :admin_list
enable :admin_board
enable :read_prometheus
enable :view_code_analytics
enable :view_productivity_analytics
end
rule { maintainer }.policy do
......@@ -131,8 +133,6 @@ module EE
rule { ip_enforcement_prevents_access & ~owner }.policy do
prevent :read_group
end
rule { reporter }.enable :view_productivity_analytics
end
override :lookup_access_level!
......
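Review bot: The two abilities enabled just before `rule { maintainer }.policy do` are not covered by the `ip_enforcement_prevents_access & ~owner` rule in the following hunk, which only does `prevent :read_group`. If any analytics endpoint authorizes on `:view_code_analytics` or `:view_productivity_analytics` alone, a reporter connecting from outside the allowed range would presumably still pass; that depends on controller code not visible here. Consider adding `prevent :view_code_analytics` and `prevent :view_productivity_analytics` to that block, or a comment stating that every analytics endpoint must also check `:read_group`. The rule that encloses the new `enable` lines opens outside the hunk, so confirm its condition is `reporter` as the commit message states.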
......@@ -32,15 +32,27 @@ describe GlobalPolicy do
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_licenses) }
it { expect(described_class.new(create(:admin), [user])).to be_allowed(:destroy_licenses) }
describe 'view_productivity_analytics' do
context 'for anonymous' do
shared_examples 'analytics policy' do |action|
context 'anonymous user' do
let(:current_user) { nil }
it { is_expected.not_to be_allowed(:view_productivity_analytics) }
it 'is not allowed' do
is_expected.not_to be_allowed(action)
end
end
context 'for authenticated users' do
it { is_expected.to be_allowed(:view_productivity_analytics) }
context 'authenticated user' do
it 'is allowed' do
is_expected.to be_allowed(action)
end
end
end
describe 'view_code_analytics' do
include_examples 'analytics policy', :view_code_analytics
end
describe 'view_productivity_analytics' do
include_examples 'analytics policy', :view_productivity_analytics
end
end
......@@ -404,21 +404,35 @@ describe GroupPolicy do
end
end
describe 'view_productivity_analytics' do
%w[admin owner maintainer developer reporter].each do |role|
context "for #{role}" do
shared_examples 'analytics policy' do |action|
shared_examples 'policy by role' do |role|
context role do
let(:current_user) { public_send(role) }
it { is_expected.to be_allowed(:view_productivity_analytics) }
it 'is allowed' do
is_expected.to be_allowed(action)
end
end
end
%w[guest].each do |role|
context "for #{role}" do
let(:current_user) { public_send(role) }
%w[admin owner maintainer developer reporter].each do |role|
include_examples 'policy by role', role
end
it { is_expected.to be_disallowed(:view_productivity_analytics) }
context 'guest' do
let(:current_user) { guest }
it 'is not allowed' do
is_expected.to be_disallowed(action)
end
end
end
describe 'view_code_analytics' do
include_examples 'analytics policy', :view_code_analytics
end
describe 'view_productivity_analytics' do
include_examples 'analytics policy', :view_productivity_analytics
end
end
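Review bot: The shared 'analytics policy' examples exercise members from admin down to guest, but no user without any membership and no `nil` current user. A regression that exposed group analytics on a public group to outsiders would therefore go unnoticed. Adding a `context 'non-member'` with `let(:current_user) { create(:user) }` and `is_expected.to be_disallowed(action)`, plus the same expectation with `let(:current_user) { nil }`, would pin the lower bound the commit message describes. The group fixture and its visibility are defined outside the hunk, so check that the group used makes these cases meaningful.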