Add global and group policies for code analytics feature

- Globally, allow everyone to view feature
- Once a group is selected, to get analytics,  only
allow a user, with a minimum access level of
`reporter` to access the feature

ee/app/policies/ee/global_policy.rb

@@ -17,7 +17,10 @@ module EE
 
       rule { support_bot }.prevent :use_quick_actions
 
-      rule { ~anonymous }.enable :view_productivity_analytics
+      rule { ~anonymous }.policy do
+        enable :view_productivity_analytics
+        enable :view_code_analytics
+      end
     end
   end
 end

ee/app/policies/ee/group_policy.rb

@@ -49,6 +49,8 @@ module EE
         enable :admin_list
         enable :admin_board
         enable :read_prometheus
+        enable :view_code_analytics
+        enable :view_productivity_analytics
       end
 
       rule { maintainer }.policy do
@@ -131,8 +133,6 @@ module EE
       rule { ip_enforcement_prevents_access & ~owner }.policy do
         prevent :read_group
       end
-
-      rule { reporter }.enable :view_productivity_analytics
     end
 
     override :lookup_access_level!

ee/spec/policies/global_policy_spec.rb

@@ -32,15 +32,27 @@ describe GlobalPolicy do
   it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_licenses) }
   it { expect(described_class.new(create(:admin), [user])).to be_allowed(:destroy_licenses) }
 
-  describe 'view_productivity_analytics' do
-    context 'for anonymous' do
+  shared_examples 'analytics policy' do |action|
+    context 'anonymous user' do
       let(:current_user) { nil }
 
-      it { is_expected.not_to be_allowed(:view_productivity_analytics) }
+      it 'is not allowed' do
+        is_expected.not_to be_allowed(action)
+      end
     end
 
-    context 'for authenticated users' do
-      it { is_expected.to be_allowed(:view_productivity_analytics) }
+    context 'authenticated user' do
+      it 'is allowed' do
+        is_expected.to be_allowed(action)
+      end
     end
   end
+
+  describe 'view_code_analytics' do
+    include_examples 'analytics policy', :view_code_analytics
+  end
+
+  describe 'view_productivity_analytics' do
+    include_examples 'analytics policy', :view_productivity_analytics
+  end
 end

ee/spec/policies/group_policy_spec.rb

@@ -404,21 +404,35 @@ describe GroupPolicy do
     end
   end
 
-  describe 'view_productivity_analytics' do
-    %w[admin owner maintainer developer reporter].each do |role|
-      context "for #{role}" do
+  shared_examples 'analytics policy' do |action|
+    shared_examples 'policy by role' do |role|
+      context role do
         let(:current_user) { public_send(role) }
 
-        it { is_expected.to be_allowed(:view_productivity_analytics) }
+        it 'is allowed' do
+          is_expected.to be_allowed(action)
+        end
       end
     end
 
-    %w[guest].each do |role|
-      context "for #{role}" do
-        let(:current_user) { public_send(role) }
+    %w[admin owner maintainer developer reporter].each do |role|
+      include_examples 'policy by role', role
+    end
 
-        it { is_expected.to be_disallowed(:view_productivity_analytics) }
+    context 'guest' do
+      let(:current_user) { guest }
+
+      it 'is not allowed' do
+        is_expected.to be_disallowed(action)
       end
     end
   end
+
+  describe 'view_code_analytics' do
+    include_examples 'analytics policy', :view_code_analytics
+  end
+
+  describe 'view_productivity_analytics' do
+    include_examples 'analytics policy', :view_productivity_analytics
+  end
 end