Merge branch '262094-fix-group-repository-analytics' into 'master'

Disallow guest access for group repository analytics See merge request gitlab-org/gitlab!44721

Merge branch '262094-fix-group-repository-analytics' into 'master'
Disallow guest access for group repository analytics See merge request gitlab-org/gitlab!44721
dabad744 · James Lopez · 57cdcf33 · 0525692d · dabad744 · dabad744
Commit dabad744 authored Oct 19, 2020 by James Lopez
4 changed files
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -140,7 +140,7 @@ module EE
      rule { has_access & group_activity_analytics_available }
        .enable :read_group_activity_analytics

-      rule { has_access & group_repository_analytics_available }
+      rule { reporter & group_repository_analytics_available }
        .enable :read_group_repository_analytics

      rule { reporter & group_merge_request_analytics_available }

--- a/ee/changelogs/unreleased/262094-fix-group-repository-analytics.yml
+++ b/ee/changelogs/unreleased/262094-fix-group-repository-analytics.yml
+---
+title: Disallow guest access for group repository analytics
+merge_request: 44721
+author:
+type: fixed
--- a/ee/spec/controllers/groups/analytics/repository_analytics_controller_spec.rb
+++ b/ee/spec/controllers/groups/analytics/repository_analytics_controller_spec.rb
@@ -17,7 +17,7 @@ RSpec.describe Groups::Analytics::RepositoryAnalyticsController do
    subject { get :show, params: { group_id: group } }

    before do
-      group.add_guest(current_user)
+      group.add_reporter(current_user)
    end

    specify { is_expected.to have_gitlab_http_status(:success) }

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -199,17 +199,25 @@ RSpec.describe GroupPolicy do
  end

  context 'when group repository analytics is available' do
-    let(:current_user) { guest }
-
    before do
      stub_licensed_features(group_repository_analytics: true)
    end

-    it { is_expected.to be_allowed(:read_group_repository_analytics) }
+    context 'for guests' do
+      let(:current_user) { guest }
+
+      it { is_expected.not_to be_allowed(:read_group_repository_analytics) }
+    end
+
+    context 'for reporter+' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_allowed(:read_group_repository_analytics) }
+    end
  end

  context 'when group repository analytics is not available' do
-    let(:current_user) { guest }
+    let(:current_user) { admin }

    before do
      stub_licensed_features(group_repository_analytics: false)