Merge branch 'chore/disable-admin-mode-in-services' into 'master'

[RUN AS-IF-FOSS] Migrate services specs to consider admin mode

See merge request gitlab-org/gitlab!45988

app/models/project.rb

@@ -602,7 +602,7 @@ class Project < ApplicationRecord
   # Returns a collection of projects that is either public or visible to the
   # logged in user.
   def self.public_or_visible_to_user(user = nil, min_access_level = nil)
-    min_access_level = nil if user&.admin?
+    min_access_level = nil if user&.can_read_all_resources?
 
     return public_to_user unless user
 
@@ -628,7 +628,7 @@ class Project < ApplicationRecord
   def self.with_feature_available_for_user(feature, user)
     visible = [ProjectFeature::ENABLED, ProjectFeature::PUBLIC]
 
-    if user&.admin?
+    if user&.can_read_all_resources?
       with_feature_enabled(feature)
     elsif user
       min_access_level = ProjectFeature.required_minimum_access_level(feature)

app/policies/concerns/policy_actor.rb

@@ -72,6 +72,10 @@ module PolicyActor
   def try_obtain_ldap_lease
     nil
   end
+
+  def can_read_all_resources?
+    false
+  end
 end
 
 PolicyActor.prepend_if_ee('EE::PolicyActor')

changelogs/unreleased/chore-disable-admin-mode-in-services.yml

+---
+title: Migrate services specs to consider admin mode
+merge_request: 45988
+author: Diego Louzán
+type: other

ee/spec/services/ci/compare_security_reports_service_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Ci::CompareSecurityReportsService do
   let_it_be(:project) { create(:project, :repository) }
-  let(:current_user) { build(:user, :admin) }
+  let(:current_user) { project.owner }
 
   def collect_ids(collection)
     collection.map { |t| t['identifiers'].first['external_id'] }

ee/spec/services/ci/create_pipeline_service/cross_needs_artifacts_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe Ci::CreatePipelineService do
   subject(:execute) { service.execute(:push) }
 
   let_it_be(:project) { create(:project, :repository) }
-  let_it_be(:user) { create(:admin) }
+  let_it_be(:user) { project.owner }
 
   let(:service) do
     described_class.new(project, user, { ref: 'refs/heads/master' })
@@ -64,6 +64,10 @@ RSpec.describe Ci::CreatePipelineService do
   end
 
   shared_examples 'mixed artifacts definitions' do
+    before do
+      other_project.add_developer(user)
+    end
+
     let(:other_project) { create(:project, :repository) }
 
     let(:other_pipeline) do

ee/spec/services/ci/create_pipeline_service/needs_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe Ci::CreatePipelineService do
 
   let_it_be(:downstream_project) { create(:project, name: 'project', namespace: create(:namespace, name: 'some')) }
   let(:project) { create(:project, :repository) }
-  let(:user) { create(:admin) }
+  let(:user) { project.owner }
   let(:service) { described_class.new(project, user, { ref: 'refs/heads/master' }) }
 
   let(:config) do
@@ -25,6 +25,7 @@ RSpec.describe Ci::CreatePipelineService do
   end
 
   before do
+    downstream_project.add_developer(user)
     stub_ci_pipeline_yaml_file(config)
   end
 

ee/spec/services/ee/users/destroy_service_spec.rb

@@ -12,6 +12,13 @@ RSpec.describe Users::DestroyService do
 
     subject(:operation) { service.execute(user) }
 
+    context 'when admin mode is disabled' do
+      it 'raises access denied' do
+        expect { operation }.to raise_error(::Gitlab::Access::AccessDeniedError)
+      end
+    end
+
+    context 'when admin mode is enabled', :enable_admin_mode do
       it 'returns result' do
         allow(user).to receive(:destroy).and_return(user)
 
@@ -59,4 +66,5 @@ RSpec.describe Users::DestroyService do
         end
       end
     end
+  end
 end

ee/spec/services/ee/users/update_service_spec.rb

@@ -10,13 +10,22 @@ RSpec.describe Users::UpdateService do
 
       shared_examples_for 'a user can update the name' do
         it 'updates the name' do
-          result = described_class.new(current_user, { user: user, name: 'New Name' }).execute!
+          result = update_user_as(current_user, user, { user: user, name: 'New Name' })
 
           expect(result).to be_truthy
           expect(user.name).to eq('New Name')
         end
       end
 
+      shared_examples_for 'a user cannot update the name' do
+        it 'does not update the name' do
+          result = update_user_as(current_user, user, { name: 'New Name' })
+
+          expect(result).to be_truthy
+          expect(user.name).not_to eq('New Name')
+        end
+      end
+
       context 'when `disable_name_update_for_users` feature is available' do
         before do
           stub_licensed_features(disable_name_update_for_users: true)
@@ -31,10 +40,12 @@ RSpec.describe Users::UpdateService do
             let(:current_user) { user }
           end
 
+          context 'when admin mode is enabled', :enable_admin_mode do
             it_behaves_like 'a user can update the name' do
               let(:current_user) { admin }
             end
           end
+        end
 
         context 'when the ability to update their name is disabled for users' do
           before do
@@ -42,18 +53,23 @@ RSpec.describe Users::UpdateService do
           end
 
           context 'as a regular user' do
-            it 'does not update the name' do
-              result = update_user(user, name: 'New Name')
-
-              expect(result).to be_truthy
-              expect(user.name).not_to eq('New Name')
+            it_behaves_like 'a user cannot update the name' do
+              let(:current_user) { user }
             end
           end
 
+          context 'when admin mode is enabled', :enable_admin_mode do
             it_behaves_like 'a user can update the name' do
               let(:current_user) { admin }
             end
           end
+
+          context 'when admin mode is disabled' do
+            it_behaves_like 'a user cannot update the name' do
+              let(:current_user) { admin }
+            end
+          end
+        end
       end
 
       context 'when `disable_name_update_for_users` feature is not available' do
@@ -65,10 +81,18 @@ RSpec.describe Users::UpdateService do
           let(:current_user) { user }
         end
 
+        context 'when admin mode is enabled', :enable_admin_mode do
           it_behaves_like 'a user can update the name' do
             let(:current_user) { admin }
           end
         end
+
+        context 'when admin mode is disabled' do
+          it_behaves_like 'a user cannot update the name' do
+            let(:current_user) { admin }
+          end
+        end
+      end
     end
 
     context 'audit events' do
@@ -84,7 +108,7 @@ RSpec.describe Users::UpdateService do
             expected_message = "Changed username from #{previous_username} to #{new_username}"
 
             expect do
-              update_user(user, username: new_username)
+              update_user_as_self(user, username: new_username)
             end.to change { AuditEvent.count }.by(1)
 
             expect(AuditEvent.last.present.action).to eq(expected_message)
@@ -97,7 +121,7 @@ RSpec.describe Users::UpdateService do
       allow(user).to receive(:group_managed_account?).and_return(true)
 
       expect do
-        update_user(user, { email: 'foreign@email' })
+        update_user_as_self(user, { email: 'foreign@email' })
       end.not_to change { user.reload.email }
     end
 
@@ -105,7 +129,7 @@ RSpec.describe Users::UpdateService do
       allow(user).to receive(:group_managed_account?).and_return(true)
 
       expect do
-        update_user(user, { commit_email: 'foreign@email' })
+        update_user_as_self(user, { commit_email: 'foreign@email' })
       end.not_to change { user.reload.commit_email }
     end
 
@@ -113,7 +137,7 @@ RSpec.describe Users::UpdateService do
       allow(user).to receive(:group_managed_account?).and_return(true)
 
       expect do
-        update_user(user, { public_email: 'foreign@email' })
+        update_user_as_self(user, { public_email: 'foreign@email' })
       end.not_to change { user.reload.public_email }
     end
 
@@ -121,7 +145,7 @@ RSpec.describe Users::UpdateService do
       allow(user).to receive(:group_managed_account?).and_return(true)
 
       expect do
-        update_user(user, { notification_email: 'foreign@email' })
+        update_user_as_self(user, { notification_email: 'foreign@email' })
       end.not_to change { user.reload.notification_email }
     end
 
@@ -142,7 +166,7 @@ RSpec.describe Users::UpdateService do
           end
 
           it 'adds identity to user' do
-            result = update_user(user, params)
+            result = update_user_as_self(user, params)
 
             expect(result).to be true
             expect(user.identities.last.saml_provider_id).to eq(provider.id)
@@ -152,8 +176,8 @@ RSpec.describe Users::UpdateService do
 
           it 'adds two different identities to user' do
             second_provider = create(:saml_provider)
-            result_one = update_user(user, { extern_uid: 'uid', provider: 'group_saml', saml_provider_id: provider.id })
-            result_two = update_user(user, { extern_uid: 'uid2', provider: 'group_saml', group_id_for_saml: second_provider.group.id } )
+            result_one = update_user_as_self(user, { extern_uid: 'uid', provider: 'group_saml', saml_provider_id: provider.id })
+            result_two = update_user_as_self(user, { extern_uid: 'uid2', provider: 'group_saml', group_id_for_saml: second_provider.group.id } )
 
             expect(result_one).to be true
             expect(result_two).to be true
@@ -165,8 +189,12 @@ RSpec.describe Users::UpdateService do
       end
     end
 
-    def update_user(user, opts)
-      described_class.new(user, opts.merge(user: user)).execute!
+    def update_user_as(current_user, user, opts)
+      described_class.new(current_user, opts.merge(user: user)).execute!
+    end
+
+    def update_user_as_self(user, opts)
+      update_user_as(user, user, opts)
     end
   end
 end

ee/spec/services/licenses/destroy_service_spec.rb

@@ -10,11 +10,19 @@ RSpec.describe Licenses::DestroyService do
     described_class.new(license, user).execute
   end
 
+  context 'when admin mode is enabled', :enable_admin_mode do
     it 'destroys a license' do
       destroy_with(user)
 
       expect(License.where(id: license.id)).not_to exist
     end
+  end
+
+  context 'when admin mode is disabled' do
+    it 'raises not allowed error' do
+      expect { destroy_with(user) }.to raise_error(::Gitlab::Access::AccessDeniedError)
+    end
+  end
 
   it 'raises an error if license is nil' do
     expect { described_class.new(nil, user).execute }.to raise_error ActiveRecord::RecordNotFound

ee/spec/services/search/global_service_spec.rb

@@ -29,12 +29,13 @@ RSpec.describe Search::GlobalService do
       let!(:merge_request) { create :merge_request, target_project: project, source_project: project }
       let!(:note) { create :note, project: project, noteable: merge_request }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_reporter_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           update_feature_access_level(project, feature_access_level)
           ensure_elasticsearch_index!
 
@@ -53,12 +54,13 @@ RSpec.describe Search::GlobalService do
       let!(:project) { create(:project, project_level, :repository, namespace: group ) }
       let!(:note) { create :note_on_commit, project: project }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access_and_non_private_project_only
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           update_feature_access_level(project, feature_access_level)
           ElasticCommitIndexerWorker.new.perform(project.id)
           ensure_elasticsearch_index!
@@ -85,12 +87,13 @@ RSpec.describe Search::GlobalService do
         let!(:issue) { create :issue, project: project }
         let!(:note) { create :note, project: project, noteable: issue }
 
-        where(:project_level, :feature_access_level, :membership, :expected_count) do
+        where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
           permission_table_for_guest_feature_access
         end
 
         with_them do
           it "respects visibility" do
+            enable_admin_mode!(user) if admin_mode
             update_feature_access_level(project, feature_access_level)
             ensure_elasticsearch_index!
 
@@ -143,12 +146,13 @@ RSpec.describe Search::GlobalService do
     context 'wiki' do
       let!(:project) { create(:project, project_level, :wiki_repo) }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           project.wiki.create_page('test.md', '# term')
           project.wiki.index_wiki_blobs
           update_feature_access_level(project, feature_access_level)
@@ -164,12 +168,13 @@ RSpec.describe Search::GlobalService do
     context 'milestone' do
       let!(:milestone) { create :milestone, project: project }
 
-      where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :expected_count) do
+      where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_milestone_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           project.update!(
             'issues_access_level' => issues_access_level,
             'merge_requests_access_level' => merge_requests_access_level
@@ -261,11 +266,19 @@ RSpec.describe Search::GlobalService do
     context 'when the user is an admin' do
       let(:user) { admin }
 
+      context 'when admin mode is enabled', :enable_admin_mode do
         it 'returns :any' do
           expect(elastic_projects).to eq(:any)
         end
       end
 
+      context 'when admin mode is disabled' do
+        it 'returns empty array' do
+          expect(elastic_projects).to eq([])
+        end
+      end
+    end
+
     context 'when the user is not an admin' do
       let(:user) { non_admin_user }
 

ee/spec/services/search/group_service_spec.rb

@@ -81,12 +81,13 @@ RSpec.describe Search::GroupService, :elastic do
       let!(:note) { create :note, project: project, noteable: merge_request }
       let!(:note2) { create :note, project: project2, noteable: merge_request2, note: note.note }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_reporter_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           [project, project2].each do |project|
             update_feature_access_level(project, feature_access_level)
           end
@@ -107,12 +108,13 @@ RSpec.describe Search::GroupService, :elastic do
       let!(:project) { create(:project, project_level, :repository, namespace: group ) }
       let!(:note) { create :note_on_commit, project: project }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access_and_non_private_project_only
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           [project, project2].each do |project|
             update_feature_access_level(project, feature_access_level)
             ElasticCommitIndexerWorker.new.perform(project.id)
@@ -141,12 +143,13 @@ RSpec.describe Search::GroupService, :elastic do
       let!(:note) { create :note, project: project, noteable: issue }
       let!(:note2) { create :note, project: project2, noteable: issue2, note: note.note }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           [project, project2].each do |project|
             update_feature_access_level(project, feature_access_level)
           end
@@ -166,12 +169,13 @@ RSpec.describe Search::GroupService, :elastic do
     context 'wiki' do
       let!(:project) { create(:project, project_level, :wiki_repo) }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           project.wiki.create_page('test.md', '# term')
           project.wiki.index_wiki_blobs
           update_feature_access_level(project, feature_access_level)
@@ -187,12 +191,13 @@ RSpec.describe Search::GroupService, :elastic do
     context 'milestone' do
       let!(:milestone) { create :milestone, project: project }
 
-      where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :expected_count) do
+      where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_milestone_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           project.update!(
             'issues_access_level' => issues_access_level,
             'merge_requests_access_level' => merge_requests_access_level

ee/spec/services/search/project_service_spec.rb

@@ -48,12 +48,13 @@ RSpec.describe Search::ProjectService do
       let!(:note) { create :note, project: project, noteable: merge_request }
       let!(:note2) { create :note, project: project2, noteable: merge_request2, note: note.note }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_reporter_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           [project, project2].each do |project|
             update_feature_access_level(project, feature_access_level)
           end
@@ -76,12 +77,13 @@ RSpec.describe Search::ProjectService do
       let!(:note) { create :note_on_commit, project: project }
       let!(:note2) { create :note_on_commit, project: project2, note: note.note }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access_and_non_private_project_only
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           [project, project2].each do |project|
             update_feature_access_level(project, feature_access_level)
             ElasticCommitIndexerWorker.new.perform(project.id)
@@ -109,12 +111,13 @@ RSpec.describe Search::ProjectService do
       let!(:note) { create :note, project: project, noteable: issue }
       let!(:note2) { create :note, project: project2, noteable: issue2, note: note.note }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           [project, project2].each do |project|
             update_feature_access_level(project, feature_access_level)
           end
@@ -134,12 +137,13 @@ RSpec.describe Search::ProjectService do
     context 'wiki' do
       let!(:project) { create(:project, project_level, :wiki_repo) }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           project.wiki.create_page('test.md', '# term')
           project.wiki.index_wiki_blobs
           update_feature_access_level(project, feature_access_level)
@@ -155,12 +159,13 @@ RSpec.describe Search::ProjectService do
     context 'milestone' do
       let!(:milestone) { create :milestone, project: project }
 
-      where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :expected_count) do
+      where(:project_level, :issues_access_level, :merge_requests_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_milestone_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           project.update!(
             'issues_access_level' => issues_access_level,
             'merge_requests_access_level' => merge_requests_access_level

ee/spec/services/search/snippet_service_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe Search::SnippetService do
   include SearchResultHelpers
   include ProjectHelpers
+  include AdminModeHelper
   using RSpec::Parameterized::TableSyntax
 
   it_behaves_like 'EE search service shared examples', ::Gitlab::SnippetSearchResults, ::Gitlab::Elastic::SnippetSearchResults do
@@ -32,11 +33,20 @@ RSpec.describe Search::SnippetService do
 
       context 'project snippet' do
         let(:pendings) do
+          # TODO: Ignore some spec cases, non-members regular users or non-member admins without admin mode should see snippets if:
+          #   - feature access level is enabled, and
+          #   - project access level is public or internal, and
+          #   - snippet access level is equal or more open than the project access level
+          # See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45988#note_436009204
           [
-            { snippet_level: :public, project_level: :public, feature_access_level: :enabled, membership: :non_member, expected_count: 1 },
-            { snippet_level: :public, project_level: :internal, feature_access_level: :enabled, membership: :non_member, expected_count: 1 },
-            { snippet_level: :internal, project_level: :public, feature_access_level: :enabled, membership: :non_member, expected_count: 1 },
-            { snippet_level: :internal, project_level: :internal, feature_access_level: :enabled, membership: :non_member, expected_count: 1 }
+            { snippet_level: :public, project_level: :public, feature_access_level: :enabled, membership: :admin, admin_mode: false, expected_count: 1 },
+            { snippet_level: :public, project_level: :internal, feature_access_level: :enabled, membership: :admin, admin_mode: false, expected_count: 1 },
+            { snippet_level: :internal, project_level: :public, feature_access_level: :enabled, membership: :admin, admin_mode: false, expected_count: 1 },
+            { snippet_level: :internal, project_level: :internal, feature_access_level: :enabled, membership: :admin, admin_mode: false, expected_count: 1 },
+            { snippet_level: :public, project_level: :public, feature_access_level: :enabled, membership: :non_member, admin_mode: nil, expected_count: 1 },
+            { snippet_level: :public, project_level: :internal, feature_access_level: :enabled, membership: :non_member, admin_mode: nil, expected_count: 1 },
+            { snippet_level: :internal, project_level: :public, feature_access_level: :enabled, membership: :non_member, admin_mode: nil, expected_count: 1 },
+            { snippet_level: :internal, project_level: :internal, feature_access_level: :enabled, membership: :non_member, admin_mode: nil, expected_count: 1 }
           ]
         end
 
@@ -47,6 +57,7 @@ RSpec.describe Search::SnippetService do
               project_level: project_level,
               feature_access_level: feature_access_level,
               membership: membership,
+              admin_mode: admin_mode,
               expected_count: expected_count
             }
           )
@@ -62,7 +73,7 @@ RSpec.describe Search::SnippetService do
 
         let_it_be(:snippet) { create(:project_snippet, :public, project: project, author: snippet_author, title: 'foobar') }
 
-        where(:snippet_level, :project_level, :feature_access_level, :membership, :expected_count) do
+        where(:snippet_level, :project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
           permission_table_for_project_snippet_access
         end
 
@@ -75,6 +86,7 @@ RSpec.describe Search::SnippetService do
             expected_objects = expected_count == 0 ? [] : [snippet]
 
             search_user = user_from_membership(membership)
+            enable_admin_mode!(search_user) if admin_mode
 
             expect_search_results(search_user, 'snippet_titles', expected_objects: expected_objects, pending: pending?) do |user|
               described_class.new(user, search: snippet.title).execute
@@ -98,7 +110,7 @@ RSpec.describe Search::SnippetService do
 
         let(:snippet) { snippets[snippet_level] }
 
-        where(:snippet_level, :membership, :expected_count) do
+        where(:snippet_level, :membership, :admin_mode, :expected_count) do
           permission_table_for_personal_snippet_access
         end
 
@@ -111,6 +123,7 @@ RSpec.describe Search::SnippetService do
             expected_objects = expected_count == 0 ? [] : [snippet]
 
             search_user = user_from_membership(membership)
+            enable_admin_mode!(search_user) if admin_mode
 
             expect_search_results(search_user, 'snippet_titles', expected_objects: expected_objects) do |user|
               described_class.new(user, search: snippet.title).execute

ee/spec/services/vulnerabilities/confirm_service_spec.rb

@@ -51,7 +51,12 @@ RSpec.describe Vulnerabilities::ConfirmService do
   end
 
   describe 'permissions' do
+    context 'when admin mode is enabled', :enable_admin_mode do
       it { expect { confirm_vulnerability }.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { expect { confirm_vulnerability }.to be_denied_for(:admin) }
+    end
     it { expect { confirm_vulnerability }.to be_allowed_for(:owner).of(project) }
     it { expect { confirm_vulnerability }.to be_allowed_for(:maintainer).of(project) }
     it { expect { confirm_vulnerability }.to be_allowed_for(:developer).of(project) }

ee/spec/services/vulnerabilities/dismiss_service_spec.rb

@@ -103,7 +103,12 @@ RSpec.describe Vulnerabilities::DismissService do
   end
 
   describe 'permissions' do
+    context 'when admin mode is enabled', :enable_admin_mode do
       it { expect { dismiss_vulnerability }.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { expect { dismiss_vulnerability }.to be_denied_for(:admin) }
+    end
     it { expect { dismiss_vulnerability }.to be_allowed_for(:owner).of(project) }
     it { expect { dismiss_vulnerability }.to be_allowed_for(:maintainer).of(project) }
     it { expect { dismiss_vulnerability }.to be_allowed_for(:developer).of(project) }

ee/spec/services/vulnerabilities/resolve_service_spec.rb

@@ -51,7 +51,12 @@ RSpec.describe Vulnerabilities::ResolveService do
   end
 
   describe 'permissions' do
+    context 'when admin mode is enabled', :enable_admin_mode do
       it { expect { resolve_vulnerability }.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { expect { resolve_vulnerability }.to be_denied_for(:admin) }
+    end
     it { expect { resolve_vulnerability }.to be_allowed_for(:owner).of(project) }
     it { expect { resolve_vulnerability }.to be_allowed_for(:maintainer).of(project) }
     it { expect { resolve_vulnerability }.to be_allowed_for(:developer).of(project) }

ee/spec/services/vulnerabilities/revert_to_detected_service_spec.rb

@@ -71,7 +71,12 @@ RSpec.describe Vulnerabilities::RevertToDetectedService do
   end
 
   describe 'permissions' do
+    context 'when admin mode is enabled', :enable_admin_mode do
       it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { expect { revert_vulnerability_to_detected }.to be_denied_for(:admin) }
+    end
     it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:owner).of(project) }
     it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:maintainer).of(project) }
     it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:developer).of(project) }

ee/spec/services/vulnerability_issue_links/create_service_spec.rb

@@ -117,7 +117,12 @@ RSpec.describe VulnerabilityIssueLinks::CreateService do
   end
 
   describe 'permissions' do
+    context 'when admin mode enabled', :enable_admin_mode do
       it { expect { create_issue_link }.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode disabled' do
+      it { expect { create_issue_link }.to be_denied_for(:admin) }
+    end
     it { expect { create_issue_link }.to be_allowed_for(:owner).of(project) }
     it { expect { create_issue_link }.to be_allowed_for(:maintainer).of(project) }
     it { expect { create_issue_link }.to be_allowed_for(:developer).of(project) }

ee/spec/services/vulnerability_issue_links/delete_service_spec.rb

@@ -46,7 +46,12 @@ RSpec.describe VulnerabilityIssueLinks::DeleteService do
   end
 
   describe 'permissions' do
+    context 'when admin mode is enabled', :enable_admin_mode do
       it { expect { delete_issue_link }.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { expect { delete_issue_link }.to be_denied_for(:admin) }
+    end
     it { expect { delete_issue_link }.to be_allowed_for(:owner).of(project) }
     it { expect { delete_issue_link }.to be_allowed_for(:maintainer).of(project) }
     it { expect { delete_issue_link }.to be_allowed_for(:developer).of(project) }

spec/lib/gitlab/git_access_snippet_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::GitAccessSnippet do
   include ProjectHelpers
   include TermsHelper
+  include AdminModeHelper
   include_context 'ProjectPolicyTable context'
   using RSpec::Parameterized::TableSyntax
 
@@ -207,12 +208,13 @@ RSpec.describe Gitlab::GitAccessSnippet do
     let(:snippet) { create(:personal_snippet, snippet_level, :repository) }
     let(:user) { membership == :author ? snippet.author : create_user_from_membership(nil, membership) }
 
-    where(:snippet_level, :membership, :_expected_count) do
+    where(:snippet_level, :membership, :admin_mode, :_expected_count) do
       permission_table_for_personal_snippet_access
     end
 
     with_them do
       it "respects accessibility" do
+        enable_admin_mode!(user) if admin_mode
         error_class = described_class::ForbiddenError
 
         if Ability.allowed?(user, :update_snippet, snippet)

spec/models/project_spec.rb

@@ -3996,10 +3996,18 @@ RSpec.describe Project, factory_default: :keep do
       context 'when feature is private' do
         let(:project) { create(:project, :public, :merge_requests_private) }
 
+        context 'when admin mode is enabled', :enable_admin_mode do
           it 'returns projects with the project feature private' do
             is_expected.to include(project)
           end
         end
+
+        context 'when admin mode is disabled' do
+          it 'does not return projects with the project feature private' do
+            is_expected.not_to include(project)
+          end
+        end
+      end
     end
 
     context 'without user' do
@@ -4020,7 +4028,7 @@ RSpec.describe Project, factory_default: :keep do
     end
   end
 
-  describe '.filter_by_feature_visibility', :enable_admin_mode do
+  describe '.filter_by_feature_visibility' do
     include_context 'ProjectPolicyTable context'
     include ProjectHelpers
     using RSpec::Parameterized::TableSyntax
@@ -4032,12 +4040,13 @@ RSpec.describe Project, factory_default: :keep do
     context 'reporter level access' do
       let(:feature) { MergeRequest }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_reporter_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           update_feature_access_level(project, feature_access_level)
 
           expected_objects = expected_count == 1 ? [project] : []
@@ -4052,12 +4061,13 @@ RSpec.describe Project, factory_default: :keep do
     context 'issues' do
       let(:feature) { Issue }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           update_feature_access_level(project, feature_access_level)
 
           expected_objects = expected_count == 1 ? [project] : []
@@ -4072,12 +4082,13 @@ RSpec.describe Project, factory_default: :keep do
     context 'wiki' do
       let(:feature) { :wiki }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           update_feature_access_level(project, feature_access_level)
 
           expected_objects = expected_count == 1 ? [project] : []
@@ -4092,12 +4103,13 @@ RSpec.describe Project, factory_default: :keep do
     context 'code' do
       let(:feature) { :repository }
 
-      where(:project_level, :feature_access_level, :membership, :expected_count) do
+      where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
         permission_table_for_guest_feature_access_and_non_private_project_only
       end
 
       with_them do
         it "respects visibility" do
+          enable_admin_mode!(user) if admin_mode
           update_feature_access_level(project, feature_access_level)
 
           expected_objects = expected_count == 1 ? [project] : []

spec/policies/blob_policy_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe BlobPolicy, :enable_admin_mode do
+RSpec.describe BlobPolicy do
   include_context 'ProjectPolicyTable context'
   include ProjectHelpers
   using RSpec::Parameterized::TableSyntax
@@ -13,12 +13,13 @@ RSpec.describe BlobPolicy, :enable_admin_mode do
 
   subject(:policy) { described_class.new(user, blob) }
 
-  where(:project_level, :feature_access_level, :membership, :expected_count) do
+  where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
     permission_table_for_guest_feature_access_and_non_private_project_only
   end
 
   with_them do
     it "grants permission" do
+      enable_admin_mode!(user) if admin_mode
       update_feature_access_level(project, feature_access_level)
 
       if expected_count == 1

spec/policies/wiki_page_policy_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe WikiPagePolicy, :enable_admin_mode do
+RSpec.describe WikiPagePolicy do
   include_context 'ProjectPolicyTable context'
   include ProjectHelpers
   using RSpec::Parameterized::TableSyntax
@@ -13,12 +13,13 @@ RSpec.describe WikiPagePolicy, :enable_admin_mode do
 
   subject(:policy) { described_class.new(user, wiki_page) }
 
-  where(:project_level, :feature_access_level, :membership, :expected_count) do
+  where(:project_level, :feature_access_level, :membership, :admin_mode, :expected_count) do
     permission_table_for_guest_feature_access
   end
 
   with_them do
     it "grants permission" do
+      enable_admin_mode!(user) if admin_mode
       update_feature_access_level(project, feature_access_level)
 
       if expected_count == 1

spec/services/auth/container_registry_authentication_service_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe Auth::ContainerRegistryAuthenticationService do
+  include AdminModeHelper
+
   let(:current_project) { nil }
   let(:current_user) { nil }
   let(:current_params) { {} }
@@ -696,6 +698,10 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
     context 'user has access to all projects' do
       let_it_be(:current_user) { create(:user, :admin) }
 
+      before do
+        enable_admin_mode!(current_user)
+      end
+
       it_behaves_like 'a browsable' do
         let(:access) do
           [

spec/services/ci/create_pipeline_service/cache_spec.rb

@@ -4,13 +4,13 @@ require 'spec_helper'
 
 RSpec.describe Ci::CreatePipelineService do
   context 'cache' do
-    let(:user)     { create(:admin) }
+    let(:project)  { create(:project, :custom_repo, files: files) }
+    let(:user)     { project.owner }
     let(:ref)      { 'refs/heads/master' }
     let(:source)   { :push }
     let(:service)  { described_class.new(project, user, { ref: ref }) }
     let(:pipeline) { service.execute(source) }
     let(:job)      { pipeline.builds.find_by(name: 'job') }
-    let(:project)  { create(:project, :custom_repo, files: files) }
 
     before do
       stub_ci_pipeline_yaml_file(config)

spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb

@@ -4,8 +4,8 @@ require 'spec_helper'
 
 RSpec.describe Ci::CreatePipelineService do
   describe 'creation errors and warnings' do
-    let_it_be(:user)    { create(:admin) }
-    let_it_be(:project) { create(:project, :repository, creator: user) }
+    let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user)    { project.owner }
 
     let(:ref)      { 'refs/heads/master' }
     let(:source)   { :push }

spec/services/ci/create_pipeline_service/custom_config_content_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 
 RSpec.describe Ci::CreatePipelineService do
   let_it_be(:project) { create(:project, :repository) }
-  let_it_be(:user) { create(:admin) }
+  let_it_be(:user) { project.owner }
   let(:ref) { 'refs/heads/master' }
   let(:service) { described_class.new(project, user, { ref: ref }) }
 

spec/services/ci/create_pipeline_service/dry_run_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Ci::CreatePipelineService do
   let_it_be(:project) { create(:project, :repository) }
-  let_it_be(:user) { create(:admin) }
+  let_it_be(:user) { project.owner }
   let(:ref) { 'refs/heads/master' }
   let(:service) { described_class.new(project, user, { ref: ref }) }
 

spec/services/ci/create_pipeline_service/needs_spec.rb

@@ -4,8 +4,8 @@ require 'spec_helper'
 
 RSpec.describe Ci::CreatePipelineService do
   context 'needs' do
-    let_it_be(:user)    { create(:admin) }
-    let_it_be(:project) { create(:project, :repository, creator: user) }
+    let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user)    { project.owner }
 
     let(:ref)      { 'refs/heads/master' }
     let(:source)   { :push }
@@ -14,6 +14,7 @@ RSpec.describe Ci::CreatePipelineService do
 
     before do
       stub_ci_pipeline_yaml_file(config)
+      project.add_developer(user)
     end
 
     context 'with a valid config' do

spec/services/ci/create_pipeline_service/parameter_content_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Ci::CreatePipelineService do
   let_it_be(:project) { create(:project, :repository) }
-  let_it_be(:user) { create(:admin) }
+  let_it_be(:user) { project.owner }
   let(:service) { described_class.new(project, user, { ref: 'refs/heads/master' }) }
   let(:content) do
     <<~EOY

spec/services/ci/create_pipeline_service/pre_post_stages_spec.rb

@@ -3,8 +3,8 @@ require 'spec_helper'
 
 RSpec.describe Ci::CreatePipelineService do
   describe '.pre/.post stages' do
-    let_it_be(:user)    { create(:admin) }
-    let_it_be(:project) { create(:project, :repository, creator: user) }
+    let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user)    { project.owner }
 
     let(:source)   { :push }
     let(:service)  { described_class.new(project, user, { ref: ref }) }

spec/services/ci/create_pipeline_service/rules_spec.rb

@@ -2,10 +2,10 @@
 require 'spec_helper'
 
 RSpec.describe Ci::CreatePipelineService do
-  let(:user)        { create(:admin) }
+  let(:project)     { create(:project, :repository) }
+  let(:user)        { project.owner }
   let(:ref)         { 'refs/heads/master' }
   let(:source)      { :push }
-  let(:project)     { create(:project, :repository) }
   let(:service)     { described_class.new(project, user, { ref: ref }) }
   let(:pipeline)    { service.execute(source) }
   let(:build_names) { pipeline.builds.pluck(:name) }

spec/services/ci/create_pipeline_service_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe Ci::CreatePipelineService do
   include ProjectForksHelper
 
   let_it_be(:project, reload: true) { create(:project, :repository) }
-  let(:user) { create(:admin) }
+  let_it_be(:user, reload: true) { project.owner }
   let(:ref_name) { 'refs/heads/master' }
 
   before do
@@ -155,6 +155,11 @@ RSpec.describe Ci::CreatePipelineService do
         context 'when merge request target project is different from source project' do
           let!(:project) { fork_project(target_project, nil, repository: true) }
           let!(:target_project) { create(:project, :repository) }
+          let!(:user) { create(:user) }
+
+          before do
+            project.add_developer(user)
+          end
 
           it 'updates head pipeline for merge request', :sidekiq_might_not_need_inline do
             merge_request = create(:merge_request, source_branch: 'feature',
@@ -1442,6 +1447,11 @@ RSpec.describe Ci::CreatePipelineService do
               let(:ref_name) { 'refs/heads/feature' }
               let!(:project) { fork_project(target_project, nil, repository: true) }
               let!(:target_project) { create(:project, :repository) }
+              let!(:user) { create(:user) }
+
+              before do
+                project.add_developer(user)
+              end
 
               it 'creates a legacy detached merge request pipeline in the forked project', :sidekiq_might_not_need_inline do
                 expect(pipeline).to be_persisted

spec/services/issues/move_service_spec.rb

@@ -321,10 +321,13 @@ RSpec.describe Issues::MoveService do
 
     before do
       authorized_project.add_developer(user)
+      authorized_project.add_developer(admin)
       authorized_project2.add_developer(user)
+      authorized_project2.add_developer(admin)
     end
 
     context 'multiple related issues' do
+      context 'when admin mode is enabled', :enable_admin_mode do
         it 'moves all related issues and retains permissions' do
           new_issue = move_service.execute(old_issue, new_project)
 
@@ -338,6 +341,22 @@ RSpec.describe Issues::MoveService do
             .to match_array([new_issue])
         end
       end
+
+      context 'when admin mode is disabled' do
+        it 'moves all related issues and retains permissions' do
+          new_issue = move_service.execute(old_issue, new_project)
+
+          expect(new_issue.related_issues(admin))
+              .to match_array([authorized_issue_b, authorized_issue_c, authorized_issue_d])
+
+          expect(new_issue.related_issues(user))
+              .to match_array([authorized_issue_b, authorized_issue_c, authorized_issue_d])
+
+          expect(authorized_issue_d.related_issues(user))
+              .to match_array([new_issue])
+        end
+      end
+    end
   end
 
   context 'updating sent notifications' do

spec/services/issues/related_branches_service_spec.rb

@@ -74,11 +74,19 @@ RSpec.describe Issues::RelatedBranchesService do
       context 'the user has access to otherwise unreadable pipelines' do
         let(:user) { create(:admin) }
 
+        context 'when admin mode is enabled', :enable_admin_mode do
           it 'returns info a developer could not see' do
             expect(branch_info.pluck(:pipeline_status)).to include(an_instance_of(Gitlab::Ci::Status::Running))
           end
         end
 
+        context 'when admin mode is disabled' do
+          it 'does not return info a developer could not see' do
+            expect(branch_info.pluck(:pipeline_status)).not_to include(an_instance_of(Gitlab::Ci::Status::Running))
+          end
+        end
+      end
+
       it 'excludes branches referenced in merge requests' do
         merge_request = create(:merge_request, { description: "Closes #{issue.to_reference}",
                                                  source_project: issue.project,

spec/services/labels/transfer_service_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Labels::TransferService do
   describe '#execute' do
-    let_it_be(:user) { create(:admin) }
+    let_it_be(:user) { create(:user) }
 
     let_it_be(:old_group_ancestor) { create(:group) }
     let_it_be(:old_group) { create(:group, parent: old_group_ancestor) }
@@ -15,6 +15,11 @@ RSpec.describe Labels::TransferService do
 
     subject(:service) { described_class.new(user, old_group, project) }
 
+    before do
+      old_group_ancestor.add_developer(user)
+      new_group.add_developer(user)
+    end
+
     it 'recreates missing group labels at project level and assigns them to the issuables' do
       old_group_label_1 = create(:group_label, group: old_group)
       old_group_label_2 = create(:group_label, group: old_group)

spec/services/merge_requests/add_context_service_spec.rb

@@ -12,11 +12,21 @@ RSpec.describe MergeRequests::AddContextService do
   subject(:service) { described_class.new(project, admin, merge_request: merge_request, commits: commits) }
 
   describe "#execute" do
+    context "when admin mode is enabled", :enable_admin_mode do
       it "adds context commit" do
         service.execute
 
         expect(merge_request.merge_request_context_commit_diff_files.length).to eq(2)
       end
+    end
+
+    context "when admin mode is disabled" do
+      it "doesn't add context commit" do
+        subject.execute
+
+        expect(merge_request.merge_request_context_commit_diff_files.length).to eq(0)
+      end
+    end
 
     context "when user doesn't have permission to update merge request" do
       let(:user) { create(:user) }

spec/services/notification_service_spec.rb

@@ -3099,14 +3099,28 @@ RSpec.describe NotificationService, :mailer do
         subject.new_issue(issue, member)
       end
 
-      it 'still delivers email to admins' do
+      context 'with admin user' do
+        before do
           member.update!(admin: true)
+        end
 
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it 'still delivers email to admins' do
             expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original
 
             subject.new_issue(issue, member)
           end
         end
+
+        context 'when admin mode is disabled' do
+          it 'does not send an email' do
+            expect(Notify).not_to receive(:new_issue_email)
+
+            subject.new_issue(issue, member)
+          end
+        end
+      end
+    end
   end
 
   describe '#prometheus_alerts_fired' do

spec/services/personal_access_tokens/create_service_spec.rb

@@ -38,9 +38,15 @@ RSpec.describe PersonalAccessTokens::CreateService do
     context 'when current_user is an administrator' do
       let(:current_user) { create(:admin) }
 
+      context 'when admin mode is enabled', :enable_admin_mode do
         it_behaves_like 'a successfully created token'
       end
 
+      context 'when admin mode is disabled' do
+        it_behaves_like 'an unsuccessfully created token'
+      end
+    end
+
     context 'when current_user is not an administrator' do
       context 'target_user is not the same as current_user' do
         it_behaves_like 'an unsuccessfully created token'

spec/services/personal_access_tokens/revoke_service_spec.rb

@@ -24,12 +24,21 @@ RSpec.describe PersonalAccessTokens::RevokeService do
     let(:service) { described_class.new(current_user, token: token) }
 
     context 'when current_user is an administrator' do
+      context 'when admin mode is enabled', :enable_admin_mode do
         let_it_be(:current_user) { create(:admin) }
         let_it_be(:token) { create(:personal_access_token) }
 
         it_behaves_like 'a successfully revoked token'
       end
 
+      context 'when admin mode is disabled' do
+        let_it_be(:current_user) { create(:admin) }
+        let_it_be(:token) { create(:personal_access_token) }
+
+        it_behaves_like 'an unsuccessfully revoked token'
+      end
+    end
+
     context 'when current_user is not an administrator' do
       let_it_be(:current_user) { create(:user) }
 

spec/services/projects/autocomplete_service_spec.rb

@@ -79,7 +79,8 @@ RSpec.describe Projects::AutocompleteService do
         expect(issues.count).to eq 3
       end
 
-      it 'lists all project issues for admin' do
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'lists all project issues for admin', :enable_admin_mode do
           autocomplete = described_class.new(project, admin)
           issues = autocomplete.issues.map(&:iid)
 
@@ -89,6 +90,19 @@ RSpec.describe Projects::AutocompleteService do
           expect(issues.count).to eq 3
         end
       end
+
+      context 'when admin mode is disabled' do
+        it 'does not list project confidential issues for admin' do
+          autocomplete = described_class.new(project, admin)
+          issues = autocomplete.issues.map(&:iid)
+
+          expect(issues).to include issue.iid
+          expect(issues).not_to include security_issue_1.iid
+          expect(issues).not_to include security_issue_2.iid
+          expect(issues.count).to eq 1
+        end
+      end
+    end
   end
 
   describe '#milestones' do

spec/services/projects/create_service_spec.rb

@@ -72,6 +72,7 @@ RSpec.describe Projects::CreateService, '#execute' do
   end
 
   context "admin creates project with other user's namespace_id" do
+    context 'when admin mode is enabled', :enable_admin_mode do
       it 'sets the correct permissions' do
         admin = create(:admin)
         project = create_project(admin, opts)
@@ -83,6 +84,16 @@ RSpec.describe Projects::CreateService, '#execute' do
       end
     end
 
+    context 'when admin mode is disabled' do
+      it 'is not allowed' do
+        admin = create(:admin)
+        project = create_project(admin, opts)
+
+        expect(project).not_to be_persisted
+      end
+    end
+  end
+
   context 'group namespace' do
     let(:group) do
       create(:group).tap do |group|
@@ -336,7 +347,15 @@ RSpec.describe Projects::CreateService, '#execute' do
         )
       end
 
-      it 'allows a restricted visibility level for admins' do
+      it 'does not allow a restricted visibility level for admins when admin mode is disabled' do
+        admin = create(:admin)
+        project = create_project(admin, opts)
+
+        expect(project.errors.any?).to be(true)
+        expect(project.saved?).to be_falsey
+      end
+
+      it 'allows a restricted visibility level for admins when admin mode is enabled', :enable_admin_mode do
         admin = create(:admin)
         project = create_project(admin, opts)
 

spec/services/projects/update_service_spec.rb

@@ -127,6 +127,7 @@ RSpec.describe Projects::UpdateService do
           end
 
           context 'when updated by an admin' do
+            context 'when admin mode is enabled', :enable_admin_mode do
               it 'updates the project to public' do
                 result = update_project(project, admin, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
 
@@ -134,6 +135,16 @@ RSpec.describe Projects::UpdateService do
                 expect(project).to be_public
               end
             end
+
+            context 'when admin mode is disabled' do
+              it 'does not update the project to public' do
+                result = update_project(project, admin, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+
+                expect(result).to eq({ status: :error, message: 'New visibility level not allowed!' })
+                expect(project).to be_private
+              end
+            end
+          end
         end
       end
 
@@ -144,7 +155,7 @@ RSpec.describe Projects::UpdateService do
           project.update!(namespace: group, visibility_level: group.visibility_level)
         end
 
-        it 'does not update project visibility level' do
+        it 'does not update project visibility level even if admin', :enable_admin_mode do
           result = update_project(project, admin, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
 
           expect(result).to eq({ status: :error, message: 'Visibility level public is not allowed in a internal group.' })
@@ -181,6 +192,7 @@ RSpec.describe Projects::UpdateService do
 
     describe 'when updating project that has forks' do
       let(:project) { create(:project, :internal) }
+      let(:user) { project.owner }
       let(:forked_project) { fork_project(project) }
 
       context 'and unlink forks feature flag is off' do
@@ -194,7 +206,7 @@ RSpec.describe Projects::UpdateService do
           expect(project).to be_internal
           expect(forked_project).to be_internal
 
-          expect(update_project(project, admin, opts)).to eq({ status: :success })
+          expect(update_project(project, user, opts)).to eq({ status: :success })
 
           expect(project).to be_private
           expect(forked_project.reload).to be_private
@@ -206,7 +218,7 @@ RSpec.describe Projects::UpdateService do
           expect(project).to be_internal
           expect(forked_project).to be_internal
 
-          expect(update_project(project, admin, opts)).to eq({ status: :success })
+          expect(update_project(project, user, opts)).to eq({ status: :success })
 
           expect(project).to be_public
           expect(forked_project.reload).to be_internal
@@ -220,7 +232,7 @@ RSpec.describe Projects::UpdateService do
           expect(project).to be_internal
           expect(forked_project).to be_internal
 
-          expect(update_project(project, admin, opts)).to eq({ status: :success })
+          expect(update_project(project, user, opts)).to eq({ status: :success })
 
           expect(project).to be_private
           expect(forked_project.reload).to be_internal
@@ -576,6 +588,7 @@ RSpec.describe Projects::UpdateService do
       context 'authenticated as admin' do
         let(:user) { create(:admin) }
 
+        context 'when admin mode is enabled', :enable_admin_mode do
           it 'schedules the transfer of the repository to the new storage and locks the project' do
             update_project(project, admin, opts)
 
@@ -586,6 +599,11 @@ RSpec.describe Projects::UpdateService do
               destination_storage_name: 'test_second_storage'
             )
           end
+        end
+
+        context 'when admin mode is disabled' do
+          it_behaves_like 'the transfer was not scheduled'
+        end
 
         context 'the repository is read-only' do
           let(:repository_read_only) { true }

spec/services/resource_access_tokens/create_service_spec.rb

@@ -46,8 +46,18 @@ RSpec.describe ResourceAccessTokens::CreateService do
         end
 
         context 'when created by an admin' do
-          it_behaves_like 'creates a user that has their email confirmed' do
           let(:user) { create(:admin) }
+
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it_behaves_like 'creates a user that has their email confirmed'
+          end
+
+          context 'when admin mode is disabled' do
+            it 'returns error' do
+              response = subject
+
+              expect(response.error?).to be true
+            end
           end
         end
 

spec/services/search/snippet_service_spec.rb

@@ -49,6 +49,7 @@ RSpec.describe Search::SnippetService do
         expect(results.objects('snippet_titles')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet]
       end
 
+      context 'when admin mode is enabled', :enable_admin_mode do
         it 'returns all snippets when user is admin' do
           admin = create(:admin)
           search = described_class.new(admin, search: 'bar')
@@ -57,6 +58,17 @@ RSpec.describe Search::SnippetService do
           expect(results.objects('snippet_titles')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
         end
       end
+
+      context 'when admin mode is disabled' do
+        it 'returns only public & internal snippets when user is admin' do
+          admin = create(:admin)
+          search = described_class.new(admin, search: 'bar')
+          results = search.execute
+
+          expect(results.objects('snippet_titles')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet]
+        end
+      end
+    end
   end
 
   describe '#scope' do

spec/services/todo_service_spec.rb

@@ -150,7 +150,7 @@ RSpec.describe TodoService do
         service.new_issue(issue, author)
 
         should_create_todo(user: member, target: issue, action: Todo::DIRECTLY_ADDRESSED)
-        should_create_todo(user: admin, target: issue, action: Todo::MENTIONED)
+        should_not_create_todo(user: admin, target: issue, action: Todo::MENTIONED)
         should_create_todo(user: guest, target: issue, action: Todo::MENTIONED)
       end
 
@@ -160,7 +160,7 @@ RSpec.describe TodoService do
         should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::ASSIGNED)
         should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
         should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
-        should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
+        should_not_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
         should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
         should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
       end
@@ -171,7 +171,7 @@ RSpec.describe TodoService do
         should_create_todo(user: assignee, target: addressed_confident_issue, author: john_doe, action: Todo::ASSIGNED)
         should_create_todo(user: author, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
         should_create_todo(user: member, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
-        should_create_todo(user: admin, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
+        should_not_create_todo(user: admin, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
         should_not_create_todo(user: guest, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
         should_create_todo(user: john_doe, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
       end
@@ -228,7 +228,7 @@ RSpec.describe TodoService do
 
         should_create_todo(user: member, target: issue, action: Todo::DIRECTLY_ADDRESSED)
         should_create_todo(user: guest, target: issue, action: Todo::MENTIONED)
-        should_create_todo(user: admin, target: issue, action: Todo::MENTIONED)
+        should_not_create_todo(user: admin, target: issue, action: Todo::MENTIONED)
         should_not_create_todo(user: skipped, target: issue)
       end
 
@@ -273,7 +273,7 @@ RSpec.describe TodoService do
         should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
         should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
         should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
-        should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
+        should_not_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
         should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
         should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED)
       end
@@ -284,7 +284,7 @@ RSpec.describe TodoService do
         should_create_todo(user: author, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
         should_create_todo(user: assignee, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
         should_create_todo(user: member, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
-        should_create_todo(user: admin, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
+        should_not_create_todo(user: admin, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
         should_not_create_todo(user: guest, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
         should_create_todo(user: john_doe, target: addressed_confident_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED)
       end
@@ -432,7 +432,7 @@ RSpec.describe TodoService do
         service.new_note(note, john_doe)
 
         should_create_todo(user: member, target: issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: note)
-        should_create_todo(user: admin, target: issue, author: john_doe, action: Todo::MENTIONED, note: note)
+        should_not_create_todo(user: admin, target: issue, author: john_doe, action: Todo::MENTIONED, note: note)
         should_create_todo(user: guest, target: issue, author: john_doe, action: Todo::MENTIONED, note: note)
       end
 
@@ -452,7 +452,7 @@ RSpec.describe TodoService do
         should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
         should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
         should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
-        should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
+        should_not_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
         should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
         should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::MENTIONED, note: note_on_confidential_issue)
       end
@@ -463,7 +463,7 @@ RSpec.describe TodoService do
         should_create_todo(user: author, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
         should_create_todo(user: assignee, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
         should_create_todo(user: member, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
-        should_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
+        should_not_create_todo(user: admin, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
         should_not_create_todo(user: guest, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
         should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
       end
@@ -699,7 +699,7 @@ RSpec.describe TodoService do
         service.new_merge_request(mr_assigned, author)
 
         should_create_todo(user: member, target: mr_assigned, action: Todo::DIRECTLY_ADDRESSED)
-        should_create_todo(user: admin, target: mr_assigned, action: Todo::MENTIONED)
+        should_not_create_todo(user: admin, target: mr_assigned, action: Todo::MENTIONED)
       end
 
       it 'creates a directly addressed todo for each valid addressed user' do
@@ -731,7 +731,7 @@ RSpec.describe TodoService do
         service.update_merge_request(mr_assigned, author, skip_users)
 
         should_create_todo(user: member, target: mr_assigned, action: Todo::DIRECTLY_ADDRESSED)
-        should_create_todo(user: admin, target: mr_assigned, action: Todo::MENTIONED)
+        should_not_create_todo(user: admin, target: mr_assigned, action: Todo::MENTIONED)
         should_not_create_todo(user: skipped, target: mr_assigned)
       end
 
@@ -997,7 +997,7 @@ RSpec.describe TodoService do
 
       should_create_todo(user: member, target: noteable, action: Todo::DIRECTLY_ADDRESSED)
       should_create_todo(user: guest, target: noteable, action: Todo::MENTIONED)
-      should_create_todo(user: admin, target: noteable, action: Todo::MENTIONED)
+      should_not_create_todo(user: admin, target: noteable, action: Todo::MENTIONED)
       should_not_create_todo(user: skipped, target: noteable)
     end
 

spec/services/two_factor/destroy_service_spec.rb

@@ -85,7 +85,7 @@ RSpec.describe TwoFactor::DestroyService do
           it_behaves_like 'disables two-factor authentication'
         end
 
-        context 'admin disables the two-factor authentication of another user' do
+        context 'admin disables the two-factor authentication of another user', :enable_admin_mode do
           let(:current_user) { create(:admin) }
           let(:user) { create(:user, :two_factor) }
 

spec/services/users/approve_service_spec.rb

@@ -19,6 +19,14 @@ RSpec.describe Users::ApproveService do
         end
       end
 
+      context 'when the executor user is an admin not in admin mode' do
+        it 'returns error result' do
+          expect(subject[:status]).to eq(:error)
+          expect(subject[:message]).to match(/You are not allowed to approve a user/)
+        end
+      end
+
+      context 'when the executor user is an admin in admin mode', :enable_admin_mode do
         context 'when user is not in pending approval state' do
           let(:user) { create(:user, state: 'active') }
 
@@ -44,8 +52,10 @@ RSpec.describe Users::ApproveService do
           end
         end
       end
+    end
 
     context 'success' do
+      context 'when the executor user is an admin in admin mode', :enable_admin_mode do
         it 'activates the user' do
           expect(subject[:status]).to eq(:success)
           expect(user.reload).to be_active
@@ -69,7 +79,7 @@ RSpec.describe Users::ApproveService do
           end
         end
 
-      context 'pending invitiations' do
+        context 'pending invitations' do
           let!(:project_member_invite) { create(:project_member, :invited, invite_email: user.email) }
           let!(:group_member_invite) { create(:group_member, :invited, invite_email: user.email) }
 
@@ -103,4 +113,5 @@ RSpec.describe Users::ApproveService do
         end
       end
     end
+  end
 end

spec/services/users/destroy_service_spec.rb

@@ -3,7 +3,6 @@
 require 'spec_helper'
 
 RSpec.describe Users::DestroyService do
-  describe "Deletes a user and all their personal projects" do
   let!(:user)      { create(:user) }
   let!(:admin)     { create(:admin) }
   let!(:namespace) { user.namespace }
@@ -11,6 +10,7 @@ RSpec.describe Users::DestroyService do
   let(:service)    { described_class.new(admin) }
   let(:gitlab_shell) { Gitlab::Shell.new }
 
+  describe "Deletes a user and all their personal projects", :enable_admin_mode do
     context 'no options are given' do
       it 'deletes the user' do
         user_data = service.execute(user)
@@ -215,35 +215,6 @@ RSpec.describe Users::DestroyService do
       end
     end
 
-    context "deletion permission checks" do
-      it 'does not delete the user when user is not an admin' do
-        other_user = create(:user)
-
-        expect { described_class.new(other_user).execute(user) }.to raise_error(Gitlab::Access::AccessDeniedError)
-        expect(User.exists?(user.id)).to be(true)
-      end
-
-      it 'allows admins to delete anyone' do
-        described_class.new(admin).execute(user)
-
-        expect(User.exists?(user.id)).to be(false)
-      end
-
-      it 'allows users to delete their own account' do
-        described_class.new(user).execute(user)
-
-        expect(User.exists?(user.id)).to be(false)
-      end
-
-      it 'allows user to be deleted if skip_authorization: true' do
-        other_user = create(:user)
-
-        described_class.new(user).execute(other_user, skip_authorization: true)
-
-        expect(User.exists?(other_user.id)).to be(false)
-      end
-    end
-
     context "migrating associated records" do
       let!(:issue)     { create(:issue, author: user) }
 
@@ -320,4 +291,43 @@ RSpec.describe Users::DestroyService do
       end
     end
   end
+
+  describe "Deletion permission checks" do
+    it 'does not delete the user when user is not an admin' do
+      other_user = create(:user)
+
+      expect { described_class.new(other_user).execute(user) }.to raise_error(Gitlab::Access::AccessDeniedError)
+      expect(User.exists?(user.id)).to be(true)
+    end
+
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it 'allows admins to delete anyone' do
+        described_class.new(admin).execute(user)
+
+        expect(User.exists?(user.id)).to be(false)
+      end
+    end
+
+    context 'when admin mode is disabled' do
+      it 'disallows admins to delete anyone' do
+        expect { described_class.new(admin).execute(user) }.to raise_error(Gitlab::Access::AccessDeniedError)
+
+        expect(User.exists?(user.id)).to be(true)
+      end
+    end
+
+    it 'allows users to delete their own account' do
+      described_class.new(user).execute(user)
+
+      expect(User.exists?(user.id)).to be(false)
+    end
+
+    it 'allows user to be deleted if skip_authorization: true' do
+      other_user = create(:user)
+
+      described_class.new(user).execute(other_user, skip_authorization: true)
+
+      expect(User.exists?(other_user.id)).to be(false)
+    end
+  end
 end

spec/services/users/set_status_service_spec.rb

@@ -52,7 +52,7 @@ RSpec.describe Users::SetStatusService do
           { emoji: 'taurus', message: 'a random status', user: target_user }
         end
 
-        context 'the current user is admin' do
+        context 'the current user is admin', :enable_admin_mode do
           let(:current_user) { create(:admin) }
 
           it 'changes the status when the current user is allowed to do that' do

spec/spec_helper.rb

@@ -283,12 +283,10 @@ RSpec.configure do |config|
       ./ee/spec/lib
       ./ee/spec/requests/admin
       ./ee/spec/serializers
-      ./ee/spec/services
       ./ee/spec/support/protected_tags
       ./ee/spec/support/shared_examples/features
       ./ee/spec/support/shared_examples/finders/geo
       ./ee/spec/support/shared_examples/graphql/geo
-      ./ee/spec/support/shared_examples/services
       ./spec/features
       ./spec/finders
       ./spec/frontend
@@ -296,7 +294,6 @@ RSpec.configure do |config|
       ./spec/lib
       ./spec/requests
       ./spec/serializers
-      ./spec/services
       ./spec/support/protected_tags
       ./spec/support/shared_examples/features
       ./spec/support/shared_examples/requests

spec/support/helpers/admin_mode_helpers.rb

@@ -13,6 +13,8 @@ module AdminModeHelper
   def enable_admin_mode!(user)
     fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode)
 
+    allow(Gitlab::Auth::CurrentUserMode).to receive(:new).and_call_original
+
     allow(Gitlab::Auth::CurrentUserMode).to receive(:new).with(user).and_return(fake_user_mode)
     allow(fake_user_mode).to receive(:admin_mode?).and_return(user&.admin?)
   end