Deny access for repository coverage info for guests

Repository coverage information should be accessible
for Reporter+ role only

Changelog: security
EE: true

ee/app/controllers/groups/analytics/coverage_reports_controller.rb

@@ -6,7 +6,7 @@ class Groups::Analytics::CoverageReportsController < Groups::Analytics::Applicat
   COVERAGE_PARAM = 'coverage'
 
   before_action :load_group
-  before_action -> { check_feature_availability!(:group_coverage_reports) }
+  before_action -> { authorize_view_by_action!(:read_group_coverage_reports) }
 
   def index
     respond_to do |format|

ee/app/controllers/groups/analytics/repository_analytics_controller.rb

@@ -4,7 +4,6 @@ class Groups::Analytics::RepositoryAnalyticsController < Groups::Analytics::Appl
   layout 'group'
 
   before_action :load_group
-  before_action -> { check_feature_availability!(:group_repository_analytics) }
   before_action -> { authorize_view_by_action!(:read_group_repository_analytics) }
   before_action only: [:show] do
     push_frontend_feature_flag(:usage_data_i_testing_group_code_coverage_visit_total, @group, default_enabled: :yaml)

ee/app/policies/ee/group_policy.rb

@@ -33,6 +33,10 @@ module EE
         @subject.feature_available?(:group_repository_analytics)
       end
 
+      condition(:group_coverage_reports_available) do
+        @subject.feature_available?(:group_coverage_reports)
+      end
+
       condition(:group_activity_analytics_available) do
         @subject.feature_available?(:group_activity_analytics)
       end
@@ -180,6 +184,9 @@ module EE
       rule { reporter & group_repository_analytics_available }
         .enable :read_group_repository_analytics
 
+      rule { reporter & group_coverage_reports_available }
+        .enable :read_group_coverage_reports
+
       rule { reporter & group_merge_request_analytics_available }
         .enable :read_group_merge_request_analytics
 

ee/spec/controllers/groups/analytics/coverage_reports_controller_spec.rb

@@ -26,6 +26,10 @@ RSpec.describe Groups::Analytics::CoverageReportsController do
   end
 
   context 'without permissions' do
+    before do
+      group.add_guest(user)
+    end
+
     describe 'GET index' do
       it 'responds 403' do
         get :index, params: valid_request_params
@@ -37,7 +41,7 @@ RSpec.describe Groups::Analytics::CoverageReportsController do
 
   context 'with permissions' do
     before do
-      group.add_owner(user)
+      group.add_reporter(user)
     end
 
     context 'without a license' do

ee/spec/policies/group_policy_spec.rb

@@ -322,6 +322,34 @@ RSpec.describe GroupPolicy do
     it { is_expected.not_to be_allowed(:read_group_repository_analytics) }
   end
 
+  context 'when group coverage reports is available' do
+    before do
+      stub_licensed_features(group_coverage_reports: true)
+    end
+
+    context 'for guests' do
+      let(:current_user) { guest }
+
+      it { is_expected.not_to be_allowed(:read_group_coverage_reports) }
+    end
+
+    context 'for reporter+' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_allowed(:read_group_coverage_reports) }
+    end
+  end
+
+  context 'when group coverage reports is not available' do
+    let(:current_user) { maintainer }
+
+    before do
+      stub_licensed_features(group_coverage_reports: false)
+    end
+
+    it { is_expected.not_to be_allowed(:read_group_coverage_reports) }
+  end
+
   describe 'per group SAML' do
     def stub_group_saml_config(enabled)
       allow(::Gitlab::Auth::GroupSaml::Config).to receive_messages(enabled?: enabled)