Auto-enable admin mode on privileged environments

changelogs/unreleased/feat-auto-enable-admin-mode-rake-runtime.yml

+---
+title: Auto-enable admin mode on privileged environments
+merge_request: 53015
+author: Diego Louzán
+type: changed

lib/gitlab/auth/current_user_mode.rb

@@ -77,7 +77,7 @@ module Gitlab
         return false unless user
 
         Gitlab::SafeRequestStore.fetch(admin_mode_rs_key) do
-          user.admin? && session_with_admin_mode?
+          user.admin? && (privileged_runtime? || session_with_admin_mode?)
         end
       end
 
@@ -154,6 +154,11 @@ module Gitlab
         Gitlab::SafeRequestStore.delete(admin_mode_rs_key)
         Gitlab::SafeRequestStore.delete(admin_mode_requested_rs_key)
       end
+
+      # Runtimes which imply shell access get admin mode automatically, see Gitlab::Runtime
+      def privileged_runtime?
+        Gitlab::Runtime.rake? || Gitlab::Runtime.rails_runner? || Gitlab::Runtime.console?
+      end
     end
   end
 end

spec/tasks/admin_mode_spec.rb

+# frozen_string_literal: true
+
+require 'rake_helper'
+
+RSpec.describe 'admin mode on tasks' do
+  before do
+    allow(::Gitlab::Runtime).to receive(:test_suite?).and_return(false)
+    allow(::Gitlab::Runtime).to receive(:rake?).and_return(true)
+  end
+
+  shared_examples 'verify admin mode' do |state|
+    it 'matches the expected admin mode' do
+      Rake::Task.define_task :verify_admin_mode do
+        expect(Gitlab::Auth::CurrentUserMode.new(user).admin_mode?).to be(state)
+      end
+
+      run_rake_task('verify_admin_mode')
+    end
+  end
+
+  describe 'with a regular user' do
+    let(:user) { create(:user) }
+
+    include_examples 'verify admin mode', false
+  end
+
+  describe 'with an admin' do
+    let(:user) { create(:admin) }
+
+    include_examples 'verify admin mode', true
+  end
+end