Add customer relations group setting

This MR removes the customer relations feature flag
and introduces a new group setting to enable crm.

Changelog: added

app/controllers/groups_controller.rb

@@ -276,7 +276,8 @@ class GroupsController < Groups::ApplicationController
       :resource_access_token_creation_allowed,
       :prevent_sharing_groups_outside_hierarchy,
       :setup_for_company,
-      :jobs_to_be_done
+      :jobs_to_be_done,
+      :crm_enabled
     ]
   end
 

app/graphql/mutations/issues/set_crm_contacts.rb

@@ -18,7 +18,8 @@ module Mutations
       def resolve(project_path:, iid:, contact_ids:, operation_mode: Types::MutationOperationModeEnum.enum[:replace])
         issue = authorized_find!(project_path: project_path, iid: iid)
         project = issue.project
-        raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless Feature.enabled?(:customer_relations, project.group, default_enabled: :yaml)
+
+        raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless feature_enabled?(project)
 
         contact_ids = contact_ids.compact.map do |contact_id|
           raise Gitlab::Graphql::Errors::ArgumentError, "Contact #{contact_id} is invalid." unless contact_id.respond_to?(:model_id)
@@ -43,6 +44,12 @@ module Mutations
           errors: response.errors
         }
       end
+
+      private
+
+      def feature_enabled?(project)
+        Feature.enabled?(:customer_relations, project.group, default_enabled: :yaml) && project.group&.crm_enabled?
+      end
     end
   end
 end

app/helpers/groups/crm_settings_helper.rb

+# frozen_string_literal: true
+
+module Groups
+  module CrmSettingsHelper
+    def crm_feature_flag_enabled?(group)
+      Feature.enabled?(:customer_relations, group)
+    end
+  end
+end

app/policies/group_policy.rb

@@ -75,7 +75,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   with_scope :subject
   condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
 
-  condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
+  condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? }
 
   with_scope :subject
   condition(:group_runner_registration_allowed, score: 0, scope: :subject) do

app/services/groups/update_service.rb

@@ -107,6 +107,7 @@ module Groups
 
     def handle_changes
       handle_settings_update
+      handle_crm_settings_update unless params[:crm_enabled].nil?
     end
 
     def handle_settings_update
@@ -116,6 +117,15 @@ module Groups
       ::NamespaceSettings::UpdateService.new(current_user, group, settings_params).execute
     end
 
+    def handle_crm_settings_update
+      crm_enabled = params.delete(:crm_enabled)
+      return if group.crm_enabled? == crm_enabled
+
+      crm_settings = group.crm_settings || group.build_crm_settings
+      crm_settings.enabled = crm_enabled
+      crm_settings.save
+    end
+
     def allowed_settings_params
       SETTINGS_PARAMS
     end

app/views/groups/edit.html.haml

@@ -20,11 +20,11 @@
 %section.settings.gs-permissions.no-animate#js-permissions-settings{ class: ('expanded' if expanded), data: { qa_selector: 'permission_lfs_2fa_content' } }
   .settings-header
     %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only{ role: 'button' }
-      = _('Permissions, LFS, 2FA')
+      = _('Permissions and group features')
     %button.btn.gl-button.js-settings-toggle{ type: 'button' }
       = expanded ? _('Collapse') : _('Expand')
     %p
-      = _('Configure advanced permissions, Large File Storage, and two-factor authentication settings.')
+      = _('Configure advanced permissions, Large File Storage, two-factor authentication, and customer relations settings.')
   .settings-content
     = render 'groups/settings/permissions'
 

app/views/groups/settings/_permissions.html.haml

@@ -41,4 +41,13 @@
     = render 'groups/settings/two_factor_auth', f: f, group: @group
     = render_if_exists 'groups/personal_access_token_expiration_policy', f: f, group: @group
     = render 'groups/settings/membership', f: f, group: @group
+
+    - if crm_feature_flag_enabled?(@group)
+      %h5= _('Customer relations')
+      .form-group.gl-mb-3
+        = f.gitlab_ui_checkbox_component :crm_enabled,
+            s_('GroupSettings|Enable customer relations'),
+            checkbox_options: { checked: @group.crm_enabled? },
+            help_text: s_('GroupSettings|Allows creating organizations and contacts and associating them with issues.')
+
   = f.submit _('Save changes'), class: 'btn gl-button btn-confirm gl-mt-3 js-dirty-submit', data: { qa_selector: 'save_permissions_changes_button' }

doc/security/two_factor_authentication.md

@@ -49,7 +49,7 @@ Gitlab::CurrentSettings.update!('require_two_factor_authentication': false)
 To enforce 2FA only for certain groups:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Select the **Require all users in this group to set up two-factor authentication** option.
 
 You can also specify a grace period in the **Time before enforced** option.
@@ -76,7 +76,7 @@ The following are important notes about 2FA:
   groups) the shortest grace period is used.
 - It is possible to disallow subgroups from setting up their own 2FA requirements:
   1. Go to the top-level group's **Settings > General**.
-  1. Expand the **Permissions, LFS, 2FA** section.
+  1. Expand the **Permissions and group features** section.
   1. Uncheck the **Allow subgroups to set up their own two-factor authentication rule** field.
 
   This action causes all subgroups with 2FA requirements to stop requiring that from their members.

doc/user/crm/index.md

@@ -6,13 +6,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 # Customer relations management (CRM) **(FREE)**
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/2256) in GitLab 14.6 [with a flag](../../administration/feature_flags.md) named `customer_relations`. Disabled by default.
-
-FLAG:
-On self-managed GitLab, by default this feature is not available. To make it available,
-ask an administrator to [enable the feature flag](../../administration/feature_flags.md) named `customer_relations`.
-On GitLab.com, this feature is not available.
-You should not use this feature for production environments.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/2256) in GitLab 14.6 [with a flag](../../administration/feature_flags.md) named `customer_relations`. Disabled by default.
 
 With customer relations management (CRM) you can create a record of contacts
 (individuals) and organizations (companies) and relate them to issues.
@@ -20,6 +14,16 @@ With customer relations management (CRM) you can create a record of contacts
 You can use contacts and organizations to tie work to customers for billing and reporting purposes.
 To read more about what is planned for the future, see [issue 2256](https://gitlab.com/gitlab-org/gitlab/-/issues/2256).
 
+## Enable customer relations management (CRM)
+
+To enable customer relations management in a group:
+
+1. On the top bar, select **Menu > Groups** and find your group.
+1. On the left sidebar, select **Settings > General**.
+1. Expand the **Permissions and group features** section.
+1. Select **Enable customer relations**.
+1. Select **Save changes**.
+
 ## Contacts
 
 ### View contacts linked to a group

doc/user/group/index.md

@@ -123,7 +123,7 @@ your group.
 1. Select **Your Groups**.
 1. Find the group and select it.
 1. From the left menu, select **Settings > General**.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Clear the **Allow users to request access** checkbox.
 1. Select **Save changes**.
 
@@ -219,7 +219,7 @@ To change this setting for a specific group:
 1. Select **Your Groups**.
 1. Find the group and select it.
 1. From the left menu, select **Settings > General**.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Select the desired option in the **Default branch protection** dropdown list.
 1. Select **Save changes**.
 
@@ -250,7 +250,7 @@ To change this setting for a specific group:
 1. Select **Your Groups**.
 1. Find the group and select it.
 1. From the left menu, select **Settings > General**.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Select the desired option in the **Allowed to create projects** dropdown list.
 1. Select **Save changes**.
 
@@ -489,7 +489,7 @@ If you select this setting in the **Animals** group:
 To prevent sharing outside of the group's hierarchy:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Select **Prevent members from sending invitations to groups outside of `<group_name>` and its subgroups**.
 1. Select **Save changes**.
 
@@ -501,7 +501,7 @@ a project with another group](../project/members/share_project_with_groups.md) t
 To prevent a project from being shared with other groups:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Select **Prevent sharing a project within `<group_name>` with other groups**.
 1. Select **Save changes**.
 
@@ -523,7 +523,7 @@ The setting does not cascade. Projects in subgroups observe the subgroup configu
 To prevent members from being added to projects in a group:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Under **Member lock**, select **Prevent adding new members to project membership within this group**.
 1. Select **Save changes**.
 
@@ -574,7 +574,7 @@ You should consider these security implications before configuring IP address re
 To restrict group access by IP address:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. In the **Allow access to the following IP addresses** field, enter IP address ranges in CIDR notation.
 1. Select **Save changes**.
 
@@ -591,7 +591,7 @@ You can prevent users with email addresses in specific domains from being added
 To restrict group access by domain:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. In the **Restrict membership by email** field, enter the domain names.
 1. Select **Save changes**.
 
@@ -645,7 +645,7 @@ You can disable all email notifications related to the group, which includes its
 To disable email notifications:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Select **Disable email notifications**.
 1. Select **Save changes**.
 
@@ -663,7 +663,7 @@ This is particularly helpful for groups with a large number of users.
 To disable group mentions:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Select **Disable group mentions**.
 1. Select **Save changes**.
 
@@ -688,7 +688,7 @@ the default setting.
 To enable delayed deletion of projects in a group:
 
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Check **Enable delayed project deletion**.
 1. Optional. To prevent subgroups from changing this setting, select **Enforce for all subgroups**.
 1. Select **Save changes**.
@@ -713,7 +713,7 @@ If even one is set to `true`, then the group does not allow outside forks.
 To prevent projects from being forked outside the group:
 
 1. Go to the top-level group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Check **Prevent project forking outside current group**.
 1. Select **Save changes**.
 

doc/user/group/saml_sso/group_managed_accounts.md

@@ -113,7 +113,7 @@ on the lifetime of personal access tokens apply.
 To set a limit on how long personal access tokens are valid for users in a group managed account:
 
 1. Navigate to the **Settings > General** page in your group's sidebar.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Fill in the **Maximum allowable lifetime for personal access tokens (days)** field.
 1. Click **Save changes**.
 

doc/user/group/subgroups/index.md

@@ -101,7 +101,7 @@ You can change this setting:
 - As group owner:
   1. Select the group.
   1. On the left sidebar, select **Settings > General**.
-  1. Expand **Permissions, LFS, 2FA**.
+  1. Expand **Permissions and group features**.
 - As an administrator:
   1. On the top bar, select **Menu > Admin**.
   1. On the left sidebar, select **Overview > Groups**.

doc/user/project/settings/project_access_tokens.md

@@ -78,7 +78,7 @@ To enable or disable project access token creation for all projects in a top-lev
 
 1. On the top bar, select **Menu > Groups** and find your group.
 1. On the left sidebar, select **Settings > General**.
-1. Expand **Permissions, LFS, 2FA**.
+1. Expand **Permissions and group features**.
 1. Under **Permissions**, turn on or off **Allow project access token creation**.
 
 Even when creation is disabled, you can still use and revoke existing project access tokens.

ee/spec/features/groups/navbar_spec.rb

@@ -191,10 +191,11 @@ RSpec.describe 'Group navbar' do
       it_behaves_like 'verified navigation bar'
     end
 
-    context 'when customer_relations feature flag is enabled' do
+    context 'when customer relations feature and flag is enabled' do
+      let(:group) { create(:group, :crm_enabled) }
+
       before do
         stub_feature_flags(customer_relations: true)
-
         insert_customer_relations_nav(_('Analytics'))
 
         visit group_path(group)

locale/gitlab.pot

@@ -9034,7 +9034,7 @@ msgstr ""
 msgid "Configure a %{codeStart}.gitlab-webide.yml%{codeEnd} file in the %{codeStart}.gitlab%{codeEnd} directory to start using the Web Terminal. %{helpStart}Learn more.%{helpEnd}"
 msgstr ""
 
-msgid "Configure advanced permissions, Large File Storage, and two-factor authentication settings."
+msgid "Configure advanced permissions, Large File Storage, two-factor authentication, and customer relations settings."
 msgstr ""
 
 msgid "Configure existing installation"
@@ -17078,6 +17078,9 @@ msgstr ""
 msgid "GroupSettings|Allow project access token creation"
 msgstr ""
 
+msgid "GroupSettings|Allows creating organizations and contacts and associating them with issues."
+msgstr ""
+
 msgid "GroupSettings|Applied to all subgroups unless overridden by a group owner. Groups already added to the project lose access."
 msgstr ""
 
@@ -17123,6 +17126,9 @@ msgstr ""
 msgid "GroupSettings|Disable group mentions"
 msgstr ""
 
+msgid "GroupSettings|Enable customer relations"
+msgstr ""
+
 msgid "GroupSettings|Enable delayed project deletion"
 msgstr ""
 
@@ -25810,7 +25816,7 @@ msgstr ""
 msgid "Permissions Help"
 msgstr ""
 
-msgid "Permissions, LFS, 2FA"
+msgid "Permissions and group features"
 msgstr ""
 
 msgid "Personal Access Token"

spec/factories/groups.rb

@@ -112,5 +112,11 @@ FactoryBot.define do
         )
       end
     end
+
+    trait :crm_enabled do
+      after(:create) do |group|
+        create(:crm_settings, group: group, enabled: true)
+      end
+    end
   end
 end

spec/features/groups/navbar_spec.rb

@@ -9,7 +9,8 @@ RSpec.describe 'Group navbar' do
   include_context 'group navbar structure'
 
   let_it_be(:user) { create(:user) }
-  let_it_be(:group) { create(:group) }
+
+  let(:group) { create(:group) }
 
   before do
     insert_package_nav(_('Kubernetes'))
@@ -40,7 +41,9 @@ RSpec.describe 'Group navbar' do
     it_behaves_like 'verified navigation bar'
   end
 
-  context 'when customer_relations feature flag is enabled' do
+  context 'when customer_relations feature and flag is enabled' do
+    let(:group) { create(:group, :crm_enabled) }
+
     before do
       stub_feature_flags(customer_relations: true)
 

spec/graphql/mutations/customer_relations/contacts/create_spec.rb

@@ -4,8 +4,8 @@ require 'spec_helper'
 
 RSpec.describe Mutations::CustomerRelations::Contacts::Create do
   let_it_be(:user) { create(:user) }
-  let_it_be(:group) { create(:group) }
 
+  let(:group) { create(:group, :crm_enabled) }
   let(:not_found_or_does_not_belong) { 'The specified organization was not found or does not belong to this group' }
   let(:valid_params) do
     attributes_for(:contact,
@@ -34,11 +34,11 @@ RSpec.describe Mutations::CustomerRelations::Contacts::Create do
     end
 
     context 'when the user has permission' do
-      before_all do
+      before do
         group.add_developer(user)
       end
 
-      context 'when the feature is disabled' do
+      context 'when the feature flag is disabled' do
         before do
           stub_feature_flags(customer_relations: false)
         end
@@ -49,6 +49,15 @@ RSpec.describe Mutations::CustomerRelations::Contacts::Create do
         end
       end
 
+      context 'when crm_enabled is false' do
+        let(:group) { create(:group) }
+
+        it 'raises an error' do
+          expect { resolve_mutation }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+            .with_message("The resource that you are attempting to access does not exist or you don't have permission to perform this action")
+        end
+      end
+
       context 'when the params are invalid' do
         it 'returns the validation error' do
           valid_params[:first_name] = nil

spec/graphql/mutations/customer_relations/contacts/update_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Mutations::CustomerRelations::Contacts::Update do
   let_it_be(:user) { create(:user) }
-  let_it_be(:group) { create(:group) }
+  let_it_be(:group) { create(:group, :crm_enabled) }
 
   let(:first_name) { 'Lionel' }
   let(:last_name) { 'Smith' }

spec/graphql/mutations/customer_relations/organizations/create_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Mutations::CustomerRelations::Organizations::Create do
   let_it_be(:user) { create(:user) }
-  let_it_be(:group) { create(:group) }
+  let_it_be(:group) { create(:group, :crm_enabled) }
 
   let(:valid_params) do
     attributes_for(:organization,

spec/graphql/mutations/customer_relations/organizations/update_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Mutations::CustomerRelations::Organizations::Update do
   let_it_be(:user) { create(:user) }
-  let_it_be(:group) { create(:group) }
+  let_it_be(:group) { create(:group, :crm_enabled) }
 
   let(:name) { 'GitLab' }
   let(:default_rate) { 1000.to_f }
@@ -56,7 +56,7 @@ RSpec.describe Mutations::CustomerRelations::Organizations::Update do
         expect(resolve_mutation[:organization]).to have_attributes(attributes)
       end
 
-      context 'when the feature is disabled' do
+      context 'when the feature flag is disabled' do
         before do
           stub_feature_flags(customer_relations: false)
         end
@@ -66,6 +66,15 @@ RSpec.describe Mutations::CustomerRelations::Organizations::Update do
             .with_message("The resource that you are attempting to access does not exist or you don't have permission to perform this action")
         end
       end
+
+      context 'when the feature is disabled' do
+        let_it_be(:group) { create(:group) }
+
+        it 'raises an error' do
+          expect { resolve_mutation }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+            .with_message("The resource that you are attempting to access does not exist or you don't have permission to perform this action")
+        end
+      end
     end
   end
 

spec/helpers/groups/crm_settings_helper_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::CrmSettingsHelper do
+  let_it_be(:group) { create(:group) }
+
+  describe '#crm_feature_flag_enabled?' do
+    subject do
+      helper.crm_feature_flag_enabled?(group)
+    end
+
+    context 'when feature flag is enabled' do
+      it { is_expected.to be_truthy }
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(customer_relations: false)
+      end
+
+      it { is_expected.to be_falsy }
+    end
+  end
+end

spec/policies/group_policy_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe GroupPolicy do
   include_context 'GroupPolicy context'
 
   context 'public group with no user' do
-    let(:group) { create(:group, :public) }
+    let(:group) { create(:group, :public, :crm_enabled) }
     let(:current_user) { nil }
 
     it do
@@ -1113,7 +1113,7 @@ RSpec.describe GroupPolicy do
     end
   end
 
-  context 'with customer_relations feature flag disabled' do
+  context 'with customer relations feature flag disabled' do
     let(:current_user) { owner }
 
     before do
@@ -1125,4 +1125,14 @@ RSpec.describe GroupPolicy do
     it { is_expected.to be_disallowed(:admin_crm_contact) }
     it { is_expected.to be_disallowed(:admin_crm_organization) }
   end
+
+  context 'when crm_enabled is false' do
+    let(:group) { create(:group) }
+    let(:current_user) { owner }
+
+    it { is_expected.to be_disallowed(:read_crm_contact) }
+    it { is_expected.to be_disallowed(:read_crm_organization) }
+    it { is_expected.to be_disallowed(:admin_crm_contact) }
+    it { is_expected.to be_disallowed(:admin_crm_organization) }
+  end
 end

spec/requests/api/graphql/mutations/issues/set_crm_contacts_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe 'Setting issues crm contacts' do
   include GraphqlHelpers
 
   let_it_be(:user) { create(:user) }
-  let_it_be(:group) { create(:group) }
+  let_it_be(:group) { create(:group, :crm_enabled) }
   let_it_be(:project) { create(:project, group: group) }
   let_it_be(:contacts) { create_list(:contact, 4, group: group) }
 
@@ -42,120 +42,134 @@ RSpec.describe 'Setting issues crm contacts' do
     graphql_mutation_response(:issue_set_crm_contacts)
   end
 
-  before do
-    create(:issue_customer_relations_contact, issue: issue, contact: contacts[0])
-    create(:issue_customer_relations_contact, issue: issue, contact: contacts[1])
-  end
-
-  context 'when the user has no permission' do
-    it 'returns expected error' do
-      error = Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR
-      post_graphql_mutation(mutation, current_user: user)
-
-      expect(graphql_errors).to include(a_hash_including('message' => error))
+  context 'when the feature is enabled' do
+    before do
+      create(:issue_customer_relations_contact, issue: issue, contact: contacts[0])
+      create(:issue_customer_relations_contact, issue: issue, contact: contacts[1])
     end
-  end
 
-  context 'when the user has permission' do
-    before do
-      group.add_reporter(user)
+    context 'when the user has no permission' do
+      it 'returns expected error' do
+        error = Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR
+        post_graphql_mutation(mutation, current_user: user)
+
+        expect(graphql_errors).to include(a_hash_including('message' => error))
+      end
     end
 
-    context 'when the feature is disabled' do
+    context 'when the user has permission' do
       before do
-        stub_feature_flags(customer_relations: false)
+        group.add_reporter(user)
       end
 
-      it 'raises expected error' do
-        post_graphql_mutation(mutation, current_user: user)
+      context 'when the feature is disabled' do
+        before do
+          stub_feature_flags(customer_relations: false)
+        end
+
+        it 'raises expected error' do
+          post_graphql_mutation(mutation, current_user: user)
 
-        expect(graphql_errors).to include(a_hash_including('message' => 'Feature disabled'))
+          expect(graphql_errors).to include(a_hash_including('message' => 'Feature disabled'))
+        end
       end
-    end
 
-    context 'replace' do
-      it 'updates the issue with correct contacts' do
-        post_graphql_mutation(mutation, current_user: user)
+      context 'replace' do
+        it 'updates the issue with correct contacts' do
+          post_graphql_mutation(mutation, current_user: user)
 
-        expect(graphql_data_at(:issue_set_crm_contacts, :issue, :customer_relations_contacts, :nodes, :id))
-          .to match_array([global_id_of(contacts[1]), global_id_of(contacts[2])])
+          expect(graphql_data_at(:issue_set_crm_contacts, :issue, :customer_relations_contacts, :nodes, :id))
+            .to match_array([global_id_of(contacts[1]), global_id_of(contacts[2])])
+        end
       end
-    end
 
-    context 'append' do
-      let(:contact_ids) { [global_id_of(contacts[3])] }
-      let(:operation_mode) { Types::MutationOperationModeEnum.enum[:append] }
+      context 'append' do
+        let(:contact_ids) { [global_id_of(contacts[3])] }
+        let(:operation_mode) { Types::MutationOperationModeEnum.enum[:append] }
 
-      it 'updates the issue with correct contacts' do
-        post_graphql_mutation(mutation, current_user: user)
+        it 'updates the issue with correct contacts' do
+          post_graphql_mutation(mutation, current_user: user)
 
-        expect(graphql_data_at(:issue_set_crm_contacts, :issue, :customer_relations_contacts, :nodes, :id))
-          .to match_array([global_id_of(contacts[0]), global_id_of(contacts[1]), global_id_of(contacts[3])])
+          expect(graphql_data_at(:issue_set_crm_contacts, :issue, :customer_relations_contacts, :nodes, :id))
+            .to match_array([global_id_of(contacts[0]), global_id_of(contacts[1]), global_id_of(contacts[3])])
+        end
       end
-    end
 
-    context 'remove' do
-      let(:contact_ids) { [global_id_of(contacts[0])] }
-      let(:operation_mode) { Types::MutationOperationModeEnum.enum[:remove] }
+      context 'remove' do
+        let(:contact_ids) { [global_id_of(contacts[0])] }
+        let(:operation_mode) { Types::MutationOperationModeEnum.enum[:remove] }
 
-      it 'updates the issue with correct contacts' do
-        post_graphql_mutation(mutation, current_user: user)
+        it 'updates the issue with correct contacts' do
+          post_graphql_mutation(mutation, current_user: user)
 
-        expect(graphql_data_at(:issue_set_crm_contacts, :issue, :customer_relations_contacts, :nodes, :id))
-          .to match_array([global_id_of(contacts[1])])
+          expect(graphql_data_at(:issue_set_crm_contacts, :issue, :customer_relations_contacts, :nodes, :id))
+            .to match_array([global_id_of(contacts[1])])
+        end
       end
-    end
 
-    context 'when the contact does not exist' do
-      let(:contact_ids) { ["gid://gitlab/CustomerRelations::Contact/#{non_existing_record_id}"] }
+      context 'when the contact does not exist' do
+        let(:contact_ids) { ["gid://gitlab/CustomerRelations::Contact/#{non_existing_record_id}"] }
 
-      it 'returns expected error' do
-        post_graphql_mutation(mutation, current_user: user)
+        it 'returns expected error' do
+          post_graphql_mutation(mutation, current_user: user)
 
-        expect(graphql_data_at(:issue_set_crm_contacts, :errors))
-          .to match_array(["Issue customer relations contacts #{non_existing_record_id}: #{does_not_exist_or_no_permission}"])
+          expect(graphql_data_at(:issue_set_crm_contacts, :errors))
+            .to match_array(["Issue customer relations contacts #{non_existing_record_id}: #{does_not_exist_or_no_permission}"])
+        end
       end
-    end
 
-    context 'when the contact belongs to a different group' do
-      let(:group2) { create(:group) }
-      let(:contact) { create(:contact, group: group2) }
-      let(:contact_ids) { [global_id_of(contact)] }
+      context 'when the contact belongs to a different group' do
+        let(:group2) { create(:group, :crm_enabled) }
+        let(:contact) { create(:contact, group: group2) }
+        let(:contact_ids) { [global_id_of(contact)] }
 
-      before do
-        group2.add_reporter(user)
+        before do
+          group2.add_reporter(user)
+        end
+
+        it 'returns expected error' do
+          post_graphql_mutation(mutation, current_user: user)
+
+          expect(graphql_data_at(:issue_set_crm_contacts, :errors))
+          .to match_array(["Issue customer relations contacts #{contact.id}: #{does_not_exist_or_no_permission}"])
+        end
       end
 
-      it 'returns expected error' do
-        post_graphql_mutation(mutation, current_user: user)
+      context 'when attempting to add more than 6' do
+        let(:operation_mode) { Types::MutationOperationModeEnum.enum[:append] }
+        let(:gid) { global_id_of(contacts[0]) }
+        let(:contact_ids) { [gid, gid, gid, gid, gid, gid, gid] }
 
-        expect(graphql_data_at(:issue_set_crm_contacts, :errors))
-        .to match_array(["Issue customer relations contacts #{contact.id}: #{does_not_exist_or_no_permission}"])
+        it 'returns expected error' do
+          post_graphql_mutation(mutation, current_user: user)
+
+          expect(graphql_data_at(:issue_set_crm_contacts, :errors))
+            .to match_array(["You can only add up to 6 contacts at one time"])
+        end
       end
-    end
 
-    context 'when attempting to add more than 6' do
-      let(:operation_mode) { Types::MutationOperationModeEnum.enum[:append] }
-      let(:gid) { global_id_of(contacts[0]) }
-      let(:contact_ids) { [gid, gid, gid, gid, gid, gid, gid] }
+      context 'when trying to remove non-existent contact' do
+        let(:operation_mode) { Types::MutationOperationModeEnum.enum[:remove] }
+        let(:contact_ids) { ["gid://gitlab/CustomerRelations::Contact/#{non_existing_record_id}"] }
 
-      it 'returns expected error' do
-        post_graphql_mutation(mutation, current_user: user)
+        it 'raises expected error' do
+          post_graphql_mutation(mutation, current_user: user)
 
-        expect(graphql_data_at(:issue_set_crm_contacts, :errors))
-          .to match_array(["You can only add up to 6 contacts at one time"])
+          expect(graphql_data_at(:issue_set_crm_contacts, :errors)).to be_empty
+        end
       end
     end
+  end
 
-    context 'when trying to remove non-existent contact' do
-      let(:operation_mode) { Types::MutationOperationModeEnum.enum[:remove] }
-      let(:contact_ids) { ["gid://gitlab/CustomerRelations::Contact/#{non_existing_record_id}"] }
+  context 'when crm_enabled is false' do
+    let(:issue) { create(:issue) }
 
-      it 'raises expected error' do
-        post_graphql_mutation(mutation, current_user: user)
+    it 'raises expected error' do
+      issue.project.add_reporter(user)
 
-        expect(graphql_data_at(:issue_set_crm_contacts, :errors)).to be_empty
-      end
+      post_graphql_mutation(mutation, current_user: user)
+
+      expect(graphql_errors).to include(a_hash_including('message' => 'Feature disabled'))
     end
   end
 end

spec/requests/groups/crm/contacts_controller_spec.rb

@@ -24,7 +24,7 @@ RSpec.describe Groups::Crm::ContactsController do
 
   shared_examples 'ok response with index template if authorized' do
     context 'private group' do
-      let(:group) { create(:group, :private) }
+      let(:group) { create(:group, :private, :crm_enabled) }
 
       context 'with authorized user' do
         before do
@@ -32,11 +32,17 @@ RSpec.describe Groups::Crm::ContactsController do
           sign_in(user)
         end
 
-        context 'when feature flag is enabled' do
+        context 'when crm_enabled is true' do
           it_behaves_like 'ok response with index template'
         end
 
-        context 'when feature flag is not enabled' do
+        context 'when crm_enabled is false' do
+          let(:group) { create(:group, :private) }
+
+          it_behaves_like 'response with 404 status'
+        end
+
+        context 'when feature flag is disabled' do
           before do
             stub_feature_flags(customer_relations: false)
           end
@@ -64,7 +70,7 @@ RSpec.describe Groups::Crm::ContactsController do
     end
 
     context 'public group' do
-      let(:group) { create(:group, :public) }
+      let(:group) { create(:group, :public, :crm_enabled) }
 
       context 'with anonymous user' do
         it_behaves_like 'ok response with index template'

spec/requests/groups/crm/organizations_controller_spec.rb

@@ -24,7 +24,7 @@ RSpec.describe Groups::Crm::OrganizationsController do
 
   shared_examples 'ok response with index template if authorized' do
     context 'private group' do
-      let(:group) { create(:group, :private) }
+      let(:group) { create(:group, :private, :crm_enabled) }
 
       context 'with authorized user' do
         before do
@@ -32,11 +32,17 @@ RSpec.describe Groups::Crm::OrganizationsController do
           sign_in(user)
         end
 
-        context 'when feature flag is enabled' do
+        context 'when crm_enabled is true' do
           it_behaves_like 'ok response with index template'
         end
 
-        context 'when feature flag is not enabled' do
+        context 'when crm_enabled is false' do
+          let(:group) { create(:group, :private) }
+
+          it_behaves_like 'response with 404 status'
+        end
+
+        context 'when feature flag is disabled' do
           before do
             stub_feature_flags(customer_relations: false)
           end
@@ -64,7 +70,7 @@ RSpec.describe Groups::Crm::OrganizationsController do
     end
 
     context 'public group' do
-      let(:group) { create(:group, :public) }
+      let(:group) { create(:group, :public, :crm_enabled) }
 
       context 'with anonymous user' do
         it_behaves_like 'ok response with index template'

spec/services/customer_relations/contacts/create_service_spec.rb

@@ -12,7 +12,7 @@ RSpec.describe CustomerRelations::Contacts::CreateService do
     subject(:response) { described_class.new(group: group, current_user: user, params: params).execute }
 
     context 'when user does not have permission' do
-      let_it_be(:group) { create(:group) }
+      let_it_be(:group) { create(:group, :crm_enabled) }
 
       before_all do
         group.add_reporter(user)
@@ -25,7 +25,7 @@ RSpec.describe CustomerRelations::Contacts::CreateService do
     end
 
     context 'when user has permission' do
-      let_it_be(:group) { create(:group) }
+      let_it_be(:group) { create(:group, :crm_enabled) }
 
       before_all do
         group.add_developer(user)

spec/services/customer_relations/contacts/update_service_spec.rb

@@ -11,7 +11,7 @@ RSpec.describe CustomerRelations::Contacts::UpdateService do
 
   describe '#execute' do
     context 'when the user has no permission' do
-      let_it_be(:group) { create(:group) }
+      let_it_be(:group) { create(:group, :crm_enabled) }
 
       let(:params) { { first_name: 'Gary' } }
 
@@ -24,7 +24,7 @@ RSpec.describe CustomerRelations::Contacts::UpdateService do
     end
 
     context 'when user has permission' do
-      let_it_be(:group) { create(:group) }
+      let_it_be(:group) { create(:group, :crm_enabled) }
 
       before_all do
         group.add_developer(user)

spec/services/customer_relations/organizations/create_service_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe CustomerRelations::Organizations::CreateService do
   describe '#execute' do
     let_it_be(:user) { create(:user) }
 
-    let(:group) { create(:group) }
+    let(:group) { create(:group, :crm_enabled) }
     let(:params) { attributes_for(:organization, group: group) }
 
     subject(:response) { described_class.new(group: group, current_user: user, params: params).execute }

spec/services/customer_relations/organizations/update_service_spec.rb

@@ -11,7 +11,7 @@ RSpec.describe CustomerRelations::Organizations::UpdateService do
 
   describe '#execute' do
     context 'when the user has no permission' do
-      let_it_be(:group) { create(:group) }
+      let_it_be(:group) { create(:group, :crm_enabled) }
 
       let(:params) { { name: 'GitLab' } }
 
@@ -24,7 +24,7 @@ RSpec.describe CustomerRelations::Organizations::UpdateService do
     end
 
     context 'when user has permission' do
-      let_it_be(:group) { create(:group) }
+      let_it_be(:group) { create(:group, :crm_enabled) }
 
       before_all do
         group.add_developer(user)

spec/services/groups/update_service_spec.rb

@@ -163,6 +163,70 @@ RSpec.describe Groups::UpdateService do
         expect(updated_group.parent_id).to be_nil
       end
     end
+
+    context 'crm_enabled param' do
+      context 'when no existing crm_settings' do
+        it 'when param not present, leave crm disabled' do
+          params = {}
+
+          described_class.new(public_group, user, params).execute
+          updated_group = public_group.reload
+
+          expect(updated_group.crm_enabled?).to be_falsey
+        end
+
+        it 'when param set true, enables crm' do
+          params = { crm_enabled: true }
+
+          described_class.new(public_group, user, params).execute
+          updated_group = public_group.reload
+
+          expect(updated_group.crm_enabled?).to be_truthy
+        end
+      end
+
+      context 'with existing crm_settings' do
+        it 'when param set true, enables crm' do
+          params = { crm_enabled: true }
+          create(:crm_settings, group: public_group)
+
+          described_class.new(public_group, user, params).execute
+
+          updated_group = public_group.reload
+          expect(updated_group.crm_enabled?).to be_truthy
+        end
+
+        it 'when param set false, disables crm' do
+          params = { crm_enabled: false }
+          create(:crm_settings, group: public_group, enabled: true)
+
+          described_class.new(public_group, user, params).execute
+
+          updated_group = public_group.reload
+          expect(updated_group.crm_enabled?).to be_falsy
+        end
+
+        it 'when param not present, crm remains disabled' do
+          params = {}
+          create(:crm_settings, group: public_group)
+
+          described_class.new(public_group, user, params).execute
+
+          updated_group = public_group.reload
+          expect(updated_group.crm_enabled?).to be_falsy
+        end
+
+        it 'when param not present, crm remains enabled' do
+          params = {}
+          create(:crm_settings, group: public_group, enabled: true)
+
+          described_class.new(public_group, user, params).execute
+
+          updated_group = public_group.reload
+          expect(updated_group.crm_enabled?).to be_truthy
+        end
+      end
+    end
   end
 
   context "unauthorized visibility_level validation" do

spec/services/issues/create_service_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Issues::CreateService do
   include AfterNextHelpers
 
-  let_it_be(:group) { create(:group) }
+  let_it_be(:group) { create(:group, :crm_enabled) }
   let_it_be_with_reload(:project) { create(:project, group: group) }
   let_it_be(:user) { create(:user) }
 

spec/services/issues/set_crm_contacts_service_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Issues::SetCrmContactsService do
   let_it_be(:user) { create(:user) }
-  let_it_be(:group) { create(:group) }
+  let_it_be(:group) { create(:group, :crm_enabled) }
   let_it_be(:project) { create(:project, group: group) }
   let_it_be(:contacts) { create_list(:contact, 4, group: group) }
 

spec/services/issues/update_service_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe Issues::UpdateService, :mailer do
   let_it_be(:user2) { create(:user) }
   let_it_be(:user3) { create(:user) }
   let_it_be(:guest) { create(:user) }
-  let_it_be(:group) { create(:group, :public) }
+  let_it_be(:group) { create(:group, :public, :crm_enabled) }
   let_it_be(:project, reload: true) { create(:project, :repository, group: group) }
   let_it_be(:label) { create(:label, project: project) }
   let_it_be(:label2) { create(:label, project: project) }

spec/services/quick_actions/interpret_service_spec.rb

@@ -3,7 +3,7 @@
 require 'spec_helper'
 
 RSpec.describe QuickActions::InterpretService do
-  let_it_be(:group) { create(:group) }
+  let_it_be(:group) { create(:group, :crm_enabled) }
   let_it_be(:public_project) { create(:project, :public, group: group) }
   let_it_be(:repository_project) { create(:project, :repository) }
   let_it_be(:project) { public_project }

spec/support/shared_contexts/policies/group_policy_shared_context.rb

@@ -8,7 +8,7 @@ RSpec.shared_context 'GroupPolicy context' do
   let_it_be(:owner) { create(:user) }
   let_it_be(:admin) { create(:admin) }
   let_it_be(:non_group_member) { create(:user) }
-  let_it_be(:group, refind: true) { create(:group, :private, :owner_subgroup_creation_only) }
+  let_it_be(:group, refind: true) { create(:group, :private, :owner_subgroup_creation_only, :crm_enabled) }
 
   let(:guest_permissions) do
     %i[