Merge branch 'chore/migrate-models-policies-specs-admin-mode' into 'master'

Migrate models and policies specs to consider admin mode

See merge request gitlab-org/gitlab!30430

app/models/issue.rb

@@ -359,7 +359,7 @@ class Issue < ApplicationRecord
   # for performance reasons, check commit: 002ad215818450d2cbbc5fa065850a953dc7ada8
   # Make sure to sync this method with issue_policy.rb
   def readable_by?(user)
-    if user.admin?
+    if user.can_read_all_resources?
       true
     elsif project.owner == user
       true

changelogs/unreleased/chore-migrate-models-policies-specs-admin-mode.yml

+---
+title: Migrate models and policies specs to consider admin mode
+merge_request: 30430
+author: Diego Louzán
+type: other

ee/spec/models/analytics/cycle_analytics/group_level_spec.rb

@@ -3,10 +3,10 @@
 require 'spec_helper'
 
 describe Analytics::CycleAnalytics::GroupLevel do
-  let_it_be(:group) { create(:group)}
+  let_it_be(:group) { create(:group) }
   let_it_be(:project) { create(:project, :repository, namespace: group) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { create(:user) }
   let(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
   let_it_be(:milestone) { create(:milestone, project: project) }
   let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") }
@@ -18,6 +18,12 @@ describe Analytics::CycleAnalytics::GroupLevel do
 
   subject { described_class.new(group: group, options: { from: from_date, current_user: user }) }
 
+  before do
+    # Cannot set the owner directly when calling `create(:group)`
+    # See spec/factories/groups.rb#after(:create)
+    group.add_owner(user)
+  end
+
   describe '#permissions' do
     it 'returns true for all stages' do
       expect(subject.permissions.values.uniq).to eq([true])

ee/spec/models/concerns/elastic/note_spec.rb

@@ -152,8 +152,8 @@ describe Note, :elastic do
       expect(Note.elastic_search('term', options: options).total_count).to eq(1)
     end
 
-    [:admin, :auditor].each do |user_type|
-      it "finds note for #{user_type}", :sidekiq_might_not_need_inline do
+    shared_examples 'notes finder' do |user_type, no_of_notes|
+      it "finds #{no_of_notes} notes for #{user_type}", :sidekiq_might_not_need_inline do
         superuser = create(user_type)
         issue = create(:issue, :confidential, author: create(:user))
 
@@ -164,10 +164,18 @@ describe Note, :elastic do
 
         options = { project_ids: [issue.project.id], current_user: superuser }
 
-        expect(Note.elastic_search('term', options: options).total_count).to eq(1)
+        expect(Note.elastic_search('term', options: options).total_count).to eq(no_of_notes)
       end
     end
 
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it_behaves_like 'notes finder', :admin, 1
+    end
+
+    it_behaves_like 'notes finder', :admin, 0
+
+    it_behaves_like 'notes finder', :auditor, 1
+
     it "return notes with matching content for project members", :sidekiq_might_not_need_inline do
       user = create :user
       issue = create :issue, :confidential, author: user

ee/spec/models/ee/event_spec.rb

@@ -66,7 +66,20 @@ describe Event do
 
         expect(event).to be_visible_to(member)
         expect(event).to be_visible_to(guest)
-        expect(event).to be_visible_to(admin)
+      end
+
+      context 'when admin mode enabled', :enable_admin_mode do
+        it 'is visible to admin', :aggregate_failures do
+          expect(event).to be_visible_to(admin)
+        end
+      end
+
+      context 'when admin mode disabled' do
+        # Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
+        # See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
+        xit 'is not visible to admin', :aggregate_failures do
+          expect(event).not_to be_visible_to(admin)
+        end
       end
     end
 

ee/spec/models/issue_spec.rb

@@ -240,7 +240,7 @@ describe Issue do
 
     describe 'when a user cannot read cross project' do
       it 'only returns issues within the same project' do
-        expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).and_call_original
+        expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).at_least(:once).and_call_original
         expect(Ability).to receive(:allowed?).with(user, :read_cross_project).and_return(false)
 
         expect(authorized_issue_a.related_issues(user))

ee/spec/models/productivity_analytics_spec.rb

@@ -6,13 +6,16 @@ describe ProductivityAnalytics do
   describe 'metrics data' do
     subject(:analytics) { described_class.new(merge_requests: finder_mrs, sort: custom_sort) }
 
-    let(:finder_mrs) { ProductivityAnalyticsFinder.new(create(:admin), finder_options).execute }
+    let(:project) { create(:project) }
+    let(:user) { project.owner }
+
+    let(:finder_mrs) { ProductivityAnalyticsFinder.new(user, finder_options).execute }
     let(:finder_options) { { state: 'merged' } }
 
     let(:custom_sort) { nil }
 
-    let(:label_a) { create(:label) }
-    let(:label_b) { create(:label) }
+    let(:label_a) { create(:label, project: project) }
+    let(:label_b) { create(:label, project: project) }
 
     let(:long_mr) do
       metrics_data = {
@@ -25,6 +28,7 @@ describe ProductivityAnalytics do
       }
       create(:labeled_merge_request, :merged, :with_productivity_metrics,
              labels: [label_a, label_b],
+             source_project: project,
              created_at: 31.days.ago,
              metrics_data: metrics_data)
     end
@@ -40,6 +44,7 @@ describe ProductivityAnalytics do
       }
 
       create(:labeled_merge_request, :merged, :with_productivity_metrics,
+             source_project: project,
              created_at: 15.days.ago,
              metrics_data: metrics_data)
     end
@@ -56,6 +61,7 @@ describe ProductivityAnalytics do
 
       create(:labeled_merge_request, :merged, :with_productivity_metrics,
              labels: [label_a, label_b],
+             source_project: project,
              created_at: 31.days.ago,
              metrics_data: metrics_data)
     end
@@ -72,6 +78,7 @@ describe ProductivityAnalytics do
 
       create(:labeled_merge_request, :merged, :with_productivity_metrics,
              labels: [label_a, label_b],
+             source_project: project,
              created_at: 31.days.ago,
              metrics_data: metrics_data)
     end

ee/spec/policies/base_policy_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe BasePolicy, :do_not_mock_admin_mode do
+describe BasePolicy do
   include ExternalAuthorizationServiceHelpers
 
   let(:auditor) { build(:auditor) }

ee/spec/policies/ci/build_policy_spec.rb

@@ -74,7 +74,13 @@ describe Ci::BuildPolicy do
       context 'with admin' do
         let(:current_user) { admin }
 
-        it { expect_allowed(*build_permissions) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          it { expect_allowed(*build_permissions) }
+        end
+
+        context 'when admin mode disabled' do
+          it { expect_disallowed(*build_permissions) }
+        end
 
         context 'when build is not from a webide pipeline' do
           let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :chat) }
@@ -87,8 +93,15 @@ describe Ci::BuildPolicy do
             allow(build).to receive(:has_terminal?).and_return(false)
           end
 
-          it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) }
-          it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
+          context 'when admin mode enabled', :enable_admin_mode do
+            it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) }
+            it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
+          end
+
+          context 'when admin mode disabled' do
+            it { expect_disallowed(:read_web_ide_terminal, :update_web_ide_terminal) }
+            it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
+          end
         end
 
         context 'feature flag "build_service_proxy" is disabled' do

ee/spec/policies/clusters/instance_policy_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe Clusters::InstancePolicy do
+describe Clusters::InstancePolicy, :enable_admin_mode do
   let(:user) { build(:admin) }
   let(:instance) { Clusters::Instance.new }
 

ee/spec/policies/geo/registry_policy_spec.rb

@@ -10,8 +10,16 @@ describe Geo::RegistryPolicy do
   context 'when the user is an admin' do
     let(:current_user) { create(:user, :admin) }
 
-    it 'allows read_geo_registry for any registry' do
-      expect(policy).to be_allowed(:read_geo_registry)
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it 'allows read_geo_registry for any registry' do
+        expect(policy).to be_allowed(:read_geo_registry)
+      end
+    end
+
+    context 'when admin mode is disabled' do
+      it 'disallows read_geo_registry for any registry' do
+        expect(policy).to be_disallowed(:read_geo_registry)
+      end
     end
   end
 

ee/spec/policies/geo_node_policy_spec.rb

@@ -10,8 +10,16 @@ describe GeoNodePolicy do
   context 'when the user is an admin' do
     let(:current_user) { create(:user, :admin) }
 
-    it 'allows read_geo_node for any GeoNode' do
-      expect(policy).to be_allowed(:read_geo_node)
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it 'allows read_geo_node for any GeoNode' do
+        expect(policy).to be_allowed(:read_geo_node)
+      end
+    end
+
+    context 'when admin mode is disabled' do
+      it 'disallows read_geo_node for any GeoNode' do
+        expect(policy).to be_disallowed(:read_geo_node)
+      end
     end
   end
 

ee/spec/policies/global_policy_spec.rb

@@ -5,6 +5,8 @@ require 'spec_helper'
 describe GlobalPolicy do
   include ExternalAuthorizationServiceHelpers
 
+  let_it_be(:admin) { create(:admin) }
+
   let(:current_user) { create(:user) }
   let(:user) { create(:user) }
 
@@ -38,9 +40,17 @@ describe GlobalPolicy do
   it { is_expected.to be_disallowed(:destroy_licenses) }
   it { is_expected.to be_disallowed(:read_all_geo) }
 
-  it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_licenses) }
-  it { expect(described_class.new(create(:admin), [user])).to be_allowed(:destroy_licenses) }
-  it { expect(described_class.new(create(:admin), [user])).to be_allowed(:read_all_geo) }
+  context 'when admin mode enabled', :enable_admin_mode do
+    it { expect(described_class.new(admin, [user])).to be_allowed(:read_licenses) }
+    it { expect(described_class.new(admin, [user])).to be_allowed(:destroy_licenses) }
+    it { expect(described_class.new(admin, [user])).to be_allowed(:read_all_geo) }
+  end
+
+  context 'when admin mode disabled' do
+    it { expect(described_class.new(admin, [user])).to be_disallowed(:read_licenses) }
+    it { expect(described_class.new(admin, [user])).to be_disallowed(:destroy_licenses) }
+    it { expect(described_class.new(admin, [user])).to be_disallowed(:read_all_geo) }
+  end
 
   shared_examples 'analytics policy' do |action|
     context 'anonymous user' do
@@ -69,15 +79,22 @@ describe GlobalPolicy do
       end
 
       it { is_expected.to be_disallowed(:update_max_pages_size) }
-      it { expect(described_class.new(create(:admin), [user])).to be_allowed(:update_max_pages_size) }
+
+      context 'when admin mode enabled', :enable_admin_mode do
+        it { expect(described_class.new(admin, [user])).to be_allowed(:update_max_pages_size) }
+      end
+
+      context 'when admin mode disabled' do
+        it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }
+      end
     end
 
-    it { expect(described_class.new(create(:admin), [user])).to be_disallowed(:update_max_pages_size) }
+    it { expect(described_class.new(admin, [user])).to be_disallowed(:update_max_pages_size) }
   end
 
   describe 'create_group_with_default_branch_protection' do
     context 'for an admin' do
-      let(:current_user) { create(:admin) }
+      let(:current_user) { admin }
 
       context 'when the `default_branch_protection_restriction_in_groups` feature is available' do
         before do
@@ -97,7 +114,13 @@ describe GlobalPolicy do
             stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
           end
 
-          it { is_expected.to be_allowed(:create_group_with_default_branch_protection) }
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it { is_expected.to be_allowed(:create_group_with_default_branch_protection) }
+          end
+
+          context 'when admin mode is disabled' do
+            it { is_expected.to be_disallowed(:create_group_with_default_branch_protection) }
+          end
         end
       end
 

ee/spec/policies/group_policy_spec.rb

@@ -418,8 +418,15 @@ describe GroupPolicy do
       context 'admin' do
         let(:current_user) { admin }
 
-        it { is_expected.to be_allowed(:override_group_member) }
-        it { is_expected.to be_allowed(:update_group_member) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          it { is_expected.to be_allowed(:override_group_member) }
+          it { is_expected.to be_allowed(:update_group_member) }
+        end
+
+        context 'when admin mode disabled' do
+          it { is_expected.to be_disallowed(:override_group_member) }
+          it { is_expected.to be_disallowed(:update_group_member) }
+        end
       end
 
       context 'owner' do
@@ -801,7 +808,13 @@ describe GroupPolicy do
             stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false)
           end
 
-          it { is_expected.to be_allowed(:update_default_branch_protection) }
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it { is_expected.to be_allowed(:update_default_branch_protection) }
+          end
+
+          context 'when admin mode is disabled' do
+            it { is_expected.to be_disallowed(:update_default_branch_protection) }
+          end
         end
       end
 

ee/spec/policies/namespace_policy_spec.rb

@@ -27,7 +27,13 @@ describe NamespacePolicy do
     context 'admin' do
       let(:current_user) { build_stubbed(:admin) }
 
-      it { is_expected.to be_allowed(:create_jira_connect_subscription) }
+      context 'when admin mode enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:create_jira_connect_subscription) }
+      end
+
+      context 'when admin mode disabled' do
+        it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
+      end
     end
 
     context 'owner' do

ee/spec/policies/user_policy_spec.rb

@@ -22,14 +22,26 @@ describe UserPolicy do
     context 'when an admin user tries to update a regular user' do
       let(:current_user) { create(:user, :admin) }
 
-      it { is_expected.to be_allowed(ability) }
+      context 'when admin mode enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(ability) }
+      end
+
+      context 'when admin mode disabled' do
+        it { is_expected.not_to be_allowed(ability) }
+      end
     end
 
     context 'when an admin user tries to update a ghost user' do
       let(:current_user) { create(:user, :admin) }
       let(:user) { create(:user, :ghost) }
 
-      it { is_expected.not_to be_allowed(ability) }
+      context 'when admin mode enabled', :enable_admin_mode do
+        it { is_expected.not_to be_allowed(ability) }
+      end
+
+      context 'when admin mode disabled' do
+        it { is_expected.not_to be_allowed(ability) }
+      end
     end
   end
 
@@ -65,7 +77,13 @@ describe UserPolicy do
         context 'for an admin user' do
           let(:current_user) { create(:admin) }
 
-          it { is_expected.to be_allowed(:update_name) }
+          context 'when admin mode enabled', :enable_admin_mode do
+            it { is_expected.to be_allowed(:update_name) }
+          end
+
+          context 'when admin mode disabled' do
+            it { is_expected.not_to be_allowed(:update_name) }
+          end
         end
       end
     end

ee/spec/support/shared_examples/policies/protected_environments_shared_examples.rb

@@ -3,6 +3,8 @@
 RSpec.shared_examples 'protected environments access' do |developer_access = true|
   using RSpec::Parameterized::TableSyntax
 
+  include AdminModeHelper
+
   before do
     allow(License).to receive(:feature_available?).and_call_original
     allow(License).to receive(:feature_available?).with(:protected_environments).and_return(feature_available)
@@ -11,19 +13,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
   context 'when Protected Environments feature is not available in the project' do
     let(:feature_available) { false }
 
-    where(:access_level, :result) do
-      :guest      | false
-      :reporter   | false
-      :developer  | developer_access
-      :maintainer | true
-      :admin      | true
+    where(:access_level, :admin_mode, :result) do
+      :guest      | nil   | false
+      :reporter   | nil   | false
+      :developer  | nil   | developer_access
+      :maintainer | nil   | true
+      :admin      | false | false
+      :admin      | true  | true
     end
 
     with_them do
       before do
         environment
 
-        update_user_access(access_level, user, project)
+        update_user_access(access_level, admin_mode, user, project)
       end
 
       it { is_expected.to eq(result) }
@@ -37,19 +40,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
       let(:protected_environment) { create(:protected_environment, name: environment.name, project: project) }
 
       context 'when user does not have access to the environment' do
-        where(:access_level, :result) do
-          :guest      | false
-          :reporter   | false
-          :developer  | false
-          :maintainer | false
-          :admin      | true
+        where(:access_level, :admin_mode, :result) do
+          :guest      | nil   | false
+          :reporter   | nil   | false
+          :developer  | nil   | false
+          :maintainer | nil   | false
+          :admin      | false | false
+          :admin      | true  | true
         end
 
         with_them do
           before do
             protected_environment
 
-            update_user_access(access_level, user, project)
+            update_user_access(access_level, admin_mode, user, project)
           end
 
           it { is_expected.to eq(result) }
@@ -57,19 +61,20 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
       end
 
       context 'when user has access to the environment' do
-        where(:access_level, :result) do
-          :guest      | false
-          :reporter   | false
-          :developer  | developer_access
-          :maintainer | true
-          :admin      | true
+        where(:access_level, :admin_mode, :result) do
+          :guest      | nil   | false
+          :reporter   | nil   | false
+          :developer  | nil   | developer_access
+          :maintainer | nil   | true
+          :admin      | false | false
+          :admin      | true  | true
         end
 
         with_them do
           before do
             protected_environment.deploy_access_levels.create(user: user)
 
-            update_user_access(access_level, user, project)
+            update_user_access(access_level, admin_mode, user, project)
           end
 
           it { is_expected.to eq(result) }
@@ -78,17 +83,18 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
     end
 
     context 'when environment is not protected' do
-      where(:access_level, :result) do
-        :guest      | false
-        :reporter   | false
-        :developer  | developer_access
-        :maintainer | true
-        :admin      | true
+      where(:access_level, :admin_mode, :result) do
+        :guest      | nil   | false
+        :reporter   | nil   | false
+        :developer  | nil   | developer_access
+        :maintainer | nil   | true
+        :admin      | false | false
+        :admin      | true  | true
       end
 
       with_them do
         before do
-          update_user_access(access_level, user, project)
+          update_user_access(access_level, admin_mode, user, project)
         end
 
         it { is_expected.to eq(result) }
@@ -96,9 +102,10 @@ RSpec.shared_examples 'protected environments access' do |developer_access = tru
     end
   end
 
-  def update_user_access(access_level, user, project)
+  def update_user_access(access_level, admin_mode, user, project)
     if access_level == :admin
       user.update_attribute(:admin, true)
+      enable_admin_mode!(user) if admin_mode
     elsif access_level.present?
       project.add_user(user, access_level)
     end

spec/controllers/ldap/omniauth_callbacks_controller_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe Ldap::OmniauthCallbacksController, :do_not_mock_admin_mode do
+describe Ldap::OmniauthCallbacksController do
   include_context 'Ldap::OmniauthCallbacksController'
 
   it 'allows sign in' do

spec/controllers/omniauth_callbacks_controller_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe OmniauthCallbacksController, type: :controller, do_not_mock_admin_mode: true do
+describe OmniauthCallbacksController, type: :controller do
   include LoginHelpers
 
   describe 'omniauth' do

spec/models/ability_spec.rb

@@ -74,13 +74,20 @@ describe Ability do
     context 'using a private project' do
       let(:project) { create(:project, :private) }
 
-      it 'returns users that are administrators' do
+      it 'returns users that are administrators when admin mode is enabled', :enable_admin_mode do
         user = build(:user, admin: true)
 
         expect(described_class.users_that_can_read_project([user], project))
           .to eq([user])
       end
 
+      it 'does not return users that are administrators when admin mode is disabled' do
+        user = build(:user, admin: true)
+
+        expect(described_class.users_that_can_read_project([user], project))
+            .to eq([])
+      end
+
       it 'returns external users if they are the project owner' do
         user1 = build(:user, external: true)
         user2 = build(:user, external: true)
@@ -145,7 +152,7 @@ describe Ability do
   end
 
   describe '.merge_requests_readable_by_user' do
-    context 'with an admin' do
+    context 'with an admin when admin mode is enabled', :enable_admin_mode do
       it 'returns all merge requests' do
         user = build(:user, admin: true)
         merge_request = build(:merge_request)
@@ -155,6 +162,19 @@ describe Ability do
       end
     end
 
+    context 'with an admin when admin mode is disabled' do
+      it 'returns merge_requests that are publicly visible' do
+        user = build(:user, admin: true)
+        hidden_merge_request = build(:merge_request)
+        visible_merge_request = build(:merge_request, source_project: build(:project, :public))
+
+        merge_requests = described_class
+            .merge_requests_readable_by_user([hidden_merge_request, visible_merge_request], user)
+
+        expect(merge_requests).to eq([visible_merge_request])
+      end
+    end
+
     context 'without a user' do
       it 'returns merge_requests that are publicly visible' do
         hidden_merge_request = build(:merge_request)
@@ -217,7 +237,7 @@ describe Ability do
   end
 
   describe '.issues_readable_by_user' do
-    context 'with an admin user' do
+    context 'with an admin when admin mode is enabled', :enable_admin_mode do
       it 'returns all given issues' do
         user = build(:user, admin: true)
         issue = build(:issue)
@@ -227,6 +247,26 @@ describe Ability do
       end
     end
 
+    context 'with an admin when admin mode is disabled' do
+      it 'returns the issues readable by the admin' do
+        user = build(:user, admin: true)
+        issue = build(:issue)
+
+        expect(issue).to receive(:readable_by?).with(user).and_return(true)
+
+        expect(described_class.issues_readable_by_user([issue], user))
+          .to eq([issue])
+      end
+
+      it 'returns no issues when not given access' do
+        user = build(:user, admin: true)
+        issue = build(:issue)
+
+        expect(described_class.issues_readable_by_user([issue], user))
+          .to be_empty
+      end
+    end
+
     context 'with a regular user' do
       it 'returns the issues readable by the user' do
         user = build(:user)

spec/models/cycle_analytics/code_spec.rb

@@ -7,7 +7,7 @@ describe 'CycleAnalytics#code' do
 
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
   let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
 
   subject { project_level }

spec/models/cycle_analytics/issue_spec.rb

@@ -7,7 +7,7 @@ describe 'CycleAnalytics#issue' do
 
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
   let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
 
   subject { project_level }

spec/models/cycle_analytics/plan_spec.rb

@@ -7,7 +7,7 @@ describe 'CycleAnalytics#plan' do
 
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
   let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
 
   subject { project_level }

spec/models/cycle_analytics/production_spec.rb

@@ -7,7 +7,7 @@ describe 'CycleAnalytics#production' do
 
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
   let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
 
   subject { project_level }

spec/models/cycle_analytics/project_level_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 describe CycleAnalytics::ProjectLevel do
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
   let_it_be(:issue) { create(:issue, project: project, created_at: 2.days.ago) }
   let_it_be(:milestone) { create(:milestone, project: project) }
   let(:mr) { create_merge_request_closing_issue(user, project, issue, commit_message: "References #{issue.to_reference}") }

spec/models/cycle_analytics/review_spec.rb

@@ -7,7 +7,7 @@ describe 'CycleAnalytics#review' do
 
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
 
   subject { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
 

spec/models/cycle_analytics/staging_spec.rb

@@ -7,7 +7,7 @@ describe 'CycleAnalytics#staging' do
 
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
   let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
 
   subject { project_level }

spec/models/cycle_analytics/test_spec.rb

@@ -7,7 +7,7 @@ describe 'CycleAnalytics#test' do
 
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:from_date) { 10.days.ago }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
   let_it_be(:issue) { create(:issue, project: project) }
   let_it_be(:project_level) { CycleAnalytics::ProjectLevel.new(project, options: { from: from_date }) }
   let!(:merge_request) { create_merge_request_closing_issue(user, project, issue) }

spec/models/event_spec.rb

@@ -287,8 +287,16 @@ describe Event do
       context 'private project' do
         let(:project) { create(:project, :private, :repository) }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_none_except(:member, :admin) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:member, :admin) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:member) }
+          end
         end
       end
     end
@@ -340,8 +348,16 @@ describe Event do
         let(:project) { private_project }
         let(:target) { note_on_issue }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:guest, :member) }
+          end
         end
 
         include_examples 'visible to assignee and author', false
@@ -366,8 +382,16 @@ describe Event do
       context 'private project' do
         let(:project) { private_project }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_none_except(:member, :admin) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:member, :admin) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:member) }
+          end
         end
 
         include_examples 'visible to assignee', false
@@ -384,16 +408,32 @@ describe Event do
       context 'on public project with private issue tracker and merge requests' do
         let(:project) { create(:project, :public, :issues_private, :merge_requests_private) }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
+          end
         end
       end
 
       context 'on private project' do
         let(:project) { create(:project, :private) }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
+          end
         end
       end
     end
@@ -404,8 +444,16 @@ describe Event do
       context 'on private project', :aggregate_failures do
         let(:project) { create(:project, :wiki_repo) }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_all_except(:logged_out, :non_member) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_all_except(:logged_out, :non_member, :admin) }
+          end
         end
       end
 
@@ -428,9 +476,18 @@ describe Event do
       context 'on public project with private snippets' do
         let(:project) { create(:project, :public, :snippets_private) }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:guest, :member) }
+          end
         end
+
         # Normally, we'd expect the author of a comment to be able to view it.
         # However, this doesn't seem to be the case for comments on snippets.
 
@@ -440,9 +497,18 @@ describe Event do
       context 'on private project' do
         let(:project) { create(:project, :private) }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:guest, :member, :admin) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:guest, :member) }
+          end
         end
+
         # Normally, we'd expect the author of a comment to be able to view it.
         # However, this doesn't seem to be the case for comments on snippets.
 
@@ -470,8 +536,16 @@ describe Event do
       context 'on private snippet' do
         let(:personal_snippet) { create(:personal_snippet, :private, author: author) }
 
-        include_examples 'visibility examples' do
-          let(:visibility) { visible_to_none_except(:admin) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none_except(:admin) }
+          end
+        end
+
+        context 'when admin mode disabled' do
+          include_examples 'visibility examples' do
+            let(:visibility) { visible_to_none }
+          end
         end
 
         include_examples 'visible to author', true

spec/models/issue_spec.rb

@@ -612,8 +612,15 @@ describe Issue do
       context 'with an admin user' do
         let(:user) { build(:admin) }
 
-        it_behaves_like 'issue readable by user'
-        it_behaves_like 'confidential issue readable by user'
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it_behaves_like 'issue readable by user'
+          it_behaves_like 'confidential issue readable by user'
+        end
+
+        context 'when admin mode is disabled' do
+          it_behaves_like 'issue not readable by user'
+          it_behaves_like 'confidential issue not readable by user'
+        end
       end
 
       context 'with an owner' do
@@ -732,13 +739,29 @@ describe Issue do
           expect(issue.visible_to_user?(user)).to be_falsy
         end
 
-        it 'does not check the external webservice for admins' do
-          issue = build(:issue)
-          user = build(:admin)
+        context 'with an admin' do
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it 'does not check the external webservice' do
+              issue = build(:issue)
+              user = build(:admin)
 
-          expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+              expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+
+              issue.visible_to_user?(user)
+            end
+          end
+
+          context 'when admin mode is disabled' do
+            it 'checks the external service to determine if an issue is readable by the admin' do
+              project = build(:project, :public,
+                              external_authorization_classification_label: 'a-label')
+              issue = build(:issue, project: project)
+              user = build(:admin)
 
-          issue.visible_to_user?(user)
+              expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false }
+              expect(issue.visible_to_user?(user)).to be_falsy
+            end
+          end
         end
       end
 

spec/models/member_spec.rb

@@ -241,10 +241,22 @@ describe Member do
           expect(member).to be_persisted
         end
 
-        it 'sets members.created_by to the given current_user' do
-          member = described_class.add_user(source, user, :maintainer, current_user: admin)
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it 'sets members.created_by to the given admin current_user' do
+            member = described_class.add_user(source, user, :maintainer, current_user: admin)
 
-          expect(member.created_by).to eq(admin)
+            expect(member.created_by).to eq(admin)
+          end
+        end
+
+        context 'when admin mode is disabled' do
+          # Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
+          # https://gitlab.com/gitlab-org/gitlab/-/issues/207950
+          xit 'rejects setting members.created_by to the given admin current_user' do
+            member = described_class.add_user(source, user, :maintainer, current_user: admin)
+
+            expect(member.created_by).not_to be_persisted
+          end
         end
 
         it 'sets members.expires_at to the given expires_at' do
@@ -353,7 +365,7 @@ describe Member do
           end
         end
 
-        context 'when current_user can update member' do
+        context 'when current_user can update member', :enable_admin_mode do
           it 'creates the member' do
             expect(source.users).not_to include(user)
 
@@ -421,7 +433,7 @@ describe Member do
             end
           end
 
-          context 'when current_user can update member' do
+          context 'when current_user can update member', :enable_admin_mode do
             it 'updates the member' do
               expect(source.users).to include(user)
 

spec/models/project_feature_spec.rb

@@ -31,27 +31,30 @@ describe ProjectFeature do
 
     context 'when features are disabled' do
       it "returns false" do
+        update_all_project_features(project, features, ProjectFeature::DISABLED)
+
         features.each do |feature|
-          project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::DISABLED)
-          expect(project.feature_available?(:issues, user)).to eq(false)
+          expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
         end
       end
     end
 
     context 'when features are enabled only for team members' do
       it "returns false when user is not a team member" do
+        update_all_project_features(project, features, ProjectFeature::PRIVATE)
+
         features.each do |feature|
-          project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
-          expect(project.feature_available?(:issues, user)).to eq(false)
+          expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
         end
       end
 
       it "returns true when user is a team member" do
         project.add_developer(user)
 
+        update_all_project_features(project, features, ProjectFeature::PRIVATE)
+
         features.each do |feature|
-          project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
-          expect(project.feature_available?(:issues, user)).to eq(true)
+          expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
         end
       end
 
@@ -60,27 +63,41 @@ describe ProjectFeature do
         project = create(:project, namespace: group)
         group.add_developer(user)
 
+        update_all_project_features(project, features, ProjectFeature::PRIVATE)
+
         features.each do |feature|
-          project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
-          expect(project.feature_available?(:issues, user)).to eq(true)
+          expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
         end
       end
 
-      it "returns true if user is an admin" do
-        user.update_attribute(:admin, true)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it "returns true if user is an admin" do
+          user.update_attribute(:admin, true)
 
-        features.each do |feature|
-          project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
-          expect(project.feature_available?(:issues, user)).to eq(true)
+          update_all_project_features(project, features, ProjectFeature::PRIVATE)
+
+          features.each do |feature|
+            expect(project.feature_available?(feature.to_sym, user)).to eq(true), "#{feature} failed"
+          end
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it "returns false when user is an admin" do
+          user.update_attribute(:admin, true)
+
+          update_all_project_features(project, features, ProjectFeature::PRIVATE)
+
+          features.each do |feature|
+            expect(project.feature_available?(feature.to_sym, user)).to eq(false), "#{feature} failed"
+          end
         end
       end
     end
 
     context 'when feature is enabled for everyone' do
       it "returns true" do
-        features.each do |feature|
-          expect(project.feature_available?(:issues, user)).to eq(true)
-        end
+        expect(project.feature_available?(:issues, user)).to eq(true)
       end
     end
 
@@ -117,7 +134,7 @@ describe ProjectFeature do
       features.each do |feature|
         field = "#{feature}_access_level".to_sym
         project_feature.update_attribute(field, ProjectFeature::ENABLED)
-        expect(project_feature.valid?).to be_falsy
+        expect(project_feature.valid?).to be_falsy, "#{field} failed"
       end
     end
   end
@@ -131,7 +148,7 @@ describe ProjectFeature do
         field = "#{feature}_access_level".to_sym
         project_feature.update_attribute(field, ProjectFeature::PUBLIC)
 
-        expect(project_feature.valid?).to be_falsy
+        expect(project_feature.valid?).to be_falsy, "#{field} failed"
       end
     end
   end
@@ -140,22 +157,24 @@ describe ProjectFeature do
     let(:features) { %w(wiki builds merge_requests) }
 
     it "returns false when feature is disabled" do
+      update_all_project_features(project, features, ProjectFeature::DISABLED)
+
       features.each do |feature|
-        project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::DISABLED)
-        expect(project.public_send("#{feature}_enabled?")).to eq(false)
+        expect(project.public_send("#{feature}_enabled?")).to eq(false), "#{feature} failed"
       end
     end
 
     it "returns true when feature is enabled only for team members" do
+      update_all_project_features(project, features, ProjectFeature::PRIVATE)
+
       features.each do |feature|
-        project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
-        expect(project.public_send("#{feature}_enabled?")).to eq(true)
+        expect(project.public_send("#{feature}_enabled?")).to eq(true), "#{feature} failed"
       end
     end
 
     it "returns true when feature is enabled for everyone" do
       features.each do |feature|
-        expect(project.public_send("#{feature}_enabled?")).to eq(true)
+        expect(project.public_send("#{feature}_enabled?")).to eq(true), "#{feature} failed"
       end
     end
   end
@@ -198,7 +217,7 @@ describe ProjectFeature do
   end
 
   describe '#public_pages?' do
-    it 'returns true if Pages access controll is not enabled' do
+    it 'returns true if Pages access control is not enabled' do
       stub_config(pages: { access_control: false })
 
       project_feature = described_class.new(pages_access_level: described_class::PRIVATE)
@@ -281,7 +300,7 @@ describe ProjectFeature do
     it 'raises error if feature is invalid' do
       expect do
         described_class.required_minimum_access_level(:foos)
-      end.to raise_error
+      end.to raise_error(ArgumentError)
     end
   end
 
@@ -294,4 +313,9 @@ describe ProjectFeature do
       expect(described_class.required_minimum_access_level_for_private_project(:issues)).to eq(Gitlab::Access::GUEST)
     end
   end
+
+  def update_all_project_features(project, features, value)
+    project_feature_attributes = features.map { |f| ["#{f}_access_level", value] }.to_h
+    project.project_feature.update(project_feature_attributes)
+  end
 end

spec/models/project_spec.rb

@@ -3777,7 +3777,7 @@ describe Project do
     end
   end
 
-  describe '.filter_by_feature_visibility' do
+  describe '.filter_by_feature_visibility', :enable_admin_mode do
     include_context 'ProjectPolicyTable context'
     include ProjectHelpers
     using RSpec::Parameterized::TableSyntax

spec/models/spam_log_spec.rb

@@ -20,15 +20,30 @@ describe SpamLog do
       expect { spam_log.remove_user(deleted_by: admin) }.to change { spam_log.user.blocked? }.to(true)
     end
 
-    it 'removes the user', :sidekiq_might_not_need_inline do
-      spam_log = build(:spam_log)
-      user = spam_log.user
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it 'removes the user', :sidekiq_might_not_need_inline do
+        spam_log = build(:spam_log)
+        user = spam_log.user
+
+        perform_enqueued_jobs do
+          spam_log.remove_user(deleted_by: admin)
+        end
 
-      perform_enqueued_jobs do
-        spam_log.remove_user(deleted_by: admin)
+        expect { User.find(user.id) }.to raise_error(ActiveRecord::RecordNotFound)
       end
+    end
 
-      expect { User.find(user.id) }.to raise_error(ActiveRecord::RecordNotFound)
+    context 'when admin mode is disabled' do
+      it 'does not allow to remove the user', :sidekiq_might_not_need_inline do
+        spam_log = build(:spam_log)
+        user = spam_log.user
+
+        perform_enqueued_jobs do
+          spam_log.remove_user(deleted_by: admin)
+        end
+
+        expect(User.exists?(user.id)).to be(true)
+      end
     end
   end
 

spec/models/user_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe User, :do_not_mock_admin_mode do
+describe User do
   include ProjectForksHelper
   include TermsHelper
   include ExclusiveLeaseHelpers

spec/policies/base_policy_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe BasePolicy, :do_not_mock_admin_mode do
+describe BasePolicy do
   include ExternalAuthorizationServiceHelpers
   include AdminModeHelper
 

spec/policies/blob_policy_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe BlobPolicy do
+describe BlobPolicy, :enable_admin_mode do
   include_context 'ProjectPolicyTable context'
   include ProjectHelpers
   using RSpec::Parameterized::TableSyntax

spec/policies/clusters/cluster_policy_spec.rb

@@ -80,8 +80,15 @@ describe Clusters::ClusterPolicy, :models do
       context 'when admin' do
         let(:user) { create(:admin) }
 
-        it { expect(policy).to be_allowed :update_cluster }
-        it { expect(policy).to be_allowed :admin_cluster }
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it { expect(policy).to be_allowed :update_cluster }
+          it { expect(policy).to be_allowed :admin_cluster }
+        end
+
+        context 'when admin mode is disabled' do
+          it { expect(policy).to be_disallowed :update_cluster }
+          it { expect(policy).to be_disallowed :admin_cluster }
+        end
       end
     end
   end

spec/policies/clusters/instance_policy_spec.rb

@@ -18,11 +18,21 @@ describe Clusters::InstancePolicy do
     context 'when admin' do
       let(:user) { create(:admin) }
 
-      it { expect(policy).to be_allowed :read_cluster }
-      it { expect(policy).to be_allowed :add_cluster }
-      it { expect(policy).to be_allowed :create_cluster }
-      it { expect(policy).to be_allowed :update_cluster }
-      it { expect(policy).to be_allowed :admin_cluster }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { expect(policy).to be_allowed :read_cluster }
+        it { expect(policy).to be_allowed :add_cluster }
+        it { expect(policy).to be_allowed :create_cluster }
+        it { expect(policy).to be_allowed :update_cluster }
+        it { expect(policy).to be_allowed :admin_cluster }
+      end
+
+      context 'when admin mode is disabled' do
+        it { expect(policy).to be_disallowed :read_cluster }
+        it { expect(policy).to be_disallowed :add_cluster }
+        it { expect(policy).to be_disallowed :create_cluster }
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
     end
   end
 end

spec/policies/deploy_key_policy_spec.rb

@@ -42,16 +42,28 @@ describe DeployKeyPolicy do
     context 'when an admin user' do
       let(:current_user) { create(:user, :admin) }
 
-      context ' tries to update private deploy key' do
+      context 'tries to update private deploy key' do
         let(:deploy_key) { create(:deploy_key, public: false) }
 
-        it { is_expected.to be_allowed(:update_deploy_key) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          it { is_expected.to be_allowed(:update_deploy_key) }
+        end
+
+        context 'when admin mode disabled' do
+          it { is_expected.to be_disallowed(:update_deploy_key) }
+        end
       end
 
       context 'when an admin user tries to update public deploy key' do
         let(:deploy_key) { create(:another_deploy_key, public: true) }
 
-        it { is_expected.to be_allowed(:update_deploy_key) }
+        context 'when admin mode enabled', :enable_admin_mode do
+          it { is_expected.to be_allowed(:update_deploy_key) }
+        end
+
+        context 'when admin mode disabled' do
+          it { is_expected.to be_disallowed(:update_deploy_key) }
+        end
       end
     end
   end

spec/policies/design_management/design_policy_spec.rb

@@ -71,7 +71,14 @@ describe DesignManagement::DesignPolicy do
     context "for admins" do
       let(:current_user) { admin }
 
-      it { is_expected.to be_allowed(*design_abilities) }
+      context 'when admin mode enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(*design_abilities) }
+      end
+
+      context 'when admin mode disabled' do
+        it { is_expected.to be_allowed(*guest_design_abilities) }
+        it { is_expected.to be_disallowed(*developer_design_abilities) }
+      end
     end
 
     context "for maintainers" do

spec/policies/environment_policy_spec.rb

@@ -37,7 +37,13 @@ describe EnvironmentPolicy do
         context 'when an admin user' do
           let(:user) { create(:user, :admin) }
 
-          it { expect(policy).to be_allowed :stop_environment }
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it { expect(policy).to be_allowed :stop_environment }
+          end
+
+          context 'when admin mode is disabled' do
+            it { expect(policy).to be_disallowed :stop_environment }
+          end
         end
 
         context 'with protected branch' do
@@ -54,7 +60,13 @@ describe EnvironmentPolicy do
           context 'when an admin user' do
             let(:user) { create(:user, :admin) }
 
-            it { expect(policy).to be_allowed :stop_environment }
+            context 'when admin mode is enabled', :enable_admin_mode do
+              it { expect(policy).to be_allowed :stop_environment }
+            end
+
+            context 'when admin mode is disabled' do
+              it { expect(policy).to be_disallowed :stop_environment }
+            end
           end
         end
       end
@@ -83,7 +95,13 @@ describe EnvironmentPolicy do
         context 'when an admin user' do
           let(:user) { create(:user, :admin) }
 
-          it { expect(policy).to be_allowed :stop_environment }
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it { expect(policy).to be_allowed :stop_environment }
+          end
+
+          context 'when admin mode is disabled' do
+            it { expect(policy).to be_disallowed :stop_environment }
+          end
         end
       end
 
@@ -126,7 +144,13 @@ describe EnvironmentPolicy do
               environment.stop!
             end
 
-            it { expect(policy).to be_allowed :destroy_environment }
+            context 'when admin mode is enabled', :enable_admin_mode do
+              it { expect(policy).to be_allowed :destroy_environment }
+            end
+
+            context 'when admin mode is disabled' do
+              it { expect(policy).to be_disallowed :destroy_environment }
+            end
           end
         end
       end

spec/policies/global_policy_spec.rb

@@ -118,8 +118,15 @@ describe GlobalPolicy do
     context 'admin' do
       let(:current_user) { create(:user, :admin) }
 
-      it { is_expected.to be_allowed(:read_custom_attribute) }
-      it { is_expected.to be_allowed(:update_custom_attribute) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:read_custom_attribute) }
+        it { is_expected.to be_allowed(:update_custom_attribute) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:read_custom_attribute) }
+        it { is_expected.to be_disallowed(:update_custom_attribute) }
+      end
     end
   end
 
@@ -368,7 +375,13 @@ describe GlobalPolicy do
           stub_application_setting(instance_statistics_visibility_private: true)
         end
 
-        it { is_expected.to be_allowed(:read_instance_statistics) }
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it { is_expected.to be_allowed(:read_instance_statistics) }
+        end
+
+        context 'when admin mode is disabled' do
+          it { is_expected.to be_disallowed(:read_instance_statistics) }
+        end
       end
     end
 

spec/policies/group_policy_spec.rb

@@ -644,7 +644,13 @@ describe GroupPolicy do
     context 'admin' do
       let(:current_user) { admin }
 
-      it { expect_allowed(:update_max_artifacts_size) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { expect_allowed(:update_max_artifacts_size) }
+      end
+
+      context 'when admin mode is enabled' do
+        it { expect_disallowed(:update_max_artifacts_size) }
+      end
     end
 
     %w(guest reporter developer maintainer owner).each do |role|

spec/policies/issue_policy_spec.rb

@@ -206,11 +206,25 @@ describe IssuePolicy do
       it 'allows guests to comment' do
         expect(permissions(guest, issue)).to be_allowed(:create_note)
       end
-      it 'allows admins to view' do
-        expect(permissions(admin, issue)).to be_allowed(:read_issue)
+
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'allows admins to view' do
+          expect(permissions(admin, issue)).to be_allowed(:read_issue)
+        end
+
+        it 'allows admins to comment' do
+          expect(permissions(admin, issue)).to be_allowed(:create_note)
+        end
       end
-      it 'allows admins to comment' do
-        expect(permissions(admin, issue)).to be_allowed(:create_note)
+
+      context 'when admin mode is disabled' do
+        it 'forbids admins to view' do
+          expect(permissions(admin, issue)).to be_disallowed(:read_issue)
+        end
+
+        it 'forbids admins to comment' do
+          expect(permissions(admin, issue)).to be_disallowed(:create_note)
+        end
       end
     end
 

spec/policies/namespace_policy_spec.rb

@@ -40,6 +40,12 @@ describe NamespacePolicy do
   context 'admin' do
     let(:current_user) { admin }
 
-    it { is_expected.to be_allowed(*owner_permissions) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed(*owner_permissions) }
+    end
+
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_disallowed(*owner_permissions) }
+    end
   end
 end

spec/policies/note_policy_spec.rb

@@ -295,8 +295,16 @@ describe NotePolicy do
             expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
           end
 
-          it 'allows admins to read all notes and admin them' do
-            expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it 'allows admins to read all notes and admin them' do
+              expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+            end
+          end
+
+          context 'when admin mode is disabled' do
+            it 'does not allow non members to read confidential notes and replies' do
+              expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+            end
           end
 
           it 'allows noteable author to read and resolve all notes' do

spec/policies/personal_snippet_policy_spec.rb

@@ -19,8 +19,8 @@ describe PersonalSnippetPolicy do
     described_class.new(user, snippet)
   end
 
-  shared_examples 'admin access' do
-    context 'admin user' do
+  shared_examples 'admin access with admin mode' do
+    context 'admin user', :enable_admin_mode do
       subject { permissions(admin_user) }
 
       it do
@@ -68,7 +68,7 @@ describe PersonalSnippetPolicy do
       end
     end
 
-    it_behaves_like 'admin access'
+    it_behaves_like 'admin access with admin mode'
   end
 
   context 'internal snippet' do
@@ -118,7 +118,7 @@ describe PersonalSnippetPolicy do
       end
     end
 
-    it_behaves_like 'admin access'
+    it_behaves_like 'admin access with admin mode'
   end
 
   context 'private snippet' do
@@ -168,6 +168,6 @@ describe PersonalSnippetPolicy do
       end
     end
 
-    it_behaves_like 'admin access'
+    it_behaves_like 'admin access with admin mode'
   end
 end

spec/policies/project_policy_spec.rb

@@ -275,7 +275,8 @@ describe ProjectPolicy do
   it_behaves_like 'project policies as developer'
   it_behaves_like 'project policies as maintainer'
   it_behaves_like 'project policies as owner'
-  it_behaves_like 'project policies as admin'
+  it_behaves_like 'project policies as admin with admin mode'
+  it_behaves_like 'project policies as admin without admin mode'
 
   context 'when a public project has merge requests allowing access' do
     include ProjectForksHelper
@@ -306,7 +307,7 @@ describe ProjectPolicy do
       expect_allowed(*maintainer_abilities)
     end
 
-    it 'dissallows abilities to a maintainer if the merge request was closed' do
+    it 'disallows abilities to a maintainer if the merge request was closed' do
       target_project.add_developer(user)
       merge_request.close!
 
@@ -350,10 +351,24 @@ describe ProjectPolicy do
         expect(described_class.new(developer, project)).to be_allowed(:read_project)
       end
 
-      it 'does not check the external service for admins and allows access' do
-        expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+      context 'with an admin' do
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it 'does not check the external service and allows access' do
+            expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
 
-        expect(described_class.new(admin, project)).to be_allowed(:read_project)
+            expect(described_class.new(admin, project)).to be_allowed(:read_project)
+          end
+        end
+
+        context 'when admin mode is disabled' do
+          it 'checks the external service and allows access' do
+            external_service_allow_access(admin, project)
+
+            expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?)
+
+            expect(described_class.new(admin, project)).to be_allowed(:read_project)
+          end
+        end
       end
 
       it 'prevents all but seeing a public project in a list when access is denied' do
@@ -416,7 +431,13 @@ describe ProjectPolicy do
     context 'admin' do
       let(:current_user) { admin }
 
-      it { expect_allowed(:update_max_artifacts_size) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { expect_allowed(:update_max_artifacts_size) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { expect_disallowed(:update_max_artifacts_size) }
+      end
     end
 
     %w(guest reporter developer maintainer owner).each do |role|
@@ -448,7 +469,13 @@ describe ProjectPolicy do
     context 'with admin' do
       let(:current_user) { admin }
 
-      it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
     end
 
     context 'with owner' do

spec/policies/project_snippet_policy_spec.rb

@@ -235,9 +235,18 @@ describe ProjectSnippetPolicy do
       let(:snippet_visibility) { :private }
       let(:current_user) { create(:admin) }
 
-      it do
-        expect_allowed(:read_snippet, :create_note)
-        expect_allowed(*author_permissions)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it do
+          expect_allowed(:read_snippet, :create_note)
+          expect_allowed(*author_permissions)
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it do
+          expect_disallowed(:read_snippet, :create_note)
+          expect_disallowed(*author_permissions)
+        end
       end
     end
   end

spec/policies/user_policy_spec.rb

@@ -26,7 +26,13 @@ describe UserPolicy do
     context "when an admin user tries to destroy a regular user" do
       let(:current_user) { create(:user, :admin) }
 
-      it { is_expected.to be_allowed(ability) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(ability) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(ability) }
+      end
     end
 
     context "when an admin user tries to destroy a ghost user" do

spec/policies/wiki_page_policy_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe WikiPagePolicy do
+describe WikiPagePolicy, :enable_admin_mode do
   include_context 'ProjectPolicyTable context'
   include ProjectHelpers
   using RSpec::Parameterized::TableSyntax

spec/spec_helper.rb

@@ -229,26 +229,25 @@ RSpec.configure do |config|
       ./ee/spec/features
       ./ee/spec/finders
       ./ee/spec/lib
-      ./ee/spec/models
-      ./ee/spec/policies
       ./ee/spec/requests/admin
       ./ee/spec/serializers
       ./ee/spec/services
       ./ee/spec/support/protected_tags
-      ./ee/spec/support/shared_examples
+      ./ee/spec/support/shared_examples/features
+      ./ee/spec/support/shared_examples/finders/geo
+      ./ee/spec/support/shared_examples/graphql/geo
+      ./ee/spec/support/shared_examples/services
       ./spec/features
       ./spec/finders
       ./spec/frontend
       ./spec/helpers
       ./spec/lib
-      ./spec/models
-      ./spec/policies
       ./spec/requests
       ./spec/serializers
       ./spec/services
-      ./spec/support/cycle_analytics_helpers
       ./spec/support/protected_tags
-      ./spec/support/shared_examples
+      ./spec/support/shared_examples/features
+      ./spec/support/shared_examples/requests
       ./spec/views
       ./spec/workers
     )

spec/support/cycle_analytics_helpers/test_generation.rb

@@ -29,6 +29,10 @@ module CycleAnalyticsHelpers
       scenarios.each do |start_time_conditions, end_time_conditions|
         let_it_be(:other_project) { create(:project, :repository) }
 
+        before do
+          other_project.add_developer(self.user)
+        end
+
         context "start condition: #{start_time_conditions.map(&:first).to_sentence}" do
           context "end condition: #{end_time_conditions.map(&:first).to_sentence}" do
             it "finds the median of available durations between the two conditions", :sidekiq_might_not_need_inline do

spec/support/helpers/admin_mode_helpers.rb

@@ -7,6 +7,9 @@ module AdminModeHelper
   # mode for accessing any administrative functionality. This helper lets a user
   # be in admin mode without requiring a second authentication step (provided
   # the user is an admin)
+  #
+  # See also tag :enable_admin_mode in spec/spec_helper.rb for a spec-wide
+  # alternative
   def enable_admin_mode!(user)
     fake_user_mode = instance_double(Gitlab::Auth::CurrentUserMode)
 

spec/support/helpers/login_helpers.rb

@@ -50,9 +50,7 @@ module LoginHelpers
 
   def gitlab_enable_admin_mode_sign_in(user)
     visit new_admin_session_path
-
     fill_in 'user_password', with: user.password
-
     click_button 'Enter Admin Mode'
   end
 

spec/support/shared_examples/controllers/instance_statistics_controllers_shared_examples.rb

@@ -27,12 +27,24 @@ RSpec.shared_examples 'instance statistics availability' do
     context 'for admins' do
       let(:user) { create(:admin) }
 
-      it 'allows access when the feature is not available publicly' do
-        stub_application_setting(instance_statistics_visibility_private: true)
+      context 'when admin mode disabled' do
+        it 'forbids access when the feature is not available publicly' do
+          stub_application_setting(instance_statistics_visibility_private: true)
 
-        get :index
+          get :index
 
-        expect(response).to have_gitlab_http_status(:success)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'when admin mode enabled', :enable_admin_mode do
+        it 'allows access when the feature is not available publicly' do
+          stub_application_setting(instance_statistics_visibility_private: true)
+
+          get :index
+
+          expect(response).to have_gitlab_http_status(:success)
+        end
       end
     end
   end

spec/support/shared_examples/policies/project_policy_shared_examples.rb

@@ -212,8 +212,8 @@ RSpec.shared_examples 'project policies as owner' do
   end
 end
 
-RSpec.shared_examples 'project policies as admin' do
-  context 'abilities for non-public projects' do
+RSpec.shared_examples 'project policies as admin with admin mode' do
+  context 'abilities for non-public projects', :enable_admin_mode do
     let(:project) { create(:project, namespace: owner.namespace) }
 
     subject { described_class.new(admin, project) }
@@ -232,3 +232,13 @@ RSpec.shared_examples 'project policies as admin' do
     end
   end
 end
+
+RSpec.shared_examples 'project policies as admin without admin mode' do
+  context 'abilities for non-public projects' do
+    let(:project) { create(:project, namespace: owner.namespace) }
+
+    subject { described_class.new(admin, project) }
+
+    it { is_expected.to be_banned }
+  end
+end

spec/support/shared_examples/policies/wiki_policies_shared_examples.rb

@@ -2,6 +2,7 @@
 
 RSpec.shared_examples 'model with wiki policies' do
   include ProjectHelpers
+  include AdminModeHelper
 
   let(:container) { raise NotImplementedError }
   let(:user) { raise NotImplementedError }
@@ -94,6 +95,7 @@ RSpec.shared_examples 'model with wiki policies' do
     before do
       container.visibility = container_level.to_s
       set_access_level(ProjectFeature.access_level_from_str(access_level.to_s))
+      enable_admin_mode!(user) if user&.admin?
 
       if allowed_permissions.any? && [container_level, access_level, membership] != [:private, :private, :guest]
         allowed_permissions << :download_wiki_code