Add minimal access user test for UI

qa/qa/resource/members.rb

@@ -31,12 +31,13 @@ module QA
       end
 
       class AccessLevel
-        NO_ACCESS  = 0
-        GUEST      = 10
-        REPORTER   = 20
-        DEVELOPER  = 30
-        MAINTAINER = 40
-        OWNER      = 50
+        NO_ACCESS      = 0
+        MINIMAL_ACCESS = 5
+        GUEST          = 10
+        REPORTER       = 20
+        DEVELOPER      = 30
+        MAINTAINER     = 40
+        OWNER          = 50
       end
     end
   end

qa/qa/specs/features/ee/api/1_manage/user/minimal_access_user_spec.rb

+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Manage' do
+    describe 'User with minimal access to group', :requires_admin do
+      before(:all) do
+        @user_with_minimal_access = Resource::User.fabricate_via_api!
+
+        @user_api_client = Runtime::API::Client.new(:gitlab, user: @user_with_minimal_access)
+
+        @group = Resource::Group.fabricate_via_api!
+
+        @group.sandbox.add_member(@user_with_minimal_access, Resource::Members::AccessLevel::MINIMAL_ACCESS)
+
+        @project = Resource::Project.fabricate_via_api! do |project|
+          project.group = @group
+          project.name = "project-for-minimal-access"
+          project.initialize_with_readme = true
+        end
+      end
+
+      it 'is not allowed to push code via the CLI', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1134' do
+        expect do
+          Resource::Repository::Push.fabricate! do |push|
+            push.repository_http_uri = @project.repository_http_location.uri
+            push.file_name = 'test.txt'
+            push.file_content = "# This is a test project named #{@project.name}"
+            push.commit_message = 'Add test.txt'
+            push.branch_name = 'new_branch'
+            push.user = @user_with_minimal_access
+          end
+        end.to raise_error(QA::Support::Run::CommandError, /You are not allowed to push code to this project/)
+      end
+
+      it 'is not allowed to create a file via the API', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1135' do
+        expect do
+          Resource::File.fabricate_via_api! do |file|
+            file.api_client = @user_api_client
+            file.project = @project
+            file.branch = 'new_branch'
+            file.commit_message = 'Add new file'
+            file.name = 'test.txt'
+            file.content = "New file"
+          end
+        end.to raise_error(Resource::ApiFabricator::ResourceFabricationFailedError, /403 Forbidden/)
+      end
+
+      it 'is not allowed to commit via the API' do
+        expect do
+          Resource::Repository::Commit.fabricate_via_api! do |commit|
+            commit.api_client = @user_api_client
+            commit.project = @project
+            commit.branch = 'new_branch'
+            commit.start_branch = @project.default_branch
+            commit.commit_message = 'Add new file'
+            commit.add_files([
+              { file_path: 'test.txt', content: 'new file' }
+            ])
+          end
+        end.to raise_error(Resource::ApiFabricator::ResourceFabricationFailedError, /403 Forbidden - You are not allowed to push into this branch/)
+      end
+
+      after(:all) do
+        @user_with_minimal_access.remove_via_api!
+        @project.remove_via_api!
+        @group.remove_via_api!
+      end
+    end
+  end
+end

qa/qa/specs/features/ee/browser_ui/1_manage/user/minimal_access_user_spec.rb

+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Manage' do
+    describe 'User with minimal access to group', :requires_admin do
+      let(:user_with_minimal_access) { Resource::User.fabricate_via_api! }
+
+      let(:group) do
+        group = Resource::Group.fabricate_via_api!
+        group.sandbox.add_member(user_with_minimal_access, Resource::Members::AccessLevel::MINIMAL_ACCESS)
+        group
+      end
+
+      let(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.group = group
+          project.name = "project-for-minimal-access"
+          project.initialize_with_readme = true
+        end
+      end
+
+      it 'is not allowed to edit files via the UI', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1071' do
+        Flow::Login.sign_in(as: user_with_minimal_access)
+        project.visit!
+
+        Page::Project::Show.perform do |project|
+          project.click_file('README.md')
+        end
+
+        Page::File::Show.perform(&:click_edit)
+
+        expect(page).to have_text("You're not allowed to edit files in this project directly.")
+      end
+
+      after do
+        user_with_minimal_access.remove_via_api!
+        project.remove_via_api!
+        group.remove_via_api!
+      end
+    end
+  end
+end