Implement review comments from maintainer (@DouweM)

1. `add_column_with_default` needs a `down` block

2. Add specs for the auditor user to `spec/features/security`. This directory
   contains a series of feature specs to test the access various user roles have
   to various project/admin pages, which is the perfect place to test auditor
   user access.

3. Other minor changes (views, typos)

app/views/projects/notes/_notes_with_form.html.haml

@@ -13,9 +13,7 @@
           = image_tag avatar_icon(current_user), alt: current_user.to_reference, class: 'avatar s40'
       .timeline-content.timeline-content-form
         = render "projects/notes/form", view: diff_view
-    - elsif current_user.present? && current_user.auditor?
-      -# Display nothing
-    - else
+    - elsif !current_user
       .disabled-comment.text-center
         .disabled-comment-text.inline
           Please

db/migrate/20170120123345_add_column_auditor_to_users.rb

@@ -8,7 +8,11 @@ class AddColumnAuditorToUsers < ActiveRecord::Migration
 
   disable_ddl_transaction!
 
-  def change
+  def up
     add_column_with_default :users, :auditor, :boolean, default: false, allow_null: false
   end
+
+  def down
+    remove_column :users, :auditor
+  end
 end

doc/administration/auditor_users.md

 # Auditor Users
 
->**Note:** [Introduced][998] in GitLab 8.16.
+>**Note:** [Introduced][998] in GitLab 8.17.
 
 With Gitlab Enterprise Edition Premium, you can create *auditor* users, who 
 are given read-only access to all projects, groups, and other resources on the 

spec/features/security/admin_access_spec.rb

@@ -9,6 +9,7 @@ describe "Admin::Projects", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :auditor }
   end
 
   describe "GET /admin/users" do
@@ -17,6 +18,7 @@ describe "Admin::Projects", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :auditor }
   end
 
   describe "GET /admin/hooks" do
@@ -25,5 +27,6 @@ describe "Admin::Projects", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :auditor }
   end
 end

spec/features/security/dashboard_access_spec.rb

@@ -8,6 +8,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -16,6 +17,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -24,6 +26,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -32,6 +35,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -40,6 +44,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_allowed_for :visitor }
   end
 
@@ -53,6 +58,7 @@ describe "Dashboard access", feature: true  do
 
       it { is_expected.to be_allowed_for :admin }
       it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :auditor }
       it { is_expected.to be_denied_for :visitor }
     end
   end
@@ -60,12 +66,14 @@ describe "Dashboard access", feature: true  do
   describe "GET /projects/new" do
     it { expect(new_project_path).to be_allowed_for :admin }
     it { expect(new_project_path).to be_allowed_for :user }
+    it { expect(new_project_path).to be_allowed_for :auditor }
     it { expect(new_project_path).to be_denied_for :visitor }
   end
 
   describe "GET /groups/new" do
     it { expect(new_group_path).to be_allowed_for :admin }
     it { expect(new_group_path).to be_allowed_for :user }
+    it { expect(new_group_path).to be_allowed_for :auditor }
     it { expect(new_group_path).to be_denied_for :visitor }
   end
 
@@ -74,6 +82,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 end

spec/features/security/group/internal_access_spec.rb

@@ -22,6 +22,7 @@ describe 'Internal Group access', feature: true do
     subject { group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -37,6 +38,7 @@ describe 'Internal Group access', feature: true do
     subject { issues_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -52,6 +54,7 @@ describe 'Internal Group access', feature: true do
     subject { merge_requests_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -67,6 +70,7 @@ describe 'Internal Group access', feature: true do
     subject { group_group_members_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -82,6 +86,7 @@ describe 'Internal Group access', feature: true do
     subject { edit_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_denied_for(:master).of(group) }
     it { is_expected.to be_denied_for(:developer).of(group) }

spec/features/security/group/private_access_spec.rb

@@ -22,6 +22,7 @@ describe 'Private Group access', feature: true do
     subject { group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -37,6 +38,7 @@ describe 'Private Group access', feature: true do
     subject { issues_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -52,6 +54,7 @@ describe 'Private Group access', feature: true do
     subject { merge_requests_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -67,6 +70,7 @@ describe 'Private Group access', feature: true do
     subject { group_group_members_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -82,6 +86,7 @@ describe 'Private Group access', feature: true do
     subject { edit_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_denied_for(:master).of(group) }
     it { is_expected.to be_denied_for(:developer).of(group) }

spec/features/security/group/public_access_spec.rb

@@ -22,6 +22,7 @@ describe 'Public Group access', feature: true do
     subject { group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -37,6 +38,7 @@ describe 'Public Group access', feature: true do
     subject { issues_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -52,6 +54,7 @@ describe 'Public Group access', feature: true do
     subject { merge_requests_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -67,6 +70,7 @@ describe 'Public Group access', feature: true do
     subject { group_group_members_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -82,6 +86,7 @@ describe 'Public Group access', feature: true do
     subject { edit_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_denied_for(:master).of(group) }
     it { is_expected.to be_denied_for(:developer).of(group) }

spec/features/security/profile_access_spec.rb

@@ -8,6 +8,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -16,6 +17,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -24,6 +26,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -32,6 +35,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -40,6 +44,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -48,6 +53,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 end

spec/features/security/project/internal_access_spec.rb

@@ -16,6 +16,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -30,6 +31,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -44,6 +46,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -58,6 +61,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -72,6 +76,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_compare_index_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -86,6 +91,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_settings_members_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -101,6 +107,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -115,6 +122,7 @@ describe "Internal Project Access", feature: true  do
     subject { edit_namespace_project_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -129,6 +137,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_deploy_keys_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -143,6 +152,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_issues_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -158,6 +168,7 @@ describe "Internal Project Access", feature: true  do
     subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -172,6 +183,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -186,6 +198,7 @@ describe "Internal Project Access", feature: true  do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -200,6 +213,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_merge_requests_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -214,6 +228,7 @@ describe "Internal Project Access", feature: true  do
     subject { new_namespace_project_merge_request_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -233,6 +248,7 @@ describe "Internal Project Access", feature: true  do
     end
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -252,6 +268,7 @@ describe "Internal Project Access", feature: true  do
     end
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -266,6 +283,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_settings_integrations_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -280,6 +298,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_pipelines_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -295,6 +314,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_pipeline_path(project.namespace, project, pipeline) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -312,6 +332,7 @@ describe "Internal Project Access", feature: true  do
       before { project.update(public_builds: true) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -326,6 +347,7 @@ describe "Internal Project Access", feature: true  do
       before { project.update(public_builds: false) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -346,6 +368,7 @@ describe "Internal Project Access", feature: true  do
       before { project.update(public_builds: true) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -360,6 +383,7 @@ describe "Internal Project Access", feature: true  do
       before { project.update(public_builds: false) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -375,6 +399,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_environments_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -390,6 +415,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_environment_path(project.namespace, project, environment) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -404,6 +430,7 @@ describe "Internal Project Access", feature: true  do
     subject { new_namespace_project_environment_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -427,6 +454,7 @@ describe "Internal Project Access", feature: true  do
       it { is_expected.to be_denied_for(:admin) }
       it { is_expected.to be_denied_for(:guest).of(project) }
       it { is_expected.to be_denied_for(:user) }
+      it { is_expected.to be_denied_for(:auditor) }
       it { is_expected.to be_denied_for(:visitor) }
     end
 
@@ -438,6 +466,7 @@ describe "Internal Project Access", feature: true  do
       it { is_expected.to be_denied_for(:admin) }
       it { is_expected.to be_denied_for(:guest).of(project) }
       it { is_expected.to be_denied_for(:user) }
+      it { is_expected.to be_denied_for(:auditor) }
       it { is_expected.to be_denied_for(:visitor) }
     end
   end
@@ -451,6 +480,7 @@ describe "Internal Project Access", feature: true  do
     subject { namespace_project_container_registry_index_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }

spec/features/security/project/private_access_spec.rb

@@ -16,6 +16,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -30,6 +31,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -44,6 +46,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -58,6 +61,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -72,6 +76,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_compare_index_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -86,6 +91,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_settings_members_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -101,6 +107,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore'))}
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -115,6 +122,7 @@ describe "Private Project Access", feature: true  do
     subject { edit_namespace_project_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -129,6 +137,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_deploy_keys_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -143,6 +152,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_issues_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -158,6 +168,7 @@ describe "Private Project Access", feature: true  do
     subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -172,6 +183,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -186,6 +198,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_merge_requests_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -205,6 +218,7 @@ describe "Private Project Access", feature: true  do
     end
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -224,6 +238,7 @@ describe "Private Project Access", feature: true  do
     end
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -238,6 +253,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_settings_integrations_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -252,6 +268,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_pipelines_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -279,6 +296,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_pipeline_path(project.namespace, project, pipeline) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -305,6 +323,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_builds_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -333,6 +352,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_build_path(project.namespace, project, build.id) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -364,6 +384,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_environments_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -379,6 +400,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_environment_path(project.namespace, project, environment) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -393,6 +415,7 @@ describe "Private Project Access", feature: true  do
     subject { new_namespace_project_environment_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -416,6 +439,7 @@ describe "Private Project Access", feature: true  do
       it { is_expected.to be_denied_for(:admin) }
       it { is_expected.to be_denied_for(:guest).of(project) }
       it { is_expected.to be_denied_for(:user) }
+      it { is_expected.to be_denied_for(:auditor) }
       it { is_expected.to be_denied_for(:visitor) }
     end
 
@@ -427,6 +451,7 @@ describe "Private Project Access", feature: true  do
       it { is_expected.to be_denied_for(:admin) }
       it { is_expected.to be_denied_for(:guest).of(project) }
       it { is_expected.to be_denied_for(:user) }
+      it { is_expected.to be_denied_for(:auditor) }
       it { is_expected.to be_denied_for(:visitor) }
     end
   end
@@ -440,6 +465,7 @@ describe "Private Project Access", feature: true  do
     subject { namespace_project_container_registry_index_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }

spec/features/security/project/public_access_spec.rb

@@ -16,6 +16,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -30,6 +31,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -44,6 +46,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -58,6 +61,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -72,6 +76,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_compare_index_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -86,6 +91,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_settings_members_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -100,6 +106,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_pipelines_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -115,6 +122,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_pipeline_path(project.namespace, project, pipeline) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -132,6 +140,7 @@ describe "Public Project Access", feature: true  do
       before { project.update(public_builds: true) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -146,6 +155,7 @@ describe "Public Project Access", feature: true  do
       before { project.update(public_builds: false) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -166,6 +176,7 @@ describe "Public Project Access", feature: true  do
       before { project.update(public_builds: true) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -180,6 +191,7 @@ describe "Public Project Access", feature: true  do
       before { project.update(public_builds: false) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -195,6 +207,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_environments_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -210,6 +223,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_environment_path(project.namespace, project, environment) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -224,6 +238,7 @@ describe "Public Project Access", feature: true  do
     subject { new_namespace_project_environment_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -240,6 +255,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -253,6 +269,7 @@ describe "Public Project Access", feature: true  do
     subject { edit_namespace_project_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -267,6 +284,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_deploy_keys_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -281,6 +299,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_issues_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -296,6 +315,7 @@ describe "Public Project Access", feature: true  do
     subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -310,6 +330,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -324,6 +345,7 @@ describe "Public Project Access", feature: true  do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -338,6 +360,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_merge_requests_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -352,6 +375,7 @@ describe "Public Project Access", feature: true  do
     subject { new_namespace_project_merge_request_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -371,6 +395,7 @@ describe "Public Project Access", feature: true  do
     end
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -390,6 +415,7 @@ describe "Public Project Access", feature: true  do
     end
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -404,6 +430,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_settings_integrations_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_denied_for(:developer).of(project) }
@@ -427,6 +454,7 @@ describe "Public Project Access", feature: true  do
       it { is_expected.to be_denied_for(:admin) }
       it { is_expected.to be_denied_for(:guest).of(project) }
       it { is_expected.to be_denied_for(:user) }
+      it { is_expected.to be_denied_for(:auditor) }
       it { is_expected.to be_denied_for(:visitor) }
     end
 
@@ -438,6 +466,7 @@ describe "Public Project Access", feature: true  do
       it { is_expected.to be_denied_for(:admin) }
       it { is_expected.to be_denied_for(:guest).of(project) }
       it { is_expected.to be_denied_for(:user) }
+      it { is_expected.to be_denied_for(:auditor) }
       it { is_expected.to be_denied_for(:visitor) }
     end
   end
@@ -451,6 +480,7 @@ describe "Public Project Access", feature: true  do
     subject { namespace_project_container_registry_index_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }

spec/features/security/project/snippet/internal_access_spec.rb

@@ -12,6 +12,7 @@ describe "Internal Project Snippets Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -26,6 +27,7 @@ describe "Internal Project Snippets Access", feature: true  do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -41,6 +43,7 @@ describe "Internal Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, internal_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -55,6 +58,7 @@ describe "Internal Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -71,6 +75,7 @@ describe "Internal Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, internal_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -85,6 +90,7 @@ describe "Internal Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }

spec/features/security/project/snippet/private_access_spec.rb

@@ -11,6 +11,7 @@ describe "Private Project Snippets Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -25,6 +26,7 @@ describe "Private Project Snippets Access", feature: true  do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -39,6 +41,7 @@ describe "Private Project Snippets Access", feature: true  do
     subject { namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -53,6 +56,7 @@ describe "Private Project Snippets Access", feature: true  do
     subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }

spec/features/security/project/snippet/public_access_spec.rb

@@ -13,6 +13,7 @@ describe "Public Project Snippets Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -27,6 +28,7 @@ describe "Public Project Snippets Access", feature: true  do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -42,6 +44,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, public_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -56,6 +59,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, internal_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -70,6 +74,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -86,6 +91,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, public_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -100,6 +106,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, internal_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -114,6 +121,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }

spec/support/matchers/access_matchers.rb

@@ -15,6 +15,8 @@ module AccessMatchers
       logout
     when :admin
       login_as(create(:admin))
+    when :auditor
+      login_as(create(:user, :auditor))
     when :external
       login_as(create(:user, external: true))
     when User