Merge branch 'requirements-perms' into 'master'

Add Requirement policy

See merge request gitlab-org/gitlab!26618

ee/app/models/license.rb

@@ -125,6 +125,7 @@ class License < ApplicationRecord
     prometheus_alerts
     pseudonymizer
     report_approver_rules
+    requirements
     sast
     security_dashboard
     status_page

ee/app/policies/ee/project_policy.rb

@@ -33,6 +33,9 @@ module EE
       with_scope :subject
       condition(:packages_disabled) { !@subject.packages_enabled }
 
+      with_scope :subject
+      condition(:requirements_available) { @subject.feature_available?(:requirements) }
+
       with_scope :global
       condition(:is_development) { Rails.env.development? }
 
@@ -359,6 +362,16 @@ module EE
       rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
 
       rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics
+
+      rule { can?(:read_project) & requirements_available }.enable :read_requirement
+
+      rule { requirements_available & reporter }.policy do
+        enable :create_requirement
+        enable :admin_requirement
+        enable :update_requirement
+      end
+
+      rule { requirements_available & owner }.enable :destroy_requirement
     end
 
     override :lookup_access_level!

ee/app/policies/requirement_policy.rb

+# frozen_string_literal: true
+
+class RequirementPolicy < BasePolicy
+  delegate { @subject.resource_parent }
+end

ee/spec/policies/project_policy_spec.rb

@@ -1397,4 +1397,8 @@ describe ProjectPolicy do
       end
     end
   end
+
+  it_behaves_like 'resource with requirement permissions' do
+    let(:resource) { project }
+  end
 end

ee/spec/policies/requirement_policy_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe RequirementPolicy do
+  let_it_be(:owner) { create(:user) }
+  let_it_be(:admin) { create(:admin) }
+  let_it_be(:reporter) { create(:user) }
+  let_it_be(:developer) { create(:user) }
+  let_it_be(:maintainer) { create(:user) }
+  let_it_be(:guest) { create(:user) }
+  let_it_be(:project) { create(:project, :public, namespace: owner.namespace) }
+  let_it_be(:resource, reload: true) { create(:requirement, project: project) }
+
+  before do
+    project.add_reporter(reporter)
+    project.add_developer(developer)
+    project.add_maintainer(maintainer)
+    project.add_guest(guest)
+  end
+
+  it_behaves_like 'resource with requirement permissions'
+end

ee/spec/support/shared_examples/policies/requirement_policy_shared_examples.rb

+# frozen_string_literal: true
+
+RSpec.shared_examples 'resource with requirement permissions' do
+  let(:all_permissions) { [:read_requirement, :create_requirement, :admin_requirement, :update_requirement, :destroy_requirement] }
+  let(:manage_permissions) { all_permissions - [:destroy_requirement] }
+  let(:non_read_permissions) { all_permissions - [:read_requirement] }
+
+  subject { described_class.new(current_user, resource) }
+
+  shared_examples 'user with manage permissions' do
+    it { is_expected.to be_allowed(*manage_permissions) }
+    it { is_expected.to be_disallowed(:destroy_requirement) }
+  end
+
+  shared_examples 'user with read only permissions' do
+    it { is_expected.to be_allowed(:read_requirement) }
+    it { is_expected.to be_disallowed(*non_read_permissions) }
+  end
+
+  context 'when requirements feature is enabled' do
+    before do
+      stub_licensed_features(requirements: true)
+    end
+
+    context 'with admin' do
+      let(:current_user) { admin }
+
+      it_behaves_like 'user with read only permissions'
+    end
+
+    context 'with owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_allowed(*all_permissions) }
+    end
+
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+
+      it_behaves_like 'user with manage permissions'
+    end
+
+    context 'with developer' do
+      let(:current_user) { developer }
+
+      it_behaves_like 'user with manage permissions'
+    end
+
+    context 'with reporter' do
+      let(:current_user) { reporter }
+
+      it_behaves_like 'user with manage permissions'
+    end
+
+    context 'with guest' do
+      let(:current_user) { guest }
+
+      it_behaves_like 'user with read only permissions'
+    end
+
+    context 'with non member' do
+      let(:current_user) { create(:user) }
+
+      it_behaves_like 'user with read only permissions'
+
+      context 'with private resource parent' do
+        before do
+          parent = resource.is_a?(Project) ? resource : resource.resource_parent
+          parent.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+        end
+
+        it { is_expected.to be_disallowed(*all_permissions) }
+      end
+    end
+  end
+
+  context 'when requirements feature is disabled' do
+    before do
+      stub_licensed_features(requirements: false)
+    end
+
+    context 'with owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_disallowed(*all_permissions) }
+    end
+
+    context 'with admin' do
+      let(:current_user) { admin }
+
+      it { is_expected.to be_disallowed(*all_permissions) }
+    end
+  end
+end