chore: disable auto admin mode in features

85f4d508 · Diego Louzán · Bob Van Landuyt · 79573b91 · 85f4d508 · 85f4d508
Commit 85f4d508 authored Nov 23, 2020 by Diego Louzán Committed by Bob Van Landuyt Nov 23, 2020
93 changed files
--- a/changelogs/unreleased/chore-disable-admin-mode-in-features.yml
+++ b/changelogs/unreleased/chore-disable-admin-mode-in-features.yml
+---
+title: 'Disable auto admin mode in features'
+merge_request: 47670
+author: Diego Louzán
+type: other
--- a/ee/spec/features/admin/admin_audit_logs_spec.rb
+++ b/ee/spec/features/admin/admin_audit_logs_spec.rb
@@ -4,12 +4,14 @@ require 'spec_helper'
 RSpec.describe 'Admin::AuditLogs', :js do
  include Select2Helper
+  include AdminModeHelper
  let(:user) { create(:user) }
  let(:admin) { create(:admin, name: 'Bruce Wayne') }
  before do
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'unlicensed' do
@@ -131,6 +133,7 @@ RSpec.describe 'Admin::AuditLogs', :js do
        context 'when creation succeeds' do
          before do
+            enable_admin_mode!(admin)
            personal_access_token
          end
@@ -157,6 +160,7 @@ RSpec.describe 'Admin::AuditLogs', :js do
        context 'when revocation succeeds' do
          before do
+            enable_admin_mode!(admin)
            PersonalAccessTokens::RevokeService.new(admin, token: personal_access_token).execute
          end

--- a/ee/spec/features/admin/admin_credentials_inventory_spec.rb
+++ b/ee/spec/features/admin/admin_credentials_inventory_spec.rb
@@ -6,7 +6,9 @@ RSpec.describe 'Admin::CredentialsInventory' do
  include Spec::Support::Helpers::Features::ResponsiveTableHelpers
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'unlicensed' do

--- a/ee/spec/features/admin/admin_dashboard_spec.rb
+++ b/ee/spec/features/admin/admin_dashboard_spec.rb
@@ -7,7 +7,9 @@ RSpec.describe 'Admin Dashboard' do
    let_it_be(:users_statistics) { create(:users_statistics) }
    before do
-      sign_in(create(:admin))
+      admin = create(:admin)
+      sign_in(admin)
+      gitlab_enable_admin_mode_sign_in(admin)
    end
    describe 'license' do

--- a/ee/spec/features/admin/admin_dev_ops_report_spec.rb
+++ b/ee/spec/features/admin/admin_dev_ops_report_spec.rb
@@ -8,7 +8,9 @@ RSpec.describe 'DevOps Report page', :js do
  active_tab_selector = '.nav-link.active'
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'with devops_adoption_feature feature flag disabled' do

--- a/ee/spec/features/admin/admin_emails_spec.rb
+++ b/ee/spec/features/admin/admin_emails_spec.rb
@@ -6,7 +6,9 @@ RSpec.describe 'Admin::Emails', :clean_gitlab_redis_shared_state do
  include ExclusiveLeaseHelpers
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'when `send_emails_from_admin_area` feature is not licensed' do

--- a/ee/spec/features/admin/admin_interacts_with_push_rules_spec.rb
+++ b/ee/spec/features/admin/admin_interacts_with_push_rules_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe "Admin interacts with push rules" do
  before do
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
    sign_in(user)
+    gitlab_enable_admin_mode_sign_in(user)
  end
  push_rules_with_titles = {

--- a/ee/spec/features/admin/admin_merge_requests_approvals_spec.rb
+++ b/ee/spec/features/admin/admin_merge_requests_approvals_spec.rb
@@ -10,10 +10,12 @@ RSpec.describe 'Admin interacts with merge requests approvals settings' do
  let_it_be(:project) { create(:project, creator: user) }
  before do
+    sign_in(user)
+    gitlab_enable_admin_mode_sign_in(user)
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
    allow(License).to receive(:feature_available?).and_return(true)
-    sign_in(user)
    visit(admin_push_rule_path)
  end

--- a/ee/spec/features/admin/admin_reset_pipeline_minutes_spec.rb
+++ b/ee/spec/features/admin/admin_reset_pipeline_minutes_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe 'Reset namespace pipeline minutes', :js do
  before do
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  shared_examples 'resetting pipeline minutes' do

--- a/ee/spec/features/admin/admin_sends_notification_spec.rb
+++ b/ee/spec/features/admin/admin_sends_notification_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe "Admin sends notification", :js, :sidekiq_might_not_need_inline d
    group.add_developer(user)
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit(admin_email_path)

--- a/ee/spec/features/admin/admin_settings_spec.rb
+++ b/ee/spec/features/admin/admin_settings_spec.rb
@@ -7,7 +7,9 @@ RSpec.describe 'Admin updates EE-only settings' do
  before do
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    allow(License).to receive(:feature_available?).and_return(true)
    allow(Gitlab::Elastic::Helper.default).to receive(:index_exists?).and_return(true)
  end

--- a/ee/spec/features/admin/admin_users_spec.rb
+++ b/ee/spec/features/admin/admin_users_spec.rb
@@ -13,6 +13,7 @@ RSpec.describe "Admin::Users" do
  before do
    sign_in(current_user)
+    gitlab_enable_admin_mode_sign_in(current_user)
  end
  describe 'GET /admin/users' do

--- a/ee/spec/features/admin/geo/admin_geo_nodes_spec.rb
+++ b/ee/spec/features/admin/geo/admin_geo_nodes_spec.rb
@@ -27,7 +27,9 @@ RSpec.describe 'admin Geo Nodes', :js, :geo do
  before do
    allow(Gitlab::Geo).to receive(:license_allows?).and_return(true)
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe 'index' do

--- a/ee/spec/features/admin/geo/admin_geo_projects_spec.rb
+++ b/ee/spec/features/admin/geo/admin_geo_projects_spec.rb
@@ -15,7 +15,9 @@ RSpec.describe 'admin Geo Projects', :js, :geo do
  before do
    allow(Gitlab::Geo).to receive(:license_allows?).and_return(true)
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe 'visiting geo projects initial page' do

--- a/ee/spec/features/admin/geo/admin_geo_replication_nav_spec.rb
+++ b/ee/spec/features/admin/geo/admin_geo_replication_nav_spec.rb
@@ -11,6 +11,7 @@ RSpec.describe 'admin Geo Replication Nav', :js, :geo do
  before do
    stub_licensed_features(geo: true)
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    stub_secondary_node
  end

--- a/ee/spec/features/admin/geo/admin_geo_sidebar_spec.rb
+++ b/ee/spec/features/admin/geo/admin_geo_sidebar_spec.rb
@@ -11,6 +11,7 @@ RSpec.describe 'admin Geo Sidebar', :js, :geo do
  before do
    stub_licensed_features(geo: true)
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  shared_examples 'active sidebar link' do |link_name|

--- a/ee/spec/features/admin/geo/admin_geo_uploads_spec.rb
+++ b/ee/spec/features/admin/geo/admin_geo_uploads_spec.rb
@@ -8,7 +8,9 @@ RSpec.describe 'admin Geo Uploads', :js, :geo do
  before do
    allow(Gitlab::Geo).to receive(:license_allows?).and_return(true)
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe 'visiting geo uploads initial page' do

--- a/ee/spec/features/admin/groups/admin_changes_plan_spec.rb
+++ b/ee/spec/features/admin/groups/admin_changes_plan_spec.rb
@@ -12,6 +12,7 @@ RSpec.describe 'Changes GL.com plan for group' do
    allow(Gitlab::CurrentSettings).to receive(:should_check_namespace_plan?) { true }
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe 'for group namespace' do

--- a/ee/spec/features/admin/licenses/admin_uploads_license_spec.rb
+++ b/ee/spec/features/admin/licenses/admin_uploads_license_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe "Admin uploads license", :js do
  before do
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'default state' do

--- a/ee/spec/features/admin/licenses/admin_views_license_spec.rb
+++ b/ee/spec/features/admin/licenses/admin_views_license_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe "Admin views license" do
  before do
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    allow_any_instance_of(Gitlab::ExpiringSubscriptionMessage).to receive(:grace_period_effective_from).and_return(Date.today - 45.days)
  end

--- a/ee/spec/features/admin/licenses/show_user_count_threshold_spec.rb
+++ b/ee/spec/features/admin/licenses/show_user_count_threshold_spec.rb
@@ -41,10 +41,14 @@ RSpec.describe 'Display approaching user count limit banner', :js do
    context 'when admin is logged in' do
      before do
-        gitlab_sign_in(admin)
+        sign_in(admin)
      end
      context 'in admin area' do
+        before do
+          gitlab_enable_admin_mode_sign_in(admin)
+        end
        let(:visit_path) { admin_root_path }
        it_behaves_like 'a visible banner'

--- a/ee/spec/features/ci_shared_runner_settings_spec.rb
+++ b/ee/spec/features/ci_shared_runner_settings_spec.rb
@@ -12,6 +12,7 @@ RSpec.describe 'CI shared runner settings' do
  before do
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'without global shared runners quota' do

--- a/ee/spec/features/clusters/cluster_detail_page_spec.rb
+++ b/ee/spec/features/clusters/cluster_detail_page_spec.rb
@@ -52,6 +52,10 @@ RSpec.describe 'Clusterable > Show page' do
    let(:cluster_path) { admin_cluster_path(cluster) }
    let(:cluster) { create(:cluster, :provided_by_gcp, :instance) }
+    before do
+      gitlab_enable_admin_mode_sign_in(current_user)
+    end
    it 'shows the environments tab' do
      visit cluster_path

--- a/ee/spec/features/geo_node_spec.rb
+++ b/ee/spec/features/geo_node_spec.rb
@@ -42,6 +42,7 @@ RSpec.describe 'GEO Nodes', :geo do
      stub_licensed_features(geo: true)
      sign_in(admin_user)
+      gitlab_enable_admin_mode_sign_in(admin_user)
    end
    describe 'Geo Nodes admin screen' do

--- a/ee/spec/features/projects/kerberos_clone_instructions_spec.rb
+++ b/ee/spec/features/projects/kerberos_clone_instructions_spec.rb
@@ -5,10 +5,10 @@ RSpec.describe 'Kerberos clone instructions', :js do
  include MobileHelpers
  let(:project) { create(:project, :empty_repo) }
-  let(:admin) { create(:admin) }
+  let(:user) { project.owner }
  before do
-    sign_in(admin)
+    sign_in(user)
    allow(Gitlab.config.kerberos).to receive(:enabled).and_return(true)
  end

--- a/ee/spec/features/protected_branches_spec.rb
+++ b/ee/spec/features/protected_branches_spec.rb
@@ -5,8 +5,8 @@ require 'spec_helper'
 RSpec.describe 'Protected Branches', :js do
  include ProtectedBranchHelpers
-  let(:user) { create(:user, :admin) }
  let(:project) { create(:project, :repository) }
+  let(:user) { project.owner }
  before do
    stub_feature_flags(deploy_keys_on_protected_branches: false)

--- a/ee/spec/features/protected_tags_spec.rb
+++ b/ee/spec/features/protected_tags_spec.rb
@@ -5,8 +5,8 @@ require 'spec_helper'
 RSpec.describe 'Protected Tags', :js do
  include ProtectedTagHelpers
-  let(:user) { create(:user, :admin) }
  let(:project) { create(:project, :repository) }
+  let(:user) { project.owner }
  before do
    sign_in(user)

--- a/ee/spec/features/search/elastic/snippet_search_spec.rb
+++ b/ee/spec/features/search/elastic/snippet_search_spec.rb
@@ -109,6 +109,7 @@ RSpec.describe 'Snippet elastic search', :js, :elastic, :aggregate_failures, :si
    context 'as administrator' do
      let(:current_user) { create(:admin) }
+      context 'when admin mode is enabled', :enable_admin_mode do
        it 'finds all snippets' do
          within('.results') do
            expect(page).to have_content('public personal snippet')
@@ -125,6 +126,25 @@ RSpec.describe 'Snippet elastic search', :js, :elastic, :aggregate_failures, :si
          end
        end
      end
+      context 'when admin mode is disabled' do
+        it 'finds only public and internal snippets' do
+          within('.results') do
+            expect(page).to have_content('public personal snippet')
+            expect(page).not_to have_content('public project snippet')
+            expect(page).to have_content('internal personal snippet')
+            expect(page).not_to have_content('internal project snippet')
+            expect(page).not_to have_content('private personal snippet')
+            expect(page).not_to have_content('private project snippet')
+            expect(page).not_to have_content('authorized personal snippet')
+            expect(page).not_to have_content('authorized project snippet')
+          end
+        end
+      end
+    end
  end
  context 'when searching titles' do

--- a/ee/spec/features/security/project/private_access_spec.rb
+++ b/ee/spec/features/security/project/private_access_spec.rb
@@ -14,7 +14,8 @@ RSpec.describe '[EE] Private Project Access' do
    subject { project_insights_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:auditor) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }

--- a/spec/features/admin/admin_abuse_reports_spec.rb
+++ b/spec/features/admin/admin_abuse_reports_spec.rb
@@ -7,7 +7,9 @@ RSpec.describe "Admin::AbuseReports", :js do
  context 'as an admin' do
    before do
-      sign_in(create(:admin))
+      admin = create(:admin)
+      sign_in(admin)
+      gitlab_enable_admin_mode_sign_in(admin)
    end
    describe 'if a user has been reported for abuse' do

--- a/spec/features/admin/admin_appearance_spec.rb
+++ b/spec/features/admin/admin_appearance_spec.rb
@@ -4,9 +4,11 @@ require 'spec_helper'
 RSpec.describe 'Admin Appearance' do
  let!(:appearance) { create(:appearance) }
+  let(:admin) { create(:admin) }
  it 'Create new appearance' do
-    sign_in(create(:admin))
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit admin_appearances_path
    fill_in 'appearance_title', with: 'MyCompany'
@@ -26,7 +28,8 @@ RSpec.describe 'Admin Appearance' do
  end
  it 'Preview sign-in page appearance' do
-    sign_in(create(:admin))
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit admin_appearances_path
    click_link "Sign-in page"
@@ -35,7 +38,8 @@ RSpec.describe 'Admin Appearance' do
  end
  it 'Preview new project page appearance' do
-    sign_in(create(:admin))
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit admin_appearances_path
    click_link "New project page"
@@ -45,7 +49,8 @@ RSpec.describe 'Admin Appearance' do
  context 'Custom system header and footer' do
    before do
-      sign_in(create(:admin))
+      sign_in(admin)
+      gitlab_enable_admin_mode_sign_in(admin)
    end
    context 'when system header and footer messages are empty' do
@@ -82,7 +87,8 @@ RSpec.describe 'Admin Appearance' do
  end
  it 'Custom new project page' do
-    sign_in create(:user)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit new_project_path
    expect_custom_new_project_appearance(appearance)
@@ -91,6 +97,7 @@ RSpec.describe 'Admin Appearance' do
  context 'Profile page with custom profile image guidelines' do
    before do
      sign_in(create(:admin))
+      gitlab_enable_admin_mode_sign_in(admin)
      visit admin_appearances_path
      fill_in 'appearance_profile_image_guidelines', with: 'Custom profile image guidelines, please :smile:!'
      click_button 'Update appearance settings'
@@ -105,7 +112,8 @@ RSpec.describe 'Admin Appearance' do
  end
  it 'Appearance logo' do
-    sign_in(create(:admin))
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit admin_appearances_path
    attach_file(:appearance_logo, logo_fixture)
@@ -117,7 +125,8 @@ RSpec.describe 'Admin Appearance' do
  end
  it 'Header logos' do
-    sign_in(create(:admin))
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit admin_appearances_path
    attach_file(:appearance_header_logo, logo_fixture)
@@ -129,7 +138,8 @@ RSpec.describe 'Admin Appearance' do
  end
  it 'Favicon' do
-    sign_in(create(:admin))
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit admin_appearances_path
    attach_file(:appearance_favicon, logo_fixture)

--- a/spec/features/admin/admin_broadcast_messages_spec.rb
+++ b/spec/features/admin/admin_broadcast_messages_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 RSpec.describe 'Admin Broadcast Messages' do
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    create(:broadcast_message, :expired, message: 'Migration to new server')
    visit admin_broadcast_messages_path
  end

--- a/spec/features/admin/admin_browse_spam_logs_spec.rb
+++ b/spec/features/admin/admin_browse_spam_logs_spec.rb
@@ -6,7 +6,9 @@ RSpec.describe 'Admin browse spam logs' do
  let!(:spam_log) { create(:spam_log, description: 'abcde ' * 20) }
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  it 'Browse spam logs' do

--- a/spec/features/admin/admin_builds_spec.rb
+++ b/spec/features/admin/admin_builds_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 RSpec.describe 'Admin Builds' do
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe 'GET /admin/builds' do

--- a/spec/features/admin/admin_cohorts_spec.rb
+++ b/spec/features/admin/admin_cohorts_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 RSpec.describe 'Cohorts page' do
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'with usage ping enabled' do

--- a/spec/features/admin/admin_deploy_keys_spec.rb
+++ b/spec/features/admin/admin_deploy_keys_spec.rb
@@ -7,7 +7,9 @@ RSpec.describe 'admin deploy keys' do
  let!(:another_deploy_key) { create(:another_deploy_key, public: true) }
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  it 'show all public deploy keys' do

--- a/spec/features/admin/admin_dev_ops_report_spec.rb
+++ b/spec/features/admin/admin_dev_ops_report_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 RSpec.describe 'DevOps Report page', :js do
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'with devops_adoption feature flag disabled' do

--- a/spec/features/admin/admin_disables_git_access_protocol_spec.rb
+++ b/spec/features/admin/admin_disables_git_access_protocol_spec.rb
@@ -12,6 +12,7 @@ RSpec.describe 'Admin disables Git access protocol', :js do
  before do
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'with HTTP disabled' do

--- a/spec/features/admin/admin_disables_two_factor_spec.rb
+++ b/spec/features/admin/admin_disables_two_factor_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 RSpec.describe 'Admin disables 2FA for a user' do
  it 'successfully', :js do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    user = create(:user, :two_factor)
    edit_user(user)
@@ -19,7 +21,9 @@ RSpec.describe 'Admin disables 2FA for a user' do
  end
  it 'for a user without 2FA enabled' do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    user = create(:user)
    edit_user(user)

--- a/spec/features/admin/admin_groups_spec.rb
+++ b/spec/features/admin/admin_groups_spec.rb
@@ -13,6 +13,7 @@ RSpec.describe 'Admin Groups' do
  before do
    sign_in(current_user)
+    gitlab_enable_admin_mode_sign_in(current_user)
    stub_application_setting(default_group_visibility: internal)
  end

--- a/spec/features/admin/admin_health_check_spec.rb
+++ b/spec/features/admin/admin_health_check_spec.rb
@@ -9,6 +9,7 @@ RSpec.describe "Admin Health Check", :feature do
  before do
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe '#show' do

--- a/spec/features/admin/admin_hook_logs_spec.rb
+++ b/spec/features/admin/admin_hook_logs_spec.rb
@@ -8,7 +8,9 @@ RSpec.describe 'Admin::HookLogs' do
  let(:hook_log) { create(:web_hook_log, web_hook: system_hook, internal_error_message: 'some error') }
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  it 'show list of hook logs' do

--- a/spec/features/admin/admin_hooks_spec.rb
+++ b/spec/features/admin/admin_hooks_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe 'Admin::Hooks' do
  before do
    sign_in(user)
+    gitlab_enable_admin_mode_sign_in(user)
  end
  describe 'GET /admin/hooks' do

--- a/spec/features/admin/admin_labels_spec.rb
+++ b/spec/features/admin/admin_labels_spec.rb
@@ -7,7 +7,9 @@ RSpec.describe 'admin issues labels' do
  let!(:feature_label) { Label.create(title: 'feature', template: true) }
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe 'list' do

--- a/spec/features/admin/admin_manage_applications_spec.rb
+++ b/spec/features/admin/admin_manage_applications_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 RSpec.describe 'admin manage applications' do
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  it 'creates new oauth application' do

--- a/spec/features/admin/admin_mode/login_spec.rb
+++ b/spec/features/admin/admin_mode/login_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe 'Admin Mode Login', :clean_gitlab_redis_shared_state, :do_not_mock_admin_mode do
+RSpec.describe 'Admin Mode Login' do
  include TermsHelper
  include UserLoginHelper
  include LdapHelpers

--- a/spec/features/admin/admin_mode/logout_spec.rb
+++ b/spec/features/admin/admin_mode/logout_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe 'Admin Mode Logout', :js, :clean_gitlab_redis_shared_state, :do_not_mock_admin_mode do
+RSpec.describe 'Admin Mode Logout', :js do
  include TermsHelper
  include UserLoginHelper

--- a/spec/features/admin/admin_mode/workers_spec.rb
+++ b/spec/features/admin/admin_mode/workers_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 # Test an operation that triggers background jobs requiring administrative rights
-RSpec.describe 'Admin mode for workers', :do_not_mock_admin_mode, :request_store, :clean_gitlab_redis_shared_state do
+RSpec.describe 'Admin mode for workers', :request_store do
  let(:user) { create(:user) }
  let(:user_to_delete) { create(:user) }

--- a/spec/features/admin/admin_mode_spec.rb
+++ b/spec/features/admin/admin_mode_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe 'Admin mode', :clean_gitlab_redis_shared_state, :do_not_mock_admin_mode do
+RSpec.describe 'Admin mode' do
  include MobileHelpers
  include StubENV

--- a/spec/features/admin/admin_projects_spec.rb
+++ b/spec/features/admin/admin_projects_spec.rb
@@ -11,6 +11,7 @@ RSpec.describe "Admin::Projects" do
  before do
    sign_in(current_user)
+    gitlab_enable_admin_mode_sign_in(current_user)
  end
  describe "GET /admin/projects" do

--- a/spec/features/admin/admin_requests_profiles_spec.rb
+++ b/spec/features/admin/admin_requests_profiles_spec.rb
@@ -7,7 +7,9 @@ RSpec.describe 'Admin::RequestsProfilesController' do
  before do
    stub_const('Gitlab::RequestProfiler::PROFILES_DIR', tmpdir)
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  after do

--- a/spec/features/admin/admin_runners_spec.rb
+++ b/spec/features/admin/admin_runners_spec.rb
@@ -9,7 +9,9 @@ RSpec.describe "Admin Runners" do
  before do
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe "Runners page" do

--- a/spec/features/admin/admin_sees_project_statistics_spec.rb
+++ b/spec/features/admin/admin_sees_project_statistics_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe "Admin > Admin sees project statistics" do
  before do
    sign_in(current_user)
+    gitlab_enable_admin_mode_sign_in(current_user)
    visit admin_project_path(project)
  end

--- a/spec/features/admin/admin_sees_projects_statistics_spec.rb
+++ b/spec/features/admin/admin_sees_projects_statistics_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe "Admin > Admin sees projects statistics" do
    create(:project, :repository) { |project| project.statistics.destroy }
    sign_in(current_user)
+    gitlab_enable_admin_mode_sign_in(current_user)
    visit admin_projects_path
  end

--- a/spec/features/admin/admin_serverless_domains_spec.rb
+++ b/spec/features/admin/admin_serverless_domains_spec.rb
@@ -7,7 +7,9 @@ RSpec.describe 'Admin Serverless Domains', :js do
  before do
    allow(Gitlab.config.pages).to receive(:enabled).and_return(true)
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  it 'Add domain with certificate' do

--- a/spec/features/admin/admin_settings_spec.rb
+++ b/spec/features/admin/admin_settings_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe 'Admin updates settings', :clean_gitlab_redis_shared_state, :do_not_mock_admin_mode do
+RSpec.describe 'Admin updates settings' do
  include StubENV
  include TermsHelper
  include UsageDataHelpers

--- a/spec/features/admin/admin_system_info_spec.rb
+++ b/spec/features/admin/admin_system_info_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 RSpec.describe 'Admin System Info' do
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe 'GET /admin/system_info' do

--- a/spec/features/admin/admin_users_impersonation_tokens_spec.rb
+++ b/spec/features/admin/admin_users_impersonation_tokens_spec.rb
@@ -20,6 +20,7 @@ RSpec.describe 'Admin > Users > Impersonation Tokens', :js do
  before do
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  describe "token creation" do

--- a/spec/features/admin/admin_users_spec.rb
+++ b/spec/features/admin/admin_users_spec.rb
@@ -13,6 +13,7 @@ RSpec.describe "Admin::Users" do
  before do
    sign_in(current_user)
+    gitlab_enable_admin_mode_sign_in(current_user)
  end
  describe "GET /admin/users" do

--- a/spec/features/admin/admin_uses_repository_checks_spec.rb
+++ b/spec/features/admin/admin_uses_repository_checks_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe 'Admin uses repository checks', :request_store, :clean_gitlab_redis_shared_state, :do_not_mock_admin_mode do
+RSpec.describe 'Admin uses repository checks', :request_store do
  include StubENV
  let(:admin) { create(:admin) }

--- a/spec/features/admin/clusters/applications_spec.rb
+++ b/spec/features/admin/clusters/applications_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe 'Instance-level Cluster Applications', :js do
  before do
    sign_in(user)
+    gitlab_enable_admin_mode_sign_in(user)
  end
  describe 'Installing applications' do

--- a/spec/features/admin/clusters/eks_spec.rb
+++ b/spec/features/admin/clusters/eks_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe 'Instance-level AWS EKS Cluster', :js do
  before do
    sign_in(user)
+    gitlab_enable_admin_mode_sign_in(user)
  end
  context 'when user does not have a cluster and visits group clusters page' do

--- a/spec/features/admin/dashboard_spec.rb
+++ b/spec/features/admin/dashboard_spec.rb
@@ -6,7 +6,9 @@ RSpec.describe 'admin visits dashboard' do
  include ProjectForksHelper
  before do
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
  end
  context 'counting forks', :js do

--- a/spec/features/admin/services/admin_activates_prometheus_spec.rb
+++ b/spec/features/admin/services/admin_activates_prometheus_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe 'Admin activates Prometheus', :js do
  before do
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit(admin_application_settings_services_path)

--- a/spec/features/admin/services/admin_visits_service_templates_spec.rb
+++ b/spec/features/admin/services/admin_visits_service_templates_spec.rb
@@ -8,6 +8,7 @@ RSpec.describe 'Admin visits service templates' do
  before do
    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    visit(admin_application_settings_services_path)
  end

--- a/spec/features/boards/keyboard_shortcut_spec.rb
+++ b/spec/features/boards/keyboard_shortcut_spec.rb
@@ -9,7 +9,9 @@ RSpec.describe 'Issue Boards shortcut', :js do
    before do
      create(:board, project: project)
-      sign_in(create(:admin))
+      admin = create(:admin)
+      sign_in(admin)
+      gitlab_enable_admin_mode_sign_in(admin)
      visit project_path(project)
    end
@@ -26,7 +28,9 @@ RSpec.describe 'Issue Boards shortcut', :js do
    let(:project) { create(:project, :issues_disabled) }
    before do
-      sign_in(create(:admin))
+      admin = create(:admin)
+      sign_in(admin)
+      gitlab_enable_admin_mode_sign_in(admin)
      visit project_path(project)
    end

--- a/spec/features/clusters/cluster_detail_page_spec.rb
+++ b/spec/features/clusters/cluster_detail_page_spec.rb
@@ -168,6 +168,10 @@ RSpec.describe 'Clusterable > Show page' do
    let(:cluster_path) { admin_cluster_path(cluster) }
    let(:cluster) { create(:cluster, :provided_by_gcp, :instance) }
+    before do
+      gitlab_enable_admin_mode_sign_in(current_user)
+    end
    it_behaves_like 'show page' do
      let(:cluster_type_label) { 'Instance cluster' }
    end

--- a/spec/features/expand_collapse_diffs_spec.rb
+++ b/spec/features/expand_collapse_diffs_spec.rb
@@ -10,7 +10,9 @@ RSpec.describe 'Expand and collapse diffs', :js do
    stub_feature_flags(increased_diff_limits: false)
    allow(Gitlab::CurrentSettings).to receive(:diff_max_patch_bytes).and_return(100.kilobytes)
-    sign_in(create(:admin))
+    admin = create(:admin)
+    sign_in(admin)
+    gitlab_enable_admin_mode_sign_in(admin)
    # Ensure that undiffable.md is in .gitattributes
    project.repository.copy_gitattributes(branch)

--- a/spec/features/file_uploads/git_lfs_spec.rb
+++ b/spec/features/file_uploads/git_lfs_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe 'Upload a git lfs object', :js do
  include_context 'file upload requests helpers'
  let_it_be(:project) { create(:project) }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
  let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
  let(:file) { fixture_file_upload('spec/fixtures/banana_sample.gif') }

--- a/spec/features/groups_spec.rb
+++ b/spec/features/groups_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 RSpec.describe 'Group' do
-  let(:user) { create(:admin) }
+  let(:user) { create(:user) }
  before do
    sign_in(user)
@@ -21,8 +21,6 @@ RSpec.describe 'Group' do
    end
    describe 'as a non-admin' do
-      let(:user) { create(:user) }
      it 'creates a group and persists visibility radio selection', :js do
        stub_application_setting(default_group_visibility: :private)
@@ -140,6 +138,8 @@ RSpec.describe 'Group' do
    let(:group) { create(:group, path: 'foo') }
    context 'as admin' do
+      let(:user) { create(:admin) }
      before do
        visit new_group_path(group, parent_id: group.id)
      end
@@ -190,6 +190,8 @@ RSpec.describe 'Group' do
    let(:new_name) { 'new-name' }
    before do
+      group.add_owner(user)
      visit path
    end
@@ -200,6 +202,8 @@ RSpec.describe 'Group' do
    it 'saves new settings' do
      page.within('.gs-general') do
+        # Have to reset it to '' so it overwrites rather than appends
+        fill_in('group_name', with: '')
        fill_in 'group_name', with: new_name
        click_button 'Save changes'
      end
@@ -229,6 +233,10 @@ RSpec.describe 'Group' do
    let(:group) { create(:group) }
    let(:path)  { group_path(group) }
+    before do
+      group.add_owner(user)
+    end
    it 'parses Markdown' do
      group.update_attribute(:description, 'This is **my** group')
@@ -267,6 +275,10 @@ RSpec.describe 'Group' do
    let!(:nested_group) { create(:group, parent: group) }
    let!(:project) { create(:project, namespace: group) }
+    before do
+      group.add_owner(user)
+    end
    it 'renders projects and groups on the page' do
      visit group_path(group)
      wait_for_requests
@@ -294,6 +306,10 @@ RSpec.describe 'Group' do
  describe 'new subgroup / project button' do
    let(:group) { create(:group, project_creation_level: Gitlab::Access::NO_ONE_PROJECT_ACCESS, subgroup_creation_level: Gitlab::Access::OWNER_SUBGROUP_ACCESS) }
+    before do
+      group.add_owner(user)
+    end
    context 'when user has subgroup creation permissions but not project creation permissions' do
      it 'only displays "New subgroup" button' do
        visit group_path(group)

--- a/spec/features/issues/keyboard_shortcut_spec.rb
+++ b/spec/features/issues/keyboard_shortcut_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe 'Issues shortcut', :js do
      let(:project) { create(:project) }
      before do
-        sign_in(create(:admin))
+        sign_in(project.owner)
        visit project_path(project)
      end
@@ -23,7 +23,7 @@ RSpec.describe 'Issues shortcut', :js do
      let(:project) { create(:project, :issues_disabled) }
      before do
-        sign_in(create(:admin))
+        sign_in(project.owner)
        visit project_path(project)
      end

--- a/spec/features/markdown/copy_as_gfm_spec.rb
+++ b/spec/features/markdown/copy_as_gfm_spec.rb
@@ -7,10 +7,6 @@ RSpec.describe 'Copy as GFM', :js do
  include RepoHelpers
  include ActionView::Helpers::JavaScriptHelper
-  before do
-    sign_in(create(:admin))
-  end
  describe 'Copying rendered GFM' do
    before do
      @feat = MarkdownFeature.new
@@ -18,6 +14,9 @@ RSpec.describe 'Copy as GFM', :js do
      # `markdown` helper expects a `@project` variable
      @project = @feat.project
+      user = create(:user)
+      @project.add_maintainer(user)
+      sign_in(user)
      visit project_issue_path(@project, @feat.issue)
    end
@@ -650,6 +649,10 @@ RSpec.describe 'Copy as GFM', :js do
  describe 'Copying code' do
    let(:project) { create(:project, :repository) }
+    before do
+      sign_in(project.owner)
+    end
    context 'from a diff' do
      shared_examples 'copying code from a diff' do
        context 'selecting one word of text' do

--- a/spec/features/profiles/active_sessions_spec.rb
+++ b/spec/features/profiles/active_sessions_spec.rb
@@ -45,6 +45,7 @@ RSpec.describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
        )
        gitlab_sign_in(admin)
+        gitlab_enable_admin_mode_sign_in(admin)
        visit admin_user_path(user)

--- a/spec/features/projects/blobs/user_creates_new_blob_in_new_project_spec.rb
+++ b/spec/features/projects/blobs/user_creates_new_blob_in_new_project_spec.rb
@@ -9,12 +9,9 @@ RSpec.describe 'User creates new blob', :js do
  let(:project) { create(:project, :empty_repo) }
  shared_examples 'creating a file' do
-    before do
+    it 'allows the user to add a new file in Web IDE' do
-      sign_in(user)
      visit project_path(project)
-    end
-    it 'allows the user to add a new file in Web IDE' do
      click_link 'New file'
      wait_for_requests
@@ -31,6 +28,7 @@ RSpec.describe 'User creates new blob', :js do
  describe 'as a maintainer' do
    before do
      project.add_maintainer(user)
+      sign_in(user)
    end
    it_behaves_like 'creating a file'
@@ -39,6 +37,11 @@ RSpec.describe 'User creates new blob', :js do
  describe 'as an admin' do
    let(:user) { create(:user, :admin) }
+    before do
+      sign_in(user)
+      gitlab_enable_admin_mode_sign_in(user)
+    end
    it_behaves_like 'creating a file'
  end

--- a/spec/features/projects/blobs/user_follows_pipeline_suggest_nudge_spec.rb
+++ b/spec/features/projects/blobs/user_follows_pipeline_suggest_nudge_spec.rb
@@ -5,8 +5,8 @@ require 'spec_helper'
 RSpec.describe 'User follows pipeline suggest nudge spec when feature is enabled', :js do
  include CookieHelper
-  let(:user) { create(:user, :admin) }
  let(:project) { create(:project, :empty_repo) }
+  let(:user) { project.owner }
  describe 'viewing the new blob page' do
    before do

--- a/spec/features/projects/clusters/gcp_spec.rb
+++ b/spec/features/projects/clusters/gcp_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe 'Gcp Cluster', :js, :do_not_mock_admin_mode do
+RSpec.describe 'Gcp Cluster', :js do
  include GoogleApi::CloudPlatformHelpers
  let(:project) { create(:project) }

--- a/spec/features/projects/features_visibility_spec.rb
+++ b/spec/features/projects/features_visibility_spec.rb
@@ -150,6 +150,7 @@ RSpec.describe 'Edit Project Settings' do
      before do
        non_member.update_attribute(:admin, true)
        sign_in(non_member)
+        gitlab_enable_admin_mode_sign_in(non_member)
      end
      it 'renders 404 if feature is disabled' do

--- a/spec/features/projects/gfm_autocomplete_load_spec.rb
+++ b/spec/features/projects/gfm_autocomplete_load_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe 'GFM autocomplete loading', :js do
  let(:project) { create(:project) }
  before do
-    sign_in(create(:admin))
+    sign_in(project.owner)
    visit project_path(project)
  end

--- a/spec/features/projects/settings/repository_settings_spec.rb
+++ b/spec/features/projects/settings/repository_settings_spec.rb
@@ -289,13 +289,13 @@ RSpec.describe 'Projects > Settings > Repository settings' do
      visit project_settings_repository_path(project)
    end
-    context 'when project mirroring is enabled' do
+    context 'when project mirroring is enabled', :enable_admin_mode do
      let(:mirror_available) { true }
      include_examples 'shows mirror settings'
    end
-    context 'when project mirroring is disabled' do
+    context 'when project mirroring is disabled', :enable_admin_mode do
      let(:mirror_available) { false }
      include_examples 'shows mirror settings'

--- a/spec/features/projects/user_views_empty_project_spec.rb
+++ b/spec/features/projects/user_views_empty_project_spec.rb
@@ -7,12 +7,9 @@ RSpec.describe 'User views an empty project' do
  let(:user) { create(:user) }
  shared_examples 'allowing push to default branch' do
-    before do
+    it 'shows push-to-master instructions' do
-      sign_in(user)
      visit project_path(project)
-    end
-    it 'shows push-to-master instructions' do
      expect(page).to have_content('git push -u origin master')
    end
  end
@@ -20,6 +17,7 @@ RSpec.describe 'User views an empty project' do
  describe 'as a maintainer' do
    before do
      project.add_maintainer(user)
+      sign_in(user)
    end
    it_behaves_like 'allowing push to default branch'
@@ -28,17 +26,33 @@ RSpec.describe 'User views an empty project' do
  describe 'as an admin' do
    let(:user) { create(:user, :admin) }
+    context 'when admin mode is enabled' do
+      before do
+        sign_in(user)
+        gitlab_enable_admin_mode_sign_in(user)
+      end
      it_behaves_like 'allowing push to default branch'
    end
+    context 'when admin mode is disabled' do
+      it 'does not show push-to-master instructions' do
+        visit project_path(project)
+        expect(page).not_to have_content('git push -u origin master')
+      end
+    end
+  end
  describe 'as a developer' do
    before do
      project.add_developer(user)
      sign_in(user)
-      visit project_path(project)
    end
    it 'does not show push-to-master instructions' do
+      visit project_path(project)
      expect(page).not_to have_content('git push -u origin master')
    end
  end

--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -61,7 +61,7 @@ RSpec.describe 'Project' do
    let(:path)    { project_path(project) }
    before do
-      sign_in(create(:admin))
+      sign_in(project.owner)
    end
    it 'parses Markdown' do
@@ -125,7 +125,7 @@ RSpec.describe 'Project' do
    let(:path)    { project_path(project) }
    before do
-      sign_in(create(:admin))
+      sign_in(project.owner)
      visit path
    end
@@ -156,7 +156,7 @@ RSpec.describe 'Project' do
    let(:path)    { project_path(project) }
    before do
-      sign_in(create(:admin))
+      sign_in(project.owner)
      visit path
    end

--- a/spec/features/protected_branches_spec.rb
+++ b/spec/features/protected_branches_spec.rb
@@ -73,6 +73,7 @@ RSpec.describe 'Protected Branches', :js do
  context 'logged in as admin' do
    before do
      sign_in(admin)
+      gitlab_enable_admin_mode_sign_in(admin)
    end
    describe "explicit protected branches" do

--- a/spec/features/protected_tags_spec.rb
+++ b/spec/features/protected_tags_spec.rb
@@ -5,8 +5,8 @@ require 'spec_helper'
 RSpec.describe 'Protected Tags', :js do
  include ProtectedTagHelpers
-  let(:user) { create(:user, :admin) }
  let(:project) { create(:project, :repository) }
+  let(:user) { project.owner }
  before do
    sign_in(user)

--- a/spec/features/security/admin_access_spec.rb
+++ b/spec/features/security/admin_access_spec.rb
@@ -8,7 +8,14 @@ RSpec.describe "Admin::Projects" do
  describe "GET /admin/projects" do
    subject { admin_projects_path }
+    context 'when admin mode is enabled', :enable_admin_mode do
      it { is_expected.to be_allowed_for :admin }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for :admin }
+    end
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end
@@ -16,7 +23,14 @@ RSpec.describe "Admin::Projects" do
  describe "GET /admin/users" do
    subject { admin_users_path }
+    context 'when admin mode is enabled', :enable_admin_mode do
      it { is_expected.to be_allowed_for :admin }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for :admin }
+    end
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end
@@ -24,7 +38,14 @@ RSpec.describe "Admin::Projects" do
  describe "GET /admin/hooks" do
    subject { admin_hooks_path }
+    context 'when admin mode is enabled', :enable_admin_mode do
      it { is_expected.to be_allowed_for :admin }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for :admin }
+    end
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :visitor }
  end

--- a/spec/features/security/project/internal_access_spec.rb
+++ b/spec/features/security/project/internal_access_spec.rb
@@ -102,7 +102,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/-/settings/ci_cd" do
    subject { project_settings_ci_cd_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -116,7 +117,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/-/settings/repository" do
    subject { project_settings_repository_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -146,7 +148,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/edit" do
    subject { edit_project_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -160,7 +163,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/deploy_keys" do
    subject { project_deploy_keys_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -190,7 +194,8 @@ RSpec.describe "Internal Project Access" do
    subject { edit_project_issue_path(project, issue) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -218,7 +223,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/snippets/new" do
    subject { new_project_snippet_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -246,7 +252,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/-/merge_requests/new" do
    subject { project_new_merge_request_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -302,7 +309,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/-/settings/integrations" do
    subject { project_settings_integrations_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -367,7 +375,8 @@ RSpec.describe "Internal Project Access" do
        project.update(public_builds: false)
      end
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -406,7 +415,8 @@ RSpec.describe "Internal Project Access" do
        project.update(public_builds: false)
      end
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -445,7 +455,8 @@ RSpec.describe "Internal Project Access" do
        project.update(public_builds: false)
      end
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -460,7 +471,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/pipeline_schedules" do
    subject { project_pipeline_schedules_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is disabled') { is_expected.to be_allowed_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -474,7 +486,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/-/environments" do
    subject { project_environments_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is disabled') { is_expected.to be_allowed_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -490,7 +503,8 @@ RSpec.describe "Internal Project Access" do
    subject { project_environment_path(project, environment) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is disabled') { is_expected.to be_allowed_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -506,7 +520,8 @@ RSpec.describe "Internal Project Access" do
    subject { project_environment_deployments_path(project, environment) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is disabled') { is_expected.to be_allowed_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -520,7 +535,8 @@ RSpec.describe "Internal Project Access" do
  describe "GET /:project_path/-/environments/new" do
    subject { new_project_environment_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }

--- a/spec/features/security/project/private_access_spec.rb
+++ b/spec/features/security/project/private_access_spec.rb
@@ -18,7 +18,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path" do
    subject { project_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -32,7 +33,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/tree/master" do
    subject { project_tree_path(project, project.repository.root_ref) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -46,7 +48,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/commits/master" do
    subject { project_commits_path(project, project.repository.root_ref, limit: 1) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -60,7 +63,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/commit/:sha" do
    subject { project_commit_path(project, project.repository.commit) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -74,7 +78,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/compare" do
    subject { project_compare_index_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -88,7 +93,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/project_members" do
    subject { project_project_members_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -102,7 +108,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/settings/ci_cd" do
    subject { project_settings_ci_cd_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -116,7 +123,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/settings/repository" do
    subject { project_settings_repository_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -132,7 +140,8 @@ RSpec.describe "Private Project Access" do
    subject { project_blob_path(project, File.join(commit.id, '.gitignore')) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -146,7 +155,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/edit" do
    subject { edit_project_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -160,7 +170,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/deploy_keys" do
    subject { project_deploy_keys_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -174,7 +185,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/issues" do
    subject { project_issues_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -190,7 +202,8 @@ RSpec.describe "Private Project Access" do
    subject { edit_project_issue_path(project, issue) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -204,7 +217,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/snippets" do
    subject { project_snippets_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -218,7 +232,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/merge_requests" do
    subject { project_merge_requests_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -239,7 +254,8 @@ RSpec.describe "Private Project Access" do
      end
    end
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -260,7 +276,8 @@ RSpec.describe "Private Project Access" do
      end
    end
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -274,7 +291,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/settings/integrations" do
    subject { project_settings_integrations_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -288,7 +306,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/pipelines" do
    subject { project_pipelines_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -316,7 +335,8 @@ RSpec.describe "Private Project Access" do
    subject { project_pipeline_path(project, pipeline) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -342,7 +362,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/builds" do
    subject { project_jobs_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -371,7 +392,8 @@ RSpec.describe "Private Project Access" do
    subject { project_job_path(project, build.id) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -405,7 +427,8 @@ RSpec.describe "Private Project Access" do
    subject { trace_project_job_path(project, build.id) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -435,7 +458,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/environments" do
    subject { project_environments_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -451,7 +475,8 @@ RSpec.describe "Private Project Access" do
    subject { project_environment_path(project, environment) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -467,7 +492,8 @@ RSpec.describe "Private Project Access" do
    subject { project_environment_deployments_path(project, environment) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -481,7 +507,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/environments/new" do
    subject { new_project_environment_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -495,7 +522,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/pipeline_schedules" do
    subject { project_pipeline_schedules_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -509,7 +537,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/pipeline_schedules/new" do
    subject { new_project_pipeline_schedule_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -523,7 +552,8 @@ RSpec.describe "Private Project Access" do
  describe "GET /:project_path/-/environments/new" do
    subject { new_project_pipeline_schedule_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -545,7 +575,8 @@ RSpec.describe "Private Project Access" do
    subject { project_container_registry_index_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }

--- a/spec/features/security/project/public_access_spec.rb
+++ b/spec/features/security/project/public_access_spec.rb
@@ -102,7 +102,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/-/settings/ci_cd" do
    subject { project_settings_ci_cd_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -116,7 +117,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/-/settings/repository" do
    subject { project_settings_repository_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -181,7 +183,8 @@ RSpec.describe "Public Project Access" do
        project.update(public_builds: false)
      end
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -220,7 +223,8 @@ RSpec.describe "Public Project Access" do
        project.update(public_builds: false)
      end
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -259,7 +263,8 @@ RSpec.describe "Public Project Access" do
        project.update(public_builds: false)
      end
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -274,7 +279,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/pipeline_schedules" do
    subject { project_pipeline_schedules_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is disabled') { is_expected.to be_allowed_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -288,7 +294,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/-/environments" do
    subject { project_environments_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is disabled') { is_expected.to be_allowed_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -304,7 +311,8 @@ RSpec.describe "Public Project Access" do
    subject { project_environment_path(project, environment) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is disabled') { is_expected.to be_allowed_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -320,7 +328,8 @@ RSpec.describe "Public Project Access" do
    subject { project_environment_deployments_path(project, environment) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is disabled') { is_expected.to be_allowed_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -334,7 +343,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/-/environments/new" do
    subject { new_project_environment_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -363,7 +373,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/edit" do
    subject { edit_project_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -377,7 +388,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/deploy_keys" do
    subject { project_deploy_keys_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }
@@ -407,7 +419,8 @@ RSpec.describe "Public Project Access" do
    subject { edit_project_issue_path(project, issue) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -435,7 +448,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/snippets/new" do
    subject { new_project_snippet_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -463,7 +477,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/-/merge_requests/new" do
    subject { project_new_merge_request_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -519,7 +534,8 @@ RSpec.describe "Public Project Access" do
  describe "GET /:project_path/-/settings/integrations" do
    subject { project_settings_integrations_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_denied_for(:developer).of(project) }

--- a/spec/features/security/project/snippet/internal_access_spec.rb
+++ b/spec/features/security/project/snippet/internal_access_spec.rb
@@ -26,7 +26,8 @@ RSpec.describe "Internal Project Snippets Access" do
  describe "GET /:project_path/snippets/new" do
    subject { new_project_snippet_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -55,7 +56,8 @@ RSpec.describe "Internal Project Snippets Access" do
    context "for a private snippet" do
      subject { project_snippet_path(project, private_snippet) }
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -85,7 +87,8 @@ RSpec.describe "Internal Project Snippets Access" do
    context "for a private snippet" do
      subject { raw_project_snippet_path(project, private_snippet) }
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }

--- a/spec/features/security/project/snippet/private_access_spec.rb
+++ b/spec/features/security/project/snippet/private_access_spec.rb
@@ -12,7 +12,8 @@ RSpec.describe "Private Project Snippets Access" do
  describe "GET /:project_path/snippets" do
    subject { project_snippets_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -26,7 +27,8 @@ RSpec.describe "Private Project Snippets Access" do
  describe "GET /:project_path/snippets/new" do
    subject { new_project_snippet_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -40,7 +42,8 @@ RSpec.describe "Private Project Snippets Access" do
  describe "GET /:project_path/snippets/:id for a private snippet" do
    subject { project_snippet_path(project, private_snippet) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -54,7 +57,8 @@ RSpec.describe "Private Project Snippets Access" do
  describe "GET /:project_path/snippets/:id/raw for a private snippet" do
    subject { raw_project_snippet_path(project, private_snippet) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }

--- a/spec/features/security/project/snippet/public_access_spec.rb
+++ b/spec/features/security/project/snippet/public_access_spec.rb
@@ -27,7 +27,8 @@ RSpec.describe "Public Project Snippets Access" do
  describe "GET /:project_path/snippets/new" do
    subject { new_project_snippet_path(project) }
-    it { is_expected.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
    it { is_expected.to be_allowed_for(:owner).of(project) }
    it { is_expected.to be_allowed_for(:maintainer).of(project) }
    it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -70,7 +71,8 @@ RSpec.describe "Public Project Snippets Access" do
    context "for a private snippet" do
      subject { project_snippet_path(project, private_snippet) }
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -114,7 +116,8 @@ RSpec.describe "Public Project Snippets Access" do
    context "for a private snippet" do
      subject { raw_project_snippet_path(project, private_snippet) }
-      it { is_expected.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { is_expected.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { is_expected.to be_denied_for(:admin) }
      it { is_expected.to be_allowed_for(:owner).of(project) }
      it { is_expected.to be_allowed_for(:maintainer).of(project) }
      it { is_expected.to be_allowed_for(:developer).of(project) }

--- a/spec/features/usage_stats_consent_spec.rb
+++ b/spec/features/usage_stats_consent_spec.rb
@@ -19,6 +19,7 @@ RSpec.describe 'Usage stats consent' do
      end
      gitlab_sign_in(user)
+      gitlab_enable_admin_mode_sign_in(user)
    end
    it 'hides the banner permanently when sets usage stats' do

--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -278,24 +278,18 @@ RSpec.configure do |config|
    # context 'some test in mocked dir', :do_not_mock_admin_mode do ... end
    admin_mode_mock_dirs = %w(
      ./ee/spec/elastic_integration
-      ./ee/spec/features
      ./ee/spec/finders
      ./ee/spec/lib
      ./ee/spec/requests/admin
      ./ee/spec/serializers
-      ./ee/spec/support/protected_tags
-      ./ee/spec/support/shared_examples/features
      ./ee/spec/support/shared_examples/finders/geo
      ./ee/spec/support/shared_examples/graphql/geo
-      ./spec/features
      ./spec/finders
      ./spec/frontend
      ./spec/helpers
      ./spec/lib
      ./spec/requests
      ./spec/serializers
-      ./spec/support/protected_tags
-      ./spec/support/shared_examples/features
      ./spec/support/shared_examples/requests
      ./spec/support/shared_examples/lib/gitlab
      ./spec/views

--- a/spec/support/matchers/access_matchers.rb
+++ b/spec/support/matchers/access_matchers.rb
@@ -52,7 +52,7 @@ module AccessMatchers
      emulate_user(user, @membership)
      visit(url)
-      status_code == 200 && current_path != new_user_session_path
+      status_code == 200 && !current_path.in?([new_user_session_path, new_admin_session_path])
    end
    chain :of do |membership|
@@ -67,7 +67,7 @@ module AccessMatchers
      emulate_user(user, @membership)
      visit(url)
-      [401, 404].include?(status_code) || current_path == new_user_session_path
+      [401, 404].include?(status_code) || current_path.in?([new_user_session_path, new_admin_session_path])
    end
    chain :of do |membership|