Merge branch '2256-check-crm-ff-in-policy' into 'master'

Rename crm related policies and consider feature flag status

See merge request gitlab-org/gitlab!73209

app/graphql/mutations/customer_relations/contacts/create.rb

@@ -42,13 +42,11 @@ module Mutations
                  required: false,
                  description: 'Description of or notes for the contact.'
 
-        authorize :admin_contact
+        authorize :admin_crm_contact
 
         def resolve(args)
           group = authorized_find!(id: args[:group_id])
 
-          raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless Feature.enabled?(:customer_relations, group, default_enabled: :yaml)
-
           set_organization!(args)
           result = ::CustomerRelations::Contacts::CreateService.new(group: group, current_user: current_user, params: args).execute
           { contact: result.payload, errors: result.errors }

app/graphql/mutations/customer_relations/contacts/update.rb

@@ -8,7 +8,7 @@ module Mutations
 
         graphql_name 'CustomerRelationsContactUpdate'
 
-        authorize :admin_contact
+        authorize :admin_crm_contact
 
         field :contact,
               Types::CustomerRelations::ContactType,
@@ -48,8 +48,6 @@ module Mutations
           raise_resource_not_available_error! unless contact
 
           group = contact.group
-          raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless Feature.enabled?(:customer_relations, group, default_enabled: :yaml)
-
           authorize!(group)
 
           result = ::CustomerRelations::Contacts::UpdateService.new(group: group, current_user: current_user, params: args).execute(contact)

app/graphql/mutations/customer_relations/organizations/create.rb

@@ -33,13 +33,11 @@ module Mutations
                  required: false,
                  description: 'Description of or notes for the organization.'
 
-        authorize :admin_organization
+        authorize :admin_crm_organization
 
         def resolve(args)
           group = authorized_find!(id: args[:group_id])
 
-          raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless Feature.enabled?(:customer_relations, group, default_enabled: :yaml)
-
           result = ::CustomerRelations::Organizations::CreateService.new(group: group, current_user: current_user, params: args).execute
           { organization: result.payload, errors: result.errors }
         end

app/graphql/mutations/customer_relations/organizations/update.rb

@@ -8,7 +8,7 @@ module Mutations
 
         graphql_name 'CustomerRelationsOrganizationUpdate'
 
-        authorize :admin_organization
+        authorize :admin_crm_organization
 
         field :organization,
               Types::CustomerRelations::OrganizationType,
@@ -39,8 +39,6 @@ module Mutations
           raise_resource_not_available_error! unless organization
 
           group = organization.group
-          raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless Feature.enabled?(:customer_relations, group, default_enabled: :yaml)
-
           authorize!(group)
 
           result = ::CustomerRelations::Organizations::UpdateService.new(group: group, current_user: current_user, params: args).execute(organization)

app/graphql/types/customer_relations/contact_type.rb

@@ -5,7 +5,7 @@ module Types
     class ContactType < BaseObject
       graphql_name 'CustomerRelationsContact'
 
-      authorize :read_contact
+      authorize :read_crm_contact
 
       field :id,
             GraphQL::Types::ID,

app/graphql/types/customer_relations/organization_type.rb

@@ -5,7 +5,7 @@ module Types
     class OrganizationType < BaseObject
       graphql_name 'CustomerRelationsOrganization'
 
-      authorize :read_organization
+      authorize :read_crm_organization
 
       field :id,
             GraphQL::Types::ID,

app/policies/group_policy.rb

@@ -75,6 +75,8 @@ class GroupPolicy < BasePolicy
   with_scope :subject
   condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
 
+  condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
+
   rule { can?(:read_group) & design_management_enabled }.policy do
     enable :read_design_activity
   end
@@ -113,8 +115,8 @@ class GroupPolicy < BasePolicy
     enable :read_group_member
     enable :read_custom_emoji
     enable :read_counts
-    enable :read_organization
-    enable :read_contact
+    enable :read_crm_organization
+    enable :read_crm_contact
   end
 
   rule { ~public_group & ~has_access }.prevent :read_counts
@@ -134,8 +136,8 @@ class GroupPolicy < BasePolicy
     enable :create_package
     enable :create_package_settings
     enable :developer_access
-    enable :admin_organization
-    enable :admin_contact
+    enable :admin_crm_organization
+    enable :admin_crm_contact
   end
 
   rule { reporter }.policy do
@@ -252,6 +254,13 @@ class GroupPolicy < BasePolicy
     enable :read_label
   end
 
+  rule { ~crm_enabled }.policy do
+    prevent :read_crm_contact
+    prevent :read_crm_organization
+    prevent :admin_crm_contact
+    prevent :admin_crm_organization
+  end
+
   def access_level(for_any_session: false)
     return GroupMember::NO_ACCESS if @user.nil?
     return GroupMember::NO_ACCESS unless user_is_user?

app/services/customer_relations/contacts/base_service.rb

@@ -6,7 +6,7 @@ module CustomerRelations
       private
 
       def allowed?
-        current_user&.can?(:admin_contact, group)
+        current_user&.can?(:admin_crm_contact, group)
       end
 
       def error(message)

app/services/customer_relations/organizations/base_service.rb

@@ -6,7 +6,7 @@ module CustomerRelations
       private
 
       def allowed?
-        current_user&.can?(:admin_organization, group)
+        current_user&.can?(:admin_crm_organization, group)
       end
 
       def error(message)

spec/graphql/mutations/customer_relations/contacts/create_spec.rb

@@ -45,7 +45,7 @@ RSpec.describe Mutations::CustomerRelations::Contacts::Create do
 
         it 'raises an error' do
           expect { resolve_mutation }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-            .with_message('Feature disabled')
+            .with_message("The resource that you are attempting to access does not exist or you don't have permission to perform this action")
         end
       end
 
@@ -97,5 +97,5 @@ RSpec.describe Mutations::CustomerRelations::Contacts::Create do
     end
   end
 
-  specify { expect(described_class).to require_graphql_authorizations(:admin_contact) }
+  specify { expect(described_class).to require_graphql_authorizations(:admin_crm_contact) }
 end

spec/graphql/mutations/customer_relations/contacts/update_spec.rb

@@ -65,11 +65,11 @@ RSpec.describe Mutations::CustomerRelations::Contacts::Update do
 
         it 'raises an error' do
           expect { resolve_mutation }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-            .with_message('Feature disabled')
+            .with_message("The resource that you are attempting to access does not exist or you don't have permission to perform this action")
         end
       end
     end
   end
 
-  specify { expect(described_class).to require_graphql_authorizations(:admin_contact) }
+  specify { expect(described_class).to require_graphql_authorizations(:admin_crm_contact) }
 end

spec/graphql/mutations/customer_relations/organizations/create_spec.rb

@@ -46,7 +46,7 @@ RSpec.describe Mutations::CustomerRelations::Organizations::Create do
 
           it 'raises an error' do
             expect { resolve_mutation }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-              .with_message('Feature disabled')
+              .with_message("The resource that you are attempting to access does not exist or you don't have permission to perform this action")
           end
         end
 
@@ -69,5 +69,5 @@ RSpec.describe Mutations::CustomerRelations::Organizations::Create do
     end
   end
 
-  specify { expect(described_class).to require_graphql_authorizations(:admin_organization) }
+  specify { expect(described_class).to require_graphql_authorizations(:admin_crm_organization) }
 end

spec/graphql/mutations/customer_relations/organizations/update_spec.rb

@@ -63,11 +63,11 @@ RSpec.describe Mutations::CustomerRelations::Organizations::Update do
 
         it 'raises an error' do
           expect { resolve_mutation }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-            .with_message('Feature disabled')
+            .with_message("The resource that you are attempting to access does not exist or you don't have permission to perform this action")
         end
       end
     end
   end
 
-  specify { expect(described_class).to require_graphql_authorizations(:admin_organization) }
+  specify { expect(described_class).to require_graphql_authorizations(:admin_crm_organization) }
 end

spec/graphql/types/customer_relations/contact_type_spec.rb

@@ -7,5 +7,5 @@ RSpec.describe GitlabSchema.types['CustomerRelationsContact'] do
 
   it { expect(described_class.graphql_name).to eq('CustomerRelationsContact') }
   it { expect(described_class).to have_graphql_fields(fields) }
-  it { expect(described_class).to require_graphql_authorizations(:read_contact) }
+  it { expect(described_class).to require_graphql_authorizations(:read_crm_contact) }
 end

spec/graphql/types/customer_relations/organization_type_spec.rb

@@ -7,5 +7,5 @@ RSpec.describe GitlabSchema.types['CustomerRelationsOrganization'] do
 
   it { expect(described_class.graphql_name).to eq('CustomerRelationsOrganization') }
   it { expect(described_class).to have_graphql_fields(fields) }
-  it { expect(described_class).to require_graphql_authorizations(:read_organization) }
+  it { expect(described_class).to require_graphql_authorizations(:read_crm_organization) }
 end

spec/policies/group_policy_spec.rb

@@ -11,8 +11,8 @@ RSpec.describe GroupPolicy do
 
     it do
       expect_allowed(:read_group)
-      expect_allowed(:read_organization)
-      expect_allowed(:read_contact)
+      expect_allowed(:read_crm_organization)
+      expect_allowed(:read_crm_contact)
       expect_allowed(:read_counts)
       expect_allowed(*read_group_permissions)
       expect_disallowed(:upload_file)
@@ -33,8 +33,8 @@ RSpec.describe GroupPolicy do
     end
 
     it { expect_disallowed(:read_group) }
-    it { expect_disallowed(:read_organization) }
-    it { expect_disallowed(:read_contact) }
+    it { expect_disallowed(:read_crm_organization) }
+    it { expect_disallowed(:read_crm_contact) }
     it { expect_disallowed(:read_counts) }
     it { expect_disallowed(*read_group_permissions) }
   end
@@ -48,8 +48,8 @@ RSpec.describe GroupPolicy do
     end
 
     it { expect_disallowed(:read_group) }
-    it { expect_disallowed(:read_organization) }
-    it { expect_disallowed(:read_contact) }
+    it { expect_disallowed(:read_crm_organization) }
+    it { expect_disallowed(:read_crm_contact) }
     it { expect_disallowed(:read_counts) }
     it { expect_disallowed(*read_group_permissions) }
   end
@@ -933,8 +933,8 @@ RSpec.describe GroupPolicy do
 
       it { is_expected.to be_allowed(:read_package) }
       it { is_expected.to be_allowed(:read_group) }
-      it { is_expected.to be_allowed(:read_organization) }
-      it { is_expected.to be_allowed(:read_contact) }
+      it { is_expected.to be_allowed(:read_crm_organization) }
+      it { is_expected.to be_allowed(:read_crm_contact) }
       it { is_expected.to be_disallowed(:create_package) }
     end
 
@@ -944,8 +944,8 @@ RSpec.describe GroupPolicy do
       it { is_expected.to be_allowed(:create_package) }
       it { is_expected.to be_allowed(:read_package) }
       it { is_expected.to be_allowed(:read_group) }
-      it { is_expected.to be_allowed(:read_organization) }
-      it { is_expected.to be_allowed(:read_contact) }
+      it { is_expected.to be_allowed(:read_crm_organization) }
+      it { is_expected.to be_allowed(:read_crm_contact) }
       it { is_expected.to be_disallowed(:destroy_package) }
     end
 
@@ -1032,4 +1032,17 @@ RSpec.describe GroupPolicy do
       it { is_expected.to be_disallowed(:update_runners_registration_token) }
     end
   end
+
+  context 'with customer_relations feature flag disabled' do
+    let(:current_user) { owner }
+
+    before do
+      stub_feature_flags(customer_relations: false)
+    end
+
+    it { is_expected.to be_disallowed(:read_crm_contact) }
+    it { is_expected.to be_disallowed(:read_crm_organization) }
+    it { is_expected.to be_disallowed(:admin_crm_contact) }
+    it { is_expected.to be_disallowed(:admin_crm_organization) }
+  end
 end