Allow auditor users to create groups and projects.

1. Projects under the groups they belong to, or under their own personal namespace. They cannot create projects under groups they don't have explicit control over. 2. Since we're thinking of auditor users as "regular users with readonly access to everything they wouldn't normally see", it makes sense to let them do anything a regular user would do, including creating projects and groups.

Allow auditor users to create groups and projects.
1. Projects under the groups they belong to, or under their own personal namespace. They cannot create projects under groups they don't have explicit control over. 2. Since we're thinking of auditor users as "regular users with readonly access to everything they wouldn't normally see", it makes sense to let them do anything a regular user would do, including creating projects and groups.
ac299a0e · Timothy Andrew · 2bacfd48 · ac299a0e · ac299a0e · ac299a0e
Commit ac299a0e authored Feb 02, 2017 by Timothy Andrew
4 changed files
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -2,7 +2,7 @@ class GlobalPolicy < BasePolicy
  def rules
    return unless @user

-    can! :create_group if @user.can_create_group && !@user.auditor?
+    can! :create_group if @user.can_create_group
    can! :read_users_list
  end
 end
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
 class NamespacePolicy < BasePolicy
  def rules
    return unless @user
-    return if @user.auditor?

    if @subject.owner == @user || @user.admin?
      can! :create_projects

--- a/spec/controllers/groups_controller_spec.rb
+++ b/spec/controllers/groups_controller_spec.rb
@@ -159,14 +159,14 @@ describe GroupsController do
        expect(response).to have_http_status(404)
      end

-      it 'does not allow an auditor with "can_create_group" set to true to create a group' do
+      it 'allows an auditor with "can_create_group" set to true to create a group' do
        sign_in(create(:user, :auditor, can_create_group: true))

        expect do
          post :create, group: { name: 'new_group', path: "new_group" }
-        end.not_to change { Group.count }
+        end.to change { Group.count }.by(1)

-        expect(response).to have_http_status(404)
+        expect(response).to have_http_status(302)
      end
    end
  end

--- a/spec/policies/namespace_policy_spec.rb
+++ b/spec/policies/namespace_policy_spec.rb
@@ -34,7 +34,15 @@ describe NamespacePolicy, models: true do
  context 'auditor' do
    let(:current_user) { auditor }

-    it { is_expected.to be_empty }
+    context 'owner' do
+      let(:namespace) { create(:namespace, owner: auditor) }
+
+      it { is_expected.to include(*owner_permissions) }
+    end
+
+    context 'non-owner' do
+      it { is_expected.to be_empty }
+    end
  end

  context 'admin' do