Remove superfluous permission check for alerts

The policy `read_prometheus_alerts` already makes sure that the user has
at least maintainer access.

Add some missing specs to cover unprivileged access.

ee/app/controllers/projects/prometheus/alerts_controller.rb

@@ -12,7 +12,6 @@ module Projects
       prepend_before_action :repository, :project_without_auth, only: [:notify]
 
       before_action :authorize_read_prometheus_alerts!, except: [:notify]
-      before_action :authorize_admin_project!, except: [:notify]
       before_action :alert, only: [:update, :show, :destroy]
 
       def index

ee/spec/controllers/projects/prometheus/alerts_controller_spec.rb

@@ -10,10 +10,22 @@ describe Projects::Prometheus::AlertsController do
 
   before do
     stub_licensed_features(prometheus_alerts: true)
-    project.add_master(user)
+    project.add_maintainer(user)
     sign_in(user)
   end
 
+  shared_examples 'unprivileged' do
+    before do
+      project.add_developer(user)
+    end
+
+    it 'returns not_found' do
+      make_request
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
+
   shared_examples 'unlicensed' do
     before do
       stub_licensed_features(prometheus_alerts: false)
@@ -105,6 +117,7 @@ describe Projects::Prometheus::AlertsController do
       end
     end
 
+    it_behaves_like 'unprivileged'
     it_behaves_like 'unlicensed'
     it_behaves_like 'project non-specific environment', :ok
   end
@@ -152,6 +165,7 @@ describe Projects::Prometheus::AlertsController do
         expect(json_response).to include(alert_params)
       end
 
+      it_behaves_like 'unprivileged'
       it_behaves_like 'unlicensed'
       it_behaves_like 'project non-specific environment', :not_found
       it_behaves_like 'project non-specific metric', :not_found
@@ -254,6 +268,7 @@ describe Projects::Prometheus::AlertsController do
       expect(response).to have_gitlab_http_status(:no_content)
     end
 
+    it_behaves_like 'unprivileged'
     it_behaves_like 'unlicensed'
     it_behaves_like 'project non-specific environment', :no_content
   end
@@ -302,6 +317,7 @@ describe Projects::Prometheus::AlertsController do
       expect(json_response).to include(alert_params)
     end
 
+    it_behaves_like 'unprivileged'
     it_behaves_like 'unlicensed'
     it_behaves_like 'project non-specific environment', :not_found
     it_behaves_like 'project non-specific metric', :not_found
@@ -333,6 +349,7 @@ describe Projects::Prometheus::AlertsController do
       expect(schedule_update_service).to have_received(:execute)
     end
 
+    it_behaves_like 'unprivileged'
     it_behaves_like 'unlicensed'
     it_behaves_like 'project non-specific environment', :not_found
     it_behaves_like 'project non-specific metric', :not_found

ee/spec/policies/project_policy_spec.rb

@@ -493,6 +493,66 @@ describe ProjectPolicy do
     end
   end
 
+  describe 'read_prometheus_alerts' do
+    context 'with prometheus_alerts available' do
+      before do
+        stub_licensed_features(prometheus_alerts: true)
+      end
+
+      context 'with admin' do
+        let(:current_user) { admin }
+
+        it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      end
+
+      context 'with owner' do
+        let(:current_user) { owner }
+
+        it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      end
+
+      context 'with maintainer' do
+        let(:current_user) { maintainer }
+
+        it { is_expected.to be_allowed(:read_prometheus_alerts) }
+      end
+
+      context 'with developer' do
+        let(:current_user) { developer }
+
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
+
+      context 'with reporter' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
+
+      context 'with guest' do
+        let(:current_user) { guest }
+
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
+
+      context 'with anonymous' do
+        let(:current_user) { nil }
+
+        it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+      end
+    end
+
+    context 'without prometheus_alerts available' do
+      before do
+        stub_licensed_features(prometheus_alerts: false)
+      end
+
+      let(:current_user) { admin }
+
+      it { is_expected.to be_disallowed(:read_prometheus_alerts) }
+    end
+  end
+
   it_behaves_like 'ee clusterable policies' do
     let(:clusterable) { create(:project, :repository) }