Merge branch 'respect-protected-tag-for-release-premissions' into 'master'

Respect protected tag in release permissions

See merge request gitlab-org/gitlab!64693

app/policies/release_policy.rb

@@ -2,4 +2,32 @@
 
 class ReleasePolicy < BasePolicy
   delegate { @subject.project }
+
+  condition(:protected_tag) do
+    access = ::Gitlab::UserAccess.new(@user, container: @subject.project)
+
+    !access.can_create_tag?(@subject.tag)
+  end
+
+  condition(:respect_protected_tag) do
+    ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, @subject.project, default_enabled: :yaml)
+  end
+
+  condition(:project_developer) do
+    can?(:developer_access, @subject.project)
+  end
+
+  rule { respect_protected_tag & protected_tag }.policy do
+    prevent :create_release
+    prevent :update_release
+    prevent :destroy_release
+  end
+
+  # NOTE: Developer role (or above) can create, update and destroy release entries.
+  # When we remove the `evalute_protected_tag_for_release_permissions` feature flag,
+  # we should move `enable :destroy_release` to ProjectPolicy alongside with .
+  # See https://gitlab.com/gitlab-org/gitlab/-/issues/327505 for more information.
+  rule { respect_protected_tag & project_developer }.policy do
+    enable :destroy_release
+  end
 end

config/feature_flags/development/evalute_protected_tag_for_release_permissions.yml

+---
+name: evalute_protected_tag_for_release_permissions
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/64693
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/334368
+milestone: '14.1'
+type: development
+group: group::release
+default_enabled: false

spec/policies/release_policy_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ReleasePolicy, :request_store do
+  let_it_be(:developer) { create(:user) }
+  let_it_be(:maintainer) { create(:user) }
+  let_it_be(:project) { create(:project, :repository) }
+  let_it_be(:release, reload: true) { create(:release, project: project) }
+
+  let(:user) { developer }
+
+  before_all do
+    project.add_developer(developer)
+    project.add_maintainer(maintainer)
+  end
+
+  subject { described_class.new(user, release) }
+
+  context 'when the evalute_protected_tag_for_release_permissions feature flag is disabled' do
+    before do
+      stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
+    end
+
+    it 'allows the user to create and update a release' do
+      is_expected.to be_allowed(:create_release)
+      is_expected.to be_allowed(:update_release)
+    end
+
+    it 'prevents the user from destroying a release' do
+      is_expected.to be_disallowed(:destroy_release)
+    end
+
+    context 'when the user is maintainer' do
+      let(:user) { maintainer }
+
+      it 'allows the user to destroy a release' do
+        is_expected.to be_allowed(:destroy_release)
+      end
+    end
+  end
+
+  context 'when the user has access to the protected tag' do
+    let_it_be(:protected_tag) { create(:protected_tag, :developers_can_create, name: release.tag, project: project) }
+
+    it 'allows the user to create, update and destroy a release' do
+      is_expected.to be_allowed(:create_release)
+      is_expected.to be_allowed(:update_release)
+      is_expected.to be_allowed(:destroy_release)
+    end
+  end
+
+  context 'when the user does not have access to the protected tag' do
+    let_it_be(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: release.tag, project: project) }
+
+    it 'prevents the user from creating, updating and destroying a release' do
+      is_expected.to be_disallowed(:create_release)
+      is_expected.to be_disallowed(:update_release)
+      is_expected.to be_disallowed(:destroy_release)
+    end
+  end
+end