Merge branch 'jejacks0n/experiment/security_reports_mr_widget_prompt_exclusions' into 'master'

Exclude users who wouldn’t be able to take action from the `security_reports_mr_widget_prompt` experiment

See merge request gitlab-org/gitlab!71432

ee/app/controllers/ee/projects/merge_requests_controller.rb

@@ -9,7 +9,10 @@ module EE
         include DescriptionDiffActions
 
         before_action only: [:show] do
-          experiment(:security_reports_mr_widget_prompt, namespace: @project.namespace).publish
+          if @project.licensed_feature_available?(:sast) && can?(current_user, :developer_access, @project)
+            experiment(:security_reports_mr_widget_prompt, namespace: @project.namespace).publish
+          end
+
           push_frontend_feature_flag(:anonymous_visual_review_feedback)
           push_frontend_feature_flag(:missing_mr_security_scan_types, @project)
           push_frontend_feature_flag(:refactor_mr_widgets_extensions, @project, default_enabled: :yaml)

ee/spec/requests/projects/merge_requests_controller_spec.rb

@@ -11,6 +11,54 @@ RSpec.describe Projects::MergeRequestsController do
     login_as(user)
   end
 
+  describe 'GET #show' do
+    before do
+      # To avoid adjusting this controller, we just want to allow these tests to pass. This action wasn't tested before
+      # these were added for the experiment, and already exceeded the threshold.
+      # Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/343375
+      # More: https://docs.gitlab.com/ee/development/query_count_limits.html#disable-query-limiting
+      stub_const('Gitlab::QueryLimiting::Transaction::THRESHOLD', 103)
+
+      stub_licensed_features(sast: true)
+    end
+
+    def get_show
+      get project_merge_request_path(project, merge_request)
+    end
+
+    context 'when the user has developer access' do
+      it 'publishes the security_reports_mr_widget_prompt experiment' do
+        expect_next_instance_of(SecurityReportsMrWidgetPromptExperiment) do |instance|
+          expect(instance).to receive(:publish)
+        end
+
+        get_show
+      end
+    end
+
+    context 'when the user does not have developer access' do
+      let(:user) { create(:user) }
+
+      it 'does not publish the security_reports_mr_widget_prompt experiment' do
+        expect(SecurityReportsMrWidgetPromptExperiment).not_to receive(:new)
+
+        get_show
+      end
+    end
+
+    context 'when the project is not licensed for sast' do
+      before do
+        expect(License).to receive(:feature_available?).with(:sast).and_return(false)
+      end
+
+      it 'does not publish the security_reports_mr_widget_prompt experiment' do
+        expect(SecurityReportsMrWidgetPromptExperiment).not_to receive(:new)
+
+        get_show
+      end
+    end
+  end
+
   describe 'GET #edit' do
     def get_edit
       get edit_project_merge_request_path(project, merge_request)