Use policies framework for determining admin access to groups

f539b03a · Diego Louzán · Bob Van Landuyt · 3c0902c7 · f539b03a · f539b03a
Commit f539b03a authored Mar 09, 2021 by Diego Louzán Committed by Bob Van Landuyt Mar 09, 2021
33 changed files
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -505,7 +505,7 @@ class Group < Namespace
  # @param only_concrete_membership [Bool] whether require admin concrete membership status
  def max_member_access_for_user(user, only_concrete_membership: false)
    return GroupMember::NO_ACCESS unless user
-    return GroupMember::OWNER if user.admin? && !only_concrete_membership
+    return GroupMember::OWNER if user.can_admin_all_resources? && !only_concrete_membership
    max_member_access = members_with_parents.where(user_id: user)
                                            .reorder(access_level: :desc)

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1704,6 +1704,10 @@ class User < ApplicationRecord
    can?(:read_all_resources)
  end
+  def can_admin_all_resources?
+    can?(:admin_all_resources)
+  end
  def update_two_factor_requirement
    periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period)

--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -55,14 +55,17 @@ class BasePolicy < DeclarativePolicy::Base
    prevent :read_cross_project
  end
-  # Policy extended in EE to also enable auditors
+  rule { admin }.policy do
-  rule { admin }.enable :read_all_resources
+    # Only for actual administrator accounts, behaviour affected by admin mode application setting
+    enable :admin_all_resources
+    # Policy extended in EE to also enable auditors
+    enable :read_all_resources
+    enable :change_repository_storage
+  end
  rule { default }.enable :read_cross_project
  condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
-  rule { admin }.enable :change_repository_storage
 end
 BasePolicy.prepend_if_ee('EE::BasePolicy')
--- a/changelogs/unreleased/refactor-use-policies-framework-for-admin.yml
+++ b/changelogs/unreleased/refactor-use-policies-framework-for-admin.yml
+---
+title: Use policies for group access rights as admin
+merge_request: 55349
+author: Diego Louzán
+type: changed
--- a/ee/spec/controllers/groups/clusters_controller_spec.rb
+++ b/ee/spec/controllers/groups/clusters_controller_spec.rb
@@ -41,7 +41,12 @@ RSpec.describe Groups::ClustersController do
        allow(controller).to receive(:prometheus_adapter).and_return(prometheus_adapter)
      end
-      it { expect { go }.to be_allowed_for(:admin) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { expect { go }.to be_allowed_for(:admin) }
+      end
+      context 'when admin mode is disabled' do
+        it { expect { go }.to be_denied_for(:admin) }
+      end
      it { expect { go }.to be_allowed_for(:owner).of(clusterable) }
      it { expect { go }.to be_allowed_for(:maintainer).of(clusterable) }
      it { expect { go }.to be_denied_for(:developer).of(clusterable) }
@@ -78,7 +83,12 @@ RSpec.describe Groups::ClustersController do
    end
    describe 'security' do
-      it { expect { get_cluster_environments }.to be_allowed_for(:admin) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { expect { get_cluster_environments }.to be_allowed_for(:admin) }
+      end
+      context 'when admin mode is disabled' do
+        it { expect { get_cluster_environments }.to be_denied_for(:admin) }
+      end
      it { expect { get_cluster_environments }.to be_allowed_for(:owner).of(group) }
      it { expect { get_cluster_environments }.to be_allowed_for(:maintainer).of(group) }
      it { expect { get_cluster_environments }.to be_denied_for(:developer).of(group) }

--- a/ee/spec/features/security/group/private_access_spec.rb
+++ b/ee/spec/features/security/group/private_access_spec.rb
@@ -20,7 +20,12 @@ RSpec.describe '[EE] Private Group access' do
    subject { group_insights_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:auditor) }
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }

--- a/ee/spec/models/ee/event_spec.rb
+++ b/ee/spec/models/ee/event_spec.rb
@@ -75,9 +75,7 @@ RSpec.describe Event do
      end
      context 'when admin mode disabled' do
-        # Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
+        it 'is not visible to admin', :aggregate_failures do
-        # See https://gitlab.com/gitlab-org/gitlab/-/issues/207950
-        xit 'is not visible to admin', :aggregate_failures do
          expect(event).not_to be_visible_to(admin)
        end
      end

--- a/ee/spec/models/ee/user_spec.rb
+++ b/ee/spec/models/ee/user_spec.rb
@@ -265,6 +265,14 @@ RSpec.describe User do
    end
  end
+  describe '#can_admin_all_resources?' do
+    it 'returns false for auditor user' do
+      user = build(:user, :auditor)
+      expect(user.can_admin_all_resources?).to be_falsy
+    end
+  end
  describe '#forget_me!' do
    subject { create(:user, remember_created_at: Time.current) }

--- a/ee/spec/policies/base_policy_spec.rb
+++ b/ee/spec/policies/base_policy_spec.rb
@@ -26,4 +26,10 @@ RSpec.describe BasePolicy do
      is_expected.to be_allowed(:read_all_resources)
    end
  end
+  describe 'admin all resources' do
+    it 'forbids auditors' do
+      is_expected.to be_disallowed(:admin_all_resources)
+    end
+  end
 end
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
--- a/ee/spec/services/epics/transfer_service_spec.rb
+++ b/ee/spec/services/epics/transfer_service_spec.rb
@@ -4,9 +4,14 @@ require 'spec_helper'
 RSpec.describe Epics::TransferService do
  describe '#execute' do
-    let_it_be(:user) { create(:admin) }
+    let_it_be(:user) { create(:user) }
    let_it_be(:new_group, refind: true) { create(:group) }
    let_it_be(:old_group, refind: true) { create(:group) }
+    before do
+      old_group.add_maintainer(user) if old_group
+    end
    subject(:service) { described_class.new(user, old_group, project) }
    context 'when old_group is present' do

--- a/ee/spec/services/todo_service_spec.rb
+++ b/ee/spec/services/todo_service_spec.rb
@@ -114,7 +114,7 @@ RSpec.describe TodoService do
          context 'for mentioned users' do
            let(:todo_params) { { action: Todo::MENTIONED } }
-            let(:todos_for) { [member, author, guest, admin] }
+            let(:todos_for) { [member, author, guest] }
            let(:todos_not_for) { [non_member, john_doe, skipped] }
            include_examples 'todos creation'
@@ -126,7 +126,7 @@ RSpec.describe TodoService do
            end
            let(:todo_params) { { action: Todo::DIRECTLY_ADDRESSED } }
-            let(:todos_for) { [member, author, guest, admin] }
+            let(:todos_for) { [member, author, guest] }
            let(:todos_not_for) { [non_member, john_doe, skipped] }
            include_examples 'todos creation'

--- a/ee/spec/views/groups/compliance_frameworks/edit.html.haml_spec.rb
+++ b/ee/spec/views/groups/compliance_frameworks/edit.html.haml_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/edit.html.haml' do
    assign(:group, group)
    allow(view).to receive(:current_user).and_return(user)
+    allow(user).to receive(:can_admin_all_resources?).and_return(false)
    allow(user).to receive(:can?).with(:admin_compliance_pipeline_configuration, group).and_return(true)
    allow(view).to receive(:params).and_return(id: 1)
  end

--- a/ee/spec/views/groups/compliance_frameworks/new.html.haml_spec.rb
+++ b/ee/spec/views/groups/compliance_frameworks/new.html.haml_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe 'groups/compliance_frameworks/new.html.haml' do
    assign(:group, group)
    allow(view).to receive(:current_user).and_return(user)
+    allow(user).to receive(:can_admin_all_resources?).and_return(false)
    allow(user).to receive(:can?).with(:admin_compliance_pipeline_configuration, group).and_return(true)
  end

--- a/lib/declarative_policy/policy_dsl.rb
+++ b/lib/declarative_policy/policy_dsl.rb
@@ -6,7 +6,7 @@ module DeclarativePolicy
  # Policy class (context_class here). See Base.rule
  #
  # Note that the #policy method just performs an #instance_eval,
-  # which is useful for multiple #enable or #prevent callse.
+  # which is useful for multiple #enable or #prevent calls.
  #
  # Also provides a #method_missing proxy to the context
  # class's class methods, so that helper methods can be

--- a/spec/controllers/groups/clusters/applications_controller_spec.rb
+++ b/spec/controllers/groups/clusters/applications_controller_spec.rb
@@ -10,7 +10,8 @@ RSpec.describe Groups::Clusters::ApplicationsController do
  end
  shared_examples 'a secure endpoint' do
-    it { expect { subject }.to be_allowed_for(:admin) }
+    it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { subject }.to be_allowed_for(:admin) }
+    it('is denied for admin when admin mode is disabled') { expect { subject }.to be_denied_for(:admin) }
    it { expect { subject }.to be_allowed_for(:owner).of(group) }
    it { expect { subject }.to be_allowed_for(:maintainer).of(group) }
    it { expect { subject }.to be_denied_for(:developer).of(group) }

--- a/spec/controllers/groups/clusters_controller_spec.rb
+++ b/spec/controllers/groups/clusters_controller_spec.rb
@@ -99,7 +99,8 @@ RSpec.describe Groups::ClustersController do
    describe 'security' do
      let(:cluster) { create(:cluster, :provided_by_gcp, cluster_type: :group_type, groups: [group]) }
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -183,7 +184,8 @@ RSpec.describe Groups::ClustersController do
    include_examples 'GET new cluster shared examples'
    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -316,7 +318,8 @@ RSpec.describe Groups::ClustersController do
        allow(WaitForClusterCreationWorker).to receive(:perform_in).and_return(nil)
      end
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -418,7 +421,8 @@ RSpec.describe Groups::ClustersController do
    end
    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -486,7 +490,8 @@ RSpec.describe Groups::ClustersController do
        allow(WaitForClusterCreationWorker).to receive(:perform_in)
      end
-      it { expect { post_create_aws }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { post_create_aws }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { post_create_aws }.to be_denied_for(:admin) }
      it { expect { post_create_aws }.to be_allowed_for(:owner).of(group) }
      it { expect { post_create_aws }.to be_allowed_for(:maintainer).of(group) }
      it { expect { post_create_aws }.to be_denied_for(:developer).of(group) }
@@ -544,7 +549,8 @@ RSpec.describe Groups::ClustersController do
        end
      end
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -580,7 +586,8 @@ RSpec.describe Groups::ClustersController do
    end
    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -619,7 +626,8 @@ RSpec.describe Groups::ClustersController do
    end
    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -651,7 +659,8 @@ RSpec.describe Groups::ClustersController do
    end
    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -759,7 +768,8 @@ RSpec.describe Groups::ClustersController do
    describe 'security' do
      let_it_be(:cluster) { create(:cluster, :provided_by_gcp, cluster_type: :group_type, groups: [group]) }
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }
@@ -827,7 +837,8 @@ RSpec.describe Groups::ClustersController do
    describe 'security' do
      let_it_be(:cluster) { create(:cluster, :provided_by_gcp, :production_environment, cluster_type: :group_type, groups: [group]) }
-      it { expect { go }.to be_allowed_for(:admin) }
+      it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+      it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
      it { expect { go }.to be_allowed_for(:owner).of(group) }
      it { expect { go }.to be_allowed_for(:maintainer).of(group) }
      it { expect { go }.to be_denied_for(:developer).of(group) }

--- a/spec/controllers/groups_controller_spec.rb
+++ b/spec/controllers/groups_controller_spec.rb
@@ -4,17 +4,23 @@ require 'spec_helper'
 RSpec.describe GroupsController, factory_default: :keep do
  include ExternalAuthorizationServiceHelpers
+  include AdminModeHelper
  let_it_be_with_refind(:group) { create_default(:group, :public) }
  let_it_be_with_refind(:project) { create(:project, namespace: group) }
  let_it_be(:user) { create(:user) }
-  let_it_be(:admin) { create(:admin) }
+  let_it_be(:admin_with_admin_mode) { create(:admin) }
+  let_it_be(:admin_without_admin_mode) { create(:admin) }
  let_it_be(:group_member) { create(:group_member, group: group, user: user) }
  let_it_be(:owner) { group.add_owner(create(:user)).user }
  let_it_be(:maintainer) { group.add_maintainer(create(:user)).user }
  let_it_be(:developer) { group.add_developer(create(:user)).user }
  let_it_be(:guest) { group.add_guest(create(:user)).user }
+  before do
+    enable_admin_mode!(admin_with_admin_mode)
+  end
  shared_examples 'member with ability to create subgroups' do
    it 'renders the new page' do
      sign_in(member)
@@ -105,10 +111,10 @@ RSpec.describe GroupsController, factory_default: :keep do
      [true, false].each do |can_create_group_status|
        context "and can_create_group is #{can_create_group_status}" do
          before do
-            User.where(id: [admin, owner, maintainer, developer, guest]).update_all(can_create_group: can_create_group_status)
+            User.where(id: [admin_with_admin_mode, admin_without_admin_mode, owner, maintainer, developer, guest]).update_all(can_create_group: can_create_group_status)
          end
-          [:admin, :owner, :maintainer].each do |member_type|
+          [:admin_with_admin_mode, :owner, :maintainer].each do |member_type|
            context "and logged in as #{member_type.capitalize}" do
              it_behaves_like 'member with ability to create subgroups' do
                let(:member) { send(member_type) }
@@ -116,7 +122,7 @@ RSpec.describe GroupsController, factory_default: :keep do
            end
          end
-          [:guest, :developer].each do |member_type|
+          [:guest, :developer, :admin_without_admin_mode].each do |member_type|
            context "and logged in as #{member_type.capitalize}" do
              it_behaves_like 'member without ability to create subgroups' do
                let(:member) { send(member_type) }
@@ -856,6 +862,12 @@ RSpec.describe GroupsController, factory_default: :keep do
  end
  describe 'POST #export' do
+    let(:admin) { create(:admin) }
+    before do
+      enable_admin_mode!(admin)
+    end
    context 'when the group export feature flag is not enabled' do
      before do
        sign_in(admin)
@@ -918,6 +930,12 @@ RSpec.describe GroupsController, factory_default: :keep do
  end
  describe 'GET #download_export' do
+    let(:admin) { create(:admin) }
+    before do
+      enable_admin_mode!(admin)
+    end
    context 'when there is a file available to download' do
      let(:export_file) { fixture_file_upload('spec/fixtures/group_export.tar.gz') }
@@ -934,8 +952,6 @@ RSpec.describe GroupsController, factory_default: :keep do
    end
    context 'when there is no file available to download' do
-      let(:admin) { create(:admin) }
      before do
        sign_in(admin)
      end

--- a/spec/features/groups_spec.rb
+++ b/spec/features/groups_spec.rb
@@ -143,7 +143,7 @@ RSpec.describe 'Group' do
    end
  end
-  describe 'create a nested group', :js do
+  describe 'create a nested group' do
    let_it_be(:group) { create(:group, path: 'foo') }
    context 'as admin' do
@@ -153,13 +153,21 @@ RSpec.describe 'Group' do
        visit new_group_path(group, parent_id: group.id)
      end
-      it 'creates a nested group' do
+      context 'when admin mode is enabled', :enable_admin_mode do
-        fill_in 'Group name', with: 'bar'
+        it 'creates a nested group' do
-        fill_in 'Group URL', with: 'bar'
+          fill_in 'Group name', with: 'bar'
-        click_button 'Create group'
+          fill_in 'Group URL', with: 'bar'
+          click_button 'Create group'
-        expect(current_path).to eq(group_path('foo/bar'))
+          expect(current_path).to eq(group_path('foo/bar'))
-        expect(page).to have_content("Group 'bar' was successfully created.")
+          expect(page).to have_content("Group 'bar' was successfully created.")
+        end
+      end
+      context 'when admin mode is disabled' do
+        it 'is not allowed' do
+          expect(page).to have_gitlab_http_status(:not_found)
+        end
      end
    end

--- a/spec/features/projects/new_project_spec.rb
+++ b/spec/features/projects/new_project_spec.rb
@@ -95,33 +95,55 @@ RSpec.describe 'New project', :js do
      end
      context 'when group visibility is private but default is internal' do
+        let_it_be(:group) { create(:group, visibility_level: Gitlab::VisibilityLevel::PRIVATE) }
        before do
          stub_application_setting(default_project_visibility: Gitlab::VisibilityLevel::INTERNAL)
        end
-        it 'has private selected' do
+        context 'when admin mode is enabled', :enable_admin_mode do
-          group = create(:group, visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+          it 'has private selected' do
-          visit new_project_path(namespace_id: group.id)
+            visit new_project_path(namespace_id: group.id)
-          find('[data-qa-selector="blank_project_link"]').click
+            find('[data-qa-selector="blank_project_link"]').click
-          page.within('#blank-project-pane') do
+            page.within('#blank-project-pane') do
-            expect(find_field("project_visibility_level_#{Gitlab::VisibilityLevel::PRIVATE}")).to be_checked
+              expect(find_field("project_visibility_level_#{Gitlab::VisibilityLevel::PRIVATE}")).to be_checked
+            end
+          end
+        end
+        context 'when admin mode is disabled' do
+          it 'is not allowed' do
+            visit new_project_path(namespace_id: group.id)
+            expect(page).to have_content('Not Found')
          end
        end
      end
      context 'when group visibility is public but user requests private' do
+        let_it_be(:group) { create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
        before do
          stub_application_setting(default_project_visibility: Gitlab::VisibilityLevel::INTERNAL)
        end
-        it 'has private selected' do
+        context 'when admin mode is enabled', :enable_admin_mode do
-          group = create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          it 'has private selected' do
-          visit new_project_path(namespace_id: group.id, project: { visibility_level: Gitlab::VisibilityLevel::PRIVATE })
+            visit new_project_path(namespace_id: group.id, project: { visibility_level: Gitlab::VisibilityLevel::PRIVATE })
-          find('[data-qa-selector="blank_project_link"]').click
+            find('[data-qa-selector="blank_project_link"]').click
-          page.within('#blank-project-pane') do
+            page.within('#blank-project-pane') do
-            expect(find_field("project_visibility_level_#{Gitlab::VisibilityLevel::PRIVATE}")).to be_checked
+              expect(find_field("project_visibility_level_#{Gitlab::VisibilityLevel::PRIVATE}")).to be_checked
+            end
+          end
+        end
+        context 'when admin mode is disabled' do
+          it 'is not allowed' do
+            visit new_project_path(namespace_id: group.id, project: { visibility_level: Gitlab::VisibilityLevel::PRIVATE })
+            expect(page).to have_content('Not Found')
          end
        end
      end

--- a/spec/features/security/group/internal_access_spec.rb
+++ b/spec/features/security/group/internal_access_spec.rb
@@ -24,7 +24,12 @@ RSpec.describe 'Internal Group access' do
  describe 'GET /groups/:path' do
    subject { group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -39,7 +44,12 @@ RSpec.describe 'Internal Group access' do
  describe 'GET /groups/:path/-/issues' do
    subject { issues_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -56,7 +66,12 @@ RSpec.describe 'Internal Group access' do
    subject { merge_requests_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -71,7 +86,12 @@ RSpec.describe 'Internal Group access' do
  describe 'GET /groups/:path/-/group_members' do
    subject { group_group_members_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -86,7 +106,12 @@ RSpec.describe 'Internal Group access' do
  describe 'GET /groups/:path/-/edit' do
    subject { edit_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_denied_for(:maintainer).of(group) }
    it { is_expected.to be_denied_for(:developer).of(group) }

--- a/spec/features/security/group/private_access_spec.rb
+++ b/spec/features/security/group/private_access_spec.rb
@@ -24,7 +24,12 @@ RSpec.describe 'Private Group access' do
  describe 'GET /groups/:path' do
    subject { group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -39,7 +44,12 @@ RSpec.describe 'Private Group access' do
  describe 'GET /groups/:path/-/issues' do
    subject { issues_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -56,7 +66,12 @@ RSpec.describe 'Private Group access' do
    subject { merge_requests_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -71,7 +86,12 @@ RSpec.describe 'Private Group access' do
  describe 'GET /groups/:path/-/group_members' do
    subject { group_group_members_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -86,7 +106,12 @@ RSpec.describe 'Private Group access' do
  describe 'GET /groups/:path/-/edit' do
    subject { edit_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_denied_for(:maintainer).of(group) }
    it { is_expected.to be_denied_for(:developer).of(group) }
@@ -107,7 +132,12 @@ RSpec.describe 'Private Group access' do
    subject { group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }

--- a/spec/features/security/group/public_access_spec.rb
+++ b/spec/features/security/group/public_access_spec.rb
@@ -24,7 +24,12 @@ RSpec.describe 'Public Group access' do
  describe 'GET /groups/:path' do
    subject { group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -39,7 +44,12 @@ RSpec.describe 'Public Group access' do
  describe 'GET /groups/:path/-/issues' do
    subject { issues_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -56,7 +66,12 @@ RSpec.describe 'Public Group access' do
    subject { merge_requests_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -71,7 +86,12 @@ RSpec.describe 'Public Group access' do
  describe 'GET /groups/:path/-/group_members' do
    subject { group_group_members_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_allowed_for(:maintainer).of(group) }
    it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -86,7 +106,12 @@ RSpec.describe 'Public Group access' do
  describe 'GET /groups/:path/-/edit' do
    subject { edit_group_path(group) }
-    it { is_expected.to be_allowed_for(:admin) }
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it { is_expected.to be_allowed_for(:admin) }
+    end
+    context 'when admin mode is disabled' do
+      it { is_expected.to be_denied_for(:admin) }
+    end
    it { is_expected.to be_allowed_for(:owner).of(group) }
    it { is_expected.to be_denied_for(:maintainer).of(group) }
    it { is_expected.to be_denied_for(:developer).of(group) }

--- a/spec/helpers/namespaces_helper_spec.rb
+++ b/spec/helpers/namespaces_helper_spec.rb
@@ -46,13 +46,26 @@ RSpec.describe NamespacesHelper do
  end
  describe '#namespaces_options' do
-    it 'returns groups without being a member for admin' do
+    context 'when admin mode is enabled', :enable_admin_mode do
-      allow(helper).to receive(:current_user).and_return(admin)
+      it 'returns groups without being a member for admin' do
+        allow(helper).to receive(:current_user).and_return(admin)
-      options = helper.namespaces_options(user_group.id, display_path: true, extra_group: user_group.id)
+        options = helper.namespaces_options(user_group.id, display_path: true, extra_group: user_group.id)
-      expect(options).to include(admin_group.name)
+        expect(options).to include(admin_group.name)
-      expect(options).to include(user_group.name)
+        expect(options).to include(user_group.name)
+      end
+    end
+    context 'when admin mode is disabled' do
+      it 'returns only allowed namespaces for admin' do
+        allow(helper).to receive(:current_user).and_return(admin)
+        options = helper.namespaces_options(user_group.id, display_path: true, extra_group: user_group.id)
+        expect(options).to include(admin_group.name)
+        expect(options).not_to include(user_group.name)
+      end
    end
    it 'returns only allowed namespaces for user' do
@@ -74,13 +87,16 @@ RSpec.describe NamespacesHelper do
      expect(options).to include(admin_group.name)
    end
-    it 'selects existing group' do
+    context 'when admin mode is disabled' do
-      allow(helper).to receive(:current_user).and_return(admin)
+      it 'selects existing group' do
+        allow(helper).to receive(:current_user).and_return(admin)
+        user_group.add_owner(admin)
-      options = helper.namespaces_options(:extra_group, display_path: true, extra_group: user_group)
+        options = helper.namespaces_options(:extra_group, display_path: true, extra_group: user_group)
-      expect(options).to include("selected=\"selected\" value=\"#{user_group.id}\"")
+        expect(options).to include("selected=\"selected\" value=\"#{user_group.id}\"")
-      expect(options).to include(admin_group.name)
+        expect(options).to include(admin_group.name)
+      end
    end
    it 'selects the new group by default' do

--- a/spec/lib/gitlab/import_export/project/tree_saver_spec.rb
+++ b/spec/lib/gitlab/import_export/project/tree_saver_spec.rb
@@ -349,14 +349,22 @@ RSpec.describe Gitlab::ImportExport::Project::TreeSaver do
            project_tree_saver.save
          end
-          it 'exports group members as admin' do
+          context 'when admin mode is enabled', :enable_admin_mode do
-            expect(member_emails).to include('group@member.com')
+            it 'exports group members as admin' do
-          end
+              expect(member_emails).to include('group@member.com')
+            end
-          it 'exports group members as project members' do
+            it 'exports group members as project members' do
-            member_types = subject.map { |pm| pm['source_type'] }
+              member_types = subject.map { |pm| pm['source_type'] }
+              expect(member_types).to all(eq('Project'))
+            end
+          end
-            expect(member_types).to all(eq('Project'))
+          context 'when admin mode is disabled' do
+            it 'does not export group members' do
+              expect(member_emails).not_to include('group@member.com')
+            end
          end
        end
      end

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -781,8 +781,16 @@ RSpec.describe Group do
    context 'evaluating admin access level' do
      let_it_be(:admin) { create(:admin) }
-      it 'returns OWNER by default' do
+      context 'when admin mode is enabled', :enable_admin_mode do
-        expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::OWNER)
+        it 'returns OWNER by default' do
+          expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::OWNER)
+        end
+      end
+      context 'when admin mode is disabled' do
+        it 'returns NO_ACCESS' do
+          expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::NO_ACCESS)
+        end
      end
      it 'returns NO_ACCESS when only concrete membership should be considered' do

--- a/spec/models/member_spec.rb
+++ b/spec/models/member_spec.rb
@@ -425,12 +425,10 @@ RSpec.describe Member do
        end
        context 'when admin mode is disabled' do
-          # Skipped because `Group#max_member_access_for_user` needs to be migrated to use admin mode
+          it 'rejects setting members.created_by to the given admin current_user' do
-          # https://gitlab.com/gitlab-org/gitlab/-/issues/207950
-          xit 'rejects setting members.created_by to the given admin current_user' do
            member = described_class.add_user(source, user, :maintainer, current_user: admin)
-            expect(member.created_by).not_to be_persisted
+            expect(member.created_by).to be_nil
          end
        end

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -3961,6 +3961,37 @@ RSpec.describe User do
    end
  end
+  describe '#can_admin_all_resources?', :request_store do
+    it 'returns false for regular user' do
+      user = build_stubbed(:user)
+      expect(user.can_admin_all_resources?).to be_falsy
+    end
+    context 'for admin user' do
+      include_context 'custom session'
+      let(:user) { build_stubbed(:user, :admin) }
+      context 'when admin mode is disabled' do
+        it 'returns false' do
+          expect(user.can_admin_all_resources?).to be_falsy
+        end
+      end
+      context 'when admin mode is enabled' do
+        before do
+          Gitlab::Auth::CurrentUserMode.new(user).request_admin_mode!
+          Gitlab::Auth::CurrentUserMode.new(user).enable_admin_mode!(password: user.password)
+        end
+        it 'returns true' do
+          expect(user.can_admin_all_resources?).to be_truthy
+        end
+      end
+    end
+  end
  describe '.ghost' do
    it "creates a ghost user if one isn't already present" do
      ghost = described_class.ghost

--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -73,10 +73,14 @@ RSpec.describe BasePolicy do
    end
  end
-  describe 'full private access' do
+  describe 'full private access: read_all_resources' do
    it_behaves_like 'admin only access', :read_all_resources
  end
+  describe 'full private access: admin_all_resources' do
+    it_behaves_like 'admin only access', :admin_all_resources
+  end
  describe 'change_repository_storage' do
    it_behaves_like 'admin only access', :change_repository_storage
  end

--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -193,16 +193,24 @@ RSpec.describe GroupPolicy do
    let(:current_user) { admin }
    specify do
-      expect_allowed(*read_group_permissions)
+      expect_disallowed(*read_group_permissions)
-      expect_allowed(*guest_permissions)
+      expect_disallowed(*guest_permissions)
-      expect_allowed(*reporter_permissions)
+      expect_disallowed(*reporter_permissions)
-      expect_allowed(*developer_permissions)
+      expect_disallowed(*developer_permissions)
-      expect_allowed(*maintainer_permissions)
+      expect_disallowed(*maintainer_permissions)
-      expect_allowed(*owner_permissions)
+      expect_disallowed(*owner_permissions)
    end
    context 'with admin mode', :enable_admin_mode do
-      specify { expect_allowed(*admin_permissions) }
+      specify do
+        expect_allowed(*read_group_permissions)
+        expect_allowed(*guest_permissions)
+        expect_allowed(*reporter_permissions)
+        expect_allowed(*developer_permissions)
+        expect_allowed(*maintainer_permissions)
+        expect_allowed(*owner_permissions)
+        expect_allowed(*admin_permissions)
+      end
    end
    it_behaves_like 'deploy token does not get confused with user' do
@@ -773,7 +781,13 @@ RSpec.describe GroupPolicy do
    context 'admin' do
      let(:current_user) { admin }
-      it { is_expected.to be_allowed(:create_jira_connect_subscription) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:create_jira_connect_subscription) }
+      end
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
+      end
    end
    context 'with owner' do
@@ -817,7 +831,13 @@ RSpec.describe GroupPolicy do
    context 'admin' do
      let(:current_user) { admin }
-      it { is_expected.to be_allowed(:read_package) }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:read_package) }
+      end
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:read_package) }
+      end
    end
    context 'with owner' do

--- a/spec/presenters/projects/import_export/project_export_presenter_spec.rb
+++ b/spec/presenters/projects/import_export/project_export_presenter_spec.rb
@@ -86,14 +86,22 @@ RSpec.describe Projects::ImportExport::ProjectExportPresenter do
    context 'as admin' do
      let(:user) { create(:admin) }
-      it 'exports group members as admin' do
+      context 'when admin mode is enabled', :enable_admin_mode do
-        expect(member_emails).to include('group@member.com')
+        it 'exports group members as admin' do
-      end
+          expect(member_emails).to include('group@member.com')
+        end
+        it 'exports group members as project members' do
+          member_types = subject.project_members.map { |pm| pm.source_type }
-      it 'exports group members as project members' do
+          expect(member_types).to all(eq('Project'))
-        member_types = subject.project_members.map { |pm| pm.source_type }
+        end
+      end
-        expect(member_types).to all(eq('Project'))
+      context 'when admin mode is disabled' do
+        it 'does not export group members' do
+          expect(member_emails).not_to include('group@member.com')
+        end
      end
    end
  end

--- a/spec/services/groups/import_export/import_service_spec.rb
+++ b/spec/services/groups/import_export/import_service_spec.rb
@@ -54,7 +54,7 @@ RSpec.describe Groups::ImportExport::ImportService do
  end
  context 'with group_import_ndjson feature flag disabled' do
-    let(:user) { create(:admin) }
+    let(:user) { create(:user) }
    let(:group) { create(:group) }
    let(:import_logger) { instance_double(Gitlab::Import::Logger) }
@@ -63,6 +63,8 @@ RSpec.describe Groups::ImportExport::ImportService do
    before do
      stub_feature_flags(group_import_ndjson: false)
+      group.add_owner(user)
      ImportExportUpload.create!(group: group, import_file: import_file)
      allow(Gitlab::Import::Logger).to receive(:build).and_return(import_logger)
@@ -95,7 +97,7 @@ RSpec.describe Groups::ImportExport::ImportService do
    end
    context 'when importing a ndjson export' do
-      let(:user) { create(:admin) }
+      let(:user) { create(:user) }
      let(:group) { create(:group) }
      let(:service) { described_class.new(group: group, user: user) }
      let(:import_file) { fixture_file_upload('spec/fixtures/group_export.tar.gz') }
@@ -115,6 +117,10 @@ RSpec.describe Groups::ImportExport::ImportService do
      end
      context 'when user has correct permissions' do
+        before do
+          group.add_owner(user)
+        end
        it 'imports group structure successfully' do
          expect(subject).to be_truthy
        end
@@ -147,8 +153,6 @@ RSpec.describe Groups::ImportExport::ImportService do
      end
      context 'when user does not have correct permissions' do
-        let(:user) { create(:user) }
        it 'logs the error and raises an exception' do
          expect(import_logger).to receive(:error).with(
            group_id:   group.id,
@@ -188,6 +192,10 @@ RSpec.describe Groups::ImportExport::ImportService do
      context 'when there are errors with the sub-relations' do
        let(:import_file) { fixture_file_upload('spec/fixtures/group_export_invalid_subrelations.tar.gz') }
+        before do
+          group.add_owner(user)
+        end
        it 'successfully imports the group' do
          expect(subject).to be_truthy
        end
@@ -207,7 +215,7 @@ RSpec.describe Groups::ImportExport::ImportService do
    end
    context 'when importing a json export' do
-      let(:user) { create(:admin) }
+      let(:user) { create(:user) }
      let(:group) { create(:group) }
      let(:service) { described_class.new(group: group, user: user) }
      let(:import_file) { fixture_file_upload('spec/fixtures/legacy_group_export.tar.gz') }
@@ -227,6 +235,10 @@ RSpec.describe Groups::ImportExport::ImportService do
      end
      context 'when user has correct permissions' do
+        before do
+          group.add_owner(user)
+        end
        it 'imports group structure successfully' do
          expect(subject).to be_truthy
        end
@@ -259,8 +271,6 @@ RSpec.describe Groups::ImportExport::ImportService do
      end
      context 'when user does not have correct permissions' do
-        let(:user) { create(:user) }
        it 'logs the error and raises an exception' do
          expect(import_logger).to receive(:error).with(
            group_id:   group.id,
@@ -300,6 +310,10 @@ RSpec.describe Groups::ImportExport::ImportService do
      context 'when there are errors with the sub-relations' do
        let(:import_file) { fixture_file_upload('spec/fixtures/legacy_group_export_invalid_subrelations.tar.gz') }
+        before do
+          group.add_owner(user)
+        end
        it 'successfully imports the group' do
          expect(subject).to be_truthy
        end

--- a/spec/workers/purge_dependency_proxy_cache_worker_spec.rb
+++ b/spec/workers/purge_dependency_proxy_cache_worker_spec.rb
@@ -26,19 +26,25 @@ RSpec.describe PurgeDependencyProxyCacheWorker do
    end
    context 'an admin user' do
-      include_examples 'an idempotent worker' do
+      context 'when admin mode is enabled', :enable_admin_mode do
-        let(:job_args) { [user.id, group_id] }
+        include_examples 'an idempotent worker' do
+          let(:job_args) { [user.id, group_id] }
-        it 'deletes the blobs and returns ok', :aggregate_failures do
+          it 'deletes the blobs and returns ok', :aggregate_failures do
-          expect(group.dependency_proxy_blobs.size).to eq(1)
+            expect(group.dependency_proxy_blobs.size).to eq(1)
-          expect(group.dependency_proxy_manifests.size).to eq(1)
+            expect(group.dependency_proxy_manifests.size).to eq(1)
-          subject
+            subject
-          expect(group.dependency_proxy_blobs.size).to eq(0)
+            expect(group.dependency_proxy_blobs.size).to eq(0)
-          expect(group.dependency_proxy_manifests.size).to eq(0)
+            expect(group.dependency_proxy_manifests.size).to eq(0)
+          end
        end
      end
+      context 'when admin mode is disabled' do
+        it_behaves_like 'returns nil'
+      end
    end
    context 'a non-admin user' do