Added permissions per stage to cycle analytics endpoint

app/controllers/projects/cycle_analytics_controller.rb

@@ -6,7 +6,7 @@ class Projects::CycleAnalyticsController < Projects::ApplicationController
   before_action :authorize_read_cycle_analytics!
 
   def show
-    @cycle_analytics = ::CycleAnalytics.new(@project, from: start_date(cycle_analytics_params))
+    @cycle_analytics = ::CycleAnalytics.new(@project, from: start_date(cycle_analytics_params), user: current_user)
 
     respond_to do |format|
       format.html
@@ -54,7 +54,8 @@ class Projects::CycleAnalyticsController < Projects::ApplicationController
 
     {
       summary: summary,
-      stats: stats
+      stats: stats,
+      permissions: @cycle_analytics.permissions
     }
   end
 end

app/models/cycle_analytics.rb

 class CycleAnalytics
-  def initialize(project, from:)
+  STAGES = %i[issue plan code test review staging production].freeze
+
+  def initialize(project, from:, user:)
     @project = project
     @from = from
+    @user = user
     @fetcher = Gitlab::CycleAnalytics::MetricsFetcher.new(project: project, from: from, branch: nil)
   end
 
@@ -9,6 +12,10 @@ class CycleAnalytics
     @summary ||= Summary.new(@project, from: @from)
   end
 
+  def permissions
+    Gitlab::CycleAnalytics::Permissions.get(user: @user, project: @project)
+  end
+
   def issue
     @fetcher.calculate_metric(:issue,
                      Issue.arel_table[:created_at],

changelogs/unreleased/fix-cycle-analytics-permissions.yml

+---
+title: Added permissions per stage to cycle analytics endpoint
+merge_request: 
+author: 

lib/gitlab/cycle_analytics/permissions.rb

+module Gitlab
+  module CycleAnalytics
+    class Permissions
+      STAGE_PERMISSIONS = {
+        read_build: [:test, :staging],
+        read_issue: [:issue, :production],
+        read_merge_request: [:code, :review]
+      }.freeze
+
+      def self.get(*args)
+        new(*args).get
+      end
+
+      def initialize(user:, project:)
+        @user = user
+        @project = project
+        @stage_permission_hash = {}
+      end
+
+      def get
+        ::CycleAnalytics::STAGES.each do |stage|
+          @stage_permission_hash[stage] = authorized_stage?(stage)
+        end
+
+        @stage_permission_hash
+      end
+
+      private
+
+      def authorized_stage?(stage)
+        return false unless authorize_project(:read_cycle_analytics)
+
+        permissions_for_stage(stage).keys.each do |permission|
+          return false unless authorize_project(permission)
+        end
+
+        true
+      end
+
+      def permissions_for_stage(stage)
+        STAGE_PERMISSIONS.select { |_permission, stages| stages.include?(stage) }
+      end
+
+      def authorize_project(permission)
+        Ability.allowed?(@user, permission, @project)
+      end
+    end
+  end
+end

spec/lib/gitlab/cycle_analytics/permissions_spec.rb

+require 'spec_helper'
+
+describe Gitlab::CycleAnalytics::Permissions do
+  let(:project) { create(:empty_project) }
+  let(:user) { create(:user) }
+
+  subject { described_class.get(user: user, project: project) }
+
+  context 'user with no relation to the project' do
+    it 'has no permissions to issue stage' do
+      expect(subject[:issue]).to eq(false)
+    end
+
+    it 'has no permissions to test stage' do
+      expect(subject[:test]).to eq(false)
+    end
+
+    it 'has no permissions to staging stage' do
+      expect(subject[:staging]).to eq(false)
+    end
+
+    it 'has no permissions to production stage' do
+      expect(subject[:production]).to eq(false)
+    end
+
+    it 'has no permissions to code stage' do
+      expect(subject[:code]).to eq(false)
+    end
+
+    it 'has no permissions to review stage' do
+      expect(subject[:review]).to eq(false)
+    end
+
+    it 'has no permissions to plan stage' do
+      expect(subject[:plan]).to eq(false)
+    end
+  end
+
+  context 'user is master' do
+    before do
+      project.team << [user, :master]
+    end
+
+    it 'has permissions to issue stage' do
+      expect(subject[:issue]).to eq(true)
+    end
+
+    it 'has permissions to test stage' do
+      expect(subject[:test]).to eq(true)
+    end
+
+    it 'has permissions to staging stage' do
+      expect(subject[:staging]).to eq(true)
+    end
+
+    it 'has permissions to production stage' do
+      expect(subject[:production]).to eq(true)
+    end
+
+    it 'has permissions to code stage' do
+      expect(subject[:code]).to eq(true)
+    end
+
+    it 'has permissions to review stage' do
+      expect(subject[:review]).to eq(true)
+    end
+
+    it 'has permissions to plan stage' do
+      expect(subject[:plan]).to eq(true)
+    end
+  end
+
+  context 'user has no build permissions' do
+    before do
+      project.team << [user, :guest]
+    end
+
+    it 'has permissions to issue stage' do
+      expect(subject[:issue]).to eq(true)
+    end
+
+    it 'has no permissions to test stage' do
+      expect(subject[:test]).to eq(false)
+    end
+
+    it 'has no permissions to staging stage' do
+      expect(subject[:staging]).to eq(false)
+    end
+  end
+
+  context 'user has no merge request permissions' do
+    before do
+      project.team << [user, :guest]
+    end
+
+    it 'has permissions to issue stage' do
+      expect(subject[:issue]).to eq(true)
+    end
+
+    it 'has no permissions to code stage' do
+      expect(subject[:code]).to eq(false)
+    end
+
+    it 'has no permissions to review stage' do
+      expect(subject[:review]).to eq(false)
+    end
+  end
+
+  context 'user has no issue permissions' do
+    before do
+      project.team << [user, :developer]
+      project.project_feature.update_attribute(:issues_access_level, ProjectFeature::DISABLED)
+    end
+
+    it 'has permissions to code stage' do
+      expect(subject[:code]).to eq(true)
+    end
+
+    it 'has no permissions to issue stage' do
+      expect(subject[:issue]).to eq(false)
+    end
+
+    it 'has no permissions to production stage' do
+      expect(subject[:production]).to eq(false)
+    end
+  end
+end

spec/models/cycle_analytics/code_spec.rb

@@ -6,7 +6,7 @@ describe 'CycleAnalytics#code', feature: true do
   let(:project) { create(:project) }
   let(:from_date) { 10.days.ago }
   let(:user) { create(:user, :admin) }
-  subject { CycleAnalytics.new(project, from: from_date) }
+  subject { CycleAnalytics.new(project, from: from_date, user: user) }
 
   context 'with deployment' do
     generate_cycle_analytics_spec(

spec/models/cycle_analytics/issue_spec.rb

@@ -6,7 +6,7 @@ describe 'CycleAnalytics#issue', models: true do
   let(:project) { create(:project) }
   let(:from_date) { 10.days.ago }
   let(:user) { create(:user, :admin) }
-  subject { CycleAnalytics.new(project, from: from_date) }
+  subject { CycleAnalytics.new(project, from: from_date, user: user) }
 
   generate_cycle_analytics_spec(
     phase: :issue,

spec/models/cycle_analytics/plan_spec.rb

@@ -6,7 +6,7 @@ describe 'CycleAnalytics#plan', feature: true do
   let(:project) { create(:project) }
   let(:from_date) { 10.days.ago }
   let(:user) { create(:user, :admin) }
-  subject { CycleAnalytics.new(project, from: from_date) }
+  subject { CycleAnalytics.new(project, from: from_date, user: user) }
 
   generate_cycle_analytics_spec(
     phase: :plan,

spec/models/cycle_analytics/production_spec.rb

@@ -6,7 +6,7 @@ describe 'CycleAnalytics#production', feature: true do
   let(:project) { create(:project) }
   let(:from_date) { 10.days.ago }
   let(:user) { create(:user, :admin) }
-  subject { CycleAnalytics.new(project, from: from_date) }
+  subject { CycleAnalytics.new(project, from: from_date, user: user) }
 
   generate_cycle_analytics_spec(
     phase: :production,

spec/models/cycle_analytics/review_spec.rb

@@ -6,7 +6,7 @@ describe 'CycleAnalytics#review', feature: true do
   let(:project) { create(:project) }
   let(:from_date) { 10.days.ago }
   let(:user) { create(:user, :admin) }
-  subject { CycleAnalytics.new(project, from: from_date) }
+  subject { CycleAnalytics.new(project, from: from_date, user: user) }
 
   generate_cycle_analytics_spec(
     phase: :review,

spec/models/cycle_analytics/staging_spec.rb

@@ -6,7 +6,7 @@ describe 'CycleAnalytics#staging', feature: true do
   let(:project) { create(:project) }
   let(:from_date) { 10.days.ago }
   let(:user) { create(:user, :admin) }
-  subject { CycleAnalytics.new(project, from: from_date) }
+  subject { CycleAnalytics.new(project, from: from_date, user: user) }
 
   generate_cycle_analytics_spec(
     phase: :staging,

spec/models/cycle_analytics/summary_spec.rb

@@ -4,7 +4,7 @@ describe CycleAnalytics::Summary, models: true do
   let(:project) { create(:project) }
   let(:from) { Time.now }
   let(:user) { create(:user, :admin) }
-  subject { described_class.new(project, from: from) }
+  subject { described_class.new(project, from: from, user: user) }
 
   describe "#new_issues" do
     it "finds the number of issues created after the 'from date'" do

spec/models/cycle_analytics/test_spec.rb

@@ -6,7 +6,7 @@ describe 'CycleAnalytics#test', feature: true do
   let(:project) { create(:project) }
   let(:from_date) { 10.days.ago }
   let(:user) { create(:user, :admin) }
-  subject { CycleAnalytics.new(project, from: from_date) }
+  subject { CycleAnalytics.new(project, from: from_date, user: user) }
 
   generate_cycle_analytics_spec(
     phase: :test,