Merge branch 'rs-project-security-spec-speed' into 'master'

Speed up Project security access specs Prior, every single test was creating four `ProjectMember` objects, each of which created one `User` record, even though each test only used _one_ of those Users, if any. Now each test only creates the single user record it needs, if it needs one. This shaves minutes off of each spec file changed here. Part of https://gitlab.com/gitlab-org/gitlab-ce/issues/24899 See merge request !7779

Merge branch 'rs-project-security-spec-speed' into 'master'
Speed up Project security access specs Prior, every single test was creating four `ProjectMember` objects, each of which created one `User` record, even though each test only used _one_ of those Users, if any. Now each test only creates the single user record it needs, if it needs one. This shaves minutes off of each spec file changed here. Part of https://gitlab.com/gitlab-org/gitlab-ce/issues/24899 See merge request !7779
6ea0b8d5 · Rémy Coutable · bcc03024 · 13ad9a74 · 6ea0b8d5 · 6ea0b8d5
Commit 6ea0b8d5 authored Nov 28, 2016 by Rémy Coutable
4 changed files
--- a/spec/features/security/project/internal_access_spec.rb
+++ b/spec/features/security/project/internal_access_spec.rb
@@ -5,19 +5,6 @@ describe "Internal Project Access", feature: true  do
  let(:project) { create(:project, :internal) }
-  let(:owner)     { project.owner }
-  let(:master)    { create(:user) }
-  let(:developer) { create(:user) }
-  let(:reporter)  { create(:user) }
-  let(:guest)     { create(:user) }
-  before do
-    project.team << [master, :master]
-    project.team << [developer, :developer]
-    project.team << [reporter, :reporter]
-    project.team << [guest, :guest]
-  end
  describe "Project should be internal" do
    describe '#internal?' do
      subject { project.internal? }
@@ -28,213 +15,213 @@ describe "Internal Project Access", feature: true  do
  describe "GET /:project_path" do
    subject { namespace_project_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/tree/master" do
    subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/commits/master" do
    subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/commit/:sha" do
    subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/compare" do
    subject { namespace_project_compare_index_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/project_members" do
    subject { namespace_project_project_members_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
  end
  describe "GET /:project_path/blob" do
    let(:commit) { project.repository.commit }
    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/edit" do
    subject { edit_namespace_project_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/deploy_keys" do
    subject { namespace_project_deploy_keys_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/issues" do
    subject { namespace_project_issues_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/issues/:id/edit" do
    let(:issue) { create(:issue, project: project) }
    subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/snippets" do
    subject { namespace_project_snippets_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/snippets/new" do
    subject { new_namespace_project_snippet_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/merge_requests" do
    subject { namespace_project_merge_requests_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/merge_requests/new" do
    subject { new_namespace_project_merge_request_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/branches" do
@@ -245,15 +232,15 @@ describe "Internal Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:branches).and_return([])
    end
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/tags" do
@@ -264,58 +251,58 @@ describe "Internal Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:tags).and_return([])
    end
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/hooks" do
    subject { namespace_project_hooks_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/pipelines" do
    subject { namespace_project_pipelines_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/pipelines/:id" do
    let(:pipeline) { create(:ci_pipeline, project: project) }
    subject { namespace_project_pipeline_path(project.namespace, project, pipeline) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/builds" do
@@ -324,29 +311,29 @@ describe "Internal Project Access", feature: true  do
    context "when allowed for public and internal" do
      before { project.update(public_builds: true) }
-      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for(:admin) }
-      it { is_expected.to be_allowed_for owner }
+      it { is_expected.to be_allowed_for(:owner).of(project) }
-      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for(:master).of(project) }
-      it { is_expected.to be_allowed_for developer }
+      it { is_expected.to be_allowed_for(:developer).of(project) }
-      it { is_expected.to be_allowed_for reporter }
+      it { is_expected.to be_allowed_for(:reporter).of(project) }
-      it { is_expected.to be_allowed_for guest }
+      it { is_expected.to be_allowed_for(:guest).of(project) }
-      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for(:user) }
-      it { is_expected.to be_denied_for :external }
+      it { is_expected.to be_denied_for(:external) }
-      it { is_expected.to be_denied_for :visitor }
+      it { is_expected.to be_denied_for(:visitor) }
    end
    context "when disallowed for public and internal" do
      before { project.update(public_builds: false) }
-      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for(:admin) }
-      it { is_expected.to be_allowed_for owner }
+      it { is_expected.to be_allowed_for(:owner).of(project) }
-      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for(:master).of(project) }
-      it { is_expected.to be_allowed_for developer }
+      it { is_expected.to be_allowed_for(:developer).of(project) }
-      it { is_expected.to be_allowed_for reporter }
+      it { is_expected.to be_allowed_for(:reporter).of(project) }
-      it { is_expected.to be_denied_for guest }
+      it { is_expected.to be_denied_for(:guest).of(project) }
-      it { is_expected.to be_denied_for :user }
+      it { is_expected.to be_denied_for(:user) }
-      it { is_expected.to be_denied_for :external }
+      it { is_expected.to be_denied_for(:external) }
-      it { is_expected.to be_denied_for :visitor }
+      it { is_expected.to be_denied_for(:visitor) }
    end
  end
@@ -358,73 +345,73 @@ describe "Internal Project Access", feature: true  do
    context "when allowed for public and internal" do
      before { project.update(public_builds: true) }
-      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for(:admin) }
-      it { is_expected.to be_allowed_for owner }
+      it { is_expected.to be_allowed_for(:owner).of(project) }
-      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for(:master).of(project) }
-      it { is_expected.to be_allowed_for developer }
+      it { is_expected.to be_allowed_for(:developer).of(project) }
-      it { is_expected.to be_allowed_for reporter }
+      it { is_expected.to be_allowed_for(:reporter).of(project) }
-      it { is_expected.to be_allowed_for guest }
+      it { is_expected.to be_allowed_for(:guest).of(project) }
-      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for(:user) }
-      it { is_expected.to be_denied_for :external }
+      it { is_expected.to be_denied_for(:external) }
-      it { is_expected.to be_denied_for :visitor }
+      it { is_expected.to be_denied_for(:visitor) }
    end
    context "when disallowed for public and internal" do
      before { project.update(public_builds: false) }
-      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for(:admin) }
-      it { is_expected.to be_allowed_for owner }
+      it { is_expected.to be_allowed_for(:owner).of(project) }
-      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for(:master).of(project) }
-      it { is_expected.to be_allowed_for developer }
+      it { is_expected.to be_allowed_for(:developer).of(project) }
-      it { is_expected.to be_allowed_for reporter }
+      it { is_expected.to be_allowed_for(:reporter).of(project) }
-      it { is_expected.to be_denied_for guest }
+      it { is_expected.to be_denied_for(:guest).of(project) }
-      it { is_expected.to be_denied_for :user }
+      it { is_expected.to be_denied_for(:user) }
-      it { is_expected.to be_denied_for :external }
+      it { is_expected.to be_denied_for(:external) }
-      it { is_expected.to be_denied_for :visitor }
+      it { is_expected.to be_denied_for(:visitor) }
    end
  end
  describe "GET /:project_path/environments" do
    subject { namespace_project_environments_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/environments/:id" do
    let(:environment) { create(:environment, project: project) }
    subject { namespace_project_environment_path(project.namespace, project, environment) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/environments/new" do
    subject { new_namespace_project_environment_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/container_registry" do
@@ -435,14 +422,14 @@ describe "Internal Project Access", feature: true  do
    subject { namespace_project_container_registry_index_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
 end
--- a/spec/features/security/project/private_access_spec.rb
+++ b/spec/features/security/project/private_access_spec.rb
@@ -5,19 +5,6 @@ describe "Private Project Access", feature: true  do
  let(:project) { create(:project, :private) }
-  let(:owner)     { project.owner }
-  let(:master)    { create(:user) }
-  let(:developer) { create(:user) }
-  let(:reporter)  { create(:user) }
-  let(:guest)     { create(:user) }
-  before do
-    project.team << [master, :master]
-    project.team << [developer, :developer]
-    project.team << [reporter, :reporter]
-    project.team << [guest, :guest]
-  end
  describe "Project should be private" do
    describe '#private?' do
      subject { project.private? }
@@ -28,185 +15,185 @@ describe "Private Project Access", feature: true  do
  describe "GET /:project_path" do
    subject { namespace_project_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/tree/master" do
    subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/commits/master" do
    subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/commit/:sha" do
    subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/compare" do
    subject { namespace_project_compare_index_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/project_members" do
    subject { namespace_project_project_members_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/blob" do
    let(:commit) { project.repository.commit }
    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore'))}
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/edit" do
    subject { edit_namespace_project_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/deploy_keys" do
    subject { namespace_project_deploy_keys_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/issues" do
    subject { namespace_project_issues_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/issues/:id/edit" do
    let(:issue) { create(:issue, project: project) }
    subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/snippets" do
    subject { namespace_project_snippets_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/merge_requests" do
    subject { namespace_project_merge_requests_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for  guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/branches" do
@@ -217,15 +204,15 @@ describe "Private Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:branches).and_return([])
    end
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/tags" do
@@ -236,72 +223,72 @@ describe "Private Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:tags).and_return([])
    end
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/hooks" do
    subject { namespace_project_hooks_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/pipelines" do
    subject { namespace_project_pipelines_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/pipelines/:id" do
    let(:pipeline) { create(:ci_pipeline, project: project) }
    subject { namespace_project_pipeline_path(project.namespace, project, pipeline) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/builds" do
    subject { namespace_project_builds_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/builds/:id" do
@@ -309,58 +296,58 @@ describe "Private Project Access", feature: true  do
    let(:build) { create(:ci_build, pipeline: pipeline) }
    subject { namespace_project_build_path(project.namespace, project, build.id) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/environments" do
    subject { namespace_project_environments_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/environments/:id" do
    let(:environment) { create(:environment, project: project) }
    subject { namespace_project_environment_path(project.namespace, project, environment) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/environments/new" do
    subject { new_namespace_project_environment_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/container_registry" do
@@ -371,14 +358,14 @@ describe "Private Project Access", feature: true  do
    subject { namespace_project_container_registry_index_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
 end
--- a/spec/features/security/project/public_access_spec.rb
+++ b/spec/features/security/project/public_access_spec.rb
@@ -5,19 +5,6 @@ describe "Public Project Access", feature: true  do
  let(:project) { create(:project, :public) }
-  let(:owner)     { project.owner }
-  let(:master)    { create(:user) }
-  let(:developer) { create(:user) }
-  let(:reporter)  { create(:user) }
-  let(:guest)     { create(:user) }
-  before do
-    project.team << [master, :master]
-    project.team << [developer, :developer]
-    project.team << [reporter, :reporter]
-    project.team << [guest, :guest]
-  end
  describe "Project should be public" do
    describe '#public?' do
      subject { project.public? }
@@ -28,114 +15,114 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path" do
    subject { namespace_project_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/tree/master" do
    subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/commits/master" do
    subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/commit/:sha" do
    subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/compare" do
    subject { namespace_project_compare_index_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/project_members" do
    subject { namespace_project_project_members_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
  end
  describe "GET /:project_path/pipelines" do
    subject { namespace_project_pipelines_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/pipelines/:id" do
    let(:pipeline) { create(:ci_pipeline, project: project) }
    subject { namespace_project_pipeline_path(project.namespace, project, pipeline) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/builds" do
@@ -144,29 +131,29 @@ describe "Public Project Access", feature: true  do
    context "when allowed for public" do
      before { project.update(public_builds: true) }
-      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for(:admin) }
-      it { is_expected.to be_allowed_for owner }
+      it { is_expected.to be_allowed_for(:owner).of(project) }
-      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for(:master).of(project) }
-      it { is_expected.to be_allowed_for developer }
+      it { is_expected.to be_allowed_for(:developer).of(project) }
-      it { is_expected.to be_allowed_for reporter }
+      it { is_expected.to be_allowed_for(:reporter).of(project) }
-      it { is_expected.to be_allowed_for guest }
+      it { is_expected.to be_allowed_for(:guest).of(project) }
-      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for(:user) }
-      it { is_expected.to be_allowed_for :external }
+      it { is_expected.to be_allowed_for(:external) }
-      it { is_expected.to be_allowed_for :visitor }
+      it { is_expected.to be_allowed_for(:visitor) }
    end
    context "when disallowed for public" do
      before { project.update(public_builds: false) }
-      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for(:admin) }
-      it { is_expected.to be_allowed_for owner }
+      it { is_expected.to be_allowed_for(:owner).of(project) }
-      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for(:master).of(project) }
-      it { is_expected.to be_allowed_for developer }
+      it { is_expected.to be_allowed_for(:developer).of(project) }
-      it { is_expected.to be_allowed_for reporter }
+      it { is_expected.to be_allowed_for(:reporter).of(project) }
-      it { is_expected.to be_denied_for guest }
+      it { is_expected.to be_denied_for(:guest).of(project) }
-      it { is_expected.to be_denied_for :user }
+      it { is_expected.to be_denied_for(:user) }
-      it { is_expected.to be_denied_for :external }
+      it { is_expected.to be_denied_for(:external) }
-      it { is_expected.to be_denied_for :visitor }
+      it { is_expected.to be_denied_for(:visitor) }
    end
  end
@@ -178,73 +165,73 @@ describe "Public Project Access", feature: true  do
    context "when allowed for public" do
      before { project.update(public_builds: true) }
-      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for(:admin) }
-      it { is_expected.to be_allowed_for owner }
+      it { is_expected.to be_allowed_for(:owner).of(project) }
-      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for(:master).of(project) }
-      it { is_expected.to be_allowed_for developer }
+      it { is_expected.to be_allowed_for(:developer).of(project) }
-      it { is_expected.to be_allowed_for reporter }
+      it { is_expected.to be_allowed_for(:reporter).of(project) }
-      it { is_expected.to be_allowed_for guest }
+      it { is_expected.to be_allowed_for(:guest).of(project) }
-      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for(:user) }
-      it { is_expected.to be_allowed_for :external }
+      it { is_expected.to be_allowed_for(:external) }
-      it { is_expected.to be_allowed_for :visitor }
+      it { is_expected.to be_allowed_for(:visitor) }
    end
    context "when disallowed for public" do
      before { project.update(public_builds: false) }
-      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for(:admin) }
-      it { is_expected.to be_allowed_for owner }
+      it { is_expected.to be_allowed_for(:owner).of(project) }
-      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for(:master).of(project) }
-      it { is_expected.to be_allowed_for developer }
+      it { is_expected.to be_allowed_for(:developer).of(project) }
-      it { is_expected.to be_allowed_for reporter }
+      it { is_expected.to be_allowed_for(:reporter).of(project) }
-      it { is_expected.to be_denied_for guest }
+      it { is_expected.to be_denied_for(:guest).of(project) }
-      it { is_expected.to be_denied_for :user }
+      it { is_expected.to be_denied_for(:user) }
-      it { is_expected.to be_denied_for :external }
+      it { is_expected.to be_denied_for(:external) }
-      it { is_expected.to be_denied_for :visitor }
+      it { is_expected.to be_denied_for(:visitor) }
    end
  end
  describe "GET /:project_path/environments" do
    subject { namespace_project_environments_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/environments/:id" do
    let(:environment) { create(:environment, project: project) }
    subject { namespace_project_environment_path(project.namespace, project, environment) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/environments/new" do
    subject { new_namespace_project_environment_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/blob" do
@@ -252,127 +239,127 @@ describe "Public Project Access", feature: true  do
    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/edit" do
    subject { edit_namespace_project_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/deploy_keys" do
    subject { namespace_project_deploy_keys_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/issues" do
    subject { namespace_project_issues_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/issues/:id/edit" do
    let(:issue) { create(:issue, project: project) }
    subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/snippets" do
    subject { namespace_project_snippets_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/snippets/new" do
    subject { new_namespace_project_snippet_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/merge_requests" do
    subject { namespace_project_merge_requests_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/merge_requests/new" do
    subject { new_namespace_project_merge_request_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/branches" do
@@ -383,15 +370,15 @@ describe "Public Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:branches).and_return([])
    end
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/tags" do
@@ -402,29 +389,29 @@ describe "Public Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:tags).and_return([])
    end
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
  describe "GET /:project_path/hooks" do
    subject { namespace_project_hooks_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for(:developer).of(project) }
-    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for(:reporter).of(project) }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for(:guest).of(project) }
-    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for(:user) }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for(:external) }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for(:visitor) }
  end
  describe "GET /:project_path/container_registry" do
@@ -435,14 +422,14 @@ describe "Public Project Access", feature: true  do
    subject { namespace_project_container_registry_index_path(project.namespace, project) }
-    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for(:admin) }
-    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for(:owner).of(project) }
-    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for(:master).of(project) }
-    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for(:developer).of(project) }
-    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for(:reporter).of(project) }
-    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for(:guest).of(project) }
-    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for(:user) }
-    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for(:external) }
-    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for(:visitor) }
  end
 end
--- a/spec/support/matchers/access_matchers.rb
+++ b/spec/support/matchers/access_matchers.rb
@@ -7,7 +7,7 @@ module AccessMatchers
  extend RSpec::Matchers::DSL
  include Warden::Test::Helpers
-  def emulate_user(user)
+  def emulate_user(user, project = nil)
    case user
    when :user
      login_as(create(:user))
@@ -18,6 +18,18 @@ module AccessMatchers
    when :external
      login_as(create(:user, external: true))
    when User
+      login_as(user)
+    when :owner
+      raise ArgumentError, "cannot emulate owner without project" unless project
+      login_as(project.owner)
+    when *Gitlab::Access.sym_options.keys
+      raise ArgumentError, "cannot emulate user #{user} without project" unless project
+      role = user
+      user = create(:user)
+      project.public_send(:"add_#{role}", user)
      login_as(user)
    else
      raise ArgumentError, "cannot emulate user #{user}"
@@ -26,8 +38,7 @@ module AccessMatchers
  def description_for(user, type)
    if user.kind_of?(User)
-      # User#inspect displays too much information for RSpec's description
+      # User#inspect displays too much information for RSpec's descriptions
-      # messages
      "be #{type} for the specified user"
    else
      "be #{type} for #{user}"
@@ -36,21 +47,31 @@ module AccessMatchers
  matcher :be_allowed_for do |user|
    match do |url|
-      emulate_user(user)
+      emulate_user(user, @project)
-      visit url
+      visit(url)
      status_code != 404 && current_path != new_user_session_path
    end
+    chain :of do |project|
+      @project = project
+    end
    description { description_for(user, 'allowed') }
  end
  matcher :be_denied_for do |user|
    match do |url|
-      emulate_user(user)
+      emulate_user(user, @project)
-      visit url
+      visit(url)
      status_code == 404 || current_path == new_user_session_path
    end
+    chain :of do |project|
+      @project = project
+    end
    description { description_for(user, 'denied') }
  end
 end