Merge branch '300455-auditor-role-not-bypassing-sso-enforce-with-ip-restrictions-on' into 'master'

Exempt auditor from ip restriction

See merge request gitlab-org/gitlab!55073

ee/app/policies/ee/group_policy.rb

@@ -288,7 +288,7 @@ module EE
         prevent :read_group
       end
 
-      rule { ip_enforcement_prevents_access & ~owner }.policy do
+      rule { ip_enforcement_prevents_access & ~owner & ~auditor }.policy do
         prevent :read_group
       end
 

ee/app/policies/ee/project_policy.rb

@@ -366,7 +366,7 @@ module EE
         prevent :owner_access
       end
 
-      rule { ip_enforcement_prevents_access & ~admin }.policy do
+      rule { ip_enforcement_prevents_access & ~admin & ~auditor }.policy do
         prevent :read_project
       end
 

ee/changelogs/unreleased/300455-auditor-role-not-bypassing-sso-enforce-with-ip-restrictions-on.yml

+---
+title: Exempt auditor from ip restriction
+merge_request: 55073
+author:
+type: changed

ee/spec/policies/group_policy_spec.rb

@@ -567,6 +567,12 @@ RSpec.describe GroupPolicy do
 
           it { is_expected.to be_allowed(:read_group) }
         end
+
+        context 'as auditor' do
+          let(:current_user) { create(:user, :auditor) }
+
+          it { is_expected.to be_allowed(:read_group) }
+        end
       end
     end
   end

ee/spec/policies/project_policy_spec.rb

@@ -439,6 +439,12 @@ RSpec.describe ProjectPolicy do
           context 'with admin disabled' do
             it { is_expected.to be_disallowed(:read_project) }
           end
+
+          context 'with auditor' do
+            let(:current_user) { create(:user, :auditor) }
+
+            it { is_expected.to be_allowed(:read_project) }
+          end
         end
       end