Add read_group_runners permissions

Replaces admin_group usage

Add read_group_runners permissions
Replaces admin_group usage
2ca4981a · Pedro Pombeiro · 4328f801 · 2ca4981a · 2ca4981a · 2ca4981a
Commit 2ca4981a authored Dec 29, 2021 by Pedro Pombeiro
5 changed files
--- a/app/finders/ci/runners_finder.rb
+++ b/app/finders/ci/runners_finder.rb
@@ -47,7 +47,7 @@ module Ci
    end

    def group_runners
-      raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :admin_group, @group)
+      raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :read_group_runners, @group)

      @runners = case @params[:membership]
                 when :direct

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -180,6 +180,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    enable :admin_group_member
    enable :change_visibility_level

+    enable :read_group_runners
+
    enable :set_note_created_at
    enable :set_emails_disabled
    enable :change_prevent_sharing_groups_outside_hierarchy

--- a/lib/sidebars/groups/menus/ci_cd_menu.rb
+++ b/lib/sidebars/groups/menus/ci_cd_menu.rb
@@ -34,10 +34,8 @@ module Sidebars
          )
        end

-        # TODO Proper policies, such as `read_group_runners`, should be implemented per
-        # See https://gitlab.com/gitlab-org/gitlab/-/issues/334802
        def show_runners?
-          can?(context.current_user, :admin_group, context.group) &&
+          can?(context.current_user, :read_group_runners, context.group) &&
            Feature.enabled?(:runner_list_group_view_vue_ui, context.group, default_enabled: :yaml)
        end
      end

--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -36,6 +36,7 @@ RSpec.describe GroupPolicy do
    it { expect_disallowed(:read_crm_organization) }
    it { expect_disallowed(:read_crm_contact) }
    it { expect_disallowed(:read_counts) }
+    it { expect_disallowed(:read_group_runners) }
    it { expect_disallowed(*read_group_permissions) }
  end

@@ -51,6 +52,7 @@ RSpec.describe GroupPolicy do
    it { expect_disallowed(:read_crm_organization) }
    it { expect_disallowed(:read_crm_contact) }
    it { expect_disallowed(:read_counts) }
+    it { expect_disallowed(:read_group_runners) }
    it { expect_disallowed(*read_group_permissions) }
  end


--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -53,17 +53,18 @@ RSpec.shared_context 'GroupPolicy context' do
  end

  let(:owner_permissions) do
-    [
-      :owner_access,
-      :admin_group,
-      :admin_namespace,
-      :admin_group_member,
-      :change_visibility_level,
-      :set_note_created_at,
-      :create_subgroup,
-      :read_statistics,
-      :update_default_branch_protection
-    ].compact
+    %i[
+      owner_access
+      admin_group
+      admin_namespace
+      admin_group_member
+      change_visibility_level
+      set_note_created_at
+      create_subgroup
+      read_statistics
+      update_default_branch_protection
+      read_group_runners
+    ]
  end

  let(:admin_permissions) { %i[read_confidential_issues] }