Add read_group_runners permissions

Replaces admin_group usage

Add read_group_runners permissions
Replaces admin_group usage
2ca4981a · Pedro Pombeiro · 4328f801 · 2ca4981a · 2ca4981a · 2ca4981a
Commit 2ca4981a authored Dec 29, 2021 by Pedro Pombeiro
5 changed files
--- a/app/finders/ci/runners_finder.rb
+++ b/app/finders/ci/runners_finder.rb
@@ -47,7 +47,7 @@ module Ci
    end
    def group_runners
-      raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :admin_group, @group)
+      raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :read_group_runners, @group)
      @runners = case @params[:membership]
                 when :direct

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -180,6 +180,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    enable :admin_group_member
    enable :change_visibility_level
+    enable :read_group_runners
    enable :set_note_created_at
    enable :set_emails_disabled
    enable :change_prevent_sharing_groups_outside_hierarchy

--- a/lib/sidebars/groups/menus/ci_cd_menu.rb
+++ b/lib/sidebars/groups/menus/ci_cd_menu.rb
@@ -34,10 +34,8 @@ module Sidebars
          )
        end
-        # TODO Proper policies, such as `read_group_runners`, should be implemented per
-        # See https://gitlab.com/gitlab-org/gitlab/-/issues/334802
        def show_runners?
-          can?(context.current_user, :admin_group, context.group) &&
+          can?(context.current_user, :read_group_runners, context.group) &&
            Feature.enabled?(:runner_list_group_view_vue_ui, context.group, default_enabled: :yaml)
        end
      end

--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -36,6 +36,7 @@ RSpec.describe GroupPolicy do
    it { expect_disallowed(:read_crm_organization) }
    it { expect_disallowed(:read_crm_contact) }
    it { expect_disallowed(:read_counts) }
+    it { expect_disallowed(:read_group_runners) }
    it { expect_disallowed(*read_group_permissions) }
  end
@@ -51,6 +52,7 @@ RSpec.describe GroupPolicy do
    it { expect_disallowed(:read_crm_organization) }
    it { expect_disallowed(:read_crm_contact) }
    it { expect_disallowed(:read_counts) }
+    it { expect_disallowed(:read_group_runners) }
    it { expect_disallowed(*read_group_permissions) }
  end

--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -53,17 +53,18 @@ RSpec.shared_context 'GroupPolicy context' do
  end
  let(:owner_permissions) do
-    [
+    %i[
-      :owner_access,
+      owner_access
-      :admin_group,
+      admin_group
-      :admin_namespace,
+      admin_namespace
-      :admin_group_member,
+      admin_group_member
-      :change_visibility_level,
+      change_visibility_level
-      :set_note_created_at,
+      set_note_created_at
-      :create_subgroup,
+      create_subgroup
-      :read_statistics,
+      read_statistics
-      :update_default_branch_protection
+      update_default_branch_protection
-    ].compact
+      read_group_runners
+    ]
  end
  let(:admin_permissions) { %i[read_confidential_issues] }