Add policy for metrics dashboard

This adds a policy that controls access to viewing the metrics
dashboard.

app/controllers/projects/environments_controller.rb

@@ -4,7 +4,7 @@ class Projects::EnvironmentsController < Projects::ApplicationController
   include MetricsDashboard
 
   layout 'project'
-  before_action :authorize_read_environment!
+  before_action :authorize_read_environment!, except: [:metrics, :additional_metrics, :metrics_dashboard]
   before_action :authorize_create_environment!, only: [:new, :create]
   before_action :authorize_stop_environment!, only: [:stop]
   before_action :authorize_update_environment!, only: [:edit, :update, :cancel_auto_stop]
@@ -13,6 +13,8 @@ class Projects::EnvironmentsController < Projects::ApplicationController
   before_action :verify_api_request!, only: :terminal_websocket_authorize
   before_action :expire_etag_cache, only: [:index], unless: -> { request.format.json? }
   before_action only: [:metrics, :additional_metrics, :metrics_dashboard] do
+    authorize_metrics_dashboard!
+
     push_frontend_feature_flag(:prometheus_computed_alerts)
     push_frontend_feature_flag(:metrics_dashboard_annotations, project)
   end

app/controllers/projects_controller.rb

@@ -403,6 +403,7 @@ class ProjectsController < Projects::ApplicationController
         snippets_access_level
         wiki_access_level
         pages_access_level
+        metrics_dashboard_access_level
       ]
     ]
   end

app/helpers/projects_helper.rb

@@ -589,7 +589,8 @@ module ProjectsHelper
       pagesAccessLevel: feature.pages_access_level,
       containerRegistryEnabled: !!project.container_registry_enabled,
       lfsEnabled: !!project.lfs_enabled,
-      emailsDisabled: project.emails_disabled?
+      emailsDisabled: project.emails_disabled?,
+      metricsAccessLevel: feature.metrics_dashboard_access_level
     }
   end
 

app/models/project.rb

@@ -2398,6 +2398,14 @@ class Project < ApplicationRecord
   def after_wiki_activity
     touch(:last_activity_at, :last_repository_updated_at)
   end
+  
+  def metrics_dashboard_allowed?(user)
+    if (public? && metrics_dashboard_access_level >= 20) || feature_available?(:metrics_dashboard, user)
+      true
+    else
+      false
+    end
+  end
 
   private
 

app/policies/project_policy.rb

@@ -88,6 +88,11 @@ class ProjectPolicy < BasePolicy
     @subject.feature_available?(:forking, @user)
   end
 
+  with_scope :subject
+  condition(:metrics_dashboard_allowed) do
+    @subject.metrics_dashboard_allowed?(@user)
+  end
+
   with_scope :global
   condition(:mirror_available, score: 0) do
     ::Gitlab::CurrentSettings.current_application_settings.mirror_available
@@ -134,6 +139,7 @@ class ProjectPolicy < BasePolicy
     wiki
     builds
     pages
+    metrics_dashboard
   ]
 
   features.each do |f|
@@ -249,6 +255,13 @@ class ProjectPolicy < BasePolicy
     enable :fork_project
   end
 
+  rule { metrics_dashboard_allowed }.policy do
+    enable :metrics_dashboard
+    enable :read_prometheus
+    enable :read_environment
+    enable :read_deployment
+  end
+
   rule { owner | admin | guest | group_member }.prevent :request_access
   rule { ~request_access_enabled }.prevent :request_access
 

app/services/metrics/dashboard/base_service.rb

@@ -40,9 +40,7 @@ module Metrics
       # Determines whether users should be able to view
       # dashboards at all.
       def allowed?
-        return false unless params[:environment]
-
-        Ability.allowed?(current_user, :read_environment, project)
+        project.metrics_dashboard_allowed?(current_user)
       end
 
       # Returns a new dashboard Hash, supplemented with DB info