Add policy tests for update_runners_registration_token

spec/policies/global_policy_spec.rb

@@ -565,4 +565,34 @@ RSpec.describe GlobalPolicy do
       it { is_expected.not_to be_allowed(:log_in) }
     end
   end
+
+  describe 'update_runners_registration_token' do
+    context 'when anonymous' do
+      let(:current_user) { nil }
+
+      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+    end
+
+    context 'regular user' do
+      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+    end
+
+    context 'when external' do
+      let(:current_user) { build(:user, :external) }
+
+      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+    end
+
+    context 'admin' do
+      let(:current_user) { create(:admin) }
+
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:update_runners_registration_token) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:update_runners_registration_token) }
+      end
+    end
+  end
 end

spec/policies/group_policy_spec.rb

@@ -923,4 +923,54 @@ RSpec.describe GroupPolicy do
       it { expect(described_class.new(current_user, subgroup)).to be_allowed(:read_label) }
     end
   end
+
+  describe 'update_runners_registration_token' do
+    context 'admin' do
+      let(:current_user) { admin }
+
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:update_runners_registration_token) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:update_runners_registration_token) }
+      end
+    end
+
+    context 'with owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_allowed(:update_runners_registration_token) }
+    end
+
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+
+      it { is_expected.to be_allowed(:update_runners_registration_token) }
+    end
+
+    context 'with reporter' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_disallowed(:update_runners_registration_token) }
+    end
+
+    context 'with guest' do
+      let(:current_user) { guest }
+
+      it { is_expected.to be_disallowed(:update_runners_registration_token) }
+    end
+
+    context 'with non member' do
+      let(:current_user) { create(:user) }
+
+      it { is_expected.to be_disallowed(:update_runners_registration_token) }
+    end
+
+    context 'with anonymous' do
+      let(:current_user) { nil }
+
+      it { is_expected.to be_disallowed(:update_runners_registration_token) }
+    end
+  end
 end

spec/policies/project_policy_spec.rb

@@ -1595,4 +1595,40 @@ RSpec.describe ProjectPolicy do
       end
     end
   end
+
+  describe 'update_runners_registration_token' do
+    context 'when anonymous' do
+      let(:current_user) { anonymous }
+
+      it { is_expected.not_to be_allowed(:update_runners_registration_token) }
+    end
+
+    context 'admin' do
+      let(:current_user) { create(:admin) }
+
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:update_runners_registration_token) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:update_runners_registration_token) }
+      end
+    end
+
+    %w(guest reporter developer).each do |role|
+      context role do
+        let(:current_user) { send(role) }
+
+        it { is_expected.to be_disallowed(:update_runners_registration_token) }
+      end
+    end
+
+    %w(maintainer owner).each do |role|
+      context role do
+        let(:current_user) { send(role) }
+
+        it { is_expected.to be_allowed(:update_runners_registration_token) }
+      end
+    end
+  end
 end