Merge branch '1439-read-only-user' into 'master'

Implement backend for a read-only "Auditor" user

Closes #1439

See merge request !998

.flayignore

@@ -3,3 +3,4 @@ lib/gitlab/sanitizers/svg/whitelist.rb
 lib/gitlab/diff/position_tracer.rb
 app/controllers/projects/approver_groups_controller.rb
 app/controllers/projects/approvers_controller.rb
+app/policies/project_policy.rb
\ No newline at end of file

app/controllers/admin/users_controller.rb

@@ -175,7 +175,7 @@ class Admin::UsersController < Admin::ApplicationController
 
   def user_params_ce
     [
-      :admin,
+      :access_level,
       :avatar,
       :bio,
       :can_create_group,

app/finders/group_projects_finder.rb

@@ -18,7 +18,7 @@ class GroupProjectsFinder < UnionFinder
     projects = []
 
     if current_user
-      if @group.users.include?(current_user) || current_user.admin?
+      if @group.users.include?(current_user)
         projects << @group.projects unless only_shared
         projects << @group.shared_projects unless only_owned
       else

app/finders/issues_finder.rb

@@ -33,7 +33,7 @@ class IssuesFinder < IssuableFinder
   def self.not_restricted_by_confidentiality(user)
     return Issue.where('issues.confidential IS NULL OR issues.confidential IS FALSE') if user.blank?
 
-    return Issue.all if user.admin?
+    return Issue.all if user.admin_or_auditor?
 
     Issue.where('
       issues.confidential IS NULL

app/finders/snippets_finder.rb

@@ -44,7 +44,7 @@ class SnippetsFinder
     snippets = project.snippets.fresh
 
     if current_user
-      include_private = project.team.member?(current_user) || current_user.admin?
+      include_private = project.team.member?(current_user) || current_user.admin_or_auditor?
       by_scope(snippets, scope, include_private)
     else
       snippets.are_public

app/helpers/auditor_user_helper.rb

+module AuditorUserHelper
+  def license_allows_auditor_user?
+    @license_allows_auditor_user ||= (::License.current && ::License.current.add_on?('GitLab_Auditor_User'))
+  end
+end

app/models/ee/user.rb

+module EE
+  # User EE mixin
+  #
+  # This module is intended to encapsulate EE-specific model logic
+  # and be prepended in the `User` model
+  module User
+    extend ActiveSupport::Concern
+    include AuditorUserHelper
+
+    included do
+      # We aren't using the `auditor?` method for the `if` condition here
+      # because `auditor?` returns `false` when the `auditor` column is `true`
+      # and the auditor add-on absent. We want to run this validation
+      # regardless of the add-on's presence, so we need to check the `auditor`
+      # column directly.
+      validate :auditor_requires_license_add_on, if: :auditor
+      validate :cannot_be_admin_and_auditor
+    end
+
+    def cannot_be_admin_and_auditor
+      if admin? && auditor?
+        errors.add(:admin, "user cannot also be an Auditor.")
+      end
+    end
+
+    def auditor_requires_license_add_on
+      unless license_allows_auditor_user?
+        errors.add(:auditor, 'user cannot be created without the "GitLab_Auditor_User" addon')
+      end
+    end
+
+    def auditor?
+      license_allows_auditor_user? && self.auditor
+    end
+
+    def admin_or_auditor?
+      admin? || auditor?
+    end
+  end
+end

app/models/project_feature.rb

@@ -83,7 +83,7 @@ class ProjectFeature < ActiveRecord::Base
     when DISABLED
       false
     when PRIVATE
-      user && (project.team.member?(user) || user.admin?)
+      user && (project.team.member?(user) || user.admin_or_auditor?)
     when ENABLED
       true
     else

app/models/user.rb

@@ -10,6 +10,7 @@ class User < ActiveRecord::Base
   include CaseSensitivity
   include TokenAuthenticatable
   prepend EE::GeoAwareAvatar
+  prepend EE::User
 
   DEFAULT_NOTIFICATION_LEVEL = :participating
 
@@ -933,6 +934,24 @@ class User < ActiveRecord::Base
     Gitlab::UserActivities::ActivitySet.record(self)
   end
 
+  def access_level
+    if admin?
+      :admin
+    elsif auditor?
+      :auditor
+    else
+      :regular
+    end
+  end
+
+  def access_level=(new_level)
+    new_level = new_level.to_s
+    return unless %w(admin auditor regular).include?(new_level)
+
+    self.admin = (new_level == 'admin')
+    self.auditor = (new_level == 'auditor')
+  end
+
   private
 
   def ci_projects_union

app/policies/group_policy.rb

@@ -12,6 +12,7 @@ class GroupPolicy < BasePolicy
     can_read ||= globally_viewable
     can_read ||= member
     can_read ||= @user.admin?
+    can_read ||= @user.auditor?
     can_read ||= GroupProjectsFinder.new(@subject).execute(@user).any?
     can! :read_group if can_read
 
@@ -40,6 +41,7 @@ class GroupPolicy < BasePolicy
   def can_read_group?
     return true if @subject.public?
     return true if @user.admin?
+    return true if @user.auditor?
     return true if @subject.internal? && !@user.external?
     return true if @subject.users.include?(@user)
 

app/policies/project_policy.rb

@@ -8,6 +8,7 @@ class ProjectPolicy < BasePolicy
       (project.group && project.group.has_owner?(user))
 
     owner_access! if user.admin? || owner
+    auditor_access! if user.auditor?
     team_member_owner_access! if owner
 
     if project.public? || (project.internal? && !user.external?)
@@ -182,6 +183,16 @@ class ProjectPolicy < BasePolicy
     cannot! :admin_merge_request
   end
 
+  # An auditor user has read-only access to all projects
+  def auditor_access!
+    base_readonly_access!
+
+    can! :read_build
+    can! :read_environment
+    can! :read_deployment
+    can! :read_pages
+  end
+
   def disabled_features!
     repository_enabled = project.feature_available?(:repository, user)
 
@@ -228,25 +239,7 @@ class ProjectPolicy < BasePolicy
   def anonymous_rules
     return unless project.public?
 
-    can! :read_project
-    can! :read_board
-    can! :read_list
-    can! :read_wiki
-    can! :read_label
-    can! :read_milestone
-    can! :read_project_snippet
-    can! :read_project_member
-    can! :read_merge_request
-    can! :read_note
-    can! :read_pipeline
-    can! :read_commit_status
-    can! :read_container_image
-    can! :download_code
-    can! :download_wiki_code
-    can! :read_cycle_analytics
-
-    # NOTE: may be overridden by IssuePolicy
-    can! :read_issue
+    base_readonly_access!
 
     # Allow to read builds by anonymous user if guests are allowed
     can! :read_build if project.public_builds?
@@ -279,4 +272,31 @@ class ProjectPolicy < BasePolicy
       :"admin_#{name}"
     ]
   end
+
+  private
+
+  # A base set of abilities for read-only users, which
+  # is then augmented as necessary for anonymous and other
+  # read-only users.
+  def base_readonly_access!
+    can! :read_project
+    can! :read_board
+    can! :read_list
+    can! :read_wiki
+    can! :read_label
+    can! :read_milestone
+    can! :read_project_snippet
+    can! :read_project_member
+    can! :read_merge_request
+    can! :read_note
+    can! :read_pipeline
+    can! :read_commit_status
+    can! :read_container_image
+    can! :download_code
+    can! :download_wiki_code
+    can! :read_cycle_analytics
+
+    # NOTE: may be overridden by IssuePolicy
+    can! :read_issue
+  end
 end

app/policies/project_snippet_policy.rb

@@ -3,12 +3,16 @@ class ProjectSnippetPolicy < BasePolicy
     can! :read_project_snippet if @subject.public?
     return unless @user
 
-    if @user && @subject.author == @user || @user.admin?
+    if @user && (@subject.author == @user || @user.admin?)
       can! :read_project_snippet
       can! :update_project_snippet
       can! :admin_project_snippet
     end
 
+    if @user.auditor?
+      can! :read_project_snippet
+    end
+
     if @subject.internal? && !@user.external?
       can! :read_project_snippet
     end

app/views/admin/users/_access_levels.html.haml

+%fieldset
+  %legend Access
+  .form-group
+    = f.label :projects_limit, class: 'control-label'
+    .col-sm-10= f.number_field :projects_limit, min: 0, class: 'form-control'
+
+  .form-group
+    = f.label :can_create_group, class: 'control-label'
+    .col-sm-10= f.check_box :can_create_group
+
+  .form-group
+    = f.label :access_level, class: 'control-label'
+    .col-sm-10
+      - editing_current_user = (current_user == @user)
+
+      = f.radio_button :access_level, :regular, disabled: editing_current_user
+      = label_tag :regular do
+        Regular
+      %p.light
+        Regular users have access to their groups and projects
+
+      - if license_allows_auditor_user?
+        = f.radio_button :access_level, :auditor, disabled: editing_current_user
+        = label_tag :auditor do
+          Auditor
+        %p.light
+          Auditors have read-only access to all groups, projects and users
+
+      = f.radio_button :access_level, :admin, disabled: editing_current_user
+      = label_tag :admin do
+        Admin
+      %p.light
+        Administrators have access to all groups, projects and users and can manage all features in this installation
+      - if editing_current_user
+        %p.light
+          You cannot remove your own admin rights.
+
+  .form-group
+    = f.label :external, class: 'control-label'
+    .col-sm-10
+      = f.check_box :external do
+        External
+      %p.light
+        External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.

app/views/admin/users/_form.html.haml

@@ -40,28 +40,7 @@
           = f.label :password_confirmation, class: 'control-label'
           .col-sm-10= f.password_field :password_confirmation, disabled: f.object.force_random_password, class: 'form-control'
 
-    %fieldset
-      %legend Access
-      .form-group
-        = f.label :projects_limit, class: 'control-label'
-        .col-sm-10= f.number_field :projects_limit, min: 0, class: 'form-control'
-
-      .form-group
-        = f.label :can_create_group, class: 'control-label'
-        .col-sm-10= f.check_box :can_create_group
-
-      .form-group
-        = f.label :admin, class: 'control-label'
-        - if current_user == @user
-          .col-sm-10= f.check_box :admin, disabled: true
-          .col-sm-10 You cannot remove your own admin rights.
-        - else
-          .col-sm-10= f.check_box :admin
-
-      .form-group
-        = f.label :external, class: 'control-label'
-        .col-sm-10= f.check_box :external
-        .col-sm-10 External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.
+    = render partial: 'access_levels', locals: { f: f }
 
     %fieldset
       %legend Profile

app/views/admin/users/_head.html.haml

@@ -4,6 +4,8 @@
     %span.cred (Blocked)
   - if @user.admin
     %span.cred (Admin)
+  - if @user.auditor
+    %span.cred (Auditor)
 
   .pull-right
     - unless @user == current_user || @user.blocked?

app/views/projects/notes/_notes_with_form.html.haml

@@ -13,7 +13,7 @@
           = image_tag avatar_icon(current_user), alt: current_user.to_reference, class: 'avatar s40'
       .timeline-content.timeline-content-form
         = render "projects/notes/form", view: diff_view
-    - else
+    - elsif !current_user
       .disabled-comment.text-center
         .disabled-comment-text.inline
           Please

changelogs/unreleased-ee/1439-read-only-user.yml

+---
+title: Read-only "auditor" user role
+merge_request: 998
+author:

db/migrate/20170120123345_add_column_auditor_to_users.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddColumnAuditorToUsers < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default :users, :auditor, :boolean, default: false, allow_null: false
+  end
+
+  def down
+    remove_column :users, :auditor
+  end
+end

db/schema.rb

@@ -1454,6 +1454,7 @@ ActiveRecord::Schema.define(version: 20170204181513) do
     t.string "incoming_email_token"
     t.string "organization"
     t.boolean "authorized_projects_populated"
+    t.boolean "auditor", default: false, null: false
   end
 
   add_index "users", ["admin"], name: "index_users_on_admin", using: :btree

doc/README.md

@@ -77,6 +77,7 @@
 - [High Availability](administration/high_availability/README.md) Configure multiple servers for scaling or high availability.
 - [Container Registry](administration/container_registry.md) Configure Docker Registry with GitLab.
 - [Repository restrictions](user/admin_area/settings/account_and_limit_settings.md#repository-size-limit) Define size restrictions for your repositories to limit the space they occupy in your storage device. Includes LFS objects.
+- [Auditor users](administration/auditor_users.md) Create auditor users, with read-only access to the entire system.
 
 ## Contributor documentation
 

doc/administration/auditor_users.md

+# Auditor Users
+
+>**Note:** [Introduced][998] in GitLab 8.17.
+
+With Gitlab Enterprise Edition Premium, you can create *auditor* users, who
+are given read-only access to all projects, groups, and other resources on the
+GitLab instance.
+
+First and foremost, an auditor user can perform all the actions that a regular user can.
+In projects that the auditor user owns, or has been added to, they can be added to
+groups, mentioned in comments, or have issues assigned to them. The one exception is
+that auditor users cannot _create_ projects or groups.
+
+In addition, the auditor will be granted read-only access to all other projects/groups/etc.
+on the GitLab instance.
+
+The `auditor` role is _not_ a read-only version of the `admin` role. The auditor will not be
+able to access the project settings pages, or the Admin Area.
+
+A user's access level can be set to ‘Auditor’ in the Admin Area
+
+![Admin Area Form](auditor_access_form.png)
+
+[998]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/998

lib/gitlab/visibility_level.rb

@@ -13,7 +13,19 @@ module Gitlab
       scope :public_and_internal_only,  -> { where(visibility_level: [PUBLIC, INTERNAL] ) }
       scope :non_public_only,           -> { where.not(visibility_level: PUBLIC) }
 
-      scope :public_to_user, -> (user) { user && !user.external ? public_and_internal_only : public_only }
+      scope :public_to_user, -> (user) do
+        if user
+          if user.admin_or_auditor?
+            all
+          elsif !user.external?
+            public_and_internal_only
+          else
+            public_only
+          end
+        else
+          public_only
+        end
+      end
     end
 
     PRIVATE  = 0 unless const_defined?(:PRIVATE)

spec/controllers/admin/dashboard_controller_spec.rb

+require 'spec_helper'
+
+describe Admin::DashboardController do
+  describe '#index' do
+    it "allows an admin user to access the page" do
+      sign_in(create(:user, :admin))
+      get :index
+
+      expect(response).to have_http_status(200)
+    end
+
+    it "does not allow an auditor user to access the page" do
+      sign_in(create(:user, :auditor))
+      get :index
+
+      expect(response).to have_http_status(404)
+    end
+
+    it "does not allow a regular user to access the page" do
+      sign_in(create(:user))
+      get :index
+
+      expect(response).to have_http_status(404)
+    end
+  end
+end

spec/controllers/groups_controller_spec.rb

@@ -126,4 +126,48 @@ describe GroupsController do
       expect(assigns(:group).path).not_to eq('new_path')
     end
   end
+
+  describe 'POST create' do
+    it 'allows creating a group' do
+      sign_in(user)
+
+      expect do
+        post :create, group: { name: 'new_group', path: "new_group" }
+      end.to change { Group.count }.by(1)
+
+      expect(response).to have_http_status(302)
+    end
+
+    context 'authorization' do
+      it 'allows an admin to create a group' do
+        sign_in(create(:admin))
+
+        expect do
+          post :create, group: { name: 'new_group', path: "new_group" }
+        end.to change { Group.count }.by(1)
+
+        expect(response).to have_http_status(302)
+      end
+
+      it 'does not allow a user with "can_create_group" set to false to create a group' do
+        sign_in(create(:user, can_create_group: false))
+
+        expect do
+          post :create, group: { name: 'new_group', path: "new_group" }
+        end.not_to change { Group.count }
+
+        expect(response).to have_http_status(404)
+      end
+
+      it 'allows an auditor with "can_create_group" set to true to create a group' do
+        sign_in(create(:user, :auditor, can_create_group: true))
+
+        expect do
+          post :create, group: { name: 'new_group', path: "new_group" }
+        end.to change { Group.count }.by(1)
+
+        expect(response).to have_http_status(302)
+      end
+    end
+  end
 end

spec/controllers/projects_controller_spec.rb

@@ -425,4 +425,26 @@ describe ProjectsController do
       expect(parsed_body["Commits"]).to include("123456")
     end
   end
+
+  describe 'GET edit' do
+    it 'does not allow an auditor user to access the page' do
+      sign_in(create(:user, :auditor))
+
+      get :edit,
+          namespace_id: project.namespace.path,
+          id: project.path
+
+      expect(response).to have_http_status(404)
+    end
+
+    it 'allows an admin user to access the page' do
+      sign_in(create(:user, :admin))
+
+      get :edit,
+          namespace_id: project.namespace.path,
+          id: project.path
+
+      expect(response).to have_http_status(200)
+    end
+  end
 end

spec/factories/licenses.rb

@@ -6,7 +6,12 @@ FactoryGirl.define do
       { "Name" => FFaker::Name.name }
     end
     restrictions do
-      { add_ons: { 'GitLab_FileLocks' => 1 } }
+      {
+        add_ons: {
+          'GitLab_FileLocks' => 1,
+          'GitLab_Auditor_User' => 1
+        }
+      }
     end
     notify_users_at   { |l| l.expires_at }
     notify_admins_at  { |l| l.expires_at }

spec/factories/users.rb

@@ -14,6 +14,10 @@ FactoryGirl.define do
       admin true
     end
 
+    trait :auditor do
+      auditor true
+    end
+
     trait :external do
       external true
     end

spec/features/admin/admin_users_spec.rb

@@ -211,7 +211,7 @@ describe "Admin::Users", feature: true do
         fill_in "user_email", with: "bigbang@mail.com"
         fill_in "user_password", with: "AValidPassword1"
         fill_in "user_password_confirmation", with: "AValidPassword1"
-        check "user_admin"
+        choose "user_access_level_admin"
         click_button "Save changes"
       end
 
@@ -228,6 +228,21 @@ describe "Admin::Users", feature: true do
       end
     end
 
+    describe "Update user account type" do
+      before do
+        allow_any_instance_of(AuditorUserHelper).to receive(:license_allows_auditor_user?).and_return(true)
+        choose "user_access_level_auditor"
+        click_button "Save changes"
+      end
+
+      it "changes account type to be auditor" do
+        user.reload
+
+        expect(user).not_to be_admin
+        expect(user).to be_auditor
+      end
+    end
+
     describe 'update username to non ascii char' do
       it do
         fill_in 'user_username', with: '\u3042\u3044'

spec/features/security/admin_access_spec.rb

@@ -9,6 +9,7 @@ describe "Admin::Projects", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :auditor }
   end
 
   describe "GET /admin/users" do
@@ -17,6 +18,7 @@ describe "Admin::Projects", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :auditor }
   end
 
   describe "GET /admin/hooks" do
@@ -25,5 +27,6 @@ describe "Admin::Projects", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :auditor }
   end
 end

spec/features/security/dashboard_access_spec.rb

@@ -8,6 +8,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -16,6 +17,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -24,6 +26,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -32,6 +35,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -40,6 +44,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_allowed_for :visitor }
   end
 
@@ -53,6 +58,7 @@ describe "Dashboard access", feature: true  do
 
       it { is_expected.to be_allowed_for :admin }
       it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :auditor }
       it { is_expected.to be_denied_for :visitor }
     end
   end
@@ -60,12 +66,14 @@ describe "Dashboard access", feature: true  do
   describe "GET /projects/new" do
     it { expect(new_project_path).to be_allowed_for :admin }
     it { expect(new_project_path).to be_allowed_for :user }
+    it { expect(new_project_path).to be_allowed_for :auditor }
     it { expect(new_project_path).to be_denied_for :visitor }
   end
 
   describe "GET /groups/new" do
     it { expect(new_group_path).to be_allowed_for :admin }
     it { expect(new_group_path).to be_allowed_for :user }
+    it { expect(new_group_path).to be_allowed_for :auditor }
     it { expect(new_group_path).to be_denied_for :visitor }
   end
 
@@ -74,6 +82,7 @@ describe "Dashboard access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 end

spec/features/security/group/internal_access_spec.rb

@@ -22,6 +22,7 @@ describe 'Internal Group access', feature: true do
     subject { group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -37,6 +38,7 @@ describe 'Internal Group access', feature: true do
     subject { issues_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -52,6 +54,7 @@ describe 'Internal Group access', feature: true do
     subject { merge_requests_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -67,6 +70,7 @@ describe 'Internal Group access', feature: true do
     subject { group_group_members_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -82,6 +86,7 @@ describe 'Internal Group access', feature: true do
     subject { edit_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_denied_for(:master).of(group) }
     it { is_expected.to be_denied_for(:developer).of(group) }

spec/features/security/group/private_access_spec.rb

@@ -22,6 +22,7 @@ describe 'Private Group access', feature: true do
     subject { group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -37,6 +38,7 @@ describe 'Private Group access', feature: true do
     subject { issues_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -52,6 +54,7 @@ describe 'Private Group access', feature: true do
     subject { merge_requests_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -67,6 +70,7 @@ describe 'Private Group access', feature: true do
     subject { group_group_members_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -82,6 +86,7 @@ describe 'Private Group access', feature: true do
     subject { edit_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_denied_for(:master).of(group) }
     it { is_expected.to be_denied_for(:developer).of(group) }

spec/features/security/group/public_access_spec.rb

@@ -22,6 +22,7 @@ describe 'Public Group access', feature: true do
     subject { group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -37,6 +38,7 @@ describe 'Public Group access', feature: true do
     subject { issues_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -52,6 +54,7 @@ describe 'Public Group access', feature: true do
     subject { merge_requests_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -67,6 +70,7 @@ describe 'Public Group access', feature: true do
     subject { group_group_members_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_allowed_for(:master).of(group) }
     it { is_expected.to be_allowed_for(:developer).of(group) }
@@ -82,6 +86,7 @@ describe 'Public Group access', feature: true do
     subject { edit_group_path(group) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(group) }
     it { is_expected.to be_denied_for(:master).of(group) }
     it { is_expected.to be_denied_for(:developer).of(group) }

spec/features/security/profile_access_spec.rb

@@ -8,6 +8,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -16,6 +17,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -24,6 +26,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -32,6 +35,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -40,6 +44,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -48,6 +53,7 @@ describe "Profile access", feature: true  do
 
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :auditor }
     it { is_expected.to be_denied_for :visitor }
   end
 end

spec/features/security/project/snippet/internal_access_spec.rb

@@ -12,6 +12,7 @@ describe "Internal Project Snippets Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -26,6 +27,7 @@ describe "Internal Project Snippets Access", feature: true  do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -41,6 +43,7 @@ describe "Internal Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, internal_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -55,6 +58,7 @@ describe "Internal Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -71,6 +75,7 @@ describe "Internal Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, internal_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -85,6 +90,7 @@ describe "Internal Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }

spec/features/security/project/snippet/private_access_spec.rb

@@ -11,6 +11,7 @@ describe "Private Project Snippets Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -25,6 +26,7 @@ describe "Private Project Snippets Access", feature: true  do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -39,6 +41,7 @@ describe "Private Project Snippets Access", feature: true  do
     subject { namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -53,6 +56,7 @@ describe "Private Project Snippets Access", feature: true  do
     subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }

spec/features/security/project/snippet/public_access_spec.rb

@@ -13,6 +13,7 @@ describe "Public Project Snippets Access", feature: true  do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_allowed_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -27,6 +28,7 @@ describe "Public Project Snippets Access", feature: true  do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
     it { is_expected.to be_allowed_for(:admin) }
+    it { is_expected.to be_denied_for(:auditor) }
     it { is_expected.to be_allowed_for(:owner).of(project) }
     it { is_expected.to be_allowed_for(:master).of(project) }
     it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -42,6 +44,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, public_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -56,6 +59,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, internal_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -70,6 +74,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -86,6 +91,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, public_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -100,6 +106,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, internal_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }
@@ -114,6 +121,7 @@ describe "Public Project Snippets Access", feature: true  do
       subject { raw_namespace_project_snippet_path(project.namespace, project, private_snippet) }
 
       it { is_expected.to be_allowed_for(:admin) }
+      it { is_expected.to be_allowed_for(:auditor) }
       it { is_expected.to be_allowed_for(:owner).of(project) }
       it { is_expected.to be_allowed_for(:master).of(project) }
       it { is_expected.to be_allowed_for(:developer).of(project) }

spec/finders/group_projects_finder_spec.rb

@@ -76,6 +76,44 @@ describe GroupProjectsFinder do
     end
   end
 
+  describe 'with an admin current user' do
+    let(:current_user) { create(:admin) }
+
+    context "only shared" do
+      subject { described_class.new(group, only_shared: true).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1]) }
+    end
+
+    context "only owned" do
+      subject { described_class.new(group, only_owned: true).execute(current_user) }
+      it      { is_expected.to eq([private_project, public_project]) }
+    end
+
+    context "all" do
+      subject { described_class.new(group).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1, private_project, public_project]) }
+    end
+  end
+
+  describe 'with an auditor current user' do
+    let(:current_user) { create(:user, :auditor) }
+
+    context "only shared" do
+      subject { described_class.new(group, only_shared: true).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1]) }
+    end
+
+    context "only owned" do
+      subject { described_class.new(group, only_owned: true).execute(current_user) }
+      it      { is_expected.to eq([private_project, public_project]) }
+    end
+
+    context "all" do
+      subject { described_class.new(group).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1, private_project, public_project]) }
+    end
+  end
+
   describe "no user" do
     context "only shared" do
       subject { described_class.new(group, only_shared: true).execute(current_user) }

spec/finders/issues_finder_spec.rb

@@ -258,6 +258,8 @@ describe IssuesFinder do
 
   describe '.not_restricted_by_confidentiality' do
     let(:authorized_user) { create(:user) }
+    let(:admin_user) { create(:admin) }
+    let(:auditor_user) { create(:user, :auditor) }
     let(:project) { create(:empty_project, namespace: authorized_user.namespace) }
     let!(:public_issue) { create(:issue, project: project) }
     let!(:confidential_issue) { create(:issue, project: project, confidential: true) }
@@ -273,5 +275,13 @@ describe IssuesFinder do
     it 'returns all issues for user authorized for the issues projects' do
       expect(IssuesFinder.send(:not_restricted_by_confidentiality, authorized_user)).to include(public_issue, confidential_issue)
     end
+
+    it 'returns all issues for an admin user' do
+      expect(IssuesFinder.send(:not_restricted_by_confidentiality, admin_user)).to include(public_issue, confidential_issue)
+    end
+
+    it 'returns all issues for an auditor user' do
+      expect(IssuesFinder.send(:not_restricted_by_confidentiality, auditor_user)).to include(public_issue, confidential_issue)
+    end
   end
 end

spec/finders/snippets_finder_spec.rb

@@ -15,12 +15,14 @@ describe SnippetsFinder do
 
     it "returns all private and internal snippets" do
       snippets = SnippetsFinder.new.execute(user, filter: :all)
+
       expect(snippets).to include(snippet2, snippet3)
       expect(snippets).not_to include(snippet1)
     end
 
     it "returns all public snippets" do
       snippets = SnippetsFinder.new.execute(nil, filter: :all)
+
       expect(snippets).to include(snippet3)
       expect(snippets).not_to include(snippet1, snippet2)
     end
@@ -46,6 +48,7 @@ describe SnippetsFinder do
 
     it "returns all public and internal snippets" do
       snippets = SnippetsFinder.new.execute(user1, filter: :by_user, user: user)
+
       expect(snippets).to include(snippet2, snippet3)
       expect(snippets).not_to include(snippet1)
     end
@@ -58,23 +61,27 @@ describe SnippetsFinder do
 
     it "returns private snippets" do
       snippets = SnippetsFinder.new.execute(user, filter: :by_user, user: user, scope: "are_private")
+
       expect(snippets).to include(snippet1)
       expect(snippets).not_to include(snippet2, snippet3)
     end
 
     it "returns public snippets" do
       snippets = SnippetsFinder.new.execute(user, filter: :by_user, user: user, scope: "are_public")
+
       expect(snippets).to include(snippet3)
       expect(snippets).not_to include(snippet1, snippet2)
     end
 
     it "returns all snippets" do
       snippets = SnippetsFinder.new.execute(user, filter: :by_user, user: user)
+
       expect(snippets).to include(snippet1, snippet2, snippet3)
     end
 
     it "returns only public snippets if unauthenticated user" do
       snippets = SnippetsFinder.new.execute(nil, filter: :by_user, user: user)
+
       expect(snippets).to include(snippet3)
       expect(snippets).not_to include(snippet2, snippet1)
     end
@@ -89,43 +96,68 @@ describe SnippetsFinder do
 
     it "returns public snippets for unauthorized user" do
       snippets = SnippetsFinder.new.execute(nil, filter: :by_project, project: project1)
+
       expect(snippets).to include(@snippet3)
       expect(snippets).not_to include(@snippet1, @snippet2)
     end
 
     it "returns public and internal snippets for non project members" do
       snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1)
+
       expect(snippets).to include(@snippet2, @snippet3)
       expect(snippets).not_to include(@snippet1)
     end
 
     it "returns public snippets for non project members" do
       snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1, scope: "are_public")
+
       expect(snippets).to include(@snippet3)
       expect(snippets).not_to include(@snippet1, @snippet2)
     end
 
     it "returns internal snippets for non project members" do
       snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1, scope: "are_internal")
+
       expect(snippets).to include(@snippet2)
       expect(snippets).not_to include(@snippet1, @snippet3)
     end
 
     it "does not return private snippets for non project members" do
       snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1, scope: "are_private")
+
       expect(snippets).not_to include(@snippet1, @snippet2, @snippet3)
     end
 
     it "returns all snippets for project members" do
       project1.team << [user, :developer]
+
       snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1)
+
       expect(snippets).to include(@snippet1, @snippet2, @snippet3)
     end
 
     it "returns private snippets for project members" do
       project1.team << [user, :developer]
+
       snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1, scope: "are_private")
+
       expect(snippets).to include(@snippet1)
     end
+
+    it "returns all snippets for admin users" do
+      user = create(:user, :admin)
+
+      snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1)
+
+      expect(snippets).to include(@snippet1, @snippet2, @snippet3)
+    end
+
+    it "returns all snippets for auditor users" do
+      user = create(:user, :auditor)
+
+      snippets = SnippetsFinder.new.execute(user, filter: :by_project, project: project1)
+
+      expect(snippets).to include(@snippet1, @snippet2, @snippet3)
+    end
   end
 end

spec/models/project_feature_spec.rb

@@ -52,6 +52,15 @@ describe ProjectFeature do
           expect(project.feature_available?(:issues, user)).to eq(true)
         end
       end
+
+      it "returns true if user is an auditor" do
+        user.update_attribute(:auditor, true)
+
+        features.each do |feature|
+          project.project_feature.update_attribute("#{feature}_access_level".to_sym, ProjectFeature::PRIVATE)
+          expect(project.feature_available?(:issues, user)).to eq(true)
+        end
+      end
     end
 
     context 'when feature is enabled for everyone' do

spec/models/user_spec.rb

@@ -198,6 +198,12 @@ describe User, models: true do
         end
       end
     end
+
+    it 'does not allow a user to be both an auditor and an admin' do
+      user = build(:user, :admin, :auditor)
+
+      expect(user).to be_invalid
+    end
   end
 
   describe "non_ldap" do
@@ -1486,4 +1492,141 @@ describe User, models: true do
       expect(user.project_authorizations.where(access_level: Gitlab::Access::REPORTER).exists?).to eq(true)
     end
   end
+
+  describe '#access_level=' do
+    let(:user) { build(:user) }
+
+    before do
+      # `auditor?` returns true only when the user is an auditor _and_ the auditor license
+      # add-on is present. We aren't testing this here, so we can assume that the add-on exists.
+      allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
+    end
+
+    it 'does nothing for an invalid access level' do
+      user.access_level = :invalid_access_level
+
+      expect(user.access_level).to eq(:regular)
+      expect(user.admin).to be false
+      expect(user.auditor).to be false
+    end
+
+    it "assigns the 'admin' access level" do
+      user.access_level = :admin
+
+      expect(user.access_level).to eq(:admin)
+      expect(user.admin).to be true
+      expect(user.auditor).to be false
+    end
+
+    it "assigns the 'auditor' access level" do
+      user.access_level = :auditor
+
+      expect(user.access_level).to eq(:auditor)
+      expect(user.admin).to be false
+      expect(user.auditor).to be true
+    end
+
+    it "assigns the 'auditor' access level" do
+      user.access_level = :regular
+
+      expect(user.access_level).to eq(:regular)
+      expect(user.admin).to be false
+      expect(user.auditor).to be false
+    end
+
+    it "clears the 'admin' access level when a user is made an auditor" do
+      user.access_level = :admin
+      user.access_level = :auditor
+
+      expect(user.access_level).to eq(:auditor)
+      expect(user.admin).to be false
+      expect(user.auditor).to be true
+    end
+
+    it "clears the 'auditor' access level when a user is made an admin" do
+      user.access_level = :auditor
+      user.access_level = :admin
+
+      expect(user.access_level).to eq(:admin)
+      expect(user.admin).to be true
+      expect(user.auditor).to be false
+    end
+
+    it "doesn't clear existing access levels when an invalid access level is passed in" do
+      user.access_level = :admin
+      user.access_level = :invalid_access_level
+
+      expect(user.access_level).to eq(:admin)
+      expect(user.admin).to be true
+      expect(user.auditor).to be false
+    end
+
+    it "accepts string values in addition to symbols" do
+      user.access_level = 'admin'
+
+      expect(user.access_level).to eq(:admin)
+      expect(user.admin).to be true
+      expect(user.auditor).to be false
+    end
+  end
+
+  describe 'the GitLab_Auditor_User add-on' do
+    let(:license) { build(:license) }
+
+    before do
+      allow(::License).to receive(:current).and_return(license)
+    end
+
+    context 'creating an auditor user' do
+      it "does not allow creating an auditor user if the addon isn't enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
+
+        expect(build(:user, :auditor)).to be_invalid
+      end
+
+      it "does not allow creating an auditor user if no license is present" do
+        allow(License).to receive(:current).and_return nil
+
+        expect(build(:user, :auditor)).to be_invalid
+      end
+
+      it "allows creating an auditor user if the addon is enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
+
+        expect(build(:user, :auditor)).to be_valid
+      end
+
+      it "allows creating a regular user if the addon isn't enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
+
+        expect(build(:user)).to be_valid
+      end
+    end
+
+    context '#auditor?' do
+      it "returns true for an auditor user if the addon is enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
+
+        expect(build(:user, :auditor)).to be_auditor
+      end
+
+      it "returns false for an auditor user if the addon is not enabled" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
+
+        expect(build(:user, :auditor)).not_to be_auditor
+      end
+
+      it "returns false for an auditor user if a license is not present" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }
+
+        expect(build(:user, :auditor)).not_to be_auditor
+      end
+
+      it "returns false for a non-auditor user even if the addon is present" do
+        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
+
+        expect(build(:user)).not_to be_auditor
+      end
+    end
+  end
 end

spec/policies/group_policy_spec.rb

@@ -6,6 +6,7 @@ describe GroupPolicy, models: true do
   let(:developer) { create(:user) }
   let(:master) { create(:user) }
   let(:owner) { create(:user) }
+  let(:auditor) { create(:user, :auditor) }
   let(:admin) { create(:admin) }
   let(:group) { create(:group) }
 
@@ -170,5 +171,16 @@ describe GroupPolicy, models: true do
         is_expected.to include(*owner_permissions)
       end
     end
+
+    context 'auditor' do
+      let(:current_user) { auditor }
+
+      it do
+        is_expected.to include(:read_group)
+        is_expected.to all(start_with("read"))
+        is_expected.not_to include(*master_permissions)
+        is_expected.not_to include(*owner_permissions)
+      end
+    end
   end
 end

spec/policies/namespace_policy_spec.rb

+require 'spec_helper'
+
+describe NamespacePolicy, models: true do
+  let(:user) { create(:user) }
+  let(:owner) { create(:user) }
+  let(:auditor) { create(:user, :auditor) }
+  let(:admin) { create(:admin) }
+  let(:namespace) { create(:namespace, owner: owner) }
+
+  let(:owner_permissions) { [:create_projects, :admin_namespace] }
+
+  let(:admin_permissions) { owner_permissions }
+
+  subject { described_class.abilities(current_user, namespace).to_set }
+
+  context 'with no user' do
+    let(:current_user) { nil }
+
+    it { is_expected.to be_empty }
+  end
+
+  context 'regular user' do
+    let(:current_user) { user }
+
+    it { is_expected.to be_empty }
+  end
+
+  context 'owner' do
+    let(:current_user) { owner }
+
+    it { is_expected.to include(*owner_permissions) }
+  end
+
+  context 'auditor' do
+    let(:current_user) { auditor }
+
+    context 'owner' do
+      let(:namespace) { create(:namespace, owner: auditor) }
+
+      it { is_expected.to include(*owner_permissions) }
+    end
+
+    context 'non-owner' do
+      it { is_expected.to be_empty }
+    end
+  end
+
+  context 'admin' do
+    let(:current_user) { admin }
+
+    it { is_expected.to include(*owner_permissions) }
+  end
+end

spec/policies/project_policy_spec.rb

@@ -6,65 +6,74 @@ describe ProjectPolicy, models: true do
   let(:dev) { create(:user) }
   let(:master) { create(:user) }
   let(:owner) { create(:user) }
+  let(:auditor) { create(:user, :auditor) }
   let(:admin) { create(:admin) }
   let(:project) { create(:empty_project, :public, namespace: owner.namespace) }
 
   let(:guest_permissions) do
-    [
-      :read_project, :read_board, :read_list, :read_wiki, :read_issue, :read_label,
-      :read_milestone, :read_project_snippet, :read_project_member,
-      :read_note, :create_project, :create_issue, :create_note,
-      :upload_file
+    %i[
+      read_project read_board read_list read_wiki read_issue read_label
+      read_milestone read_project_snippet read_project_member
+      read_note create_project create_issue create_note
+      upload_file
     ]
   end
 
   let(:reporter_permissions) do
-    [
-      :download_code, :fork_project, :create_project_snippet, :update_issue,
-      :admin_issue, :admin_label, :admin_list, :read_commit_status, :read_build,
-      :read_container_image, :read_pipeline, :read_environment, :read_deployment,
-      :read_merge_request, :download_wiki_code
+    %i[
+      download_code fork_project create_project_snippet update_issue
+      admin_issue admin_label admin_list read_commit_status read_build
+      read_container_image read_pipeline read_environment read_deployment
+      read_merge_request download_wiki_code
     ]
   end
 
   let(:team_member_reporter_permissions) do
-    [
-      :build_download_code, :build_read_container_image
-    ]
+    %i[build_download_code build_read_container_image]
   end
 
   let(:developer_permissions) do
-    [
-      :admin_merge_request, :update_merge_request, :create_commit_status,
-      :update_commit_status, :create_build, :update_build, :create_pipeline,
-      :update_pipeline, :create_merge_request, :create_wiki, :push_code,
-      :resolve_note, :create_container_image, :update_container_image,
-      :create_environment, :create_deployment
+    %i[
+      admin_merge_request update_merge_request create_commit_status
+      update_commit_status create_build update_build create_pipeline
+      update_pipeline create_merge_request create_wiki push_code
+      resolve_note create_container_image update_container_image
+      create_environment create_deployment
     ]
   end
 
   let(:master_permissions) do
-    [
-      :push_code_to_protected_branches, :update_project_snippet, :update_environment,
-      :update_deployment, :admin_milestone, :admin_project_snippet,
-      :admin_project_member, :admin_note, :admin_wiki, :admin_project,
-      :admin_commit_status, :admin_build, :admin_container_image,
-      :admin_pipeline, :admin_environment, :admin_deployment
+    %i[
+      push_code_to_protected_branches update_project_snippet update_environment
+      update_deployment admin_milestone admin_project_snippet
+      admin_project_member admin_note admin_wiki admin_project
+      admin_commit_status admin_build admin_container_image
+      admin_pipeline admin_environment admin_deployment
     ]
   end
 
   let(:public_permissions) do
-    [
-      :download_code, :fork_project, :read_commit_status, :read_pipeline,
-      :read_container_image, :build_download_code, :build_read_container_image,
-      :download_wiki_code
+    %i[
+      download_code fork_project read_commit_status read_pipeline
+      read_container_image build_download_code build_read_container_image
+      download_wiki_code
     ]
   end
 
   let(:owner_permissions) do
-    [
-      :change_namespace, :change_visibility_level, :rename_project, :remove_project,
-      :archive_project, :remove_fork_project, :destroy_merge_request, :destroy_issue
+    %i[
+      change_namespace change_visibility_level rename_project remove_project
+      archive_project remove_fork_project destroy_merge_request destroy_issue
+    ]
+  end
+
+  let(:auditor_permissions) do
+    %i[
+      download_code download_wiki_code read_project read_board read_list
+      read_wiki read_issue read_label read_milestone read_project_snippet
+      read_project_member read_note read_cycle_analytics read_pipeline
+      read_build read_commit_status read_container_image read_environment
+      read_deployment read_merge_request read_pages
     ]
   end
 
@@ -207,5 +216,16 @@ describe ProjectPolicy, models: true do
         is_expected.to include(*owner_permissions)
       end
     end
+
+    context 'auditor' do
+      let(:current_user) { auditor }
+
+      it do
+        is_expected.not_to include(*developer_permissions)
+        is_expected.not_to include(*master_permissions)
+        is_expected.not_to include(*owner_permissions)
+        is_expected.to include(*auditor_permissions)
+      end
+    end
   end
 end

spec/policies/project_snippet_policy_spec.rb

+require 'spec_helper'
+
+describe ProjectSnippetPolicy, models: true do
+  let(:current_user) { create(:user) }
+
+  let(:author_permissions) do
+    [
+      :update_project_snippet,
+      :admin_project_snippet
+    ]
+  end
+
+  subject { described_class.abilities(current_user, project_snippet).to_set }
+
+  context 'public snippet' do
+    let(:project_snippet) { create(:project_snippet, :public) }
+
+    context 'no user' do
+      let(:current_user) { nil }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'regular user' do
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+  end
+
+  context 'internal snippet' do
+    let(:project_snippet) { create(:project_snippet, :internal) }
+
+    context 'no user' do
+      let(:current_user) { nil }
+
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'regular user' do
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'external user' do
+      let(:current_user) { create(:user, :external) }
+
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+  end
+
+  context 'private snippet' do
+    let(:project_snippet) { create(:project_snippet, :private) }
+
+    context 'no user' do
+      let(:current_user) { nil }
+
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'regular user' do
+      it do
+        is_expected.not_to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'snippet author' do
+      let(:project_snippet) { create(:project_snippet, :private, author: current_user) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.to include(*author_permissions)
+      end
+    end
+
+    context 'project team member' do
+      before { project_snippet.project.team << [current_user, :developer] }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'auditor user' do
+      let(:current_user) { create(:user, :auditor) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.not_to include(*author_permissions)
+      end
+    end
+
+    context 'admin user' do
+      let(:current_user) { create(:admin) }
+
+      it do
+        is_expected.to include(:read_project_snippet)
+        is_expected.to include(*author_permissions)
+      end
+    end
+  end
+end

spec/requests/api/license_spec.rb

@@ -17,7 +17,7 @@ describe API::License, api: true  do
       expect(Date.parse(json_response['expires_at'])).to eq Date.today + 11.months
       expect(json_response['active_users']).to eq 1
       expect(json_response['licensee']).not_to be_empty
-      expect(json_response['add_ons']).to eq({ 'GitLab_FileLocks' => 1 })
+      expect(json_response['add_ons']).to eq({ 'GitLab_FileLocks' => 1, 'GitLab_Auditor_User' => 1 })
     end
 
     it 'denies access if not admin' do

spec/services/groups/update_service_spec.rb

@@ -76,7 +76,7 @@ describe Groups::UpdateService, services: true do
   end
 
   context 'rename group' do
-    let!(:service) { described_class.new(internal_group, user, path: 'new_path') }
+    let!(:service) { described_class.new(internal_group, user, path: SecureRandom.hex) }
 
     before do
       internal_group.add_user(user, Gitlab::Access::MASTER)

spec/support/db_cleaner.rb

@@ -12,7 +12,7 @@ RSpec.configure do |config|
   end
 
   config.before(:each, truncate: true) do
-    DatabaseCleaner.strategy = :truncation
+    DatabaseCleaner.strategy = :truncation, { except: ['licenses'] }
   end
 
   config.before(:each) do

spec/support/matchers/access_matchers.rb

@@ -15,6 +15,8 @@ module AccessMatchers
       logout
     when :admin
       login_as(create(:admin))
+    when :auditor
+      login_as(create(:user, :auditor))
     when :external
       login_as(create(:user, external: true))
     when User