Grant support_bot guest access

for projects with ProjectFeature::PRIVATE

ee/app/policies/ee/project_policy.rb

@@ -275,6 +275,7 @@ module EE
     def lookup_access_level!
       return ::Gitlab::Access::NO_ACCESS if needs_new_sso_session?
       return ::Gitlab::Access::REPORTER if alert_bot?
+      return ::Gitlab::Access::GUEST if support_bot? && service_desk_enabled?
 
       super
     end

ee/changelogs/unreleased/31815-service-desk-email-rejections.yml

+---
+title: Fix replies to service desk emails for projects with issue access as Only Project Members
+merge_request: 17401
+author:
+type: fixed

ee/spec/lib/gitlab/email/handler/create_note_handler_spec.rb

@@ -113,4 +113,58 @@ describe Gitlab::Email::Handler::CreateNoteHandler do
       end
     end
   end
+
+  context 'when the service desk' do
+    let(:project) { create(:project, :public, service_desk_enabled: true) }
+    let(:support_bot) { User.support_bot }
+    let(:noteable) { create(:issue, project: project, author: support_bot) }
+    let(:note) { create(:note, project: project, noteable: noteable) }
+
+    let!(:sent_notification) do
+      SentNotification.record_note(note, support_bot.id, mail_key)
+    end
+
+    context 'is enabled' do
+      before do
+        allow(::EE::Gitlab::ServiceDesk).to receive(:enabled?).and_return(true)
+        allow(::EE::Gitlab::ServiceDesk).to receive(:enabled?).with(project: project).and_return(true)
+        project.project_feature.update!(issues_access_level: issues_access_level)
+      end
+
+      context 'when issues are enabled for everyone' do
+        let(:issues_access_level) { ProjectFeature::ENABLED }
+
+        it 'creates a comment' do
+          expect { receiver.execute }.to change { noteable.notes.count }.by(1)
+        end
+      end
+
+      context 'when issues are protected members only' do
+        let(:issues_access_level) { ProjectFeature::PRIVATE }
+
+        it 'creates a comment' do
+          expect { receiver.execute }.to change { noteable.notes.count }.by(1)
+        end
+      end
+
+      context 'when issues are disabled' do
+        let(:issues_access_level) { ProjectFeature::DISABLED }
+
+        it 'does not create a comment' do
+          expect { receiver.execute }.to raise_error(::Gitlab::Email::UserNotAuthorizedError)
+        end
+      end
+    end
+
+    context 'is disabled' do
+      before do
+        allow(::EE::Gitlab::ServiceDesk).to receive(:enabled?).and_return(false)
+        allow(::EE::Gitlab::ServiceDesk).to receive(:enabled?).with(project: project).and_return(false)
+      end
+
+      it 'does not create a comment' do
+        expect { receiver.execute }.to raise_error(::Gitlab::Email::ProjectNotFound)
+      end
+    end
+  end
 end

ee/spec/policies/project_policy_spec.rb

@@ -924,6 +924,34 @@ describe ProjectPolicy do
     end
   end
 
+  context 'support bot' do
+    let(:current_user) { User.support_bot }
+
+    context 'with service desk disabled' do
+      it { expect_allowed(:guest_access) }
+      it { expect_disallowed(:create_note, :read_project) }
+    end
+
+    context 'with service desk enabled' do
+      let(:project) { create(:project, :public, service_desk_enabled: true) }
+
+      before do
+        allow(::EE::Gitlab::ServiceDesk).to receive(:enabled?).and_return(true)
+        allow(::EE::Gitlab::ServiceDesk).to receive(:enabled?).with(project: project).and_return(true)
+      end
+
+      it { expect_allowed(:guest_access, :create_note, :read_issue) }
+
+      context 'when issues are protected members only' do
+        before do
+          project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
+        end
+
+        it { expect_allowed(:guest_access, :create_note, :read_issue) }
+      end
+    end
+  end
+
   context 'commit_committer_check is not enabled by the current license' do
     before do
       stub_licensed_features(commit_committer_check: false)