Merge branch '343494-change-ci-minutes-policy' into 'master'

Only allow owners & admins to access CI minutes

See merge request gitlab-org/gitlab!77118

ee/app/models/ci/minutes/context.rb

@@ -3,15 +3,13 @@
 module Ci
   module Minutes
     class Context
-      delegate :shared_runners_minutes_limit_enabled?, to: :level
+      delegate :shared_runners_minutes_limit_enabled?, to: :namespace
       delegate :name, to: :namespace, prefix: true
 
-      attr_reader :level
+      attr_reader :namespace
 
       def initialize(project, namespace, tracking_strategy: nil)
-        @project = project
         @namespace = project&.shared_runners_limit_namespace || namespace
-        @level = project || namespace
         @tracking_strategy = tracking_strategy
       end
 
@@ -21,8 +19,6 @@ module Ci
 
       private
 
-      attr_reader :project, :namespace
-
       def quota
         @quota ||= ::Ci::Minutes::Quota.new(namespace, tracking_strategy: @tracking_strategy)
       end

ee/app/models/ci/minutes/notification.rb

@@ -17,10 +17,10 @@ module Ci
 
       def show?(current_user, cookies = false)
         return false unless @stage
-        return false unless @context.level
+        return false unless @context.namespace
         return false if alert_has_been_dismissed?(cookies)
 
-        Ability.allowed?(current_user, :read_ci_minutes_quota, @context.level)
+        Ability.allowed?(current_user, :read_ci_minutes_quota, @context.namespace)
       end
 
       def text

ee/app/policies/ee/group_policy.rb

@@ -298,7 +298,6 @@ module EE
       rule { developer }.policy do
         enable :create_wiki
         enable :admin_merge_request
-        enable :read_ci_minutes_quota
         enable :read_group_audit_events
       end
 
@@ -316,6 +315,7 @@ module EE
         enable :read_group_compliance_dashboard
         enable :read_group_credentials_inventory
         enable :admin_group_credentials_inventory
+        enable :read_ci_minutes_quota
       end
 
       rule { (admin | owner) & group_merge_request_approval_settings_enabled }.policy do

ee/app/policies/ee/project_policy.rb

@@ -183,11 +183,14 @@ module EE
         enable :create_vulnerability_feedback
         enable :destroy_vulnerability_feedback
         enable :update_vulnerability_feedback
-        enable :read_ci_minutes_quota
         enable :admin_feature_flags_issue_links
         enable :read_project_audit_events
       end
 
+      rule { can?(:owner_access) }.policy do
+        enable :read_ci_minutes_quota
+      end
+
       rule { can?(:developer_access) & iterations_available }.policy do
         enable :create_iteration
         enable :admin_iteration

ee/spec/features/ci_shared_runner_warnings_spec.rb

@@ -13,12 +13,24 @@ RSpec.describe 'CI shared runner limits' do
   let!(:job) { create(:ci_build, pipeline: pipeline) }
 
   before do
+    group.add_user(user, membership_level)
     sign_in(user)
   end
 
+  where(:membership_level, :visible) do
+    :owner | true
+    :developer | false
+  end
+
+  with_them do
     context 'when on a project related page' do
+      where(:membership_level, :visible) do
+        :owner | true
+        :developer | false
+      end
+
       before do
-      group.add_developer(user)
+        group.add_user(user, membership_level)
       end
 
       where(:case_name, :percent_threshold, :minutes_limit, :minutes_used) do
@@ -41,19 +53,19 @@ RSpec.describe 'CI shared runner limits' do
           it 'displays a warning message on pipelines page' do
             visit project_pipelines_path(project)
 
-          expect_quota_exceeded_alert(message)
+            alerts_according_to_role(visible: visible, message: message)
           end
 
           it 'displays a warning message on project homepage' do
             visit project_path(project)
 
-          expect_quota_exceeded_alert(message)
+            alerts_according_to_role(visible: visible, message: message)
           end
 
           it 'displays a warning message on a job page' do
             visit project_job_path(project, job)
 
-          expect_quota_exceeded_alert(message)
+            alerts_according_to_role(visible: visible, message: message)
           end
         end
       end
@@ -68,19 +80,19 @@ RSpec.describe 'CI shared runner limits' do
         it 'displays a warning message on project homepage' do
           visit project_path(project)
 
-        expect_quota_exceeded_alert(message)
+          alerts_according_to_role(visible: visible, message: message)
         end
 
         it 'displays a warning message on pipelines page' do
           visit project_pipelines_path(project)
 
-        expect_quota_exceeded_alert(message)
+          alerts_according_to_role(visible: visible, message: message)
         end
 
         it 'displays a warning message on a job page' do
           visit project_job_path(project, job)
 
-        expect_quota_exceeded_alert(message)
+          alerts_according_to_role(visible: visible, message: message)
         end
       end
 
@@ -108,10 +120,6 @@ RSpec.describe 'CI shared runner limits' do
     end
 
     context 'when on a group related page' do
-    before do
-      group.add_owner(user)
-    end
-
       where(:case_name, :percent_threshold, :minutes_limit, :minutes_used) do
         'warning level' | 30 | 1000 | 800
         'danger level'  | 5  | 1000 | 980
@@ -132,7 +140,7 @@ RSpec.describe 'CI shared runner limits' do
           it 'displays a warning message on group information page' do
             visit group_path(group)
 
-          expect_quota_exceeded_alert(message)
+            alerts_according_to_role(visible: visible, message: message)
           end
         end
       end
@@ -147,7 +155,7 @@ RSpec.describe 'CI shared runner limits' do
         it 'displays a warning message on group information page' do
           visit group_path(group)
 
-        expect_quota_exceeded_alert(message)
+          alerts_according_to_role(visible: visible, message: message)
         end
       end
 
@@ -161,6 +169,11 @@ RSpec.describe 'CI shared runner limits' do
         end
       end
     end
+  end
+
+  def alerts_according_to_role(visible: false, message: '')
+    visible ? expect_quota_exceeded_alert(message) : expect_no_quota_exceeded_alert
+  end
 
   def expect_quota_exceeded_alert(message)
     expect(page).to have_selector('.shared-runner-quota-message', count: 1)

ee/spec/models/ci/minutes/context_spec.rb

@@ -9,7 +9,7 @@ RSpec.describe Ci::Minutes::Context do
   describe 'delegation' do
     subject { described_class.new(project, group) }
 
-    it { is_expected.to delegate_method(:shared_runners_minutes_limit_enabled?).to(:level) }
+    it { is_expected.to delegate_method(:shared_runners_minutes_limit_enabled?).to(:namespace) }
     it { is_expected.to delegate_method(:name).to(:namespace).with_prefix }
   end
 end

ee/spec/models/ci/minutes/notification_spec.rb

@@ -189,7 +189,7 @@ RSpec.describe Ci::Minutes::Notification do
   context 'when at project level' do
     context 'when eligible to see notifications' do
       before do
-        group.add_developer(user)
+        group.add_owner(user)
       end
 
       describe '#show?' do
@@ -217,12 +217,22 @@ RSpec.describe Ci::Minutes::Notification do
         subject { described_class.new(injected_project, nil) }
       end
     end
+
+    context 'when user is not in the correct role' do
+      before do
+        group.add_developer user
+      end
+
+      it_behaves_like 'not eligible to see notifications' do
+        subject { described_class.new(injected_project, nil) }
+      end
+    end
   end
 
   context 'when at namespace level' do
     context 'when eligible to see notifications' do
       before do
-        group.add_developer(user)
+        group.add_owner(user)
       end
 
       context 'with a project that has runners enabled inside namespace' do
@@ -259,5 +269,15 @@ RSpec.describe Ci::Minutes::Notification do
         subject { described_class.new(injected_project, nil) }
       end
     end
+
+    context 'when user is not in the correct role' do
+      before do
+        group.add_developer user
+      end
+
+      it_behaves_like 'not eligible to see notifications' do
+        subject { described_class.new(injected_project, nil) }
+      end
+    end
   end
 end

ee/spec/policies/group_policy_spec.rb

@@ -1349,8 +1349,8 @@ RSpec.describe GroupPolicy do
     where(:role, :admin_mode, :allowed) do
       :guest      | nil   | false
       :reporter   | nil   | false
-      :developer  | nil   | true
-      :maintainer | nil   | true
+      :developer  | nil   | false
+      :maintainer | nil   | false
       :owner      | nil   | true
       :admin      | true  | true
       :admin      | false | false

ee/spec/policies/project_policy_spec.rb

@@ -1542,8 +1542,8 @@ RSpec.describe ProjectPolicy do
     where(:role, :admin_mode, :allowed) do
       :guest      | nil   | false
       :reporter   | nil   | false
-      :developer  | nil   | true
-      :maintainer | nil   | true
+      :developer  | nil   | false
+      :maintainer | nil   | false
       :owner      | nil   | true
       :admin      | false | false
       :admin      | true  | true