Merge branch '326676-fix-devops-adoption-admin-resource-access-problem' into 'master'

[Devops Adoption] Fix access error

See merge request gitlab-org/gitlab!58684

ee/app/models/license.rb

@@ -25,7 +25,6 @@ class License < ApplicationRecord
     group_activity_analytics
     group_bulk_edit
     group_webhooks
-    group_level_devops_adoption
     instance_level_devops_adoption
     group_level_devops_adoption
     issuable_default_templates

ee/app/policies/ee/group_policy.rb

@@ -38,10 +38,14 @@ module EE
       end
 
       condition(:group_devops_adoption_available) do
-        ::Feature.enabled?(:group_devops_adoption, @subject, default_enabled: :yaml) &&
         @subject.feature_available?(:group_level_devops_adoption)
       end
 
+      condition(:group_devops_adoption_enabled) do
+        ::Feature.enabled?(:group_devops_adoption, @subject, default_enabled: :yaml) &&
+        ::License.feature_available?(:group_level_devops_adoption)
+      end
+
       condition(:dora4_analytics_available) do
         @subject.feature_available?(:dora4_analytics)
       end
@@ -191,11 +195,15 @@ module EE
         enable :view_group_ci_cd_analytics
       end
 
-      rule { reporter & group_devops_adoption_available }.policy do
+      rule { reporter & group_devops_adoption_enabled & group_devops_adoption_available }.policy do
         enable :manage_devops_adoption_segments
         enable :view_group_devops_adoption
       end
 
+      rule { admin & group_devops_adoption_enabled }.policy do
+        enable :manage_devops_adoption_segments
+      end
+
       rule { owner & ~has_parent & prevent_group_forking_available }.policy do
         enable :change_prevent_group_forking
       end

ee/changelogs/unreleased/326676-fix-devops-adoption-admin-resource-access-problem.yml

+---
+title: Fix access bug for DevOps Adoption page and free tier groups
+merge_request: 58684
+author:
+type: fixed

ee/spec/policies/group_policy_spec.rb

@@ -1606,32 +1606,34 @@ RSpec.describe GroupPolicy do
     end
 
     context 'when license does not include the feature' do
+      let(:current_user) { admin }
+
       before do
         stub_feature_flags(group_devops_adoption: true)
         stub_licensed_features(group_level_devops_adoption: false)
+        enable_admin_mode!(current_user)
       end
 
       it { is_expected.to be_disallowed(policy) }
     end
 
-    context 'when feature is enabled and license include the feature' do
+    context 'when feature is enabled and license includes the feature' do
       using RSpec::Parameterized::TableSyntax
 
-      where(:role, :admin_mode, :allowed) do
-        :admin            | true  | true
-        :admin            | false | false
-        :owner            | nil   | true
-        :maintainer       | nil   | true
-        :developer        | nil   | true
-        :reporter         | nil   | true
-        :guest            | nil   | false
-        :non_group_member | nil   | false
+      where(:role, :allowed) do
+        :admin            | true
+        :owner            | true
+        :maintainer       | true
+        :developer        | true
+        :reporter         | true
+        :guest            | false
+        :non_group_member | false
       end
 
       before do
         stub_feature_flags(group_devops_adoption: true)
         stub_licensed_features(group_level_devops_adoption: true)
-        enable_admin_mode!(current_user) if admin_mode
+        enable_admin_mode!(current_user) if current_user.admin?
       end
 
       with_them do
@@ -1641,4 +1643,85 @@ RSpec.describe GroupPolicy do
       end
     end
   end
+
+  describe 'manage_devops_adoption_segments' do
+    let(:current_user) { owner }
+    let(:policy) { :manage_devops_adoption_segments }
+
+    context 'when feature is disabled' do
+      before do
+        stub_feature_flags(group_devops_adoption: false)
+      end
+
+      it { is_expected.to be_disallowed(policy) }
+    end
+
+    context 'when license does not include the feature' do
+      let(:current_user) { admin }
+
+      before do
+        stub_feature_flags(group_devops_adoption: true)
+        stub_licensed_features(group_level_devops_adoption: false)
+        enable_admin_mode!(current_user)
+      end
+
+      it { is_expected.to be_disallowed(policy) }
+    end
+
+    context 'when feature is enabled' do
+      before do
+        stub_feature_flags(group_devops_adoption: true)
+      end
+
+      context 'when license includes the feature' do
+        using RSpec::Parameterized::TableSyntax
+
+        where(:role, :allowed) do
+          :admin            | true
+          :owner            | true
+          :maintainer       | true
+          :developer        | true
+          :reporter         | true
+          :guest            | false
+          :non_group_member | false
+        end
+
+        before do
+          stub_licensed_features(group_level_devops_adoption: true)
+          enable_admin_mode!(current_user) if current_user.admin?
+        end
+
+        with_them do
+          let(:current_user) { public_send(role) }
+
+          it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
+        end
+      end
+
+      context 'when license plan does not include the feature' do
+        using RSpec::Parameterized::TableSyntax
+
+        where(:role, :allowed) do
+          :admin            | true
+          :owner            | false
+          :maintainer       | false
+          :developer        | false
+          :reporter         | false
+          :guest            | false
+          :non_group_member | false
+        end
+
+        before do
+          allow(group).to receive(:feature_available?).with(:group_level_devops_adoption).and_return(false)
+          enable_admin_mode!(current_user) if current_user.admin?
+        end
+
+        with_them do
+          let(:current_user) { public_send(role) }
+
+          it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
+        end
+      end
+    end
+  end
 end