Merge branch 'security-ag-contribution-analytics-2nd-attempt' into 'master'

Hide Contribution Analytics from non-group members

See merge request gitlab-org/security/gitlab!297

ee/app/controllers/groups/contribution_analytics_controller.rb

@@ -3,6 +3,7 @@
 class Groups::ContributionAnalyticsController < Groups::ApplicationController
   before_action :group
   before_action :check_contribution_analytics_available!
+  before_action :authorize_read_contribution_analytics!
 
   layout 'group'
 
@@ -27,6 +28,28 @@ class Groups::ContributionAnalyticsController < Groups::ApplicationController
   end
 
   def check_contribution_analytics_available!
-    render_404 unless @group.feature_available?(:contribution_analytics) || LicenseHelper.show_promotions?(current_user)
+    return if group_has_access_to_feature?
+
+    show_promotions? ? render_promotion : render_404
+  end
+
+  def authorize_read_contribution_analytics!
+    render_403 unless user_has_access_to_feature?
+  end
+
+  def render_promotion
+    render 'shared/promotions/_promote_contribution_analytics'
+  end
+
+  def show_promotions?
+    LicenseHelper.show_promotions?(current_user)
+  end
+
+  def group_has_access_to_feature?
+    @group.feature_available?(:contribution_analytics)
+  end
+
+  def user_has_access_to_feature?
+    can?(current_user, :read_group_contribution_analytics, @group)
   end
 end

ee/app/policies/ee/group_policy.rb

@@ -75,7 +75,7 @@ module EE
       rule { can?(:read_cluster) & cluster_deployments_available }
         .enable :read_cluster_environments
 
-      rule { can?(:read_group) & contribution_analytics_available }
+      rule { has_access & contribution_analytics_available }
         .enable :read_group_contribution_analytics
 
       rule { reporter & cycle_analytics_available }.policy do

ee/changelogs/unreleased/security-ag-contribution-analytics.yml

+---
+title: Don't show Contribution Analytics to users who are not group members
+merge_request:
+author:
+type: security

ee/spec/helpers/ee/groups_helper_spec.rb

@@ -3,14 +3,15 @@
 require 'spec_helper'
 
 describe GroupsHelper do
-  let(:user) { create(:user, group_view: :security_dashboard) }
+  let(:owner) { create(:user, group_view: :security_dashboard) }
+  let(:current_user) { owner }
   let(:group) { create(:group, :private) }
 
   before do
-    allow(helper).to receive(:current_user) { user }
+    allow(helper).to receive(:current_user) { current_user }
     helper.instance_variable_set(:@group, group)
 
-    group.add_owner(user)
+    group.add_owner(owner)
   end
 
   describe '#group_epics_count' do
@@ -49,6 +50,21 @@ describe GroupsHelper do
 
       expect(helper.group_sidebar_links).not_to include(:contribution_analytics, :epics)
     end
+
+    context 'when contribution analytics is available' do
+      before do
+        stub_licensed_features(contribution_analytics: true)
+      end
+
+      context 'signed in user is a project member but not a member of the group' do
+        let(:current_user) { create(:user) }
+        let(:private_project) { create(:project, :private, group: group)}
+
+        it 'hides Contribution Analytics' do
+          expect(helper.group_sidebar_links).not_to include(:contribution_analytics)
+        end
+      end
+    end
   end
 
   describe '#permanent_deletion_date' do
@@ -107,10 +123,10 @@ describe GroupsHelper do
 
     with_them do
       it 'returns the expected value' do
-        allow(helper).to receive(:current_user) { user? ? user : nil }
+        allow(helper).to receive(:current_user) { user? ? owner : nil }
         allow(::Gitlab).to receive(:com?) { gitlab_com? }
-        allow(user).to receive(:ab_feature_enabled?) { ab_feature_enabled? }
-        allow(user).to receive(:created_at) { created_at }
+        allow(owner).to receive(:ab_feature_enabled?) { ab_feature_enabled? }
+        allow(owner).to receive(:created_at) { created_at }
         allow(::Feature).to receive(:enabled?).with(:discover_security) { discover_security_feature_enabled? }
         allow(group).to receive(:feature_available?) { security_dashboard_feature_available? }
         allow(helper).to receive(:can?) { can_admin_group? }

ee/spec/policies/group_policy_spec.rb

@@ -48,7 +48,34 @@ describe GroupPolicy do
       stub_licensed_features(contribution_analytics: true)
     end
 
-    it { is_expected.to be_allowed(:read_group_contribution_analytics) }
+    context 'when signed in user is a member of the group' do
+      it { is_expected.to be_allowed(:read_group_contribution_analytics) }
+    end
+
+    describe 'when user is not a member of the group' do
+      let(:current_user) { non_group_member }
+      let(:private_group) { create(:group, :private) }
+
+      subject { described_class.new(non_group_member, private_group) }
+
+      context 'when user is not invited to any of the group projects' do
+        it do
+          is_expected.not_to be_allowed(:read_group_contribution_analytics)
+        end
+      end
+
+      context 'when user is invited to a group project, but not to the group' do
+        let(:private_project) { create(:project, :private, group: private_group) }
+
+        before do
+          private_project.add_guest(non_group_member)
+        end
+
+        it do
+          is_expected.not_to be_allowed(:read_group_contribution_analytics)
+        end
+      end
+    end
   end
 
   context 'when contribution analytics is not available' do

ee/spec/views/layouts/nav/sidebar/_group.html.haml_spec.rb

@@ -11,23 +11,50 @@ describe 'layouts/nav/sidebar/_group' do
   let(:user) { create(:user) }
 
   describe 'contribution analytics tab' do
-    it 'is not visible when there is no valid license and we dont show promotions' do
-      stub_licensed_features(contribution_analytics: false)
+    let!(:current_user) { create(:user) }
 
-      render
+    before do
+      group.add_guest(current_user)
 
-      expect(rendered).not_to have_text 'Contribution Analytics'
+      allow(view).to receive(:current_user).and_return(current_user)
     end
 
-    context 'no license installed' do
-      let!(:cuser) { create(:admin) }
+    context 'contribution analytics feature is available' do
+      before do
+        stub_licensed_features(contribution_analytics: true)
+      end
+
+      it 'is visible' do
+        render
 
+        expect(rendered).to have_text 'Contribution Analytics'
+      end
+    end
+
+    context 'contribution analytics feature is not available' do
+      before do
+        stub_licensed_features(contribution_analytics: false)
+      end
+
+      context 'we do not show promotions' do
+        before do
+          allow(LicenseHelper).to receive(:show_promotions?).and_return(false)
+        end
+
+        it 'is not visible' do
+          render
+
+          expect(rendered).not_to have_text 'Contribution Analytics'
+        end
+      end
+    end
+
+    context 'no license installed' do
       before do
         allow(License).to receive(:current).and_return(nil)
         stub_application_setting(check_namespace_plan: false)
 
         allow(view).to receive(:can?) { |*args| Ability.allowed?(*args) }
-        allow(view).to receive(:current_user).and_return(cuser)
       end
 
       it 'is visible when there is no valid license but we show promotions' do

spec/support/shared_contexts/policies/group_policy_shared_context.rb

@@ -7,6 +7,7 @@ RSpec.shared_context 'GroupPolicy context' do
   let_it_be(:maintainer) { create(:user) }
   let_it_be(:owner) { create(:user) }
   let_it_be(:admin) { create(:admin) }
+  let_it_be(:non_group_member) { create(:user) }
   let_it_be(:group, refind: true) { create(:group, :private, :owner_subgroup_creation_only) }
 
   let(:guest_permissions) do