Exempt auditor from ip restriction

a5115661 · Małgorzata Ksionek · d4fd5bd2 · a5115661 · a5115661 · a5115661
Commit a5115661 authored Feb 24, 2021 by Małgorzata Ksionek
4 changed files
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -283,7 +283,7 @@ module EE
        prevent :read_group
      end
-      rule { ip_enforcement_prevents_access & ~owner }.policy do
+      rule { ip_enforcement_prevents_access & ~owner & ~auditor }.policy do
        prevent :read_group
      end

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -366,7 +366,7 @@ module EE
        prevent :owner_access
      end
-      rule { ip_enforcement_prevents_access & ~admin }.policy do
+      rule { ip_enforcement_prevents_access & ~admin & ~auditor }.policy do
        prevent :read_project
      end

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -567,6 +567,12 @@ RSpec.describe GroupPolicy do
          it { is_expected.to be_allowed(:read_group) }
        end
+        context 'as auditor' do
+          let(:current_user) { create(:user, :auditor) }
+          it { is_expected.to be_allowed(:read_group) }
+        end
      end
    end
  end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -439,6 +439,12 @@ RSpec.describe ProjectPolicy do
          context 'with admin disabled' do
            it { is_expected.to be_disallowed(:read_project) }
          end
+          context 'with auditor' do
+            let(:current_user) { create(:user, :auditor) }
+            it { is_expected.to be_allowed(:read_project) }
+          end
        end
      end