Wrap contribution analytics and epics in ability

ad618c2a · Bob Van Landuyt · 3effb9ac · ad618c2a · ad618c2a · ad618c2a
Commit ad618c2a authored Jul 03, 2018 by Bob Van Landuyt
6 changed files
--- a/ee/app/helpers/ee/groups_helper.rb
+++ b/ee/app/helpers/ee/groups_helper.rb
@@ -22,18 +22,12 @@ module EE
    def get_group_sidebar_links
      links = super
-      if can?(current_user, :read_cross_project)
+      if can?(current_user, :read_group_contribution_analytics, @group) || show_promotions?
-        if @group.feature_available?(:contribution_analytics) || show_promotions?
+        links << :contribution_analytics
-          links << :contribution_analytics
+      end
-        end
+      if can?(current_user, :read_epic, @group)
-        if @group.feature_available?(:group_issue_boards)
+        links << :epics
-          links << :boards
-        end
-        if @group.feature_available?(:epics)
-          links << :epics
-        end
      end
      links

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -5,7 +5,10 @@ module EE
    prepended do
      with_scope :subject
      condition(:ldap_synced) { @subject.ldap_synced? }
-      condition(:epics_disabled) { !@subject.feature_available?(:epics) }
+      condition(:epics_available) { @subject.feature_available?(:epics) }
+      condition(:contribution_analytics_available) do
+        @subject.feature_available?(:contribution_analytics)
+      end
      condition(:project_creation_level_enabled) { @subject.feature_available?(:project_creation_level) }
@@ -17,37 +20,38 @@ module EE
        @subject.project_creation_level == ::EE::Gitlab::Access::DEVELOPER_MASTER_PROJECT_ACCESS
      end
-      rule { reporter }.policy do
-        enable :admin_list
-        enable :admin_board
-      end
      condition(:can_owners_manage_ldap, scope: :global) do
        ::Gitlab::CurrentSettings.current_application_settings
          .allow_group_owners_to_manage_ldap
      end
-      rule { public_group }.enable :read_epic
+      rule { reporter }.policy do
+        enable :admin_list
+        enable :admin_board
+      end
-      rule { logged_in_viewable }.enable :read_epic
+      rule { can?(:read_group) & contribution_analytics_available }
+        .enable :read_group_contribution_analytics
-      rule { guest }.enable :read_epic
+      rule { can?(:read_group) & epics_available }.enable :read_epic
-      rule { reporter }.policy do
+      rule { reporter & epics_available }.policy do
        enable :create_epic
        enable :admin_epic
        enable :update_epic
      end
-      rule { owner }.enable :destroy_epic
+      rule { owner & epics_available }.enable :destroy_epic
-      rule { auditor }.policy do
+      rule { ~can?(:read_cross_project) }.policy do
-        enable  :read_group
+        prevent :read_group_contribution_analytics
-        enable  :read_epic
+        prevent :read_epic
+        prevent :create_epic
+        prevent :admin_epic
+        prevent :update_epic
      end
-      rule { admin }.enable :read_epic
+      rule { auditor }.enable :read_group
-      rule { has_projects }.enable :read_epic
      rule { admin | owner }.enable :admin_group_saml
@@ -59,14 +63,6 @@ module EE
      rule { ldap_synced & (admin | (can_owners_manage_ldap & owner)) }.enable :override_group_member
-      rule { epics_disabled }.policy do
-        prevent :read_epic
-        prevent :create_epic
-        prevent :admin_epic
-        prevent :update_epic
-        prevent :destroy_epic
-      end
      rule { project_creation_level_enabled & developer & developer_master_access }.enable :create_projects
      rule { project_creation_level_enabled & create_projects_disabled }.prevent :create_projects
    end

--- a/ee/spec/finders/epics_finder_spec.rb
+++ b/ee/spec/finders/epics_finder_spec.rb
@@ -27,7 +27,9 @@ describe EpicsFinder do
      end
    end
-    context 'when epics feature is enabled' do
+    # Enabeling the `request_store` for this to avoid counting queries that check
+    # the license.
+    context 'when epics feature is enabled', :request_store do
      before do
        stub_licensed_features(epics: true)
      end

--- a/ee/spec/helpers/ee/groups_helper_spec.rb
+++ b/ee/spec/helpers/ee/groups_helper_spec.rb
@@ -3,21 +3,28 @@ require 'spec_helper'
 describe GroupsHelper do
  describe '#group_sidebar_links' do
    let(:user) { create(:user) }
-    let(:group) { create(:group) }
+    let(:group) { create(:group, :private) }
    before do
      allow(helper).to receive(:current_user) { user }
+      group.add_owner(user)
      helper.instance_variable_set(:@group, group)
-      allow(helper).to receive(:can?).with(user, :admin_group, group) { false }
+      allow(helper).to receive(:can?) { |*args| Ability.allowed?(*args) }
+      allow(helper).to receive(:show_promotions?) { false }
    end
-    it 'shows the licenced cross project features when the user can read cross project' do
+    it 'shows the licensed features when they are available' do
-      expect(helper).to receive(:can?).with(user, :read_cross_project).at_least(1) { true }
      stub_licensed_features(contribution_analytics: true,
-                             group_issue_boards: true,
                             epics: true)
-      expect(helper.group_sidebar_links).to include(:contribution_analytics, :boards, :epics)
+      expect(helper.group_sidebar_links).to include(:contribution_analytics, :epics)
+    end
+    it 'hides the licensed features when they are not available' do
+      stub_licensed_features(contribution_analytics: false,
+                             epics: false)
+      expect(helper.group_sidebar_links).not_to include(:contribution_analytics, :epics)
    end
  end
 end
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -36,6 +36,26 @@ describe GroupPolicy do
    it { is_expected.to be_allowed(:read_epic, :create_epic, :admin_epic, :destroy_epic) }
  end
+  context 'when contribution analytics is available' do
+    let(:current_user) { developer }
+    before do
+      stub_licensed_features(contribution_analytics: true)
+    end
+    it { is_expected.to be_allowed(:read_group_contribution_analytics) }
+  end
+  context 'when contribution analytics is not available' do
+    let(:current_user) { developer }
+    before do
+      stub_licensed_features(contribution_analytics: false)
+    end
+    it { is_expected.not_to be_allowed(:read_group_contribution_analytics) }
+  end
  describe 'per group SAML' do
    let(:current_user) { master }

--- a/ee/spec/views/layouts/nav/sidebar/_group.html.haml_spec.rb
+++ b/ee/spec/views/layouts/nav/sidebar/_group.html.haml_spec.rb
@@ -21,7 +21,7 @@ describe 'layouts/nav/sidebar/_group' do
        allow(License).to receive(:current).and_return(nil)
        stub_application_setting(check_namespace_plan: false)
-        allow(view).to receive(:can?).and_return(true)
+        allow(view).to receive(:can?) { |*args| Ability.allowed?(*args) }
        allow(view).to receive(:current_user).and_return(cuser)
      end