Migrate CE & EE controller specs to consider admin mode

dc1149df · Diego Louzán · Imre Farkas · 3cffcea5 · dc1149df · dc1149df
Commit dc1149df authored Apr 14, 2020 by Diego Louzán Committed by Imre Farkas Apr 14, 2020
22 changed files
--- a/ee/spec/controllers/ee/groups_controller_spec.rb
+++ b/ee/spec/controllers/ee/groups_controller_spec.rb
@@ -267,7 +267,7 @@ describe GroupsController do
        sign_in(user)
      end

-      context 'when user is an admin' do
+      context 'when user is an admin with admin mode enabled', :enable_admin_mode do
        let(:user) { create(:admin) }

        it 'updates max_pages_size' do
@@ -277,6 +277,14 @@ describe GroupsController do
        end
      end

+      context 'when user is an admin with admin mode disabled' do
+        it 'does not update max_pages_size' do
+          request
+
+          expect(group.reload.max_pages_size).to eq(nil)
+        end
+      end
+
      context 'when user is not an admin' do
        it 'does not update max_pages_size' do
          request

--- a/ee/spec/controllers/ee/projects/jobs_controller_spec.rb
+++ b/ee/spec/controllers/ee/projects/jobs_controller_spec.rb
@@ -38,8 +38,16 @@ describe Projects::JobsController do
    context 'with admin' do
      let(:user) { admin }

-      it 'returns 200' do
-        expect(response).to have_gitlab_http_status(:ok)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'returns 200' do
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it 'returns 404' do
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
      end
    end


--- a/ee/spec/controllers/profiles_controller_spec.rb
+++ b/ee/spec/controllers/profiles_controller_spec.rb
@@ -60,8 +60,10 @@ describe ProfilesController, :request_store do
            end
          end

-          it_behaves_like 'a user can update their name' do
-            let(:current_user) { admin }
+          context 'as an admin in admin mode', :enable_admin_mode do
+            it_behaves_like 'a user can update their name' do
+              let(:current_user) { admin }
+            end
          end
        end
      end

--- a/ee/spec/controllers/projects/clusters_controller_spec.rb
+++ b/ee/spec/controllers/projects/clusters_controller_spec.rb
@@ -61,7 +61,12 @@ describe Projects::ClustersController do
        allow(controller).to receive(:prometheus_adapter).and_return(prometheus_adapter)
      end

-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is denied for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(clusterable) }
      it { expect { go }.to be_allowed_for(:maintainer).of(clusterable) }
      it { expect { go }.to be_denied_for(:developer).of(clusterable) }

--- a/ee/spec/controllers/projects/deploy_keys_controller_spec.rb
+++ b/ee/spec/controllers/projects/deploy_keys_controller_spec.rb
@@ -64,7 +64,7 @@ describe Projects::DeployKeysController do
    let(:deploy_key) { create(:deploy_key) }
    let!(:deploy_key_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }

-    context 'with admin' do
+    context 'with admin', :enable_admin_mode do
      before do
        sign_in(create(:admin))
      end

--- a/ee/spec/controllers/projects/mirrors_controller_spec.rb
+++ b/ee/spec/controllers/projects/mirrors_controller_spec.rb
@@ -71,7 +71,7 @@ describe Projects::MirrorsController do
        stub_application_setting(mirror_available: false)
      end

-      context 'when user is admin' do
+      context 'when user is admin', :enable_admin_mode do
        let(:admin) { create(:user, :admin) }

        it 'creates a new mirror' do

--- a/ee/spec/controllers/projects/pages_controller_spec.rb
+++ b/ee/spec/controllers/projects/pages_controller_spec.rb
@@ -30,10 +30,20 @@ describe Projects::PagesController do
        sign_in(admin)
      end

-      it 'updates max_pages_size' do
-        request
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'updates max_pages_size' do
+          request
+
+          expect(project.reload.max_pages_size).to eq(100)
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it 'does not update max_pages_size' do
+          request

-        expect(project.reload.max_pages_size).to eq(100)
+          expect(project.reload.max_pages_size).to eq(nil)
+        end
      end
    end


--- a/ee/spec/controllers/projects/push_rules_controller_spec.rb
+++ b/ee/spec/controllers/projects/push_rules_controller_spec.rb
@@ -71,7 +71,7 @@ describe Projects::PushRulesController do

    PushRule::SETTINGS_WITH_GLOBAL_DEFAULT.each do |rule_attr|
      context "Updating #{rule_attr} rule" do
-        context 'as an admin' do
+        context 'as an admin in admin mode', :enable_admin_mode do
          let(:user) { create(:admin) }

          it_behaves_like 'a setting with global default', rule_attr, updates: true

--- a/ee/spec/controllers/projects/web_ide_terminals_controller_spec.rb
+++ b/ee/spec/controllers/projects/web_ide_terminals_controller_spec.rb
@@ -29,8 +29,16 @@ describe Projects::WebIdeTerminalsController do
    context 'with admin' do
      let(:user) { admin }

-      it 'returns 200' do
-        expect(response).to have_gitlab_http_status(:ok)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'returns 200' do
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it 'returns 404' do
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
      end
    end

@@ -124,7 +132,7 @@ describe Projects::WebIdeTerminalsController do
      let(:user) { admin }
      let(:result) { { status: :error } }

-      it 'returns 422' do
+      it 'returns 422', :enable_admin_mode do
        expect(response).to have_gitlab_http_status(:unprocessable_entity)
      end
    end
@@ -160,7 +168,7 @@ describe Projects::WebIdeTerminalsController do
      let(:user) { admin }
      let(:branch) { 'foobar' }

-      it 'returns 400' do
+      it 'returns 400', :enable_admin_mode do
        subject

        expect(response).to have_gitlab_http_status(:bad_request)
@@ -170,7 +178,7 @@ describe Projects::WebIdeTerminalsController do
    context 'when there is an error creating the job' do
      let(:user) { admin }

-      it 'returns 400' do
+      it 'returns 400', :enable_admin_mode do
        allow_next_instance_of(::Ci::CreateWebIdeTerminalService) do |instance|
          allow(instance).to receive(:execute).and_return(status: :error, message: 'foobar')
        end

--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -748,7 +748,7 @@ describe ApplicationController do
    end
  end

-  describe '#current_user_mode', :do_not_mock_admin_mode do
+  describe '#current_user_mode' do
    include_context 'custom session'

    controller(described_class) do

--- a/spec/controllers/concerns/enforces_admin_authentication_spec.rb
+++ b/spec/controllers/concerns/enforces_admin_authentication_spec.rb
@@ -2,7 +2,7 @@

 require 'spec_helper'

-describe EnforcesAdminAuthentication, :do_not_mock_admin_mode do
+describe EnforcesAdminAuthentication do
  include AdminModeHelper

  let(:user) { create(:user) }

--- a/spec/controllers/groups/settings/ci_cd_controller_spec.rb
+++ b/spec/controllers/groups/settings/ci_cd_controller_spec.rb
@@ -180,32 +180,38 @@ describe Groups::Settings::CiCdController do
        group.add_owner(user)
      end

-      it { is_expected.to redirect_to(group_settings_ci_cd_path) }
+      context 'when admin mode is disabled' do
+        it { is_expected.to have_gitlab_http_status(:not_found) }
+      end

-      context 'when service execution went wrong' do
-        let(:update_service) { double }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to redirect_to(group_settings_ci_cd_path) }

-        before do
-          allow(Groups::UpdateService).to receive(:new).and_return(update_service)
-          allow(update_service).to receive(:execute).and_return(false)
-          allow_any_instance_of(Group).to receive_message_chain(:errors, :full_messages)
-            .and_return(['Error 1'])
+        context 'when service execution went wrong' do
+          let(:update_service) { double }

-          subject
-        end
+          before do
+            allow(Groups::UpdateService).to receive(:new).and_return(update_service)
+            allow(update_service).to receive(:execute).and_return(false)
+            allow_any_instance_of(Group).to receive_message_chain(:errors, :full_messages)
+              .and_return(['Error 1'])

-        it 'returns a flash alert' do
-          expect(response).to set_flash[:alert]
-            .to eq("There was a problem updating the pipeline settings: [\"Error 1\"].")
+            subject
+          end
+
+          it 'returns a flash alert' do
+            expect(response).to set_flash[:alert]
+              .to eq("There was a problem updating the pipeline settings: [\"Error 1\"].")
+          end
        end
-      end

-      context 'when service execution was successful' do
-        it 'returns a flash notice' do
-          subject
+        context 'when service execution was successful' do
+          it 'returns a flash notice' do
+            subject

-          expect(response).to set_flash[:notice]
-            .to eq('Pipeline settings was updated for the group')
+            expect(response).to set_flash[:notice]
+              .to eq('Pipeline settings was updated for the group')
+          end
        end
      end
    end

--- a/spec/controllers/projects/clusters/applications_controller_spec.rb
+++ b/spec/controllers/projects/clusters/applications_controller_spec.rb
@@ -10,7 +10,12 @@ describe Projects::Clusters::ApplicationsController do
  end

  shared_examples 'a secure endpoint' do
-    it { expect { subject }.to be_allowed_for(:admin) }
+    it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+      expect { subject }.to be_allowed_for(:admin)
+    end
+    it 'is denied for admin when admin mode disabled' do
+      expect { subject }.to be_denied_for(:admin)
+    end
    it { expect { subject }.to be_allowed_for(:owner).of(project) }
    it { expect { subject }.to be_allowed_for(:maintainer).of(project) }
    it { expect { subject }.to be_denied_for(:developer).of(project) }

--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -65,7 +65,12 @@ describe Projects::ClustersController do
    describe 'security' do
      let(:cluster) { create(:cluster, :provided_by_gcp, projects: [project]) }

-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -151,7 +156,12 @@ describe Projects::ClustersController do
    end

    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -240,7 +250,12 @@ describe Projects::ClustersController do
        allow(WaitForClusterCreationWorker).to receive(:perform_in).and_return(nil)
      end

-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -346,7 +361,12 @@ describe Projects::ClustersController do
        stub_kubeclient_get_namespace('https://kubernetes.example.com', namespace: 'my-namespace')
      end

-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -414,7 +434,12 @@ describe Projects::ClustersController do
        allow(WaitForClusterCreationWorker).to receive(:perform_in)
      end

-      it { expect { post_create_aws }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { post_create_aws }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { post_create_aws }.to be_denied_for(:admin)
+      end
      it { expect { post_create_aws }.to be_allowed_for(:owner).of(project) }
      it { expect { post_create_aws }.to be_allowed_for(:maintainer).of(project) }
      it { expect { post_create_aws }.to be_denied_for(:developer).of(project) }
@@ -469,7 +494,12 @@ describe Projects::ClustersController do
    end

    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -501,7 +531,12 @@ describe Projects::ClustersController do
    end

    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -541,7 +576,12 @@ describe Projects::ClustersController do
    end

    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -574,7 +614,12 @@ describe Projects::ClustersController do
    end

    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -677,7 +722,12 @@ describe Projects::ClustersController do
    describe 'security' do
      let_it_be(:cluster) { create(:cluster, :provided_by_gcp, projects: [project]) }

-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }
@@ -746,7 +796,12 @@ describe Projects::ClustersController do
    describe 'security' do
      let_it_be(:cluster) { create(:cluster, :provided_by_gcp, :production_environment, projects: [project]) }

-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is disabled for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_denied_for(:developer).of(project) }

--- a/spec/controllers/projects/deploy_keys_controller_spec.rb
+++ b/spec/controllers/projects/deploy_keys_controller_spec.rb
@@ -163,7 +163,7 @@ describe Projects::DeployKeysController do
      end
    end

-    context 'with admin' do
+    context 'with admin', :enable_admin_mode do
      before do
        sign_in(admin)
      end
@@ -228,7 +228,7 @@ describe Projects::DeployKeysController do
      end
    end

-    context 'with admin' do
+    context 'with admin', :enable_admin_mode do
      before do
        sign_in(admin)
      end
@@ -284,7 +284,7 @@ describe Projects::DeployKeysController do
      end
    end

-    context 'with admin' do
+    context 'with admin', :enable_admin_mode do
      before do
        sign_in(admin)
      end
@@ -311,8 +311,16 @@ describe Projects::DeployKeysController do
      context 'public deploy key attached to project' do
        let(:extra_params) { deploy_key_params('updated title', '1') }

-        it 'updates the title of the deploy key' do
-          expect { subject }.to change { deploy_key.reload.title }.to('updated title')
+        context 'admin mode disabled' do
+          it 'does not update the title of the deploy key' do
+            expect { subject }.not_to change { deploy_key.reload.title }
+          end
+        end
+
+        context 'admin mode enabled', :enable_admin_mode do
+          it 'updates the title of the deploy key' do
+            expect { subject }.to change { deploy_key.reload.title }.to('updated title')
+          end
        end

        it 'updates can_push of deploy_keys_project' do

--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -586,12 +586,23 @@ describe Projects::IssuesController do
        expect(assigns(:issues)).to include request_forgery_timing_attack
      end

-      it 'lists confidential issues for admin' do
-        sign_in(admin)
-        get_issues
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'lists confidential issues for admin' do
+          sign_in(admin)
+          get_issues

-        expect(assigns(:issues)).to include unescaped_parameter_value
-        expect(assigns(:issues)).to include request_forgery_timing_attack
+          expect(assigns(:issues)).to include unescaped_parameter_value
+          expect(assigns(:issues)).to include request_forgery_timing_attack
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it 'does not list confidential issues for admin' do
+          sign_in(admin)
+          get_issues
+
+          expect(assigns(:issues)).to eq [issue]
+        end
      end

      def get_issues
@@ -648,11 +659,22 @@ describe Projects::IssuesController do
        expect(response).to have_gitlab_http_status http_status[:success]
      end

-      it "returns #{http_status[:success]} for admin" do
-        sign_in(admin)
-        go(id: unescaped_parameter_value.to_param)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it "returns #{http_status[:success]} for admin" do
+          sign_in(admin)
+          go(id: unescaped_parameter_value.to_param)

-        expect(response).to have_gitlab_http_status http_status[:success]
+          expect(response).to have_gitlab_http_status http_status[:success]
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        xit 'returns 404 for admin' do
+          sign_in(admin)
+          go(id: unescaped_parameter_value.to_param)
+
+          expect(response).to have_gitlab_http_status :not_found
+        end
      end
    end


--- a/spec/controllers/projects/jobs_controller_spec.rb
+++ b/spec/controllers/projects/jobs_controller_spec.rb
@@ -391,10 +391,20 @@ describe Projects::JobsController, :clean_gitlab_redis_shared_state do
            sign_in(user)
          end

-          it 'settings_path is available' do
-            expect(response).to have_gitlab_http_status(:ok)
-            expect(response).to match_response_schema('job/job_details')
-            expect(json_response['runners']['settings_path']).to match(/runners/)
+          context 'when admin mode is disabled' do
+            it 'settings_path is not available' do
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(response).to match_response_schema('job/job_details')
+              expect(json_response['runners']).not_to have_key('settings_path')
+            end
+          end
+
+          context 'when admin mode is enabled', :enable_admin_mode do
+            it 'settings_path is available' do
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(response).to match_response_schema('job/job_details')
+              expect(json_response['runners']['settings_path']).to match(/runners/)
+            end
          end
        end
      end

--- a/spec/controllers/projects/mirrors_controller_spec.rb
+++ b/spec/controllers/projects/mirrors_controller_spec.rb
@@ -39,12 +39,24 @@ describe Projects::MirrorsController do
        expect(response).to have_gitlab_http_status(:not_found)
      end

-      it 'allows requests from an admin user' do
-        user.update!(admin: true)
-        sign_in(user)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'allows requests from an admin user' do
+          user.update!(admin: true)
+          sign_in(user)

-        subject_action
-        expect(response).to redirect_to(project_settings_path)
+          subject_action
+          expect(response).to redirect_to(project_settings_path)
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it 'disallows requests from an admin user' do
+          user.update!(admin: true)
+          sign_in(user)
+
+          subject_action
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
      end
    end
  end

--- a/spec/controllers/projects/pipeline_schedules_controller_spec.rb
+++ b/spec/controllers/projects/pipeline_schedules_controller_spec.rb
@@ -127,7 +127,12 @@ describe Projects::PipelineSchedulesController do
    describe 'security' do
      let(:schedule) { attributes_for(:ci_pipeline_schedule) }

-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is denied for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_allowed_for(:developer).of(project) }
@@ -279,7 +284,12 @@ describe Projects::PipelineSchedulesController do
    describe 'security' do
      let(:schedule) { { description: 'updated_desc' } }

-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is denied for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_allowed_for(:developer).of(project).own(pipeline_schedule) }
@@ -343,7 +353,12 @@ describe Projects::PipelineSchedulesController do
    end

    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is denied for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_allowed_for(:developer).of(project).own(pipeline_schedule) }
@@ -361,7 +376,12 @@ describe Projects::PipelineSchedulesController do

  describe 'GET #take_ownership' do
    describe 'security' do
-      it { expect { go }.to be_allowed_for(:admin) }
+      it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
+        expect { go }.to be_allowed_for(:admin)
+      end
+      it 'is denied for admin when admin mode disabled' do
+        expect { go }.to be_denied_for(:admin)
+      end
      it { expect { go }.to be_allowed_for(:owner).of(project) }
      it { expect { go }.to be_allowed_for(:maintainer).of(project) }
      it { expect { go }.to be_allowed_for(:developer).of(project).own(pipeline_schedule) }

--- a/spec/controllers/projects/settings/ci_cd_controller_spec.rb
+++ b/spec/controllers/projects/settings/ci_cd_controller_spec.rb
@@ -245,11 +245,22 @@ describe Projects::Settings::CiCdController do
        context 'and user is an admin' do
          let(:user) { create(:admin)  }

-          it 'sets max_artifacts_size' do
-            subject
+          context 'with admin mode disabled' do
+            it 'does not set max_artifacts_size' do
+              subject

-            project.reload
-            expect(project.max_artifacts_size).to eq(10)
+              project.reload
+              expect(project.max_artifacts_size).to be_nil
+            end
+          end
+
+          context 'with admin mode enabled', :enable_admin_mode do
+            it 'sets max_artifacts_size' do
+              subject
+
+              project.reload
+              expect(project.max_artifacts_size).to eq(10)
+            end
          end
        end
      end

--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -362,7 +362,7 @@ describe ProjectsController do
  end

  describe 'GET edit' do
-    it 'allows an admin user to access the page' do
+    it 'allows an admin user to access the page', :enable_admin_mode do
      sign_in(create(:user, :admin))

      get :edit,
@@ -531,7 +531,7 @@ describe ProjectsController do
    end
  end

-  describe "#update" do
+  describe "#update", :enable_admin_mode do
    render_views

    let(:admin) { create(:admin) }
@@ -672,7 +672,7 @@ describe ProjectsController do
    end
  end

-  describe '#transfer' do
+  describe '#transfer', :enable_admin_mode do
    render_views

    let(:project) { create(:project, :repository) }
@@ -720,7 +720,7 @@ describe ProjectsController do
    end
  end

-  describe "#destroy" do
+  describe "#destroy", :enable_admin_mode do
    let(:admin) { create(:admin) }

    it "redirects to the dashboard", :sidekiq_might_not_need_inline do
@@ -1094,7 +1094,7 @@ describe ProjectsController do
      end
    end

-    context 'for a DELETE request' do
+    context 'for a DELETE request', :enable_admin_mode do
      before do
        sign_in(create(:admin))
      end

--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -91,6 +91,10 @@ RSpec.configure do |config|
      match = location.match(%r{/spec/([^/]+)/})
      metadata[:type] = match[1].singularize.to_sym if match
    end
+
+    # Admin controller specs get auto admin mode enabled since they are
+    # protected by the 'EnforcesAdminAuthentication' concern
+    metadata[:enable_admin_mode] = true if location =~ %r{(ee)?/spec/controllers/admin/}
  end

  config.include LicenseHelpers
@@ -226,7 +230,6 @@ RSpec.configure do |config|
    #
    # context 'some test in mocked dir', :do_not_mock_admin_mode do ... end
    admin_mode_mock_dirs = %w(
-      ./ee/spec/controllers
      ./ee/spec/elastic_integration
      ./ee/spec/features
      ./ee/spec/finders
@@ -238,7 +241,6 @@ RSpec.configure do |config|
      ./ee/spec/services
      ./ee/spec/support/protected_tags
      ./ee/spec/support/shared_examples
-      ./spec/controllers
      ./spec/features
      ./spec/finders
      ./spec/frontend
@@ -270,7 +272,7 @@ RSpec.configure do |config|
    # context 'some test that requires admin mode', :enable_admin_mode do ... end
    #
    # See also spec/support/helpers/admin_mode_helpers.rb
-    if example.metadata[:enable_admin_mode]
+    if example.metadata[:enable_admin_mode] && !example.metadata[:do_not_mock_admin_mode]
      allow_any_instance_of(Gitlab::Auth::CurrentUserMode).to receive(:admin_mode?) do |current_user_mode|
        current_user_mode.send(:user)&.admin?
      end