Merge branch 'bugfix/auditor-permissions' into 'master'

prevent auditors from creating issues and notes

Closes #2833

See merge request !2348

app/policies/ee/project_policy.rb

@@ -62,6 +62,13 @@ module EE
         enable :read_pages
       end
 
+      rule { auditor & ~guest }.policy do
+        prevent :create_project
+        prevent :create_issue
+        prevent :create_note
+        prevent :upload_file
+      end
+
       rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches
     end
   end

spec/policies/project_policy_spec.rb

@@ -242,11 +242,28 @@ describe ProjectPolicy, models: true do
     context 'auditor' do
       let(:current_user) { auditor }
 
-      it do
-        is_expected.to be_disallowed(*developer_permissions)
-        is_expected.to be_disallowed(*master_permissions)
-        is_expected.to be_disallowed(*owner_permissions)
-        is_expected.to be_allowed(*auditor_permissions)
+      context 'not a team member' do
+        it do
+          is_expected.to be_disallowed(*developer_permissions)
+          is_expected.to be_disallowed(*master_permissions)
+          is_expected.to be_disallowed(*owner_permissions)
+          is_expected.to be_disallowed(*(guest_permissions - auditor_permissions))
+          is_expected.to be_allowed(*auditor_permissions)
+        end
+      end
+
+      context 'team member' do
+        before do
+          project.team << [auditor, :guest]
+        end
+
+        it do
+          is_expected.to be_disallowed(*developer_permissions)
+          is_expected.to be_disallowed(*master_permissions)
+          is_expected.to be_disallowed(*owner_permissions)
+          is_expected.to be_allowed(*(guest_permissions - auditor_permissions))
+          is_expected.to be_allowed(*auditor_permissions)
+        end
       end
     end
   end