From bd4f4c6d9bc32adf518aa266821d70de492f1ab5 Mon Sep 17 00:00:00 2001
From: Alishan Ladhani
Date: Tue, 4 Oct 2022 09:26:46 -0400
Subject: [PATCH] Allow Releases to be published without giving access to source code
Changelog: added
---
 app/policies/project_policy.rb | 1 -
 spec/policies/project_policy_spec.rb | 2 +-
 spec/requests/api/release/links_spec.rb | 18 +++++++-----------
 3 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b0818d1de6cf00..cb746db6496f14 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -631,7 +631,6 @@ class ProjectPolicy < BasePolicy
 prevent :read_commit_status
 prevent :read_pipeline
 prevent :read_pipeline_schedule
- prevent(*create_read_update_admin_destroy(:release))
 prevent(*create_read_update_admin_destroy(:feature_flag))
 prevent(:admin_feature_flags_user_lists)
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 0ee9c24ee9b1ab..14ac5f3c503ca9 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -323,7 +323,7 @@ def set_access_level(access_level)
 :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
- :destroy_release, :download_code, :build_download_code
+ :download_code, :build_download_code
 ]
 end
diff --git a/spec/requests/api/release/links_spec.rb b/spec/requests/api/release/links_spec.rb
index 57b2e005929604..38166c5ce97bba 100644
--- a/spec/requests/api/release/links_spec.rb
+++ b/spec/requests/api/release/links_spec.rb
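Review bot: In the app/policies/project_policy.rb hunk, once `prevent(*create_read_update_admin_destroy(:release))` is gone, nothing visible in this block ties the release abilities to repository access, so each release path that returns repository-derived data (source archives, commit or tag details) has to enforce code access itself. The rule this block belongs to starts outside the hunk; judging by the spec change it is the repository-disabled rule, and that spec still expects `:download_code` and `:build_download_code` to be denied. I would record the new contract where the line was removed, for example `# Release abilities are gated by releases_access_level, not repository access; anything serving sources must still check :download_code`. The policy spec hunk only drops `:destroy_release` from the denied list, so an explicit expectation that `:read_release` is allowed while `:download_code` stays denied for the same user would pin the intended boundary.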
@@ -81,24 +81,20 @@
 end
 context 'when project is public' do
- let(:project) { create(:project, :repository, :public) }
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ end
 it 'allows the request' do
 get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member)
 expect(response).to have_gitlab_http_status(:ok)
 end
- end
-
- context 'when project is public and the repository is private' do
- let(:project) { create(:project, :repository, :public, :repository_private) }
-
- it_behaves_like '403 response' do
- let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
- end
- context 'when the release does not exists' do
- let!(:release) {}
+ context 'and the releases are private' do
+ before do
+ project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE)
+ end
 it_behaves_like '403 response' do
 let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
--
GitLab
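Review bot: The combination this commit actually changes, a public project with a private repository and releases still enabled, is no longer exercised. The old context 'when project is public and the repository is private' is deleted, and the new nested context only covers `releases_access_level: ProjectFeature::PRIVATE`. I would add a sibling context that sets `project.project_feature.update!(repository_access_level: ProjectFeature::PRIVATE)` and expects `have_gitlab_http_status(:ok)` for `non_project_member`. That makes the new access decision explicit, so a later policy change in either direction fails a test. The removed 'when the release does not exists' case also has no replacement here, so the response for a missing release to a non-member is unpinned. The `it_behaves_like` block at the end of the hunk closes outside it.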