From 2119c10e7a81d01eee5344e4b604e4c3577973e3 Mon Sep 17 00:00:00 2001
From: Darby Frey
Date: Wed, 6 Dec 2023 13:13:02 -0600
Subject: [PATCH] Adds project feature availability check for model registry
Model registry permissions checks now look at the project feature toggle as well as the user access level.
Changelog: added
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138995
---
 app/policies/project_policy.rb | 4 ++-
 spec/policies/project_policy_spec.rb | 47 +++++++++++++++++-----------
 2 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index bbb0e3df500777..899603664389ab 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -194,7 +194,9 @@ class ProjectPolicy < BasePolicy
 end
 with_scope :subject
- condition(:model_registry_enabled) { Feature.enabled?(:model_registry, @subject) }
+ condition(:model_registry_enabled) do
+ Feature.enabled?(:model_registry, @subject) && @subject.feature_available?(:model_registry, @user)
+ end
 with_scope :subject
 condition(:resource_access_token_feature_available) do
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index fda889ff422b03..853aac9a7d4858 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
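Review bot: In `app/policies/project_policy.rb`, the `with_scope :subject` line left in place above `condition(:model_registry_enabled)` no longer matches what the block reads, because the new body passes `@user` to `feature_available?`. If that scope makes the policy framework cache the result per project only, an outcome computed for a member under a private access level could be reused for a different user evaluated against the same project. I would drop the `with_scope :subject` line for this condition, or keep the flag check subject-scoped and move `@subject.feature_available?(:model_registry, @user)` into a second, unscoped condition. The `ProjectPolicy` class body starts and ends outside the hunk, so the rules that combine this condition are not visible here.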
@@ -3321,37 +3321,46 @@ def permissions_abilities(role)
 end
 describe 'read_model_registry' do
- let(:project_with_feature) { project }
- let(:current_user) { owner }
-
- before do
- stub_feature_flags(model_registry: false)
- stub_feature_flags(model_registry: project_with_feature) if project_with_feature
- end
+ using RSpec::Parameterized::TableSyntax
- context 'feature flag is enabled' do
- specify { is_expected.to be_allowed(:read_model_registry) }
+ where(:feature_flag_enabled, :current_user, :access_level, :allowed) do
+ false | ref(:owner) | Featurable::ENABLED | false
+ true | ref(:guest) | Featurable::ENABLED | true
+ true | ref(:guest) | Featurable::PRIVATE | true
+ true | ref(:guest) | Featurable::DISABLED | false
+ true | ref(:non_member) | Featurable::ENABLED | true
+ true | ref(:non_member) | Featurable::PRIVATE | false
+ true | ref(:non_member) | Featurable::DISABLED | false
 end
+ with_them do
+ before do
+ stub_feature_flags(model_registry: feature_flag_enabled)
+ project.project_feature.update!(model_registry_access_level: access_level)
+ end
- context 'feature flag is disabled' do
- let(:project_with_feature) { nil }
-
- specify { is_expected.not_to be_allowed(:read_model_registry) }
+ if params[:allowed]
+ it { expect_allowed(:read_model_registry) }
+ else
+ it { expect_disallowed(:read_model_registry) }
+ end
 end
 end
 describe 'write_model_registry' do
 using RSpec::Parameterized::TableSyntax
- where(:ff_model_registry_enabled, :current_user, :allowed) do
- true | ref(:reporter) | true
- true | ref(:guest) | false
- false | ref(:owner) | false
+ where(:feature_flag_enabled, :current_user, :access_level, :allowed) do
+ false | ref(:owner) | Featurable::ENABLED | false
+ true | ref(:reporter) | Featurable::ENABLED | true
+ true | ref(:reporter) | Featurable::PRIVATE | true
+ true | ref(:reporter) | Featurable::DISABLED | false
+ true | ref(:guest) | Featurable::ENABLED | false
+ true | ref(:non_member) | Featurable::ENABLED | false
 end
 with_them do
 before do
- stub_feature_flags(model_registry: false)
- stub_feature_flags(model_registry: project) if ff_model_registry_enabled
+ stub_feature_flags(model_registry: feature_flag_enabled)
+ project.project_feature.update!(model_registry_access_level: access_level)
 end
 if params[:allowed]
-- 
GitLab
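Review bot: Neither table has a row for an unauthenticated request, so the new `feature_available?(:model_registry, @user)` call is never exercised with a nil user; a row per access level with a nil `current_user` and the expected outcome stated explicitly would pin that path. The `ref(:non_member) | Featurable::ENABLED | true` row in `read_model_registry` only holds if the `project` fixture is visible to non-members, and that fixture is defined outside the hunk, so a one-line comment stating its visibility next to that row would make the intended exposure reviewable. Each row also runs in its own example, so nothing here would catch a result being shared between two users checked against the same project. The `write_model_registry` block continues past the end of the hunk.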