diff --git a/app/controllers/concerns/enforces_admin_authentication.rb b/app/controllers/concerns/enforces_admin_authentication.rb
index 94c0e98c91a7a594b44dfd2b27cfd007f359bb6b..8d365f3e53d81d00da0f8547e68b3084946c13a0 100644
--- a/app/controllers/concerns/enforces_admin_authentication.rb
+++ b/app/controllers/concerns/enforces_admin_authentication.rb
@@ -11,6 +11,13 @@ module EnforcesAdminAuthentication
included do
before_action :authenticate_admin!
+
+ def self.authorize!(ability, only:)
+ actions = Array(only)
+
+ skip_before_action :authenticate_admin!, only: actions
+ before_action -> { authorize_ability!(ability) }, only: actions
+ end
end
def authenticate_admin!
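Review bot: `authorize!` on L9-L14 drops the admin gate for `actions` via `skip_before_action` without saying what replaces it, and the replacement callback lives in a separate private method, so a reader of this `included` block cannot see that admins are still routed through `authenticate_admin!`. A comment above `def self.authorize!` would make the widening explicit: `# Opens the listed actions to non-admins holding the custom `ability`; admins still pass through authenticate_admin! (admin mode) and everyone else gets a 404.` It is also worth stating there that calling `authorize!` twice for overlapping actions appears to stack the lambda callbacks, so such a user must hold every listed ability — if that is the intent.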
@@ -27,4 +34,12 @@ def authenticate_admin!
def storable_location?
request.path != new_admin_session_path
end
+
+ private
+
+ def authorize_ability!(ability)
+ return authenticate_admin! if current_user.admin?
+
+ render_404 unless current_user.can?(ability)
+ end
end
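Review bot: `authorize_ability!` on L24-L28 calls `current_user.admin?` with no nil guard, so an unauthenticated request to an `authorize!`ed action raises instead of taking whatever redirect `authenticate_admin!` (defined above this hunk) gives anonymous users; the `skip_before_action` on L12 has removed that earlier gate for these actions. Sending anonymous users down the same branch as admins preserves the existing behaviour: `return authenticate_admin! if current_user.nil? || current_user.admin?`. This assumes `authenticate_user!` in the base controller does not always run first for every including controller — if it does, a one-line comment saying the nil case is unreachable is enough.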
diff --git a/app/validators/json_schemas/member_role_permissions.json b/app/validators/json_schemas/member_role_permissions.json
index ea67ed8c1a7dbdb0e6e352055e09a516a61ee2df..94da66e9b2f1606cc04b4b2fc4d44899fa6a7184 100644
--- a/app/validators/json_schemas/member_role_permissions.json
+++ b/app/validators/json_schemas/member_role_permissions.json
@@ -70,6 +70,9 @@
"read_admin_monitoring": {
"type": "boolean"
},
+ "read_admin_subscription": {
+ "type": "boolean"
+ },
"read_code": {
"type": "boolean"
},
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 54fe39da58a9ce42378d6319ec827802ced3391f..cc5dcaf4ee4f4fcf4a98185d8a137d22b4a90853 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -40948,6 +40948,7 @@ Member role admin permission.
| `READ_ADMIN_CICD` | Read CI/CD details including runners and jobs. |
| `READ_ADMIN_DASHBOARD` | Read-only access to admin dashboard. |
| `READ_ADMIN_MONITORING` | Allows read access to system monitoring including system info, background migrations, health checks, audit logs, and gitaly in the Admin Area. |
+| `READ_ADMIN_SUBSCRIPTION` | Read subscription details in the Admin area. |
### `MemberRolePermission`
@@ -40977,6 +40978,7 @@ Member role permission.
| `READ_ADMIN_CICD` | Read CI/CD details including runners and jobs. |
| `READ_ADMIN_DASHBOARD` | Read-only access to admin dashboard. |
| `READ_ADMIN_MONITORING` | Allows read access to system monitoring including system info, background migrations, health checks, audit logs, and gitaly in the Admin Area. |
+| `READ_ADMIN_SUBSCRIPTION` | Read subscription details in the Admin area. |
| `READ_CODE` | Allows read-only access to the source code in the user interface. Does not allow users to edit or download repository archives, clone or pull repositories, view source code in an IDE, or view merge requests for private projects. You can download individual files because read-only access inherently grants the ability to make a local copy of the file. |
| `READ_COMPLIANCE_DASHBOARD` | Read compliance capabilities including adherence, violations, and frameworks for groups and projects. |
| `READ_CRM_CONTACT` | Read CRM contact. |
diff --git a/ee/app/controllers/admin/subscriptions_controller.rb b/ee/app/controllers/admin/subscriptions_controller.rb
index aeb4adb3e25e870058b677b87e23d10e507331a7..f34d4e6139e174902ccf3bbe12e54f4566222396 100644
--- a/ee/app/controllers/admin/subscriptions_controller.rb
+++ b/ee/app/controllers/admin/subscriptions_controller.rb
@@ -6,4 +6,6 @@ class Admin::SubscriptionsController < Admin::ApplicationController
feature_category :plan_provisioning
urgency :low
+
+ authorize! :read_admin_subscription, only: :show
end
diff --git a/ee/app/helpers/ee/sidebars_helper.rb b/ee/app/helpers/ee/sidebars_helper.rb
index 78cfe0b1ca077119e0c769e26a2b254b058f8a35..975253d48b1721298a755ae65241124884940971 100644
--- a/ee/app/helpers/ee/sidebars_helper.rb
+++ b/ee/app/helpers/ee/sidebars_helper.rb
@@ -3,6 +3,7 @@
module EE
module SidebarsHelper
extend ::Gitlab::Utils::Override
+ include ::Gitlab::Utils::StrongMemoize
override :project_sidebar_context_data
def project_sidebar_context_data(project, user, current_ref, **args)
@@ -75,28 +76,34 @@ def super_sidebar_context(user, group:, project:, panel:, panel_type:)
private
+ def custom_role_grants_admin_access?
+ return false unless current_user
+
+ ::Authz::Admin.new(current_user).permitted.any?
+ end
+ strong_memoize_attr :custom_role_grants_admin_access?
+
override :display_admin_area_link?
def display_admin_area_link?
return true if super
- if ::Feature.disabled?(:custom_ability_read_admin_dashboard, current_user) &&
- ::Feature.disabled?(:custom_ability_read_admin_cicd, current_user)
- return false
- end
-
- current_user&.can?(:access_admin_area)
+ custom_role_grants_admin_access?
end
override :admin_area_link
def admin_area_link
- has_access_to_dashboard = ::Feature.enabled?(:custom_ability_read_admin_dashboard, current_user)
-
- # if user does not have access to /admin (dashboard) but has access to /admin/runners then link them there
- if ::Feature.enabled?(:custom_ability_read_admin_cicd, current_user) && !has_access_to_dashboard
- return admin_runners_path
+ return super unless custom_role_grants_admin_access?
+ return super if current_user.can?(:read_admin_dashboard)
+
+ # If user does not have access to /admin (dashboard) but has access to other admin resources
+ # then link them to the first one they have access to
+ if current_user.can?(:read_admin_cicd)
+ admin_runners_path
+ elsif current_user.can?(:read_admin_subscription)
+ admin_subscription_path
+ else
+ super
end
-
- super
end
def super_sidebar_default_pins(panel_type)
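Review bot: The `if`/`elsif` chain on L115-L121 is a hand-maintained list that must be edited for every new admin ability, and it falls back to `/admin` when none match even though the user has already been shown not to hold `read_admin_dashboard` (the spec's `:admin_unknown` row pins exactly that outcome). A small ability-to-path table makes the fallback order data and keeps `admin_area_link` short. Note also that the removed code consulted the `custom_ability_*` feature flags directly; the new code relies on `::Authz::Admin#permitted` and `can?` doing so, which I cannot confirm from this diff. `super_sidebar_context` continues above this hunk.

```ruby
# Admin Area pages a custom role can unlock, in fallback order; the first ability the
# user holds decides where the "Admin area" link points when the dashboard is not readable.
ADMIN_AREA_FALLBACK_PATHS = {
  read_admin_cicd: :admin_runners_path,
  read_admin_subscription: :admin_subscription_path
}.freeze

override :admin_area_link
def admin_area_link
  return super unless custom_role_grants_admin_access?
  return super if current_user.can?(:read_admin_dashboard)

  _ability, path_helper = ADMIN_AREA_FALLBACK_PATHS.find { |ability, _| current_user.can?(ability) }
  path_helper ? public_send(path_helper) : super
end
```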
diff --git a/ee/app/helpers/license_helper.rb b/ee/app/helpers/license_helper.rb
index 4c3e451f30284382397615d67b9ddbd71b7be90d..67c95dc073694a825aa28124eaeb7bb00dbab601 100644
--- a/ee/app/helpers/license_helper.rb
+++ b/ee/app/helpers/license_helper.rb
@@ -61,7 +61,7 @@ def cloud_license_view_data
customers_portal_url: subscription_portal_manage_url,
free_trial_path: new_trial_url,
has_active_license: (has_active_license? ? 'true' : 'false'),
- license_remove_path: admin_license_path,
+ license_remove_path: (current_user.can?(:destroy_licenses) ? admin_license_path : ''),
subscription_sync_path: sync_seat_link_admin_license_path,
congratulation_svg_path: image_path('illustrations/cloud-check-sm.svg'),
license_usage_file_path: admin_license_usage_export_path(format: :csv)
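Review bot: The `''` on L135 only hides the remove button, while `subscription_sync_path` (L136) and `license_usage_file_path` (L138) stay unconditional, so a `read_admin_subscription` user who reaches this view is offered sync and CSV-export actions that, as far as this diff shows, still require a full admin and will fail for them. Gate them the same way, e.g. `subscription_sync_path: (current_user.can?(:manage_subscription) ? sync_seat_link_admin_license_path : ''),` and likewise for the export path. A blanked path is a UI affordance, not an authorization control, so `Admin::LicensesController#destroy` must keep its own admin check regardless. `cloud_license_view_data` begins above this hunk.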
diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb
index 53b4066efc666e48366d1cd56c01219dff041147..a2d8a2d8130c9dc8ca82ff79419c06c34cc8a231 100644
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -147,14 +147,15 @@ module GlobalPolicy
end
rule { admin }.policy do
- enable :read_licenses
enable :destroy_licenses
+ enable :manage_subscription
+ enable :read_admin_subscription
enable :read_all_geo
enable :read_all_workspaces
- enable :manage_subscription
+ enable :read_cloud_connector_status
enable :read_jobs_statistics
+ enable :read_licenses
enable :read_runner_usage
- enable :read_cloud_connector_status
end
rule { admin & user_allowed_to_manage_self_hosted_models_settings }.policy do
@@ -228,6 +229,12 @@ module GlobalPolicy
enable :access_admin_area
enable :read_admin_cicd
end
+
+ rule { custom_role_enables_read_admin_subscription }.policy do
+ enable :read_admin_subscription
+ enable :read_billable_member
+ enable :read_licenses
+ end
end
def duo_chat
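Review bot: The rule on L165-L169 hands a non-admin the global `read_licenses` and `read_billable_member` abilities, which until this commit were reserved for admins in admin mode (L145-L158), so any endpoint authorised solely on `can?(:read_licenses)` — presumably the license REST/GraphQL surfaces, not just the subscription page — now opens to this custom role. Please audit those callers, and in `global_policy_spec.rb` add `be_disallowed` expectations for `destroy_licenses`, `manage_subscription` and `access_admin_area` under the custom-role context so the grant cannot widen unnoticed. A comment on the rule stating why the subscription page needs the two extra abilities would help the next reviewer: `# The subscription page renders license and billable-member data, hence the extra read abilities.`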
diff --git a/ee/config/custom_abilities/read_admin_subscription.yml b/ee/config/custom_abilities/read_admin_subscription.yml
new file mode 100644
index 0000000000000000000000000000000000000000..84384cf778c746bbab0f7022bd5afff9dfa30b6e
--- /dev/null
+++ b/ee/config/custom_abilities/read_admin_subscription.yml
@@ -0,0 +1,12 @@
+---
+title: View subscription details
+name: read_admin_subscription
+description: Read subscription details in the Admin area.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/507961
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178230
+feature_category: admin
+milestone: '17.9'
+admin_ability: true
+group_ability: false
+project_ability: false
+requirements: []
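Review bot: The `description` on L181, which the generated GraphQL docs copy verbatim, undersells what the role grants: the policy rule for this ability also enables `read_licenses` and `read_billable_member`, so an admin assigning it should be told that license and billable-member data become readable. Suggest `description: Read subscription details in the Admin area, including the instance license and billable user information.` The exact wording is a guess at what those two abilities expose; adjust it to match the page.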
diff --git a/ee/config/feature_flags/wip/custom_ability_read_admin_subscription.yml b/ee/config/feature_flags/wip/custom_ability_read_admin_subscription.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f3a494188e0819c896e2653dada5eadcafb17238
--- /dev/null
+++ b/ee/config/feature_flags/wip/custom_ability_read_admin_subscription.yml
@@ -0,0 +1,9 @@
+---
+name: custom_ability_read_admin_subscription
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/507961
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178230
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/514810
+milestone: '17.9'
+group: group::authorization
+type: wip
+default_enabled: false
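Review bot: Nothing in this diff reads `custom_ability_read_admin_subscription`; the controller, policy and sidebar code all key off the ability directly, so this flag only takes effect if the custom-ability framework checks `custom_ability_<name>` flags by convention. If it does, a short comment here or in the ability YAML saying so would save the next reader the search; if it does not, `default_enabled: false` gives false comfort and the rollout issue should track wiring the check in.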
diff --git a/ee/lib/sidebars/admin/menus/subscription_menu.rb b/ee/lib/sidebars/admin/menus/subscription_menu.rb
index 32ec5f68eab80863648dceeb7af5d38dc6a66c0f..08d1aadd46103b30996ab11a051180ac8a307456 100644
--- a/ee/lib/sidebars/admin/menus/subscription_menu.rb
+++ b/ee/lib/sidebars/admin/menus/subscription_menu.rb
@@ -28,6 +28,11 @@ def extra_container_html_options
def active_routes
{ controller: :subscriptions }
end
+
+ override :render_with_abilities
+ def render_with_abilities
+ super + %i[read_admin_subscription]
+ end
end
end
end
diff --git a/ee/spec/helpers/license_helper_spec.rb b/ee/spec/helpers/license_helper_spec.rb
index bb9d74cb42ac7453de33bcb6490a476434f2d3e6..3ef9b429f242547e9fc45dbb94622872892389eb 100644
--- a/ee/spec/helpers/license_helper_spec.rb
+++ b/ee/spec/helpers/license_helper_spec.rb
@@ -79,10 +79,13 @@ def stub_default_url_options(host: "localhost", protocol: "http", port: nil, scr
end
end
- describe '#cloud_license_view_data' do
+ describe '#cloud_license_view_data', :enable_admin_mode do
+ let(:current_user) { build(:admin) }
+
before do
allow(helper).to receive(:subscription_portal_manage_url).and_return('subscriptions_manage_url')
allow(helper).to receive(:new_trial_url).and_return('new_trial_url')
+ allow(helper).to receive(:current_user).and_return(current_user)
end
context 'when there is a current license' do
@@ -116,6 +119,16 @@ def stub_default_url_options(host: "localhost", protocol: "http", port: nil, scr
license_usage_file_path: admin_license_usage_export_path(format: :csv) })
end
end
+
+ context 'when the current user cannot destroy licenses' do
+ before do
+ allow(current_user).to receive(:can?).with(:destroy_licenses).and_return(false)
+ end
+
+ it 'returns the data for the view without the license_remove_path set' do
+ expect(helper.cloud_license_view_data).to include(license_remove_path: '')
+ end
+ end
end
describe '#show_promotions?' do
diff --git a/ee/spec/helpers/sidebars_helper_spec.rb b/ee/spec/helpers/sidebars_helper_spec.rb
index 7bc1c16fea02613f73693b963509e0f396459064..a75e669d3f0c72f56a0e7ea1f362bce78eee9e39 100644
--- a/ee/spec/helpers/sidebars_helper_spec.rb
+++ b/ee/spec/helpers/sidebars_helper_spec.rb
@@ -292,14 +292,6 @@
]
end
- let_it_be(:link_to_admin_dashboard) do
- { title: s_('Navigation|Admin area'), link: '/admin', icon: 'admin' }
- end
-
- let_it_be(:link_to_admin_cicd) do
- { title: s_('Navigation|Admin area'), link: '/admin/runners', icon: 'admin' }
- end
-
subject(:sidebar_context) do
helper.super_sidebar_context(user, group: nil, project: nil, panel: panel, panel_type: panel_type)
end
@@ -317,30 +309,31 @@
end
context 'when user is allowed to access_admin_area' do
- let(:with_link_to_admin_dashboard) { [*public_links_for_user, link_to_admin_dashboard] }
- let(:with_link_to_admin_cicd) { [*public_links_for_user, link_to_admin_cicd] }
- let(:without_link_to_admin_area) { public_links_for_user }
-
- where(:read_admin_dashboard_ff, :read_admin_cicd_ff, :links) do
- false | false | ref(:without_link_to_admin_area)
- true | false | ref(:with_link_to_admin_dashboard)
- false | true | ref(:with_link_to_admin_cicd)
- true | true | ref(:with_link_to_admin_dashboard)
+ where(:admin_ability, :link) do
+ nil | nil
+ :admin_unknown | '/admin'
+ :read_admin_cicd | '/admin/runners'
+ :read_admin_dashboard | '/admin'
+ :read_admin_subscription | '/admin/subscription'
end
with_them do
before do
- allow(user).to receive(:can?).and_call_original
+ allow_next_instance_of(::Authz::Admin) do |instance|
+ allow(instance).to receive(:permitted).and_return([admin_ability]) if admin_ability
+ end
- allow(user).to receive(:can?).with(:access_admin_area).and_return(true)
+ allow(user).to receive(:can?).and_call_original
+ allow(user).to receive(:can?).with(admin_ability).and_return(true) if admin_ability
allow(user).to receive(:can_admin_all_resources?).and_return(false)
-
- stub_feature_flags(custom_ability_read_admin_dashboard: read_admin_dashboard_ff)
- stub_feature_flags(custom_ability_read_admin_cicd: read_admin_cicd_ff)
end
it 'returns the correct links' do
- expect(sidebar_context[:context_switcher_links]).to eq(links)
+ if link
+ expect(sidebar_context[:context_switcher_links]).to include(hash_including(link: link))
+ else
+ expect(sidebar_context[:context_switcher_links]).not_to include(hash_including(link: '/admin'))
+ end
end
end
end
diff --git a/ee/spec/lib/ee/sidebars/admin/menus/admin_overview_menu_spec.rb b/ee/spec/lib/ee/sidebars/admin/menus/admin_overview_menu_spec.rb
index fecf2d02b66ffebeb70fc5fa603395de1b429df1..69fd697262ae2fa4d7a2d320d7feb505d3f7c686 100644
--- a/ee/spec/lib/ee/sidebars/admin/menus/admin_overview_menu_spec.rb
+++ b/ee/spec/lib/ee/sidebars/admin/menus/admin_overview_menu_spec.rb
@@ -12,8 +12,8 @@
context 'when user is allowed to access_admin_area' do
before do
+ allow(user).to receive(:can?).and_call_original
allow(user).to receive(:can?).with(:access_admin_area).and_return(true)
- allow(user).to receive(:can_admin_all_resources?).and_return(false)
end
context 'when custom_ability_read_admin_dashboard FF is enabled' do
@@ -34,11 +34,6 @@
end
context 'when user can not access admin area' do
- before do
- allow(user).to receive(:can?).with(:access_admin_area).and_return(false)
- allow(user).to receive(:can_admin_all_resources?).and_return(false)
- end
-
it 'does not render' do
expect(admin_overview_menu.render?).to be(false)
end
diff --git a/ee/spec/lib/ee/sidebars/admin/menus/ci_cd_menu_spec.rb b/ee/spec/lib/ee/sidebars/admin/menus/ci_cd_menu_spec.rb
index 0c24a73dbc6ad87409c45968af9be8713e0367a1..35fe1911d213244db9ce6239f77da018b406668b 100644
--- a/ee/spec/lib/ee/sidebars/admin/menus/ci_cd_menu_spec.rb
+++ b/ee/spec/lib/ee/sidebars/admin/menus/ci_cd_menu_spec.rb
@@ -12,7 +12,7 @@
subject(:render?) { menu.render? }
before do
- allow(user).to receive(:can_admin_all_resources?).and_return(false)
+ allow(user).to receive(:can?).and_call_original
allow(user).to receive(:can?).with(:access_admin_area).and_return(can_access_admin_area)
end
diff --git a/ee/spec/lib/sidebars/admin/menus/subscription_menu_spec.rb b/ee/spec/lib/sidebars/admin/menus/subscription_menu_spec.rb
index 972d120f4f88de14dfffec2783b466afb304379a..fc05509a772591319862a227f63976b51e7d1372 100644
--- a/ee/spec/lib/sidebars/admin/menus/subscription_menu_spec.rb
+++ b/ee/spec/lib/sidebars/admin/menus/subscription_menu_spec.rb
@@ -3,10 +3,11 @@
require 'spec_helper'
RSpec.describe Sidebars::Admin::Menus::SubscriptionMenu, feature_category: :navigation do
- it_behaves_like 'Admin menu',
+ it_behaves_like 'Admin menu with custom ability',
link: '/admin/subscription',
title: s_('Admin|Subscription'),
- icon: 'license'
+ icon: 'license',
+ custom_ability: :read_admin_subscription
it_behaves_like 'Admin menu without sub menus', active_routes: { controller: :subscriptions }
end
diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb
index 5bce129e4196cda3b19122b3d647e60583264933..6109f2959b6d717fe261cdda6c9a291d74e518b7 100644
--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -76,6 +76,7 @@
it { is_expected.to be_disallowed(:read_all_workspaces) }
it { is_expected.to be_disallowed(:manage_subscription) }
it { is_expected.to be_disallowed(:read_cloud_connector_status) }
+ it { is_expected.to be_disallowed(:read_admin_subscription) }
context 'when admin mode enabled', :enable_admin_mode do
it { expect(described_class.new(admin, [user])).to be_allowed(:read_licenses) }
@@ -84,6 +85,7 @@
it { expect(described_class.new(admin, [user])).to be_allowed(:read_all_workspaces) }
it { expect(described_class.new(admin, [user])).to be_allowed(:manage_subscription) }
it { expect(described_class.new(admin, [user])).to be_allowed(:read_cloud_connector_status) }
+ it { expect(described_class.new(admin, [user])).to be_allowed(:read_admin_subscription) }
end
context 'when admin mode disabled' do
@@ -93,6 +95,7 @@
it { expect(described_class.new(admin, [user])).to be_disallowed(:read_all_workspaces) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:manage_subscription) }
it { expect(described_class.new(admin, [user])).to be_disallowed(:read_cloud_connector_status) }
+ it { expect(described_class.new(admin, [user])).to be_disallowed(:read_admin_subscription) }
end
shared_examples 'analytics policy' do |action|
@@ -882,8 +885,9 @@
context 'custom permissions' do
where(:custom_ability, :enabled_permissions) do
- :read_admin_dashboard | %i[read_admin_dashboard access_admin_area]
- :read_admin_cicd | %i[read_admin_cicd access_admin_area]
+ :read_admin_cicd | %i[read_admin_cicd access_admin_area]
+ :read_admin_dashboard | %i[read_admin_dashboard access_admin_area]
+ :read_admin_subscription | %i[read_admin_subscription read_billable_member read_licenses]
end
with_them do
diff --git a/ee/spec/requests/custom_roles/read_admin_subscription/request_spec.rb b/ee/spec/requests/custom_roles/read_admin_subscription/request_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..c2b6a2e9a13ae9885e9f48e4cbfd4fcefa19df3e
--- /dev/null
+++ b/ee/spec/requests/custom_roles/read_admin_subscription/request_spec.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'User with read_admin_subscription custom role', feature_category: :system_access do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:role) { create(:member_role, :read_admin_subscription) }
+ let_it_be(:user_member_role) { create(:user_member_role, member_role: role, user: user) }
+
+ before do
+ stub_licensed_features(custom_roles: true)
+
+ sign_in(user)
+ end
+
+ describe Admin::SubscriptionsController do
+ describe "#show" do
+ it 'user has access via a custom role' do
+ get admin_subscription_path
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template(:show)
+ end
+ end
+ end
+end
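Review bot: The spec only asserts the positive path (L423-L428); there is no example showing that a signed-in user without the `read_admin_subscription` role gets a 404 from this controller, nor that the role stops working when `custom_roles` is unlicensed (`stub_licensed_features(custom_roles: false)`). Those are the cases that would catch `authorize!` being wired wrong. A `context 'without the custom role'` using a plain `create(:user)` and expecting `have_gitlab_http_status(:not_found)` covers the first; the second can reuse the existing user with the license stub flipped.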
diff --git a/ee/spec/support/shared_examples/lib/sidebars/admin/menus/admin_menus_shared_examples.rb b/ee/spec/support/shared_examples/lib/sidebars/admin/menus/admin_menus_shared_examples.rb
new file mode 100644
index 0000000000000000000000000000000000000000..90a088460873e16ca6fff703790214768316ee5c
--- /dev/null
+++ b/ee/spec/support/shared_examples/lib/sidebars/admin/menus/admin_menus_shared_examples.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'Admin menu with custom ability' do |link:, title:, icon:, custom_ability:, separated: false|
+ include_examples 'Admin menu', link: link, title: title, icon: icon, separated: separated
+
+ describe '#render?' do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:role) { create(:member_role, custom_ability) }
+ let_it_be(:user_member_role) { create(:user_member_role, member_role: role, user: user) }
+ let(:context) { Sidebars::Context.new(current_user: user, container: nil) }
+
+ subject { described_class.new(context).render? }
+
+ before do
+ stub_licensed_features(custom_roles: true)
+ end
+
+ context 'when a custom ability allows access' do
+ it { is_expected.to be true }
+ end
+ end
+end
diff --git a/lib/sidebars/admin/base_menu.rb b/lib/sidebars/admin/base_menu.rb
index 897a193f67236a9c533a5d5a32873f69555e73d0..c00c248754b9e56b923f705a3f3d317f426f1122 100644
--- a/lib/sidebars/admin/base_menu.rb
+++ b/lib/sidebars/admin/base_menu.rb
@@ -7,7 +7,13 @@ class BaseMenu < ::Sidebars::Menu
def render?
return false unless context.current_user
- context.current_user.can_admin_all_resources?
+ render_with_abilities.any? { |ability| context.current_user.can?(ability) }
+ end
+
+ private
+
+ def render_with_abilities
+ %i[admin_all_resources]
end
end
end
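Review bot: `render_with_abilities` on L473-L475 is a private hook that subclasses are expected to extend with `super + %i[...]` (the subscription menu in this commit does exactly that), but nothing at the definition says so, and a subclass that replaces rather than appends would silently drop the admin case. Add a docstring above it: `# Abilities that make this menu visible; holding any one of them is enough. Subclasses override and append to super rather than replacing it, so admin_all_resources is always honoured first.` The `any?` on L468 short-circuits on the first ability, which keeps the admin path cheap — worth a brief why-comment too.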
diff --git a/spec/controllers/concerns/enforces_admin_authentication_spec.rb b/spec/controllers/concerns/enforces_admin_authentication_spec.rb
index 106b1d53fd2bd3af78b86cd5bdb4e9a4c7a69b55..331e1ada73b2ab20b4b7bab26778c96ea231b857 100644
--- a/spec/controllers/concerns/enforces_admin_authentication_spec.rb
+++ b/spec/controllers/concerns/enforces_admin_authentication_spec.rb
@@ -3,8 +3,6 @@
require 'spec_helper'
RSpec.describe EnforcesAdminAuthentication do
- include AdminModeHelper
-
let(:user) { create(:user) }
before do
@@ -19,6 +17,49 @@ def index
end
end
+ describe '.authorize!' do
+ controller(ApplicationController) do
+ include EnforcesAdminAuthentication
+
+ authorize! :ability, only: :index
+
+ def index
+ head :ok
+ end
+ end
+
+ context 'when the user is an admin', :enable_admin_mode do
+ let(:user) { create(:admin) }
+
+ it 'renders ok' do
+ get :index
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
+ context 'when the user is a regular user' do
+ it 'renders a 404' do
+ get :index
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ context 'when an ability grants access' do
+ before do
+ allow(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?).with(user, :ability, :global).and_return(true)
+ end
+
+ it 'renders ok' do
+ get :index
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+ end
+
context 'application setting :admin_mode is enabled' do
describe 'authenticate_admin!' do
context 'as an admin' do
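Review bot: The new `.authorize!` examples on L492-L533 never exercise the case that matters for admin mode: an admin (`create(:admin)`) hitting the `authorize!`ed action without `:enable_admin_mode`, which `authorize_ability!` routes back through `authenticate_admin!`. Without it, a regression that let admins bypass admin mode on these actions would still pass this spec. Add a `context 'when the user is an admin without admin mode'` asserting the same outcome as the existing admin-mode-inactive example for `authenticate_admin!` (the `admin_mode?` false assertion visible further down).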
@@ -31,11 +72,7 @@ def index
expect(assigns(:current_user_mode)&.admin_mode?).to be(false)
end
- context 'when admin mode is active' do
- before do
- enable_admin_mode!(user)
- end
-
+ context 'when admin mode is active', :enable_admin_mode do
it 'renders ok' do
get :index
diff --git a/spec/helpers/sidebars_helper_spec.rb b/spec/helpers/sidebars_helper_spec.rb
index 49e98ad52ac484520b5e8d3ea1e543a532a0f9b9..4381c6e996041a92485ec6b2d75f13b1da43db22 100644
--- a/spec/helpers/sidebars_helper_spec.rb
+++ b/spec/helpers/sidebars_helper_spec.rb
@@ -686,9 +686,9 @@
end
describe 'admin user' do
- it 'returns Admin Panel for admin nav', :aggregate_failures do
- allow(user).to receive(:can_admin_all_resources?).and_return(true)
+ let(:user) { build(:admin) }
+ it 'returns Admin Panel for admin nav', :enable_admin_mode do
expect(helper.super_sidebar_nav_panel(nav: 'admin', user: user)).to be_a(Sidebars::Admin::Panel)
end
end
diff --git a/spec/support/shared_examples/lib/sidebars/admin/menus/admin_menus_shared_examples.rb b/spec/support/shared_examples/lib/sidebars/admin/menus/admin_menus_shared_examples.rb
index 4168d8675356d8f436c6aa1d401baea7187ce01c..9077a70a8984c4e58b8f4ea3a7581b27f12236f6 100644
--- a/spec/support/shared_examples/lib/sidebars/admin/menus/admin_menus_shared_examples.rb
+++ b/spec/support/shared_examples/lib/sidebars/admin/menus/admin_menus_shared_examples.rb
@@ -4,7 +4,7 @@
let_it_be(:user) { build(:user, :admin) }
before do
- allow(user).to receive(:can_admin_all_resources?).and_return(true)
+ stub_application_setting(admin_mode: false)
end
let(:context) { Sidebars::Context.new(current_user: user, container: nil) }