diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 009fa9d76361a51a3b449c211e7cbe53d36d90c7..168f9580af54aad2182450fc35de60969379a5a7 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -1108,11 +1108,14 @@ module ProjectPolicy
 end
 
 rule { custom_role_enables_admin_protected_branch }.policy do
+ enable :admin_protected_branch
+ end
+
+ rule { can?(:admin_protected_branch) }.policy do
 enable :read_protected_branch
 enable :create_protected_branch
 enable :update_protected_branch
 enable :destroy_protected_branch
- enable :admin_protected_branch
 end
 
 rule { can?(:create_issue) & okrs_enabled }.policy do
diff --git a/ee/spec/features/projects/protected_branches_spec.rb b/ee/spec/features/projects/protected_branches_spec.rb
index da5e010651fbe2d73105c6a28bdc4f206c2f2b0a..f7c98e41102316cbe75ce2bc47aebcbf48e55741 100644
--- a/ee/spec/features/projects/protected_branches_spec.rb
+++ b/ee/spec/features/projects/protected_branches_spec.rb
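Review bot: The new `rule { can?(:admin_protected_branch) }` block makes `:destroy_protected_branch` follow from `:admin_protected_branch` whichever rule granted it, not only the custom-role condition. The `lib/gitlab/user_access.rb` hunk of this commit then makes `:destroy_protected_branch` the check for deleting a protected branch. That coupling is not visible from the policy file, so I would document it on the rule: `# NOTE: :destroy_protected_branch also decides protected-branch deletion in Gitlab::UserAccess, so granting :admin_protected_branch grants that deletion.` It is also worth confirming that any `prevent` that applied to `:push_to_delete_protected_branch` has a counterpart for `:destroy_protected_branch` or `:admin_protected_branch`; those rules, if they exist, are outside this hunk.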
@@ -5,21 +5,53 @@
 RSpec.describe 'Protected Branches', :js, feature_category: :source_code_management do
 include ProtectedBranchHelpers
 
- context 'when a guest has custom roles with `admin_protected_branch` assigned' do
- let_it_be(:user) { create(:user) }
- let_it_be(:admin) { create(:admin) }
- let_it_be(:group) { create(:group) }
- let_it_be(:project) { create(:project, :repository, group: group) }
+ let_it_be(:admin) { create(:admin) }
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project) { create(:project, :repository, group: group, create_branch: 'protected') }
+
+ context 'when a guest has custom role with `admin_protected_branch` assigned' do
+ let_it_be(:guest) { create(:user) }
+
 let_it_be(:role) { create(:member_role, :guest, :admin_protected_branch, namespace: group) }
- let_it_be(:membership) { create(:group_member, :guest, member_role: role, user: user, group: group) }
+ let_it_be(:membership) { create(:group_member, :guest, member_role: role, user: guest, group: group) }
 
 let(:success_message) { s_('ProtectedBranch|Protected branch was successfully created') }
 
 before do
 stub_licensed_features(custom_roles: true)
- sign_in(user)
+ sign_in(guest)
 end
 
 it_behaves_like 'setting project protected branches'
 end
+
+ context 'when a developer has custom role with `admin_protected_branch` assigned' do
+ # Only Developer+ roles can access the project branches page
+ let_it_be(:developer) { create(:user) }
+
+ let_it_be(:role) { create(:member_role, :developer, :admin_protected_branch, namespace: group) }
+ let_it_be(:membership) { create(:group_member, :developer, member_role: role, user: developer, group: group) }
+
+ let_it_be(:branch) { create(:protected_branch, project: project, name: 'protected') }
+
+ before do
+ stub_licensed_features(custom_roles: true)
+ sign_in(developer)
+ end
+
+ it 'allows developer to remove protected branch' do
+ visit project_branches_path(project)
+
+ find('input[data-testid="branch-search"]').set('protected')
+ find('input[data-testid="branch-search"]').native.send_keys(:enter)
+
+ within('[data-name="protected"]') do
+ within_testid('branch-more-actions') do
+ find('.gl-new-dropdown-toggle').click
+ end
+ end
+
+ expect(page).to have_button('Delete protected branch')
+ end
+ end
 end
diff --git a/ee/spec/lib/gitlab/user_access_spec.rb b/ee/spec/lib/gitlab/user_access_spec.rb
index a9869d7f5551cb967787488aa478610558d1d773..3f8d38160cb619280c4cc89c2c9fd182d6c37774 100644
--- a/ee/spec/lib/gitlab/user_access_spec.rb
+++ b/ee/spec/lib/gitlab/user_access_spec.rb
@@ -2,15 +2,16 @@
 
 require 'spec_helper'
 
-RSpec.describe Gitlab::UserAccess do
+RSpec.describe Gitlab::UserAccess, feature_category: :permissions do
 include ExternalAuthorizationServiceHelpers
 
- let(:user) { create(:user) }
- let(:access) { described_class.new(user, container: project) }
+ let_it_be_with_reload(:user) { create(:user) }
+
+ subject(:access) { described_class.new(user, container: project) }
 
 describe '#can_push_to_branch?' do
 describe 'push to empty project' do
- let(:project) { create(:project_empty_repo) }
+ let_it_be(:project) { create(:project_empty_repo) }
 
 it 'returns false when the external service denies access' do
 project.add_maintainer(user)
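Review bot: In `protected_branches_spec.rb`, the example `allows developer to remove protected branch` stops at `expect(page).to have_button('Delete protected branch')`, so it only shows that the action is rendered, not that the deletion is authorized end to end. Either rename it to what it checks, `it 'shows the delete action for the protected branch' do`, or click through the confirmation and assert that the branch is gone. A negative example in the same file, where a developer without the custom role does not get the button, would pin the boundary this change moves.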
@@ -20,4 +21,39 @@
 end
 end
 end
+
+ describe '#can_delete_branch?' do
+ context 'when a user has custom roles with `admin_protected_branch` assigned' do
+ let_it_be(:project) { create(:project, :repository, :in_group) }
+
+ let_it_be(:role) { create(:member_role, :developer, :admin_protected_branch, namespace: project.group) }
+ let_it_be(:project_member) do
+ create(:project_member, :developer, member_role: role, user: user, project: project)
+ end
+
+ describe 'delete protected branch' do
+ let_it_be(:branch) { create(:protected_branch, project: project, name: "test") }
+
+ context 'when custom roles is enabled' do
+ before do
+ stub_licensed_features(custom_roles: true)
+ end
+
+ it 'returns true' do
+ expect(access.can_delete_branch?(branch.name)).to be(true)
+ end
+ end
+
+ context 'when custom roles is disabled' do
+ before do
+ stub_licensed_features(custom_roles: false)
+ end
+
+ it 'returns false' do
+ expect(access.can_delete_branch?(branch.name)).to be(false)
+ end
+ end
+ end
+ end
+ end
 end
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index a777c727a4aa27ae486bced1807a61057b6f1477..2bde78db022c669e846729752651b19399785bbc 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -55,7 +55,7 @@ def allowed?
 return false unless can_access_git?
 
 if protected?(ProtectedBranch, ref)
- user.can?(:push_to_delete_protected_branch, container)
+ user.can?(:destroy_protected_branch, container)
 else
 can_push?
 end
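Review bot: Both contexts under `#can_delete_branch?` use the same member with the custom role and only toggle the licence, so nothing shows that a developer without the `admin_protected_branch` role is still refused while `custom_roles` is licensed. Add a sibling context with a plain developer member and assert `expect(access.can_delete_branch?(branch.name)).to be(false)` there. A maintainer case returning `true` would also guard the ability swap in `lib/gitlab/user_access.rb`, unless a non-EE spec outside this diff already covers it.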
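Review bot: The check on the protected branch path in `lib/gitlab/user_access.rb` now depends on `:destroy_protected_branch`, and the only rule in this commit that enables that ability lives under `ee/`. Please confirm that the non-EE project policy enables it for the roles that previously held `:push_to_delete_protected_branch`; otherwise deletion of protected branches stops working there. If the old ability is no longer checked anywhere, it should be removed from the policy rather than left granting nothing. A short comment above the call would record the intent: `# Protected refs: deletion is decided by :destroy_protected_branch, not by push access.` The enclosing method's signature is outside the hunk, and the `def allowed?` in the hunk header may not be it, since the spec reaches this path through `can_delete_branch?`.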