From 210b3388d6f8595ce9751db3ed5a0dd175fcc38c Mon Sep 17 00:00:00 2001 From: manojmj Date: Mon, 20 Apr 2020 13:07:23 +0530 Subject: [PATCH 1/9] Add licensed feature policies This change adds licensed feature policies --- ee/app/models/license.rb | 2 + ee/app/policies/ee/base_policy.rb | 5 ++ ee/app/policies/ee/global_policy.rb | 4 ++ ee/app/policies/ee/group_policy.rb | 4 ++ ee/spec/policies/global_policy_spec.rb | 98 ++++++++++++++++++++++++++ ee/spec/policies/group_policy_spec.rb | 98 ++++++++++++++++++++++++++ 6 files changed, 211 insertions(+) diff --git a/ee/app/models/license.rb b/ee/app/models/license.rb index cb3c722d011fa0..3b496402d61b96 100644 --- a/ee/app/models/license.rb +++ b/ee/app/models/license.rb @@ -89,6 +89,7 @@ class License < ApplicationRecord operations_dashboard packages pages_size_limit + prevent_group_owners_from_managing_default_branch_protection productivity_analytics project_aliases protected_environments @@ -211,6 +212,7 @@ class License < ApplicationRecord multiple_ldap_servers object_storage pages_size_limit + prevent_group_owners_from_managing_default_branch_protection project_aliases repository_size_limit required_ci_templates diff --git a/ee/app/policies/ee/base_policy.rb b/ee/app/policies/ee/base_policy.rb index 6c64a3a70f32db..5ec05fa441fa20 100644 --- a/ee/app/policies/ee/base_policy.rb +++ b/ee/app/policies/ee/base_policy.rb @@ -18,6 +18,11 @@ module BasePolicy condition(:license_block) { License.block_changes? } rule { auditor }.enable :read_all_resources + + condition(:allow_to_manage_default_branch_protection) do + !License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) | + ::Gitlab::CurrentSettings.group_owners_can_manage_default_branch_protection + end end end end diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb index 7e2b05539eb41a..849333bb616e6d 100644 --- a/ee/app/policies/ee/global_policy.rb +++ b/ee/app/policies/ee/global_policy.rb @@ -26,6 +26,10 @@ module GlobalPolicy rule { ~anonymous }.policy do enable :view_productivity_analytics end + + rule { ~(admin | allow_to_manage_default_branch_protection) }.policy do + prevent :create_group_with_default_branch_protection + end end end end diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb index 58e0795072bf0a..26938081e9cabb 100644 --- a/ee/app/policies/ee/group_policy.rb +++ b/ee/app/policies/ee/group_policy.rb @@ -177,6 +177,10 @@ module GroupPolicy rule { ~group_timelogs_available }.prevent :read_group_timelogs rule { can?(:read_cluster) & cluster_health_available }.enable :read_cluster_health + + rule { ~(admin | allow_to_manage_default_branch_protection) }.policy do + prevent :update_default_branch_protection + end end override :lookup_access_level! diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb index 2c8410fa4f2e60..78a23a33b2ddf0 100644 --- a/ee/spec/policies/global_policy_spec.rb +++ b/ee/spec/policies/global_policy_spec.rb @@ -74,4 +74,102 @@ it { expect(described_class.new(create(:admin), [user])).to be_disallowed(:update_max_pages_size) } end + + describe 'create_group_with_default_branch_protection' do + context 'for an admin' do + let(:current_user) { create(:admin) } + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } + end + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } + end + end + end + + context 'for a normal user' do + let(:current_user) { create(:user) } + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it { is_expected.to be_disallowed(:create_group_with_default_branch_protection) } + end + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it { is_expected.to be_allowed(:create_group_with_default_branch_protection) } + end + end + end + end end diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb index b78b9983c4c78f..f4d6449f5a3dd6 100644 --- a/ee/spec/policies/group_policy_spec.rb +++ b/ee/spec/policies/group_policy_spec.rb @@ -739,4 +739,102 @@ end end end + + describe 'update_default_branch_protection' do + context 'for an admin' do + let(:current_user) { admin } + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it { is_expected.to be_allowed(:update_default_branch_protection) } + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it { is_expected.to be_allowed(:update_default_branch_protection) } + end + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it { is_expected.to be_allowed(:update_default_branch_protection) } + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it { is_expected.to be_allowed(:update_default_branch_protection) } + end + end + end + + context 'for an owner' do + let(:current_user) { owner } + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it { is_expected.to be_allowed(:update_default_branch_protection) } + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it { is_expected.to be_disallowed(:update_default_branch_protection) } + end + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it { is_expected.to be_allowed(:update_default_branch_protection) } + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it { is_expected.to be_allowed(:update_default_branch_protection) } + end + end + end + end end -- GitLab From 203e69561de16cdd5cca7517ec8160cb4f8606b0 Mon Sep 17 00:00:00 2001 From: manojmj Date: Mon, 20 Apr 2020 14:22:44 +0530 Subject: [PATCH 2/9] Add changes to ApplicationSettings controller This change adds setting to the controller --- .../application_settings/_visibility_and_access.html.haml | 1 + .../ee/admin/application_settings_controller.rb | 4 ++++ ...can_manage_default_branch_protection_setting.html.haml | 8 ++++++++ .../admin/application_settings_controller_spec.rb | 7 +++++++ 4 files changed, 20 insertions(+) create mode 100644 ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml diff --git a/app/views/admin/application_settings/_visibility_and_access.html.haml b/app/views/admin/application_settings/_visibility_and_access.html.haml index a4acbe6c885583..3c4fc75dbeee3f 100644 --- a/app/views/admin/application_settings/_visibility_and_access.html.haml +++ b/app/views/admin/application_settings/_visibility_and_access.html.haml @@ -3,6 +3,7 @@ %fieldset = render 'shared/default_branch_protection', f: f, selected_level: @application_setting.default_branch_protection + = render_if_exists 'admin/application_settings/group_owners_can_manage_default_branch_protection_setting', form: f .form-group = f.label s_('ProjectCreationLevel|Default project creation protection'), class: 'label-bold' diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb index 8ab66fe22f9c8a..3166cb81a7e91c 100644 --- a/ee/app/controllers/ee/admin/application_settings_controller.rb +++ b/ee/app/controllers/ee/admin/application_settings_controller.rb @@ -58,6 +58,10 @@ def visible_application_setting_attributes attrs << :npm_package_requests_forwarding end + if License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) + attrs << :group_owners_can_manage_default_branch_protection + end + attrs end diff --git a/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml b/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml new file mode 100644 index 00000000000000..932cac43b2f5e0 --- /dev/null +++ b/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml @@ -0,0 +1,8 @@ +- return unless License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) + +- f = local_assigns.fetch(:form) + +.form-group.form-check + = f.check_box :group_owners_can_manage_default_branch_protection, class: 'form-check-input' + = f.label :group_owners_can_manage_default_branch_protection, class: 'form-check-label' do + = _('Allow owners to manage default branch protection in groups') diff --git a/ee/spec/controllers/admin/application_settings_controller_spec.rb b/ee/spec/controllers/admin/application_settings_controller_spec.rb index c1faf63eea273e..ea2184789ebb6e 100644 --- a/ee/spec/controllers/admin/application_settings_controller_spec.rb +++ b/ee/spec/controllers/admin/application_settings_controller_spec.rb @@ -111,6 +111,13 @@ it_behaves_like 'settings for licensed features' end + context 'updating `group_owners_can_manage_default_branch_protection` setting' do + let(:settings) { { group_owners_can_manage_default_branch_protection: false } } + let(:feature) { :prevent_group_owners_from_managing_default_branch_protection } + + it_behaves_like 'settings for licensed features' + end + context 'updating npm packages request forwarding setting' do let(:settings) { { npm_package_requests_forwarding: true } } let(:feature) { :packages } -- GitLab From 9f444f087b1ac5e8b7b5b9c784357a1ab2853c58 Mon Sep 17 00:00:00 2001 From: manojmj Date: Mon, 20 Apr 2020 14:32:17 +0530 Subject: [PATCH 3/9] Add API changes This commit adds changes to the API --- ee/app/helpers/ee/application_settings_helper.rb | 1 + ee/lib/ee/api/entities/application_setting.rb | 1 + ee/lib/ee/api/helpers/settings_helpers.rb | 1 + ee/lib/ee/api/settings.rb | 4 ++++ ee/spec/requests/api/settings_spec.rb | 7 +++++++ 5 files changed, 14 insertions(+) diff --git a/ee/app/helpers/ee/application_settings_helper.rb b/ee/app/helpers/ee/application_settings_helper.rb index f96f511dcdeb05..b84dc4407a7651 100644 --- a/ee/app/helpers/ee/application_settings_helper.rb +++ b/ee/app/helpers/ee/application_settings_helper.rb @@ -92,6 +92,7 @@ def self.possible_licensed_attributes %i[ email_additional_text file_template_project_id + group_owners_can_manage_default_branch_protection default_project_deletion_protection deletion_adjourned_period updating_name_disabled_for_users diff --git a/ee/lib/ee/api/entities/application_setting.rb b/ee/lib/ee/api/entities/application_setting.rb index 6ed6cecda844a4..276b5b936070b9 100644 --- a/ee/lib/ee/api/entities/application_setting.rb +++ b/ee/lib/ee/api/entities/application_setting.rb @@ -19,6 +19,7 @@ module ApplicationSetting expose :deletion_adjourned_period, if: ->(_instance, _opts) { ::License.feature_available?(:adjourned_deletion_for_projects_and_groups) } expose :updating_name_disabled_for_users, if: ->(_instance, _opts) { ::License.feature_available?(:disable_name_update_for_users) } expose :npm_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:packages) } + expose :group_owners_can_manage_default_branch_protection, if: ->(_instance, _opts) { ::License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) } end end end diff --git a/ee/lib/ee/api/helpers/settings_helpers.rb b/ee/lib/ee/api/helpers/settings_helpers.rb index 1857c56cee3f6f..bee0f0f6134758 100644 --- a/ee/lib/ee/api/helpers/settings_helpers.rb +++ b/ee/lib/ee/api/helpers/settings_helpers.rb @@ -42,6 +42,7 @@ module SettingsHelpers optional :prevent_merge_requests_author_approval, type: Grape::API::Boolean, desc: 'Disable Merge request author ability to approve request.' optional :prevent_merge_requests_committers_approval, type: Grape::API::Boolean, desc: 'Disable Merge request committer ability to approve request.' optional :npm_package_requests_forwarding, type: Grape::API::Boolean, desc: 'NPM package requests are forwarded to npmjs.org if not found on GitLab.' + optional :group_owners_can_manage_default_branch_protection, type: Grape::API::Boolean, desc: 'Allow owners to manage default branch protection in groups' end end diff --git a/ee/lib/ee/api/settings.rb b/ee/lib/ee/api/settings.rb index 75422b9d20264b..8f72c12dfcab7a 100644 --- a/ee/lib/ee/api/settings.rb +++ b/ee/lib/ee/api/settings.rb @@ -43,6 +43,10 @@ def filter_attributes_using_license(attrs) attrs = attrs.except(:npm_package_requests_forwarding) end + unless License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) + attrs = attrs.except(:group_owners_can_manage_default_branch_protection) + end + attrs end end diff --git a/ee/spec/requests/api/settings_spec.rb b/ee/spec/requests/api/settings_spec.rb index bbd6aead92c543..320ffde6e010eb 100644 --- a/ee/spec/requests/api/settings_spec.rb +++ b/ee/spec/requests/api/settings_spec.rb @@ -143,6 +143,13 @@ it_behaves_like 'settings for licensed features' end + context 'group_owners_can_manage_default_branch_protection setting' do + let(:settings) { { group_owners_can_manage_default_branch_protection: false } } + let(:feature) { :prevent_group_owners_from_managing_default_branch_protection } + + it_behaves_like 'settings for licensed features' + end + context 'deletion adjourned period' do let(:settings) { { deletion_adjourned_period: 5 } } let(:feature) { :adjourned_deletion_for_projects_and_groups } -- GitLab From 17e74e31375d30ac6484a96a42a1beae4828131a Mon Sep 17 00:00:00 2001 From: manojmj Date: Mon, 20 Apr 2020 15:32:37 +0530 Subject: [PATCH 4/9] Add translation text --- locale/gitlab.pot | 3 +++ 1 file changed, 3 insertions(+) diff --git a/locale/gitlab.pot b/locale/gitlab.pot index b8c6a824d85c29..dee73334a5afb4 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -1809,6 +1809,9 @@ msgstr "" msgid "Allow only the selected protocols to be used for Git access." msgstr "" +msgid "Allow owners to manage default branch protection in groups" +msgstr "" + msgid "Allow owners to manually add users outside of LDAP" msgstr "" -- GitLab From 3320b51284203f2ef322bea1f1952cc76821b0ab Mon Sep 17 00:00:00 2001 From: manojmj Date: Mon, 20 Apr 2020 16:18:44 +0530 Subject: [PATCH 5/9] Add controller tests --- .../controllers/ee/groups_controller_spec.rb | 241 ++++++++++++++++++ 1 file changed, 241 insertions(+) diff --git a/ee/spec/controllers/ee/groups_controller_spec.rb b/ee/spec/controllers/ee/groups_controller_spec.rb index 4437955857fde1..fe944a73fcf7e2 100644 --- a/ee/spec/controllers/ee/groups_controller_spec.rb +++ b/ee/spec/controllers/ee/groups_controller_spec.rb @@ -247,6 +247,126 @@ expect(response).to have_gitlab_http_status(:found) end end + + context 'when creating a group with `default_branch_protection` attribute' do + subject do + post :create, params: { group: { name: 'new_group', path: 'new_group', default_branch_protection: Gitlab::Access::PROTECTION_NONE } } + end + + shared_examples_for 'creates group with the specified branch protection level' do + it 'creates group with the specified branch protection level' do + subject + + expect(response).to have_gitlab_http_status(:found) + expect(Group.last.default_branch_protection).to eq(Gitlab::Access::PROTECTION_NONE) + end + end + + context 'for an admin', :enable_admin_mode do + before do + sign_in(create(:admin)) + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it_behaves_like 'creates group with the specified branch protection level' + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it_behaves_like 'creates group with the specified branch protection level' + end + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it_behaves_like 'creates group with the specified branch protection level' + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it_behaves_like 'creates group with the specified branch protection level' + end + end + end + + context 'for a normal user' do + before do + sign_in(user) + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it_behaves_like 'creates group with the specified branch protection level' + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it 'does not create the group with the specified branch protection level' do + subject + + expect(response).to have_gitlab_http_status(:found) + expect(Group.last.default_branch_protection).not_to eq(Gitlab::Access::PROTECTION_NONE) + end + end + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it_behaves_like 'creates group with the specified branch protection level' + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it_behaves_like 'creates group with the specified branch protection level' + end + end + end + end end describe 'PUT #update' do @@ -369,5 +489,126 @@ end end end + + context 'when `default_branch_protection` is specified' do + subject do + put :update, params: { id: group.to_param, group: { default_branch_protection: Gitlab::Access::PROTECTION_NONE } } + end + + shared_examples_for 'updates the attribute' do + it 'updates the attribute' do + subject + + expect(response).to have_gitlab_http_status(:found) + expect(group.reload.default_branch_protection).to eq(Gitlab::Access::PROTECTION_NONE) + end + end + + context 'for an admin', :enable_admin_mode do + before do + sign_in(create(:admin)) + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it_behaves_like 'updates the attribute' + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it_behaves_like 'updates the attribute' + end + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it_behaves_like 'updates the attribute' + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it_behaves_like 'updates the attribute' + end + end + end + + context 'for a normal user' do + before do + group.add_owner(user) + sign_in(user) + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it_behaves_like 'updates the attribute' + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it 'does not update the attribute' do + subject + + expect(response).to have_gitlab_http_status(:found) + expect(group.reload.default_branch_protection).not_to eq(Gitlab::Access::PROTECTION_NONE) + end + end + end + + context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) + end + + it_behaves_like 'updates the attribute' + end + + context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do + before do + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) + end + + it_behaves_like 'updates the attribute' + end + end + end + end end end -- GitLab From e4e683386110da33abee0a2d93b7e98d0d97aeac Mon Sep 17 00:00:00 2001 From: manojmj Date: Mon, 20 Apr 2020 16:56:49 +0530 Subject: [PATCH 6/9] Add API tests --- ee/spec/requests/api/groups_spec.rb | 112 ++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) diff --git a/ee/spec/requests/api/groups_spec.rb b/ee/spec/requests/api/groups_spec.rb index 28620236fa1270..ffd50164ac872d 100644 --- a/ee/spec/requests/api/groups_spec.rb +++ b/ee/spec/requests/api/groups_spec.rb @@ -158,6 +158,60 @@ end end end + + context 'default_branch_protection' do + using RSpec::Parameterized::TableSyntax + + let(:params) { { default_branch_protection: Gitlab::Access::PROTECTION_NONE } } + + context 'authenticated as an admin' do + let(:user) { admin } + + where(:feature_enabled, :setting_enabled, :default_branch_protection) do + false | false | Gitlab::Access::PROTECTION_NONE + false | true | Gitlab::Access::PROTECTION_NONE + true | false | Gitlab::Access::PROTECTION_NONE + false | false | Gitlab::Access::PROTECTION_NONE + end + + with_them do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) + end + + it 'updates the attribute as expected' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['default_branch_protection']).to eq(default_branch_protection) + end + end + end + + context 'authenticated a normal user' do + where(:feature_enabled, :setting_enabled, :default_branch_protection) do + false | false | Gitlab::Access::PROTECTION_NONE + false | true | Gitlab::Access::PROTECTION_NONE + true | false | Gitlab::Access::PROTECTION_FULL + false | false | Gitlab::Access::PROTECTION_NONE + end + + with_them do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) + end + + it 'updates the attribute as expected' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['default_branch_protection']).to eq(default_branch_protection) + end + end + end + end end describe "POST /groups" do @@ -197,6 +251,64 @@ end end end + + context 'when creating a group with `default_branch_protection` attribute' do + using RSpec::Parameterized::TableSyntax + + let(:params) { attributes_for_group_api(default_branch_protection: Gitlab::Access::PROTECTION_NONE) } + + subject do + post api("/groups", user), params: params + end + + context 'authenticated as an admin' do + let(:user) { admin } + + where(:feature_enabled, :setting_enabled, :default_branch_protection) do + false | false | Gitlab::Access::PROTECTION_NONE + false | true | Gitlab::Access::PROTECTION_NONE + true | false | Gitlab::Access::PROTECTION_NONE + false | false | Gitlab::Access::PROTECTION_NONE + end + + with_them do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) + end + + it 'creates the group with the expected `default_branch_protection` value' do + subject + + expect(response).to have_gitlab_http_status(:created) + expect(json_response['default_branch_protection']).to eq(default_branch_protection) + end + end + end + + context 'authenticated a normal user' do + where(:feature_enabled, :setting_enabled, :default_branch_protection) do + false | false | Gitlab::Access::PROTECTION_NONE + false | true | Gitlab::Access::PROTECTION_NONE + true | false | Gitlab::Access::PROTECTION_FULL + false | false | Gitlab::Access::PROTECTION_NONE + end + + with_them do + before do + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) + end + + it 'creates the group with the expected `default_branch_protection` value' do + subject + + expect(response).to have_gitlab_http_status(:created) + expect(json_response['default_branch_protection']).to eq(default_branch_protection) + end + end + end + end end describe 'POST /groups/:id/ldap_sync' do -- GitLab From 8c08ef7d30541a7993bb5c50db4d7bf3f8324e1d Mon Sep 17 00:00:00 2001 From: manojmj Date: Mon, 20 Apr 2020 17:10:15 +0530 Subject: [PATCH 7/9] Add controller specs --- .../controllers/ee/groups_controller_spec.rb | 244 +++++------------- 1 file changed, 63 insertions(+), 181 deletions(-) diff --git a/ee/spec/controllers/ee/groups_controller_spec.rb b/ee/spec/controllers/ee/groups_controller_spec.rb index fe944a73fcf7e2..b855f0098b7d3f 100644 --- a/ee/spec/controllers/ee/groups_controller_spec.rb +++ b/ee/spec/controllers/ee/groups_controller_spec.rb @@ -249,121 +249,62 @@ end context 'when creating a group with `default_branch_protection` attribute' do - subject do - post :create, params: { group: { name: 'new_group', path: 'new_group', default_branch_protection: Gitlab::Access::PROTECTION_NONE } } + using RSpec::Parameterized::TableSyntax + + let(:params) do + { group: { name: 'new_group', path: 'new_group', default_branch_protection: Gitlab::Access::PROTECTION_NONE } } end - shared_examples_for 'creates group with the specified branch protection level' do - it 'creates group with the specified branch protection level' do + subject { post :create, params: params } + + shared_examples_for 'creates the group with the expected `default_branch_protection` value' do + it 'creates the group with the expected `default_branch_protection` value' do subject expect(response).to have_gitlab_http_status(:found) - expect(Group.last.default_branch_protection).to eq(Gitlab::Access::PROTECTION_NONE) + expect(Group.last.default_branch_protection).to eq(default_branch_protection) end end - context 'for an admin', :enable_admin_mode do - before do - sign_in(create(:admin)) - end + context 'authenticated as an admin', :enable_admin_mode do + let_it_be(:user) { create(:admin) } - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do - before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) - end - - it_behaves_like 'creates group with the specified branch protection level' - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) - end - - it_behaves_like 'creates group with the specified branch protection level' - end + where(:feature_enabled, :setting_enabled, :default_branch_protection) do + false | false | Gitlab::Access::PROTECTION_NONE + false | true | Gitlab::Access::PROTECTION_NONE + true | false | Gitlab::Access::PROTECTION_NONE + false | false | Gitlab::Access::PROTECTION_NONE end - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + with_them do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) - end + sign_in(user) - context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) - end - - it_behaves_like 'creates group with the specified branch protection level' + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end - context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) - end - - it_behaves_like 'creates group with the specified branch protection level' - end + it_behaves_like 'creates the group with the expected `default_branch_protection` value' end end - context 'for a normal user' do - before do - sign_in(user) + context 'authenticated a normal user' do + where(:feature_enabled, :setting_enabled, :default_branch_protection) do + false | false | Gitlab::Access::PROTECTION_NONE + false | true | Gitlab::Access::PROTECTION_NONE + true | false | Gitlab::Access::PROTECTION_FULL + false | false | Gitlab::Access::PROTECTION_NONE end - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + with_them do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) - end + sign_in(user) - it_behaves_like 'creates group with the specified branch protection level' + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end - context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) - end - - it 'does not create the group with the specified branch protection level' do - subject - - expect(response).to have_gitlab_http_status(:found) - expect(Group.last.default_branch_protection).not_to eq(Gitlab::Access::PROTECTION_NONE) - end - end - end - - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do - before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) - end - - it_behaves_like 'creates group with the specified branch protection level' - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) - end - - it_behaves_like 'creates group with the specified branch protection level' - end + it_behaves_like 'creates the group with the expected `default_branch_protection` value' end end end @@ -491,122 +432,63 @@ end context 'when `default_branch_protection` is specified' do - subject do - put :update, params: { id: group.to_param, group: { default_branch_protection: Gitlab::Access::PROTECTION_NONE } } + using RSpec::Parameterized::TableSyntax + + let(:params) do + { id: group.to_param, group: { default_branch_protection: Gitlab::Access::PROTECTION_NONE } } end + subject { put :update, params: params } + shared_examples_for 'updates the attribute' do it 'updates the attribute' do subject expect(response).to have_gitlab_http_status(:found) - expect(group.reload.default_branch_protection).to eq(Gitlab::Access::PROTECTION_NONE) + expect(group.reload.default_branch_protection).to eq(default_branch_protection) end end - context 'for an admin', :enable_admin_mode do - before do - sign_in(create(:admin)) - end + context 'authenticated as admin', :enable_admin_mode do + let_it_be(:user) { create(:admin) } - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do - before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) - end - - it_behaves_like 'updates the attribute' - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) - end - - it_behaves_like 'updates the attribute' - end + where(:feature_enabled, :setting_enabled, :default_branch_protection) do + false | false | Gitlab::Access::PROTECTION_NONE + false | true | Gitlab::Access::PROTECTION_NONE + true | false | Gitlab::Access::PROTECTION_NONE + false | false | Gitlab::Access::PROTECTION_NONE end - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + with_them do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) - end + sign_in(user) - context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) - end - - it_behaves_like 'updates the attribute' + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end - context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) - end - - it_behaves_like 'updates the attribute' - end + it_behaves_like 'updates the attribute' end end - context 'for a normal user' do - before do - group.add_owner(user) - sign_in(user) + context 'authenticated as group owner' do + where(:feature_enabled, :setting_enabled, :default_branch_protection) do + false | false | Gitlab::Access::PROTECTION_NONE + false | true | Gitlab::Access::PROTECTION_NONE + true | false | Gitlab::Access::PROTECTION_FULL + false | false | Gitlab::Access::PROTECTION_NONE end - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + with_them do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) - end + group.add_owner(user) + sign_in(user) - it_behaves_like 'updates the attribute' + stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end - context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) - end - - it 'does not update the attribute' do - subject - - expect(response).to have_gitlab_http_status(:found) - expect(group.reload.default_branch_protection).not_to eq(Gitlab::Access::PROTECTION_NONE) - end - end - end - - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do - before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: true) - end - - it_behaves_like 'updates the attribute' - end - - context 'when the setting `group_owners_can_manage_default_branch_protection` is disabled' do - before do - stub_ee_application_setting(group_owners_can_manage_default_branch_protection: false) - end - - it_behaves_like 'updates the attribute' - end + it_behaves_like 'updates the attribute' end end end -- GitLab From 0c1dbe9bf7fc5adcaaad64e291aecdbe7b87d4cd Mon Sep 17 00:00:00 2001 From: manojmj Date: Mon, 20 Apr 2020 17:40:26 +0530 Subject: [PATCH 8/9] Add new changelog --- ...instance-level-setting-for-default-branch-protection.yml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ee/changelogs/unreleased/211944-provide-instance-level-setting-for-default-branch-protection.yml diff --git a/ee/changelogs/unreleased/211944-provide-instance-level-setting-for-default-branch-protection.yml b/ee/changelogs/unreleased/211944-provide-instance-level-setting-for-default-branch-protection.yml new file mode 100644 index 00000000000000..d9cbeacb089851 --- /dev/null +++ b/ee/changelogs/unreleased/211944-provide-instance-level-setting-for-default-branch-protection.yml @@ -0,0 +1,6 @@ +--- +title: Provide instance level setting to enable or disable 'default branch protection' + at the group level for group owners +merge_request: 28997 +author: +type: added -- GitLab From c1957ef1dd1806cc56c562849ec3949fb51393a7 Mon Sep 17 00:00:00 2001 From: manojmj Date: Wed, 22 Apr 2020 14:04:52 +0530 Subject: [PATCH 9/9] Address review comments This change addresses review comments --- .../settings/visibility_and_access_controls.md | 15 +++++++++++++++ doc/user/group/index.md | 3 +++ .../ee/admin/application_settings_controller.rb | 2 +- ee/app/models/license.rb | 4 ++-- ee/app/policies/ee/base_policy.rb | 5 ++++- ...e_default_branch_protection_setting.html.haml | 4 ++-- ee/lib/ee/api/entities/application_setting.rb | 2 +- ee/lib/ee/api/settings.rb | 2 +- .../application_settings_controller_spec.rb | 2 +- ee/spec/controllers/ee/groups_controller_spec.rb | 8 ++++---- ee/spec/policies/global_policy_spec.rb | 16 ++++++++-------- ee/spec/policies/group_policy_spec.rb | 16 ++++++++-------- ee/spec/requests/api/groups_spec.rb | 8 ++++---- ee/spec/requests/api/settings_spec.rb | 2 +- locale/gitlab.pot | 2 +- 15 files changed, 56 insertions(+), 35 deletions(-) diff --git a/doc/user/admin_area/settings/visibility_and_access_controls.md b/doc/user/admin_area/settings/visibility_and_access_controls.md index 322dcfc8b9b436..d38637e2e9eda3 100644 --- a/doc/user/admin_area/settings/visibility_and_access_controls.md +++ b/doc/user/admin_area/settings/visibility_and_access_controls.md @@ -28,6 +28,21 @@ For more details, see [Protected branches](../../project/protected_branches.md). To change this setting for a specific group, see [Default branch protection for groups](../../group/index.md#changing-the-default-branch-protection-of-a-group) +### Disable group owners from updating default branch protection **(PREMIUM ONLY)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/211944) in GitLab 13.0. + +By default, group owners are allowed to override the branch protection set at the global level. + +In [GitLab Premium or higher](https://about.gitlab.com/pricing/), GitLab administrators can disable this privilege of group owners. + +To do this: + +1. Uncheck the **Allow owners to manage default branch protection in groups** checkbox. + +NOTE: **Note:** +GitLab administrators can still update the default branch protection of a group. + ## Default project creation protection Project creation protection specifies which roles can create projects. diff --git a/doc/user/group/index.md b/doc/user/group/index.md index 941462f84a0905..19c608915eb2fd 100644 --- a/doc/user/group/index.md +++ b/doc/user/group/index.md @@ -196,6 +196,9 @@ To change this setting for a specific group: To change this setting globally, see [Default branch protection](../admin_area/settings/visibility_and_access_controls.md#default-branch-protection). +NOTE: **Note:** +In [GitLab Premium or higher](https://about.gitlab.com/pricing/), GitLab administrators can choose to [disable group owners from updating the default branch protection](../admin_area/settings/visibility_and_access_controls.md#disable-group-owners-from-updating-default-branch-protection-premium-only). + ## Add projects to a group There are two different ways to add a new project to a group: diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb index 3166cb81a7e91c..23316d54e52ada 100644 --- a/ee/app/controllers/ee/admin/application_settings_controller.rb +++ b/ee/app/controllers/ee/admin/application_settings_controller.rb @@ -58,7 +58,7 @@ def visible_application_setting_attributes attrs << :npm_package_requests_forwarding end - if License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) + if License.feature_available?(:default_branch_protection_restriction_in_groups) attrs << :group_owners_can_manage_default_branch_protection end diff --git a/ee/app/models/license.rb b/ee/app/models/license.rb index 3b496402d61b96..535bea87386006 100644 --- a/ee/app/models/license.rb +++ b/ee/app/models/license.rb @@ -59,6 +59,7 @@ class License < ApplicationRecord custom_project_templates cycle_analytics_for_groups db_load_balancing + default_branch_protection_restriction_in_groups default_project_deletion_protection dependency_proxy deploy_board @@ -89,7 +90,6 @@ class License < ApplicationRecord operations_dashboard packages pages_size_limit - prevent_group_owners_from_managing_default_branch_protection productivity_analytics project_aliases protected_environments @@ -202,6 +202,7 @@ class License < ApplicationRecord custom_file_templates custom_project_templates db_load_balancing + default_branch_protection_restriction_in_groups elastic_search enterprise_templates extended_audit_events @@ -212,7 +213,6 @@ class License < ApplicationRecord multiple_ldap_servers object_storage pages_size_limit - prevent_group_owners_from_managing_default_branch_protection project_aliases repository_size_limit required_ci_templates diff --git a/ee/app/policies/ee/base_policy.rb b/ee/app/policies/ee/base_policy.rb index 5ec05fa441fa20..dc1bd1bf1ba59e 100644 --- a/ee/app/policies/ee/base_policy.rb +++ b/ee/app/policies/ee/base_policy.rb @@ -20,7 +20,10 @@ module BasePolicy rule { auditor }.enable :read_all_resources condition(:allow_to_manage_default_branch_protection) do - !License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) | + # When un-licensed: Always allow access. + # When licensed: Allow or deny access based on the + # `group_owners_can_manage_default_branch_protection` setting. + !License.feature_available?(:default_branch_protection_restriction_in_groups) || ::Gitlab::CurrentSettings.group_owners_can_manage_default_branch_protection end end diff --git a/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml b/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml index 932cac43b2f5e0..27ccec99ab99d9 100644 --- a/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml +++ b/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml @@ -1,8 +1,8 @@ -- return unless License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) +- return unless License.feature_available?(:default_branch_protection_restriction_in_groups) - f = local_assigns.fetch(:form) .form-group.form-check = f.check_box :group_owners_can_manage_default_branch_protection, class: 'form-check-input' = f.label :group_owners_can_manage_default_branch_protection, class: 'form-check-label' do - = _('Allow owners to manage default branch protection in groups') + = _('Allow owners to manage default branch protection per group') diff --git a/ee/lib/ee/api/entities/application_setting.rb b/ee/lib/ee/api/entities/application_setting.rb index 276b5b936070b9..20cd1f5592b519 100644 --- a/ee/lib/ee/api/entities/application_setting.rb +++ b/ee/lib/ee/api/entities/application_setting.rb @@ -19,7 +19,7 @@ module ApplicationSetting expose :deletion_adjourned_period, if: ->(_instance, _opts) { ::License.feature_available?(:adjourned_deletion_for_projects_and_groups) } expose :updating_name_disabled_for_users, if: ->(_instance, _opts) { ::License.feature_available?(:disable_name_update_for_users) } expose :npm_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:packages) } - expose :group_owners_can_manage_default_branch_protection, if: ->(_instance, _opts) { ::License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) } + expose :group_owners_can_manage_default_branch_protection, if: ->(_instance, _opts) { ::License.feature_available?(:default_branch_protection_restriction_in_groups) } end end end diff --git a/ee/lib/ee/api/settings.rb b/ee/lib/ee/api/settings.rb index 8f72c12dfcab7a..b10623189935db 100644 --- a/ee/lib/ee/api/settings.rb +++ b/ee/lib/ee/api/settings.rb @@ -43,7 +43,7 @@ def filter_attributes_using_license(attrs) attrs = attrs.except(:npm_package_requests_forwarding) end - unless License.feature_available?(:prevent_group_owners_from_managing_default_branch_protection) + unless License.feature_available?(:default_branch_protection_restriction_in_groups) attrs = attrs.except(:group_owners_can_manage_default_branch_protection) end diff --git a/ee/spec/controllers/admin/application_settings_controller_spec.rb b/ee/spec/controllers/admin/application_settings_controller_spec.rb index ea2184789ebb6e..a36485edc274dd 100644 --- a/ee/spec/controllers/admin/application_settings_controller_spec.rb +++ b/ee/spec/controllers/admin/application_settings_controller_spec.rb @@ -113,7 +113,7 @@ context 'updating `group_owners_can_manage_default_branch_protection` setting' do let(:settings) { { group_owners_can_manage_default_branch_protection: false } } - let(:feature) { :prevent_group_owners_from_managing_default_branch_protection } + let(:feature) { :default_branch_protection_restriction_in_groups } it_behaves_like 'settings for licensed features' end diff --git a/ee/spec/controllers/ee/groups_controller_spec.rb b/ee/spec/controllers/ee/groups_controller_spec.rb index b855f0098b7d3f..68182c1df43455 100644 --- a/ee/spec/controllers/ee/groups_controller_spec.rb +++ b/ee/spec/controllers/ee/groups_controller_spec.rb @@ -280,7 +280,7 @@ before do sign_in(user) - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_licensed_features(default_branch_protection_restriction_in_groups: feature_enabled) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end @@ -300,7 +300,7 @@ before do sign_in(user) - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_licensed_features(default_branch_protection_restriction_in_groups: feature_enabled) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end @@ -463,7 +463,7 @@ before do sign_in(user) - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_licensed_features(default_branch_protection_restriction_in_groups: feature_enabled) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end @@ -484,7 +484,7 @@ group.add_owner(user) sign_in(user) - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_licensed_features(default_branch_protection_restriction_in_groups: feature_enabled) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb index 78a23a33b2ddf0..3d6242f406efd5 100644 --- a/ee/spec/policies/global_policy_spec.rb +++ b/ee/spec/policies/global_policy_spec.rb @@ -79,9 +79,9 @@ context 'for an admin' do let(:current_user) { create(:admin) } - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + context 'when the `default_branch_protection_restriction_in_groups` feature is available' do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + stub_licensed_features(default_branch_protection_restriction_in_groups: true) end context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do @@ -101,9 +101,9 @@ end end - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + stub_licensed_features(default_branch_protection_restriction_in_groups: false) end context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do @@ -127,9 +127,9 @@ context 'for a normal user' do let(:current_user) { create(:user) } - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + context 'when the `default_branch_protection_restriction_in_groups` feature is available' do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + stub_licensed_features(default_branch_protection_restriction_in_groups: true) end context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do @@ -149,9 +149,9 @@ end end - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + stub_licensed_features(default_branch_protection_restriction_in_groups: false) end context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb index f4d6449f5a3dd6..4e5d865470fbcd 100644 --- a/ee/spec/policies/group_policy_spec.rb +++ b/ee/spec/policies/group_policy_spec.rb @@ -744,9 +744,9 @@ context 'for an admin' do let(:current_user) { admin } - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + context 'when the `default_branch_protection_restriction_in_groups` feature is available' do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + stub_licensed_features(default_branch_protection_restriction_in_groups: true) end context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do @@ -766,9 +766,9 @@ end end - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + stub_licensed_features(default_branch_protection_restriction_in_groups: false) end context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do @@ -792,9 +792,9 @@ context 'for an owner' do let(:current_user) { owner } - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is available' do + context 'when the `default_branch_protection_restriction_in_groups` feature is available' do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: true) + stub_licensed_features(default_branch_protection_restriction_in_groups: true) end context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do @@ -814,9 +814,9 @@ end end - context 'when the `prevent_group_owners_from_managing_default_branch_protection` feature is not available' do + context 'when the `default_branch_protection_restriction_in_groups` feature is not available' do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: false) + stub_licensed_features(default_branch_protection_restriction_in_groups: false) end context 'when the setting `group_owners_can_manage_default_branch_protection` is enabled' do diff --git a/ee/spec/requests/api/groups_spec.rb b/ee/spec/requests/api/groups_spec.rb index ffd50164ac872d..6d2579239d60d6 100644 --- a/ee/spec/requests/api/groups_spec.rb +++ b/ee/spec/requests/api/groups_spec.rb @@ -176,7 +176,7 @@ with_them do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_licensed_features(default_branch_protection_restriction_in_groups: feature_enabled) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end @@ -199,7 +199,7 @@ with_them do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_licensed_features(default_branch_protection_restriction_in_groups: feature_enabled) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end @@ -273,7 +273,7 @@ with_them do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_licensed_features(default_branch_protection_restriction_in_groups: feature_enabled) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end @@ -296,7 +296,7 @@ with_them do before do - stub_licensed_features(prevent_group_owners_from_managing_default_branch_protection: feature_enabled) + stub_licensed_features(default_branch_protection_restriction_in_groups: feature_enabled) stub_ee_application_setting(group_owners_can_manage_default_branch_protection: setting_enabled) end diff --git a/ee/spec/requests/api/settings_spec.rb b/ee/spec/requests/api/settings_spec.rb index 320ffde6e010eb..4272fa45e8e5e5 100644 --- a/ee/spec/requests/api/settings_spec.rb +++ b/ee/spec/requests/api/settings_spec.rb @@ -145,7 +145,7 @@ context 'group_owners_can_manage_default_branch_protection setting' do let(:settings) { { group_owners_can_manage_default_branch_protection: false } } - let(:feature) { :prevent_group_owners_from_managing_default_branch_protection } + let(:feature) { :default_branch_protection_restriction_in_groups } it_behaves_like 'settings for licensed features' end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index dee73334a5afb4..cfafd624e6f545 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -1809,7 +1809,7 @@ msgstr "" msgid "Allow only the selected protocols to be used for Git access." msgstr "" -msgid "Allow owners to manage default branch protection in groups" +msgid "Allow owners to manage default branch protection per group" msgstr "" msgid "Allow owners to manually add users outside of LDAP" -- GitLab