
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-07-20 18:40:28 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-07-20 18:40:28 +0300
commitb595cb0c1dec83de5bdee18284abe86614bed33b (patch)
tree8c3d4540f193c5ff98019352f554e921b3a41a72 /spec/policies
parent2f9104a328fc8a4bddeaa4627b595166d24671d0 (diff)
Add latest changes from gitlab-org/gitlab@15-2-stable-eev15.2.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/environment_policy_spec.rb8
-rw-r--r--spec/policies/global_policy_spec.rb40
-rw-r--r--spec/policies/group_policy_spec.rb27
-rw-r--r--spec/policies/incident_management/timeline_event_policy_spec.rb60
-rw-r--r--spec/policies/issue_policy_spec.rb12
-rw-r--r--spec/policies/merge_request_policy_spec.rb62
-rw-r--r--spec/policies/namespace/root_storage_statistics_policy_spec.rb2
-rw-r--r--spec/policies/namespaces/user_namespace_policy_spec.rb2
-rw-r--r--spec/policies/project_policy_spec.rb157
-rw-r--r--spec/policies/project_statistics_policy_spec.rb2
-rw-r--r--spec/policies/work_item_policy_spec.rb29
11 files changed, 360 insertions, 41 deletions
diff --git a/spec/policies/environment_policy_spec.rb b/spec/policies/environment_policy_spec.rb
index 649b1a770c0..701fc7ac9ae 100644
--- a/spec/policies/environment_policy_spec.rb
+++ b/spec/policies/environment_policy_spec.rb
@@ -28,7 +28,7 @@ RSpec.describe EnvironmentPolicy do
with_them do
before do
- project.add_user(user, access_level) unless access_level.nil?
+ project.add_member(user, access_level) unless access_level.nil?
end
it { expect(policy.allowed?(:stop_environment)).to be allowed? }
@@ -49,7 +49,7 @@ RSpec.describe EnvironmentPolicy do
context 'with protected branch' do
with_them do
before do
- project.add_user(user, access_level) unless access_level.nil?
+ project.add_member(user, access_level) unless access_level.nil?
create(:protected_branch, :no_one_can_push,
name: 'master', project: project)
end
@@ -86,7 +86,7 @@ RSpec.describe EnvironmentPolicy do
with_them do
before do
- project.add_user(user, access_level) unless access_level.nil?
+ project.add_member(user, access_level) unless access_level.nil?
end
it { expect(policy.allowed?(:stop_environment)).to be allowed? }
@@ -120,7 +120,7 @@ RSpec.describe EnvironmentPolicy do
with_them do
before do
- project.add_user(user, access_level) unless access_level.nil?
+ project.add_member(user, access_level) unless access_level.nil?
end
it { expect(policy).to be_disallowed :destroy_environment }
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 04d7eca6f09..da0427420e4 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -40,7 +40,7 @@ RSpec.describe GlobalPolicy do
end
context "for an admin" do
- let(:current_user) { create(:admin) }
+ let_it_be(:current_user) { create(:admin) }
context "when the public level is restricted" do
before do
@@ -118,7 +118,7 @@ RSpec.describe GlobalPolicy do
end
context 'admin' do
- let(:current_user) { create(:user, :admin) }
+ let_it_be(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:read_custom_attribute) }
@@ -138,7 +138,7 @@ RSpec.describe GlobalPolicy do
end
context 'admin' do
- let(:current_user) { create(:admin) }
+ let_it_be(:current_user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:approve_user) }
@@ -156,7 +156,7 @@ RSpec.describe GlobalPolicy do
end
context 'admin' do
- let(:current_user) { create(:admin) }
+ let_it_be(:current_user) { create(:admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:reject_user) }
@@ -174,7 +174,7 @@ RSpec.describe GlobalPolicy do
end
context 'admin' do
- let(:current_user) { create(:user, :admin) }
+ let_it_be(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:use_project_statistics_filters) }
@@ -591,4 +591,34 @@ RSpec.describe GlobalPolicy do
it { is_expected.not_to be_allowed(:log_in) }
end
end
+
+ describe 'delete runners' do
+ context 'when anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.not_to be_allowed(:delete_runners) }
+ end
+
+ context 'regular user' do
+ it { is_expected.not_to be_allowed(:delete_runners) }
+ end
+
+ context 'when external' do
+ let(:current_user) { build(:user, :external) }
+
+ it { is_expected.not_to be_allowed(:delete_runners) }
+ end
+
+ context 'admin user' do
+ let_it_be(:current_user) { create(:user, :admin) }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:delete_runners) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:delete_runners) }
+ end
+ end
+ end
end
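Review bot: The new `delete runners` block writes the same kind of negative assertion in two forms, `is_expected.not_to be_allowed(:delete_runners)` in the first three contexts and `is_expected.to be_disallowed(:delete_runners)` in the admin-mode-disabled one. Using one form throughout, for example `it { is_expected.to be_disallowed(:delete_runners) }`, would keep the denied cases uniform. The 'regular user' context defines no `current_user` and so depends on a default set outside this hunk; a comment such as `# uses the spec-level default current_user` would make that dependency visible.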
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index c513baea517..3ef859376a4 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
RSpec.describe GroupPolicy do
include_context 'GroupPolicy context'
+ using RSpec::Parameterized::TableSyntax
context 'public group with no user' do
let(:group) { create(:group, :public, :crm_enabled) }
@@ -1229,4 +1230,30 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_disallowed(:admin_crm_contact) }
it { is_expected.to be_disallowed(:admin_crm_organization) }
end
+
+ describe 'maintain_namespace' do
+ context 'with non-admin roles' do
+ where(:role, :allowed) do
+ :guest | false
+ :reporter | false
+ :developer | false
+ :maintainer | true
+ :owner | true
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+
+ it do
+ expect(subject.allowed?(:maintain_namespace)).to eq allowed
+ end
+ end
+ end
+
+ context 'as an admin', :enable_admin_mode do
+ let(:current_user) { admin }
+
+ it { is_expected.to be_allowed(:maintain_namespace) }
+ end
+ end
end
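Review bot: The `maintain_namespace` block asserts the admin case only under `:enable_admin_mode`, and its role table stops at `:guest`, so nothing pins the result for an admin without admin mode or for a user with no membership. Those are the cases where an over-broad grant would go unnoticed. Consider adding `context 'as an admin without admin mode'` with `let(:current_user) { admin }` and `it { is_expected.to be_disallowed(:maintain_namespace) }`, assuming denial is the intended outcome, plus a row or context for a non-member.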
diff --git a/spec/policies/incident_management/timeline_event_policy_spec.rb b/spec/policies/incident_management/timeline_event_policy_spec.rb
new file mode 100644
index 00000000000..5a659054d7a
--- /dev/null
+++ b/spec/policies/incident_management/timeline_event_policy_spec.rb
@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe IncidentManagement::TimelineEventPolicy, models: true do
+ let_it_be(:project) { create(:project) }
+ let_it_be(:reporter) { create(:user) }
+ let_it_be(:developer) { create(:user) }
+ let_it_be(:user) { developer }
+ let_it_be(:incident) { create(:incident, project: project, author: user) }
+
+ let_it_be(:editable_timeline_event) do
+ create(:incident_management_timeline_event, :editable, project: project, author: user, incident: incident)
+ end
+
+ let_it_be(:non_editable_timeline_event) do
+ create(:incident_management_timeline_event, :non_editable, project: project, author: user, incident: incident)
+ end
+
+ before do
+ project.add_developer(developer)
+ project.add_reporter(reporter)
+ end
+
+ describe '#rules' do
+ subject(:policies) { described_class.new(user, timeline_event) }
+
+ context 'when a user is not able to manage timeline events' do
+ let_it_be(:user) { reporter }
+
+ context 'when timeline event is editable' do
+ let(:timeline_event) { editable_timeline_event }
+
+ it 'does not allow to edit the timeline event' do
+ is_expected.not_to be_allowed(:edit_incident_management_timeline_event)
+ end
+ end
+ end
+
+ context 'when a user is able to manage timeline events' do
+ let_it_be(:user) { developer }
+
+ context 'when timeline event is editable' do
+ let(:timeline_event) { editable_timeline_event }
+
+ it 'allows to edit the timeline event' do
+ is_expected.to be_allowed(:edit_incident_management_timeline_event)
+ end
+ end
+
+ context 'when timeline event is not editable' do
+ let(:timeline_event) { non_editable_timeline_event }
+
+ it 'does not allow to edit the timeline event' do
+ is_expected.not_to be_allowed(:edit_incident_management_timeline_event)
+ end
+ end
+ end
+ end
+end
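Review bot: The top-level fixtures are created with `author: user`, which at that level is `developer`, so overriding `user` with `reporter` in the nested context appears to change only the policy's user and not the authorship of the incident or the events. Writing `author: developer` in the three `create` calls would make that explicit and avoid suggesting that the reporter case covers an author without the role. The only denied role exercised is `reporter`, and only against the editable event; a non-member or `nil` user case would bound the ability from below. The `project.add_developer` and `project.add_reporter` calls run in a per-example `before` although every object involved is `let_it_be`.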
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 557bda985af..fefbb59a830 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -13,6 +13,7 @@ RSpec.describe IssuePolicy do
let(:reporter_from_group_link) { create(:user) }
let(:non_member) { create(:user) }
let(:support_bot) { User.support_bot }
+ let(:alert_bot) { User.alert_bot }
def permissions(user, issue)
described_class.new(user, issue)
@@ -41,6 +42,14 @@ RSpec.describe IssuePolicy do
end
end
+ shared_examples 'alert bot' do
+ it 'allows alert_bot to read and set metadata on issues' do
+ expect(permissions(alert_bot, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(alert_bot, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ expect(permissions(alert_bot, new_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+ end
+ end
+
context 'a private project' do
let(:project) { create(:project, :private) }
let(:issue) { create(:issue, project: project, assignees: [assignee], author: author) }
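Review bot: The shared example is titled 'allows alert_bot to read and set metadata on issues', but it also asserts `:update_issue`, `:admin_issue` and `:set_confidentiality`, so the description understates the grant the spec pins. The same six-ability list is repeated on three lines; a local such as `abilities = %i[read_issue read_issue_iid update_issue admin_issue set_issue_metadata set_confidentiality]` used as `be_allowed(*abilities)` would keep the three expectations in sync. The example contains no negative assertion, so it sets no upper bound on what the alert bot may do on an issue.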
@@ -106,6 +115,7 @@ RSpec.describe IssuePolicy do
expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
end
+ it_behaves_like 'alert bot'
it_behaves_like 'support bot with service desk disabled'
it_behaves_like 'support bot with service desk enabled'
@@ -270,6 +280,7 @@ RSpec.describe IssuePolicy do
expect(permissions(support_bot, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
end
+ it_behaves_like 'alert bot'
it_behaves_like 'support bot with service desk enabled'
context 'when issues are private' do
@@ -326,6 +337,7 @@ RSpec.describe IssuePolicy do
expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
end
+ it_behaves_like 'alert bot'
it_behaves_like 'support bot with service desk disabled'
it_behaves_like 'support bot with service desk enabled'
end
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index e05de25f182..dd42e1b9313 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -51,7 +51,8 @@ RSpec.describe MergeRequestPolicy do
end
context 'when merge request is public' do
- let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
+ let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) }
+ let(:user) { author }
context 'and user is anonymous' do
subject { permissions(nil, merge_request) }
@@ -61,19 +62,62 @@ RSpec.describe MergeRequestPolicy do
end
end
- describe 'the author, who became a guest' do
- subject { permissions(author, merge_request) }
+ context 'and user is author' do
+ subject { permissions(user, merge_request) }
- it do
- is_expected.to be_allowed(:update_merge_request)
+ context 'and the user is a guest' do
+ let(:user) { guest }
+
+ it do
+ is_expected.to be_allowed(:update_merge_request)
+ end
+
+ it do
+ is_expected.to be_allowed(:reopen_merge_request)
+ end
+
+ it do
+ is_expected.to be_allowed(:approve_merge_request)
+ end
end
- it do
- is_expected.to be_allowed(:reopen_merge_request)
+ context 'and the user is a group member' do
+ let(:project) { create(:project, :public, group: group) }
+ let(:group) { create(:group) }
+ let(:user) { non_team_member }
+
+ before do
+ group.add_guest(non_team_member)
+ end
+
+ it do
+ is_expected.to be_allowed(:approve_merge_request)
+ end
end
- it do
- is_expected.to be_allowed(:approve_merge_request)
+ context 'and the user is a member of a shared group' do
+ let(:user) { non_team_member }
+
+ before do
+ group = create(:group)
+ project.project_group_links.create!(
+ group: group,
+ group_access: Gitlab::Access::DEVELOPER)
+
+ group.add_guest(non_team_member)
+ end
+
+ it do
+ is_expected.to be_allowed(:approve_merge_request)
+ end
+ end
+
+ context 'and the user is not a project member' do
+ let(:user) { non_team_member }
+
+ it do
+ is_expected.not_to be_allowed(:approve_merge_request)
+ end
end
end
end
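Review bot: In 'and the user is a member of a shared group' the project link is created with `Gitlab::Access::DEVELOPER` while the user joins that group through `add_guest`, and nothing in the block records which of the two levels the `approve_merge_request` expectation relies on. A comment above the `before`, such as `# linked at DEVELOPER, but the user is only a guest of the linked group`, would state the intent. The new examples are bare `it do … end` blocks without descriptions. The group-member, shared-group and non-member contexts assert only `:approve_merge_request`, so `:update_merge_request` and `:reopen_merge_request` are checked for the guest author alone.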
diff --git a/spec/policies/namespace/root_storage_statistics_policy_spec.rb b/spec/policies/namespace/root_storage_statistics_policy_spec.rb
index e6b58bca4a8..89875f83c9b 100644
--- a/spec/policies/namespace/root_storage_statistics_policy_spec.rb
+++ b/spec/policies/namespace/root_storage_statistics_policy_spec.rb
@@ -59,7 +59,7 @@ RSpec.describe Namespace::RootStorageStatisticsPolicy do
with_them do
before do
- group.add_user(user, user_type) unless user_type == :non_member
+ group.add_member(user, user_type) unless user_type == :non_member
end
it { is_expected.to eq(outcome) }
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index 22c3f6a6d67..e8a3c9b828d 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do
let_it_be(:admin) { create(:admin) }
let_it_be(:namespace) { create(:user_namespace, owner: owner) }
- let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package] }
+ let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :maintain_namespace] }
subject { described_class.new(current_user, namespace) }
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index d363a822d18..c041c72a0be 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -612,6 +612,24 @@ RSpec.describe ProjectPolicy do
end
end
+ describe 'create_task' do
+ context 'when user is member of the project' do
+ let(:current_user) { developer }
+
+ context 'when work_items feature flag is enabled' do
+ it { expect_allowed(:create_task) }
+ end
+
+ context 'when work_items feature flag is disabled' do
+ before do
+ stub_feature_flags(work_items: false)
+ end
+
+ it { expect_disallowed(:create_task) }
+ end
+ end
+ end
+
describe 'update_max_artifacts_size' do
context 'when no user' do
let(:current_user) { anonymous }
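Review bot: The `create_task` block exercises only `developer`, so it shows the feature flag gating the ability but not where the role boundary sits. A denied case, for example a context with `let(:current_user) { anonymous }` and `it { expect_disallowed(:create_task) }`, would pin the lower bound, assuming anonymous users are meant to be denied. The outer context name 'when user is member of the project' is broader than the single role it tests.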
@@ -1462,43 +1480,142 @@ RSpec.describe ProjectPolicy do
end
describe 'view_package_registry_project_settings' do
- context 'with registry enabled' do
+ context 'with packages disabled and' do
before do
- stub_config(registry: { enabled: true })
+ stub_config(packages: { enabled: false })
end
- context 'with an admin user' do
- let(:current_user) { admin }
+ context 'with registry enabled' do
+ before do
+ stub_config(registry: { enabled: true })
+ end
- context 'when admin mode enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:view_package_registry_project_settings) }
+ context 'with an admin user' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:view_package_registry_project_settings) }
+ end
+
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
end
- context 'when admin mode disabled' do
- it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ %i[owner maintainer].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_allowed(:view_package_registry_project_settings) }
+ end
+ end
+
+ %i[developer reporter guest non_member anonymous].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
end
end
- %i[owner maintainer].each do |role|
- context "with #{role}" do
- let(:current_user) { public_send(role) }
+ context 'with registry disabled' do
+ before do
+ stub_config(registry: { enabled: false })
+ end
+
+ context 'with admin user' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
- it { is_expected.to be_allowed(:view_package_registry_project_settings) }
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+ end
+
+ %i[owner maintainer developer reporter guest non_member anonymous].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
end
end
+ end
- %i[developer reporter guest non_member anonymous].each do |role|
- context "with #{role}" do
- let(:current_user) { public_send(role) }
+ context 'with registry disabled and' do
+ before do
+ stub_config(registry: { enabled: false })
+ end
- it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ context 'with packages enabled' do
+ before do
+ stub_config(packages: { enabled: true })
+ end
+
+ context 'with an admin user' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:view_package_registry_project_settings) }
+ end
+
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+ end
+
+ %i[owner maintainer].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_allowed(:view_package_registry_project_settings) }
+ end
+ end
+
+ %i[developer reporter guest non_member anonymous].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+ end
+ end
+
+ context 'with packages disabled' do
+ before do
+ stub_config(packages: { enabled: false })
+ end
+
+ context 'with admin user' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
+ end
+
+ %i[owner maintainer developer reporter guest non_member anonymous].each do |role|
+ context "with #{role}" do
+ let(:current_user) { public_send(role) }
+
+ it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
+ end
end
end
end
- context 'with registry disabled' do
+ context 'with registry & packages both disabled' do
before do
stub_config(registry: { enabled: false })
+ stub_config(packages: { enabled: false })
end
context 'with admin user' do
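Review bot: Within this hunk the registry/packages matrix asserts the both-disabled combination three times ('with packages disabled and' > 'with registry disabled', 'with registry disabled and' > 'with packages disabled', and 'with registry & packages both disabled') but never the both-enabled one. A context for that combination would complete the matrix; the expectations in the sketch below are inferred from the single-enabled cases and should be confirmed against the policy. The context names ending in 'and' read awkwardly in the generated example descriptions. The enclosing `describe` continues past the end of the hunk, so a both-enabled case may exist outside the visible lines.

```ruby
# … unchanged: 'with packages disabled and' / 'with registry disabled and' contexts …
context 'with registry and packages both enabled' do
  before do
    stub_config(registry: { enabled: true })
    stub_config(packages: { enabled: true })
  end

  %i[owner maintainer].each do |role|
    context "with #{role}" do
      let(:current_user) { public_send(role) }

      it { is_expected.to be_allowed(:view_package_registry_project_settings) }
    end
  end

  %i[developer reporter guest non_member anonymous].each do |role|
    context "with #{role}" do
      let(:current_user) { public_send(role) }

      it { is_expected.to be_disallowed(:view_package_registry_project_settings) }
    end
  end
end
```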
@@ -1718,7 +1835,7 @@ RSpec.describe ProjectPolicy do
%w(guest reporter developer maintainer).each do |role|
context role do
before do
- project.add_user(current_user, role.to_sym)
+ project.add_member(current_user, role.to_sym)
end
if role == 'guest'
@@ -1752,7 +1869,7 @@ RSpec.describe ProjectPolicy do
%w(guest reporter developer maintainer).each do |role|
context role do
before do
- project.add_user(current_user, role.to_sym)
+ project.add_member(current_user, role.to_sym)
end
it { is_expected.to be_allowed(:read_ci_cd_analytics) }
@@ -1782,7 +1899,7 @@ RSpec.describe ProjectPolicy do
%w(guest reporter developer maintainer).each do |role|
context role do
before do
- project.add_user(current_user, role.to_sym)
+ project.add_member(current_user, role.to_sym)
end
if role == 'guest'
diff --git a/spec/policies/project_statistics_policy_spec.rb b/spec/policies/project_statistics_policy_spec.rb
index 74630dc38ad..56e6161a264 100644
--- a/spec/policies/project_statistics_policy_spec.rb
+++ b/spec/policies/project_statistics_policy_spec.rb
@@ -72,7 +72,7 @@ RSpec.describe ProjectStatisticsPolicy do
before do
unless [:unauthenticated, :non_member].include?(user_type)
- project.add_user(external, user_type)
+ project.add_member(external, user_type)
end
end
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index 9cfc4455979..f8ec7d9f9bc 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
@@ -131,4 +131,33 @@ RSpec.describe WorkItemPolicy do
end
end
end
+
+ describe 'admin_parent_link' do
+ context 'when user is reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_allowed(:admin_parent_link) }
+ end
+
+ context 'when user is guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:admin_parent_link) }
+
+ context 'when guest authored the work item' do
+ let(:work_item_subject) { authored_work_item }
+ let(:current_user) { guest_author }
+
+ it { is_expected.to be_disallowed(:admin_parent_link) }
+ end
+
+ context 'when guest is assigned to the work item' do
+ before do
+ work_item.assignees = [guest]
+ end
+
+ it { is_expected.to be_disallowed(:admin_parent_link) }
+ end
+ end
+ end
end
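Review bot: The two guest sub-cases set up their subject differently: 'when guest authored the work item' overrides `work_item_subject`, while 'when guest is assigned to the work item' mutates `work_item.assignees` in a `before`. Both names are defined outside this hunk, so it is worth confirming that the policy subject in the assigned case really is the `work_item` being mutated; otherwise that example passes without testing assignment. If `work_item` is a `let_it_be` object, the in-memory `assignees =` assignment may also carry over into later examples. The block has no non-member or anonymous case for `admin_parent_link`.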