1 files changed, 104 insertions, 2 deletions

diff --git a/spec/features/projects/settings/access_tokens_spec.rb b/spec/features/projects/settings/access_tokens_spec.rb
index 45fe19deb8e..8083c851bb7 100644
--- a/spec/features/projects/settings/access_tokens_spec.rb
+++ b/spec/features/projects/settings/access_tokens_spec.rb
@@ -5,7 +5,8 @@ require 'spec_helper'
 RSpec.describe 'Project > Settings > Access Tokens', :js do
   let_it_be(:user) { create(:user) }
   let_it_be(:bot_user) { create(:user, :project_bot) }
-  let_it_be(:project) { create(:project) }
+  let_it_be(:group) { create(:group) }
+  let_it_be(:project) { create(:project, group: group) }
 
   before_all do
     project.add_maintainer(user)
@@ -33,6 +34,18 @@ RSpec.describe 'Project > Settings > Access Tokens', :js do
     find('#created-personal-access-token').value
   end
 
+  context 'when user is not a project maintainer' do
+    before do
+      project.add_developer(user)
+    end
+
+    it 'does not show project access token page' do
+      visit project_settings_access_tokens_path(project)
+
+      expect(page).to have_content("Page Not Found")
+    end
+  end
+
   describe 'token creation' do
     it 'allows creation of a project access token' do
       name = 'My project access token'
@@ -57,6 +70,81 @@ RSpec.describe 'Project > Settings > Access Tokens', :js do
       expect(active_project_access_tokens).to have_text('read_api')
       expect(created_project_access_token).not_to be_empty
     end
+
+    context 'when token creation is not allowed' do
+      before do
+        group.namespace_settings.update_column(:resource_access_token_creation_allowed, false)
+      end
+
+      it 'does not show project access token creation form' do
+        visit project_settings_access_tokens_path(project)
+
+        expect(page).not_to have_selector('#new_project_access_token')
+      end
+
+      it 'shows project access token creation disabled text' do
+        visit project_settings_access_tokens_path(project)
+
+        expect(page).to have_text('Project access token creation is disabled in this group. You can still use and manage existing tokens.')
+      end
+
+      context 'with a project in a personal namespace' do
+        let(:personal_project) { create(:project) }
+
+        before do
+          personal_project.add_maintainer(user)
+        end
+
+        it 'shows project access token creation form and text' do
+          visit project_settings_access_tokens_path(personal_project)
+
+          expect(page).to have_selector('#new_project_access_token')
+          expect(page).to have_text('You can generate an access token scoped to this project for each application to use the GitLab API.')
+        end
+      end
+
+      context 'group settings link' do
+        context 'when user is not a group owner' do
+          before do
+            group.add_developer(user)
+          end
+
+          it 'does not show group settings link' do
+            visit project_settings_access_tokens_path(project)
+
+            expect(page).not_to have_link('group settings', href: edit_group_path(group))
+          end
+        end
+
+        context 'with nested groups' do
+          let(:subgroup) { create(:group, parent: group) }
+
+          context 'when user is not a top level group owner' do
+            before do
+              subgroup.add_owner(user)
+            end
+
+            it 'does not show group settings link' do
+              visit project_settings_access_tokens_path(project)
+
+              expect(page).not_to have_link('group settings', href: edit_group_path(group))
+            end
+          end
+        end
+
+        context 'when user is a group owner' do
+          before do
+            group.add_owner(user)
+          end
+
+          it 'shows group settings link' do
+            visit project_settings_access_tokens_path(project)
+
+            expect(page).to have_link('group settings', href: edit_group_path(group))
+          end
+        end
+      end
+    end
   end
 
   describe 'active tokens' do
@@ -83,11 +171,25 @@ RSpec.describe 'Project > Settings > Access Tokens', :js do
     end
 
     it 'removes expired tokens from active section' do
-      project_access_token.update(expires_at: 5.days.ago)
+      project_access_token.update!(expires_at: 5.days.ago)
       visit project_settings_access_tokens_path(project)
 
       expect(page).to have_selector('.settings-message')
       expect(no_project_access_tokens_message).to have_text(no_active_tokens_text)
     end
+
+    context 'when resource access token creation is not allowed' do
+      before do
+        group.namespace_settings.update_column(:resource_access_token_creation_allowed, false)
+      end
+
+      it 'allows revocation of an active token' do
+        visit project_settings_access_tokens_path(project)
+        accept_confirm { click_on 'Revoke' }
+
+        expect(page).to have_selector('.settings-message')
+        expect(no_project_access_tokens_message).to have_text(no_active_tokens_text)
+      end
+    end
   end
 end