1 files changed, 22 insertions, 7 deletions

diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index ec3b3fde719..6ab89daff82 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Ci::BuildPolicy do
+RSpec.describe Ci::BuildPolicy, feature_category: :continuous_integration do
   let(:user) { create(:user) }
   let(:build) { create(:ci_build, pipeline: pipeline) }
   let(:pipeline) { create(:ci_empty_pipeline, project: project) }
@@ -11,6 +11,8 @@ RSpec.describe Ci::BuildPolicy do
     described_class.new(user, build)
   end
 
+  it_behaves_like 'a deployable job policy', :ci_build
+
   shared_context 'public pipelines disabled' do
     before do
       project.update_attribute(:public_builds, false)
@@ -99,12 +101,15 @@ RSpec.describe Ci::BuildPolicy do
 
       context 'when maintainer is allowed to push to pipeline branch' do
         let(:project) { create(:project, :public) }
-        let(:owner) { user }
 
-        it 'enables update_build if user is maintainer' do
-          allow_any_instance_of(Project).to receive(:empty_repo?).and_return(false)
-          allow_any_instance_of(Project).to receive(:branch_allows_collaboration?).and_return(true)
+        before do
+          project.add_maintainer(user)
 
+          allow(project).to receive(:empty_repo?).and_return(false)
+          allow(project).to receive(:branch_allows_collaboration?).and_return(true)
+        end
+
+        it 'enables update_build if user is maintainer' do
           expect(policy).to be_allowed :update_build
           expect(policy).to be_allowed :update_commit_status
         end
@@ -127,6 +132,16 @@ RSpec.describe Ci::BuildPolicy do
         it 'does not include ability to update build' do
           expect(policy).to be_disallowed :update_build
         end
+
+        context 'when the user is admin', :enable_admin_mode do
+          before do
+            user.update!(admin: true)
+          end
+
+          it 'does not include ability to update build' do
+            expect(policy).to be_disallowed :update_build
+          end
+        end
       end
 
       context 'when developers can push to the branch' do
@@ -252,7 +267,7 @@ RSpec.describe Ci::BuildPolicy do
             create(:protected_branch, :developers_can_push, name: build.ref, project: project)
           end
 
-          it { expect(policy).to be_allowed :erase_build }
+          it { expect(policy).to be_disallowed :erase_build }
         end
 
         context 'when the build was created for a protected tag' do
@@ -262,7 +277,7 @@ RSpec.describe Ci::BuildPolicy do
             build.update!(tag: true)
           end
 
-          it { expect(policy).to be_allowed :erase_build }
+          it { expect(policy).to be_disallowed :erase_build }
         end
 
         context 'when the build was created for an unprotected ref' do