Diffstat (limited to 'spec/requests/api/maven_packages_spec.rb')
-rw-r--r--spec/requests/api/maven_packages_spec.rb58
1 files changed, 51 insertions, 7 deletions
diff --git a/spec/requests/api/maven_packages_spec.rb b/spec/requests/api/maven_packages_spec.rb
index 578a4821b5e..2110e4a077d 100644
--- a/spec/requests/api/maven_packages_spec.rb
+++ b/spec/requests/api/maven_packages_spec.rb
@@ -43,7 +43,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
project.add_developer(user)
end
- shared_examples 'handling groups and subgroups for' do |shared_example_name, visibilities: { public: :redirect }|
+ shared_examples 'handling groups and subgroups for' do |shared_example_name, shared_example_args = {}, visibilities: { public: :redirect }|
context 'within a group' do
visibilities.each do |visibility, not_found_response|
context "that is #{visibility}" do
@@ -51,7 +51,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
group.update!(visibility_level: Gitlab::VisibilityLevel.level_value(visibility.to_s))
end
- it_behaves_like shared_example_name, not_found_response
+ it_behaves_like shared_example_name, not_found_response, shared_example_args
end
end
end
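Review bot: The added line `it_behaves_like shared_example_name, not_found_response, shared_example_args` forwards the options as a positional hash, while 'getting a file for a group' (changed further down) declares `download_denied_status:` as a keyword block parameter. Under Ruby 3 keyword separation a positional hash is not guaranteed to bind to a block keyword, so the `:redirect` override passed in the flag-disabled context may never reach the example and the `:forbidden` default would apply instead; I have not verified how RSpec forwards the arguments here. Splatting states the intent explicitly: `it_behaves_like shared_example_name, not_found_response, **shared_example_args`. The identical line in the next hunk (-70/+70) should change with it.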
@@ -70,7 +70,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
group.update!(visibility_level: Gitlab::VisibilityLevel.level_value(visibility.to_s))
end
- it_behaves_like shared_example_name, not_found_response
+ it_behaves_like shared_example_name, not_found_response, shared_example_args
end
end
end
@@ -621,7 +621,15 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
it_behaves_like 'rejecting request with invalid params'
- it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { internal: :unauthorized, public: :redirect }
+ it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { internal: :unauthorized, public: :unauthorized }
+
+ context 'when the FF maven_remove_permissions_check_from_finder disabled' do
+ before do
+ stub_feature_flags(maven_remove_permissions_check_from_finder: false)
+ end
+
+ it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { internal: :unauthorized, public: :redirect }
+ end
end
context 'private project' do
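Review bot: The expected `not_found_response` for a public group flips from `:redirect` to `:unauthorized` on the `it_behaves_like 'handling groups and subgroups for'` line with nothing in the spec saying why; the reason only shows up by reading the flag-disabled context below it. A one-line comment above it would keep the authorization intent readable after the flag is removed, for example `# With maven_remove_permissions_check_from_finder enabled, the not_found_response for a public group is :unauthorized, not :redirect`. The context description would also read better as `'when the FF maven_remove_permissions_check_from_finder is disabled'`, and the same wording recurs in the two contexts added in the last hunk. The enclosing context starts outside this hunk.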
@@ -631,7 +639,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
subject { download_file_with_token(file_name: package_file.file_name) }
- shared_examples 'getting a file for a group' do |not_found_response|
+ shared_examples 'getting a file for a group' do |not_found_response, download_denied_status: :forbidden|
it_behaves_like 'tracking the file download event'
it_behaves_like 'bumping the package last downloaded at field'
it_behaves_like 'successfully returning the file'
@@ -641,7 +649,7 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
subject
- expect(response).to have_gitlab_http_status(:redirect)
+ expect(response).to have_gitlab_http_status(download_denied_status)
end
it 'denies download when no private token' do
@@ -682,7 +690,43 @@ RSpec.describe API::MavenPackages, feature_category: :package_registry do
end
end
- it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { private: :unauthorized, internal: :unauthorized, public: :redirect }
+ context 'with the duplicate packages in the two projects' do
+ let_it_be(:recent_project) { create(:project, :private, namespace: group) }
+
+ let!(:package_dup) { create(:maven_package, project: recent_project, name: package.name, version: package.version) }
+
+ before do
+ group.add_guest(user)
+ project.add_developer(user)
+ end
+
+ context 'when user does not have enough permission for the recent project' do
+ it 'tries to download the recent package' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'when the FF maven_remove_permissions_check_from_finder disabled' do
+ before do
+ stub_feature_flags(maven_remove_permissions_check_from_finder: false)
+ end
+
+ it_behaves_like 'bumping the package last downloaded at field'
+ it_behaves_like 'successfully returning the file'
+ end
+ end
+
+ it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: { private: :unauthorized, internal: :unauthorized, public: :unauthorized }
+
+ context 'when the FF maven_remove_permissions_check_from_finder disabled' do
+ before do
+ stub_feature_flags(maven_remove_permissions_check_from_finder: false)
+ end
+
+ it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', { download_denied_status: :redirect }, visibilities: { private: :unauthorized, internal: :unauthorized, public: :redirect }
+ end
context 'with a reporter from a subgroup accessing the root group' do
let_it_be(:root_group) { create(:group, :private) }
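Review bot: The example 'tries to download the recent package' asserts only the `:forbidden` status, so it would still pass if the denied request had side effects on either duplicate package. Since this is the authorization case the change is about, consider also asserting that nothing was recorded, e.g. `expect { subject }.not_to change { package_dup.reload.last_downloaded_at }`, assuming that is the field the 'bumping the package last downloaded at field' examples check. Naming the outcome in the description would help too, such as `it 'returns forbidden instead of serving the duplicate from the readable project'`. The enclosing `context` begins before the hunk.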