Merge branch...

Merge branch '455557-follow-up-from-hide-new-subgroup-button-if-visibility-is-restricted' into 'master' 

Follow-up from "Hide `New subgroup` button if visibility is restricted"

See merge request !157794



Merged-by: Tetiana Chupryna <tchupryna@gitlab.com>
Approved-by: Alex Buijs <abuijs@gitlab.com>
Approved-by: Tetiana Chupryna <tchupryna@gitlab.com>
Reviewed-by: Tetiana Chupryna <tchupryna@gitlab.com>
Reviewed-by: Matias Alvarez <matias.alvarez@live.de>
Co-authored-by: Matias Alvarez <matias.alvarez@phrase.com>

app/policies/group_policy.rb

@@ -60,21 +60,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   end
 
   condition(:create_subgroup_disabled, scope: :subject) do
-    next true if @user.nil?
-
-    visibility_levels = if @user.can_admin_all_resources?
-                          # admin can create groups even with restricted visibility levels
-                          Gitlab::VisibilityLevel.values
-                        else
-                          Gitlab::VisibilityLevel.allowed_levels
-                        end
-
-    # visibility_level_allowed? is not supporting root-groups, so we have to create a dummy sub-group.
-    subgroup = Group.new(parent_id: @subject.id)
-
-    # if a subgroup with none of the remaining visibility levels can be allowed by the group,
-    # then it means that the `Create subgroup` button must be disabled.
-    visibility_levels.none? { |level| subgroup.visibility_level_allowed?(level) }
+    Gitlab::VisibilityLevel.allowed_levels_for_user(@user, @subject).empty?
   end
 
   condition(:developer_maintainer_access, scope: :subject) do

lib/gitlab/visibility_level.rb

@@ -84,6 +84,23 @@ def allowed_level?(level)
         valid_level?(level) && non_restricted_level?(level)
       end
 
+      def allowed_levels_for_user(user, subject)
+        return [] if user.nil?
+
+        visibility_levels = if user.can_admin_all_resources?
+                              # admin can create groups even with restricted visibility levels
+                              self.values
+                            else
+                              self.allowed_levels
+                            end
+
+        # visibility_level_allowed? is not supporting root-groups, so we have to create a dummy sub-group.
+        subgroup = Group.new(parent_id: subject.id)
+
+        # return the allowed visibility levels for the subject
+        visibility_levels.select { |level| subgroup.visibility_level_allowed?(level) }
+      end
+
       def non_restricted_level?(level)
         !restricted_level?(level)
       end

spec/lib/gitlab/visibility_level_spec.rb

@@ -132,6 +132,40 @@
     end
   end
 
+  describe '.allowed_levels_for_user' do
+    let_it_be(:group) { create(:group) }
+
+    subject { described_class.allowed_levels_for_user(user, group) }
+
+    context 'when user is not present' do
+      let(:user) { nil }
+
+      it 'returns an empty array' do
+        is_expected.to be_empty
+      end
+    end
+
+    context 'when user is present' do
+      let(:user) { build(:user) }
+
+      before do
+        allow(Gitlab::CurrentSettings).to receive(:restricted_visibility_levels).and_return([0])
+      end
+
+      it 'returns an array with correct allowed levels for a user' do
+        is_expected.to match_array([described_class::PUBLIC, described_class::INTERNAL])
+      end
+    end
+
+    context 'when admin mode is enabled', :enable_admin_mode do
+      let(:user) { build(:user, :admin) }
+
+      it 'returns an array with correct allowed levels for admin user' do
+        is_expected.to match_array([described_class::PUBLIC, described_class::INTERNAL, described_class::PRIVATE])
+      end
+    end
+  end
+
   describe '.valid_level?' do
     it 'returns true when visibility is valid' do
       expect(described_class.valid_level?(described_class::PRIVATE)).to be_truthy