Use correct roles for each alert task

Updates roles for alert management tasks. Developers+
can read and update alerts. Maintainers+ can enable
alert management. Ensures the AlertManagementController
respects these roles.

app/controllers/projects/alert_management_controller.rb

@@ -3,6 +3,7 @@
 class Projects::AlertManagementController < Projects::ApplicationController
   before_action :ensure_list_feature_enabled, only: :index
   before_action :ensure_detail_feature_enabled, only: :details
+  before_action :authorize_read_alert_management_alert!
   before_action do
     push_frontend_feature_flag(:alert_list_status_filtering_enabled)
   end

app/finders/alert_management/alerts_finder.rb

@@ -31,7 +31,7 @@ def sort(collection)
     end
 
     def authorized?
-      Ability.allowed?(current_user, :read_alert_management_alerts, project)
+      Ability.allowed?(current_user, :read_alert_management_alert, project)
     end
   end
 end

app/graphql/mutations/alert_management/base.rb

@@ -18,7 +18,7 @@ class Base < BaseMutation
             null: true,
             description: "The alert after mutation"
 
-      authorize :update_alert_management_alerts
+      authorize :update_alert_management_alert
 
       private
 

app/graphql/types/alert_management/alert_type.rb

@@ -6,7 +6,7 @@ class AlertType < BaseObject
       graphql_name 'AlertManagementAlert'
       description "Describes an alert from the project's Alert Management"
 
-      authorize :read_alert_management_alerts
+      authorize :read_alert_management_alert
 
       field :iid,
             GraphQL::ID_TYPE,

app/helpers/projects_helper.rb

@@ -448,7 +448,7 @@ def tab_ability_map
       clusters:         :read_cluster,
       serverless:       :read_cluster,
       error_tracking:   :read_sentry_issue,
-      alert_management:   :read_alert_management,
+      alert_management: :read_alert_management_alert,
       labels:           :read_label,
       issues:           :read_issue,
       project_members:  :read_project_member,

app/policies/project_policy.rb

@@ -236,11 +236,8 @@ class ProjectPolicy < BasePolicy
     enable :read_merge_request
     enable :read_sentry_issue
     enable :update_sentry_issue
-    enable :read_alert_management
     enable :read_prometheus
     enable :read_metrics_dashboard_annotation
-    enable :read_alert_management_alerts
-    enable :update_alert_management_alerts
     enable :metrics_dashboard
   end
 
@@ -306,6 +303,8 @@ class ProjectPolicy < BasePolicy
     enable :create_metrics_dashboard_annotation
     enable :delete_metrics_dashboard_annotation
     enable :update_metrics_dashboard_annotation
+    enable :read_alert_management_alert
+    enable :update_alert_management_alert
     enable :create_design
     enable :destroy_design
   end

spec/controllers/projects/alert_management_controller_spec.rb

@@ -4,7 +4,7 @@
 
 describe Projects::AlertManagementController do
   let_it_be(:project) { create(:project) }
-  let_it_be(:role) { :reporter }
+  let_it_be(:role) { :developer }
   let_it_be(:user) { create(:user) }
   let_it_be(:id) { 1 }
 
@@ -24,6 +24,16 @@
 
         expect(response).to have_gitlab_http_status(:ok)
       end
+
+      context 'when user is unauthorized' do
+        let(:role) { :reporter }
+
+        it 'shows 404' do
+          get :index, params: { namespace_id: project.namespace, project_id: project }
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
     end
 
     context 'when alert_management_minimal is disabled' do
@@ -50,6 +60,16 @@
 
         expect(response).to have_gitlab_http_status(:ok)
       end
+
+      context 'when user is unauthorized' do
+        let(:role) { :reporter }
+
+        it 'shows 404' do
+          get :index, params: { namespace_id: project.namespace, project_id: project }
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
     end
 
     context 'when alert_management_detail is disabled' do

spec/graphql/mutations/alert_management/update_alert_status_spec.rb

@@ -9,7 +9,7 @@
   let(:new_status) { 'acknowledged' }
   let(:args) { { status: new_status, project_path: project.full_path, iid: alert.iid } }
 
-  specify { expect(described_class).to require_graphql_authorizations(:update_alert_management_alerts) }
+  specify { expect(described_class).to require_graphql_authorizations(:update_alert_management_alert) }
 
   describe '#resolve' do
     subject(:resolve) { mutation_for(project, current_user).resolve(args) }

spec/graphql/types/alert_management/alert_type_spec.rb

@@ -5,7 +5,7 @@
 describe GitlabSchema.types['AlertManagementAlert'] do
   specify { expect(described_class.graphql_name).to eq('AlertManagementAlert') }
 
-  specify { expect(described_class).to require_graphql_authorizations(:read_alert_management_alerts) }
+  specify { expect(described_class).to require_graphql_authorizations(:read_alert_management_alert) }
 
   it 'exposes the expected fields' do
     expected_fields = %i[

spec/policies/alert_management/alert_policy_spec.rb

@@ -10,16 +10,16 @@
   subject(:policy) { described_class.new(user, alert) }
 
   describe 'rules' do
-    it { is_expected.to be_disallowed :read_alert_management_alerts }
-    it { is_expected.to be_disallowed :update_alert_management_alerts }
+    it { is_expected.to be_disallowed :read_alert_management_alert }
+    it { is_expected.to be_disallowed :update_alert_management_alert }
 
     context 'when developer' do
       before do
         project.add_developer(user)
       end
 
-      it { is_expected.to be_allowed :read_alert_management_alerts }
-      it { is_expected.to be_allowed :update_alert_management_alerts }
+      it { is_expected.to be_allowed :read_alert_management_alert }
+      it { is_expected.to be_allowed :update_alert_management_alert }
     end
   end
 end