Added permissions check for Duo Code review feature

#499798

Added permissions check for Duo Code review feature
87d6f24b · Phil Hughes · 4acad49f · 87d6f24b · 87d6f24b · 87d6f24b
Verified Commit 87d6f24b authored 3 months ago by Phil Hughes
--- a/app/graphql/types/merge_requests/interacts_with_merge_request.rb
+++ b/app/graphql/types/merge_requests/interacts_with_merge_request.rb
@@ -16,7 +16,7 @@ module InteractsWithMergeRequest
      def merge_request_interaction(parent:, id: nil)
        # need the connection parent if called from a connection node:
        parent = parent.parent if parent.try(:field)&.connection?
-        ::Users::MergeRequestInteraction.new(user: object, merge_request: parent)
+        ::Users::MergeRequestInteraction.new(user: object, merge_request: parent, current_user: current_user)
      end
    end
  end

--- a/app/models/users/merge_request_interaction.rb
+++ b/app/models/users/merge_request_interaction.rb
@@ -2,9 +2,10 @@

 module Users
  class MergeRequestInteraction
-    def initialize(user:, merge_request:)
+    def initialize(user:, merge_request:, current_user: nil)
      @user = user
      @merge_request = merge_request
+      @current_user = current_user
    end

    def declarative_policy_subject
@@ -37,7 +38,7 @@ def reviewer
      @reviewer ||= merge_request.merge_request_reviewers.find { |r| r.user_id == user.id }
    end

-    attr_reader :user, :merge_request
+    attr_reader :user, :merge_request, :current_user
  end
 end


--- a/ee/app/models/ee/users/merge_request_interaction.rb
+++ b/ee/app/models/ee/users/merge_request_interaction.rb
@@ -3,6 +3,17 @@
 module EE
  module Users
    module MergeRequestInteraction
+      extend ::Gitlab::Utils::Override
+
+      override :can_update?
+      def can_update?
+        if current_user && user.duo_code_review_bot?
+          return merge_request.project.ai_review_merge_request_allowed?(current_user)
+        end
+
+        super
+      end
+
      def applicable_approval_rules
        return [] unless merge_request.project.licensed_feature_available?(:merge_request_approvers)


--- a/ee/app/models/projects/ai_features.rb
+++ b/ee/app/models/projects/ai_features.rb
@@ -9,8 +9,8 @@ def initialize(project)
    end

    def review_merge_request_allowed?(user)
-      ::Feature.enabled?(:ai_review_merge_request, user) &&
-        project.licensed_feature_available?(:ai_review_mr) &&
+      user.can?(:access_ai_review_mr, project) &&
+        ::Feature.enabled?(:ai_review_merge_request, user) &&
        ::Gitlab::Llm::FeatureAuthorizer.new(
          container: project,
          feature_name: :review_merge_request,

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -1045,6 +1045,19 @@ module ProjectPolicy
      rule { can?(:owner_access) }.policy do
        enable :admin_project_secrets_manager
      end
+
+      condition(:ai_review_mr_enabled) do
+        @subject.duo_features_enabled
+      end
+
+      condition(:user_allowed_to_use_ai_review_mr) do
+        @user.allowed_to_use?(:review_merge_request, licensed_feature: :ai_review_mr)
+      end
+
+      rule do
+        ai_review_mr_enabled &
+          user_allowed_to_use_ai_review_mr
+      end.enable :access_ai_review_mr
    end

    override :lookup_access_level!

--- a/ee/spec/models/projects/ai_features_spec.rb
+++ b/ee/spec/models/projects/ai_features_spec.rb
@@ -24,7 +24,15 @@
        allow(authorizer).to receive(:allowed?).and_return(true)
      end

-      it { is_expected.to be(true) }
+      it { is_expected.to be(false) }
+
+      context 'when user has permission' do
+        before do
+          allow(current_user).to receive(:can?).with(:access_ai_review_mr, project).and_return(true)
+        end
+
+        it { is_expected.to be(true) }
+      end

      context 'when ai_review_merge_request feature flag is disabled' do
        before do

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -4538,4 +4538,25 @@ def create_member_role(member, abilities = member_role_abilities)
      end
    end
  end
+
+  describe 'access_ai_review_mr' do
+    let(:current_user) { owner }
+
+    where(:duo_features_enabled, :allowed_to_use, :enabled_for_user) do
+      true  | false | be_disallowed(:access_ai_review_mr)
+      false | true  | be_disallowed(:access_ai_review_mr)
+      true  | true  | be_allowed(:access_ai_review_mr)
+    end
+
+    with_them do
+      before do
+        allow(project).to receive(:duo_features_enabled).and_return(duo_features_enabled)
+
+        allow(current_user).to receive(:allowed_to_use?)
+          .with(:review_merge_request, licensed_feature: :ai_review_mr).and_return(allowed_to_use)
+      end
+
+      it { is_expected.to enabled_for_user }
+    end
+  end
 end