Updated read project and group comment templates permissions

Updates the permissions to read project and group comment templates to be for report level and above. Changelog: changed EE: true #506775

Updated read project and group comment templates permissions
aeec9b76 · Phil Hughes · GitLab · 106cd7d2 · aeec9b76 · aeec9b76
Verified Commit aeec9b76 authored 2 months ago by Phil Hughes Committed by GitLab 2 months ago
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -815,8 +815,9 @@ module GroupPolicy
        enable :read_saml_user
      end

+      rule { supports_saved_replies & guest }.enable :read_saved_replies
+
      rule { supports_saved_replies & developer }.policy do
-        enable :read_saved_replies
        enable :create_saved_replies
        enable :destroy_saved_replies
        enable :update_saved_replies

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -981,13 +981,14 @@ module ProjectPolicy

      rule { can?(:read_project) & duo_features_enabled }.enable :access_duo_features

-      desc "Group has saved replies support"
+      desc "Project has saved replies support"
      condition(:supports_saved_replies) do
        @subject.supports_saved_replies?
      end

+      rule { supports_saved_replies & guest }.enable :read_saved_replies
+
      rule { supports_saved_replies & developer }.policy do
-        enable :read_saved_replies
        enable :create_saved_replies
        enable :destroy_saved_replies
        enable :update_saved_replies

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -4090,6 +4090,22 @@ def create_member_role(member, abilities = member_role_abilities)

      it { is_expected.to be_allowed(:read_saved_replies, :create_saved_replies, :update_saved_replies, :destroy_saved_replies) }

+      context 'when the user is a guest' do
+        let(:current_user) { guest }
+
+        it { is_expected.to be_allowed(:read_saved_replies) }
+
+        it { is_expected.to be_disallowed(:create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
+      end
+
+      context 'when the user is a reporter' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_allowed(:read_saved_replies) }
+
+        it { is_expected.to be_disallowed(:create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
+      end
+
      context 'when the user is a developer' do
        let(:current_user) { developer }

@@ -4099,13 +4115,13 @@ def create_member_role(member, abilities = member_role_abilities)
      context 'when the user is a planner' do
        let(:current_user) { planner }

-        it { is_expected.to be_disallowed(:read_saved_replies, :create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
+        it { is_expected.to be_disallowed(:create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
      end

      context 'when the user is a guest member of the group' do
        let(:current_user) { guest }

-        it { is_expected.to be_disallowed(:read_saved_replies, :create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
+        it { is_expected.to be_disallowed(:create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
      end
    end
  end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -4259,6 +4259,22 @@ def create_member_role(member, abilities = member_role_abilities)

      it { is_expected.to be_allowed(:read_saved_replies, :create_saved_replies, :update_saved_replies, :destroy_saved_replies) }

+      context 'when the user is a guest' do
+        let(:current_user) { guest }
+
+        it { is_expected.to be_allowed(:read_saved_replies) }
+
+        it { is_expected.to be_disallowed(:create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
+      end
+
+      context 'when the user is a reporter' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_allowed(:read_saved_replies) }
+
+        it { is_expected.to be_disallowed(:create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
+      end
+
      context 'when the user is a developer' do
        let(:current_user) { developer }

@@ -4268,7 +4284,7 @@ def create_member_role(member, abilities = member_role_abilities)
      context 'when the user is a guest member of the project' do
        let(:current_user) { guest }

-        it { is_expected.to be_disallowed(:read_saved_replies, :create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
+        it { is_expected.to be_disallowed(:create_saved_replies, :update_saved_replies, :destroy_saved_replies) }
      end
    end
  end