Follow-up from "Remove validity_checks_security_finding_status FF"

The following discussion from !213223 (merged) should be addressed:

@pedropombeiro started a discussion: (+1 comment)

suggestion (non-blocking): the context is called when user does not have project access but we're not setting up a user that does not have project access inside. Should we just move the test (without the surrounding context) to line 17 and make it the default case?

diff --git a/ee/spec/policies/security/finding_token_status_policy_spec.rb b/ee/spec/policies/security/finding_token_status_policy_spec.rb
index 5da9e029deaa..0ebe30bc6dde 100644
--- a/ee/spec/policies/security/finding_token_status_policy_spec.rb
+++ b/ee/spec/policies/security/finding_token_status_policy_spec.rb
@@ -15,6 +15,8 @@
     stub_licensed_features(security_dashboard: true)
   end
 
+  it { is_expected.to be_disallowed(:read_finding_token_status) }
+
   context 'when user has project access' do
     before_all do
       project.add_developer(user)
@@ -30,8 +32,4 @@
       it { is_expected.to be_disallowed(:read_finding_token_status) }
     end
   end
-
-  context 'when user does not have project access' do
-    it { is_expected.to be_disallowed(:read_finding_token_status) }
-  end
 end

Edited Dec 11, 2025 by 🤖 GitLab Bot 🤖