Expose project settings in REST API only for maintainer+ users

What does this MR do and why?

Expose project settings in REST API only for maintainer+ users

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

1. Add a user to as a Guest to a project.
2. Create a personal access token as that user and then query the REST API curl --header "Authorization: Bearer <ACCESS-TOKEN>" "http://127.0.0.1:3000/api/v4/projects/<PROJECT_ID>"
3. You shouldn't see any project settings.
4. However, if you upgraded that user to the Maintainer of the project, you should see all the project settings

Related to #442899 (closed)

ee/lib/ee/api/entities/project.rb

@@ -16,49 +16,59 @@ def preload_relation(projects_relation, options = {})
         end
 
         prepended do
-          expose :approvals_before_merge, if: ->(project, _) { project.feature_available?(:merge_request_approvers) }
-          expose :mirror, if: ->(project, _) { project.feature_available?(:repository_mirrors) }
-          expose :mirror_user_id, if: ->(project, _) { project.mirror? }
-          expose :mirror_trigger_builds, if: ->(project, _) { project.mirror? }
-          expose :only_mirror_protected_branches, if: ->(project, _) { project.mirror? }
-          expose :mirror_overwrites_diverged_branches, if: ->(project, _) { project.mirror? }
-          expose :external_authorization_classification_label,
-            if: ->(_, _) { License.feature_available?(:external_authorization_service_api_management) }
-          expose :marked_for_deletion_at, if: ->(project, _) { project.feature_available?(:adjourned_deletion_for_projects_and_groups) }
-          expose :marked_for_deletion_on, if: ->(project, _) { project.feature_available?(:adjourned_deletion_for_projects_and_groups) } do |project, _|
-            project.marked_for_deletion_at
-          end
-          # Expose old field names with the new permissions methods to keep API compatible
-          # TODO: remove in API v5, replaced by *_access_level
-          expose :requirements_enabled do |project, options|
-            project.feature_available?(:requirements, options[:current_user])
-          end
-          expose(:requirements_access_level) { |project, _| project_feature_string_access_level(project, :requirements) }
+          expose :issues_template,
+            if: ->(project, options) {
+              project.feature_available?(:issuable_default_templates) &&
+                Ability.allowed?(options[:current_user], :read_issue, project)
+            }
 
-          expose :security_and_compliance_enabled do |project, options|
-            project.feature_available?(:security_and_compliance, options[:current_user])
-          end
-          expose :compliance_frameworks do |project, _|
-            [project.compliance_framework_setting&.compliance_management_framework&.name].compact
-          end
-          expose :issues_template, if: ->(project, options) do
-            project.feature_available?(:issuable_default_templates) &&
-              Ability.allowed?(options[:current_user], :read_issue, project)
-          end
-          expose :merge_requests_template, if: ->(project, options) do
-            project.feature_available?(:issuable_default_templates) &&
-              Ability.allowed?(options[:current_user], :read_merge_request, project)
+          expose :merge_requests_template,
+            if: ->(project, options) {
+              project.feature_available?(:issuable_default_templates) &&
+                Ability.allowed?(options[:current_user], :read_merge_request, project)
+            }
+
+          with_options if: ->(project, options) { Ability.allowed?(options[:current_user], :admin_project, project) } do
+            expose :approvals_before_merge, if: ->(project, _) { project.feature_available?(:merge_request_approvers) }
+            expose :mirror, if: ->(project, _) { project.feature_available?(:repository_mirrors) }
+            expose :mirror_user_id, if: ->(project, _) { project.mirror? }
+            expose :mirror_trigger_builds, if: ->(project, _) { project.mirror? }
+            expose :only_mirror_protected_branches, if: ->(project, _) { project.mirror? }
+            expose :mirror_overwrites_diverged_branches, if: ->(project, _) { project.mirror? }
+            expose :external_authorization_classification_label,
+              if: ->(_, _) { License.feature_available?(:external_authorization_service_api_management) }
+            expose :marked_for_deletion_at, if: ->(project, _) { project.feature_available?(:adjourned_deletion_for_projects_and_groups) }
+            expose :marked_for_deletion_on, if: ->(project, _) { project.feature_available?(:adjourned_deletion_for_projects_and_groups) } do |project, _|
+              project.marked_for_deletion_at
+            end
+
+            # Expose old field names with the new permissions methods to keep API compatible
+            # TODO: remove in API v5, replaced by *_access_level
+            expose :requirements_enabled do |project, options|
+              project.feature_available?(:requirements, options[:current_user])
+            end
+
+            expose :security_and_compliance_enabled do |project, options|
+              project.feature_available?(:security_and_compliance, options[:current_user])
+            end
+
+            expose :requirements_access_level do |project, _|
+              project_feature_string_access_level(project, :requirements)
+            end
+
+            expose :compliance_frameworks do |project, _|
+              [project.compliance_framework_setting&.compliance_management_framework&.name].compact
+            end
+
+            expose :merge_pipelines_enabled?, as: :merge_pipelines_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
+            expose :merge_trains_enabled?, as: :merge_trains_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
+            expose :merge_trains_skip_train_allowed?, as: :merge_trains_skip_train_allowed, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
+            expose :only_allow_merge_if_all_status_checks_passed, if: ->(project, _) { project.feature_available?(:external_status_checks) }
+            expose :allow_pipeline_trigger_approve_deployment, documentation: { type: 'boolean' }, if: ->(project, _) { project.feature_available?(:protected_environments) }
+            expose :prevent_merge_without_jira_issue, if: ->(project, _) { project.feature_available?(:jira_issue_association_enforcement) }
+
+            expose :restrict_pipeline_cancellation_role, as: :ci_restrict_pipeline_cancellation_role, if: ->(project, _) { project.ci_cancellation_restriction.feature_available? }
           end
-          expose :restrict_pipeline_cancellation_role, as: :ci_restrict_pipeline_cancellation_role, if: ->(project, options) {
-            project.ci_cancellation_restriction.feature_available? &&
-              Ability.allowed?(options[:current_user], :admin_project, project)
-          }
-          expose :merge_pipelines_enabled?, as: :merge_pipelines_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
-          expose :merge_trains_enabled?, as: :merge_trains_enabled, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
-          expose :merge_trains_skip_train_allowed?, as: :merge_trains_skip_train_allowed, if: ->(project, _) { project.feature_available?(:merge_pipelines) }
-          expose :only_allow_merge_if_all_status_checks_passed, if: ->(project, _) { project.feature_available?(:external_status_checks) }
-          expose :allow_pipeline_trigger_approve_deployment, documentation: { type: 'boolean' }, if: ->(project, _) { project.feature_available?(:protected_environments) }
-          expose :prevent_merge_without_jira_issue, if: ->(project, _) { project.feature_available?(:jira_issue_association_enforcement) }
         end
       end
     end