From 1ae2476bd224e7edd71e8a591c794e8124602160 Mon Sep 17 00:00:00 2001 From: Hinam Mehra <hmehra@gitlab.com> Date: Sat, 21 Dec 2024 17:55:47 +1100 Subject: [PATCH] Remove unused feature flags from custom abilities Custom ability definitions contain feature flags that have already been rolled out & removed. This MR cleans up those definitions --- doc/development/permissions/custom_roles.md | 10 +++++++--- doc/user/custom_roles/abilities.md | 8 ++++---- ee/config/custom_abilities/admin_group_member.yml | 3 --- ee/config/custom_abilities/archive_project.yml | 3 --- .../custom_abilities/manage_project_access_tokens.yml | 3 --- ee/config/custom_abilities/read_code.yml | 3 --- 6 files changed, 11 insertions(+), 19 deletions(-) diff --git a/doc/development/permissions/custom_roles.md b/doc/development/permissions/custom_roles.md index 882d02edc92e75..bb6b2baee51e21 100644 --- a/doc/development/permissions/custom_roles.md +++ b/doc/development/permissions/custom_roles.md @@ -193,7 +193,11 @@ before in a separate merge request, before completing the below. - Run `bundle exec rails generate gitlab:custom_roles:code --ability <ABILITY_NAME>` which will update the permissions validation schema file and create an empty spec file. -### Step 3: Update policies +### Step 3: Create a feature flag (optional) + +- If you would like to toggle the custom ability using a [feature flag](../feature_flags/index.md), create a feature flag with name `custom_ability_<name>`. Such as, for ability `read_code`, the feature flag will be `custom_ability_read_code`. When this feature flag is disabled, the custom ability will be hidden when creating a new custom role, or when fetching custom abilities for a user. + +### Step 4: Update policies - If the ability is checked on a group level, add rule(s) to GroupPolicy to enable the ability. - For example: if the ability we would like to add is `read_dependency`, then an update to `ee/app/policies/ee/group_policy.rb` would look like as follows: 
@@ -211,7 +215,7 @@ rule { custom_role_enables_read_dependency }.enable(:read_dependency) - Not all abilities need to be enabled on both levels, for instance `admin_terraform_state` allows users to manage a project's terraform state. It only needs to be enabled on the project level and not the group level, and thus only needs to be configured in `ee/app/policies/ee/project_policy.rb`. -### Step 4: Verify +### Step 5: Verify - Ensure SaaS mode is enabled with `GITLAB_SIMULATE_SAAS=1`. - Go to any Group that you are an owner of, then go to `Settings -> Roles and permissions`. @@ -219,7 +223,7 @@ rule { custom_role_enables_read_dependency }.enable(:read_dependency) - Go to the Group's `Manage -> Members` page and assign a member to this newly created custom role. - Next, sign in as that member and ensure that you are able to access the page that the custom ability is intended for. -### Step 5: Add specs +### Step 6: Add specs - Add the ability as a trait in the `MemberRoles` factory, `ee/spec/factories/member_roles.rb`. - Add tests to `ee/spec/requests/custom_roles/<ABILITY_NAME>/request_spec.rb` to ensure that once the user has been assigned the custom ability, they can successfully access the controllers, REST API endpoints and GraphQL API endpoints. diff --git a/doc/user/custom_roles/abilities.md b/doc/user/custom_roles/abilities.md index c1d2480c4fda93..efb9e1ab773a22 100644 --- a/doc/user/custom_roles/abilities.md +++ b/doc/user/custom_roles/abilities.md 
@@ -51,8 +51,8 @@ These requirements are documented in the `Required permission` column in the fol | Name | Required permission | Description | Introduced in | Feature flag | Enabled in | |:-----|:------------|:------------------|:---------|:--------------|:---------| -| [`admin_group_member`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131914) | | Add or remove users in a group, and assign roles to users. When assigning a role, users with this custom permission must select a role that has the same or fewer permissions as the default role used as the base for their custom role. | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/17364) | `admin_group_member` | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136247) | -| [`archive_project`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134998) | | Allows archiving of projects. | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/425957) | `archive_project` | GitLab [16.7](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/139260) | +| [`admin_group_member`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131914) | | Add or remove users in a group, and assign roles to users. When assigning a role, users with this custom permission must select a role that has the same or fewer permissions as the default role used as the base for their custom role. | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/17364) | | | +| [`archive_project`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134998) | | Allows archiving of projects. | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/425957) | | | | [`remove_group`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145166) | | Ability to delete or restore a group. This ability does not allow deleting top-level groups. Review the Retention period settings to prevent accidental deletion. 
| GitLab [16.10](https://gitlab.com/gitlab-org/gitlab/-/issues/425962) | | | | [`remove_project`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/139696) | | Allows deletion of projects. | GitLab [16.8](https://gitlab.com/gitlab-org/gitlab/-/issues/425959) | | | 
@@ -94,14 +94,14 @@ These requirements are documented in the `Required permission` column in the fol | [`admin_merge_request`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128302) | | Allows approval of merge requests. | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/412708) | | | | [`admin_protected_branch`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162208) | | Create, read, update, and delete protected branches for a project. | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/448823) | | | | [`admin_push_rules`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147872) | | Configure push rules for repositories at the group or project level. | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/421786) | | | -| [`read_code`](https://gitlab.com/gitlab-org/gitlab/-/issues/376180) | | Allows read-only access to the source code in the user interface. Does not allow users to edit or download repository archives, clone or pull repositories, view source code in an IDE, or view merge requests for private projects. You can download individual files because read-only access inherently grants the ability to make a local copy of the file. | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/20277) | `customizable_roles` | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/110810) | +| [`read_code`](https://gitlab.com/gitlab-org/gitlab/-/issues/376180) | | Allows read-only access to the source code in the user interface. Does not allow users to edit or download repository archives, clone or pull repositories, view source code in an IDE, or view merge requests for private projects. You can download individual files because read-only access inherently grants the ability to make a local copy of the file. 
| GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/20277) | | | ## System access | Name | Required permission | Description | Introduced in | Feature flag | Enabled in | |:-----|:------------|:------------------|:---------|:--------------|:---------| | [`manage_group_access_tokens`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140115) | | Create, read, update, and delete group access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab [16.8](https://gitlab.com/gitlab-org/gitlab/-/issues/428353) | | | -| [`manage_project_access_tokens`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132342) | | Create, read, update, and delete project access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/421778) | `manage_project_access_tokens` | GitLab [16.8](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141294) | +| [`manage_project_access_tokens`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132342) | | Create, read, update, and delete project access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/421778) | | | ## Team planning diff --git a/ee/config/custom_abilities/admin_group_member.yml b/ee/config/custom_abilities/admin_group_member.yml index f58c108bbeeaab..f08b98345c9390 100644 --- a/ee/config/custom_abilities/admin_group_member.yml +++ b/ee/config/custom_abilities/admin_group_member.yml 
@@ -8,7 +8,4 @@ feature_category: groups_and_projects milestone: '16.5' group_ability: true project_ability: false -feature_flag: admin_group_member -feature_flag_enabled_milestone: '16.6' -feature_flag_enabled_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136247 available_from_access_level: 50 diff --git a/ee/config/custom_abilities/archive_project.yml b/ee/config/custom_abilities/archive_project.yml index 8df4f05041ad9f..3ecd1efd236cb5 100644 --- a/ee/config/custom_abilities/archive_project.yml +++ b/ee/config/custom_abilities/archive_project.yml @@ -8,7 +8,4 @@ feature_category: groups_and_projects milestone: '16.6' group_ability: false project_ability: true -feature_flag: archive_project -feature_flag_enabled_milestone: '16.7' -feature_flag_enabled_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/139260 available_from_access_level: 50 diff --git a/ee/config/custom_abilities/manage_project_access_tokens.yml b/ee/config/custom_abilities/manage_project_access_tokens.yml index 3dd6ef3f8f9fa0..9390cfd5c7cc34 100644 --- a/ee/config/custom_abilities/manage_project_access_tokens.yml +++ b/ee/config/custom_abilities/manage_project_access_tokens.yml @@ -8,6 +8,3 @@ feature_category: system_access milestone: '16.5' group_ability: false project_ability: true -feature_flag: manage_project_access_tokens -feature_flag_enabled_milestone: '16.8' -feature_flag_enabled_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141294 diff --git a/ee/config/custom_abilities/read_code.yml b/ee/config/custom_abilities/read_code.yml index 6e44451c65016f..1b7b3e8602c49c 100644 --- a/ee/config/custom_abilities/read_code.yml +++ b/ee/config/custom_abilities/read_code.yml 
@@ -9,7 +9,4 @@ milestone: '15.7' group_ability: true project_ability: true skip_seat_consumption: true -feature_flag: customizable_roles -feature_flag_enabled_milestone: '15.9' -feature_flag_enabled_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/110810 available_from_access_level: 20 -- GitLab
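Review bot: In `doc/development/permissions/custom_roles.md`, the new "Step 3: Create a feature flag (optional)" says what a disabled flag hides (the ability "when creating a new custom role, or when fetching custom abilities for a user") but not whether a role that already carries the ability still grants it while the flag is off. Since this controls authorization, please state that behaviour explicitly. The step also does not say whether the flag must be declared in the ability's YAML definition, which is where the `feature_flag:` keys removed later in this patch lived, or whether the `custom_ability_<name>` name is resolved by convention alone. A closing sentence on removing the flag after rollout would help avoid the stale entries this patch cleans up. Minor wording: "Such as, for ability `read_code`" reads better as "For example, for the ability `read_code`".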
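Review bot: In `doc/user/custom_roles/abilities.md`, the rows for `admin_group_member`, `archive_project`, `read_code` and `manage_project_access_tokens` lose the "Enabled in" value along with the flag name, so the table no longer shows that these abilities were introduced in one release (16.5, 16.6, 15.7, 16.5) but only enabled by default in a later one (16.6, 16.7, 15.9, 16.8). An administrator on a version in between would read the ability as available from "Introduced in". Consider keeping the enablement version in the Description or in a history note. If this table is generated from the YAML definitions, please confirm the committed output matches a fresh regeneration rather than a hand edit.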
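Review bot: In `ee/config/custom_abilities/manage_project_access_tokens.yml`, the three removed lines are the end of the file, so the definition now ends at `project_ability: true` with no `available_from_access_level`, while the other three definitions touched by this patch keep one (`50`, `50` and `20`). That is not introduced by this change, but for an ability that creates project access tokens it is worth confirming the omission is intentional and noting in the MR description what the default is when the key is absent.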
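Review bot: In `ee/config/custom_abilities/read_code.yml`, the removed flag is `customizable_roles`, which is not named after the ability and so may have gated more than `read_code`. The diffstat lists only two docs files and four YAML definitions, so nothing in this patch shows that remaining checks of `customizable_roles`, `admin_group_member`, `archive_project` or `manage_project_access_tokens` as feature flags are gone. Please link the MRs that removed each flag in the description, and consider a spec asserting that any `feature_flag:` named in a custom ability definition refers to an existing flag, so a definition cannot silently point at a removed one again.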