Allow read-only access to alerts for auditors
What does this MR do and why?
This MR enables read-only access for auditors to alerts.
See https://docs.gitlab.com/ee/administration/auditor_users.html
Users with auditor access have read-only access to all groups, projects, and other resources except:
Note that this MR also takes the feature flag split_operations_visibility_permissions into account. See #364240 (closed).
Screenshots or screen recordings
As an auditor:
Feature flag split_operations_visibility_permissions | Alerts Overview | Alerts Details |
---|---|---|
Enabled | (screenshot) | (screenshot) |
Disabled | (screenshot) | (screenshot) |
Read-only
It seems that action buttons are visible for auditors but have no effect or fail with an error message.
Changing Alert Status | Creating an incident |
---|---|
(screenshot) | (screenshot) |
See #375590 as a follow-up.
How to set up and validate locally
Visually
With feature flag split_operations_visibility_permissions disabled
- In Rails console: Feature.remove(:split_operations_visibility_permissions)
- Create an auditor
- Impersonate the auditor
- Visit http://localhost:3000/gitlab-org/gitlab-test
- See Monitor > Alerts item in the navigation bar
- Visit http://localhost:3000/gitlab-org/gitlab-test/-/alert_management
- See screenshots above
With feature flag split_operations_visibility_permissions enabled
- In Rails console: Feature.enable(:split_operations_visibility_permissions)
- Create an auditor
- Impersonate the auditor
- Visit http://localhost:3000/gitlab-org/gitlab-test
- See Monitor > Alerts item in the navigation bar
- Visit http://localhost:3000/gitlab-org/gitlab-test/-/alert_management
- See screenshots above
Via specs
# Rollback production code changes
git checkout master -- ee/app/policies/ee/project_policy.rb
# Watch specs fail
bin/rspec ee/spec/policies/project_policy_spec.rb
...
Finished in 1 minute 36.48 seconds (files took 8.56 seconds to load)
650 examples, 14 failures
RSpec output
Failures:
1) ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :private, access_level: 10, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/104)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:153
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
2) ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :internal, access_level: 10, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/105)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:153
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
3) ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :public, access_level: 20, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/106)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:153
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
4) ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :public, access_level: 10, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/106)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:153
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
5) ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :private, access_level: 20, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/104)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:153
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
6) ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :internal, access_level: 20, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/105)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:153
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
7) ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :private, access_level: 20, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/104)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:142
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
8) ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :public, access_level: 20, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/106)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:142
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
9) ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :public, access_level: 10, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/106)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:142
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
10) ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :internal, access_level: 20, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/105)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:142
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
11) ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :internal, access_level: 10, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/105)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:142
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
12) ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :private, access_level: 10, allowed: true always allows permissions except when feature disabled
Failure/Error: permissions.each { |p| is_expected.to be_allowed(p) }
expected `#<ProjectPolicy (@user14 : Project/104)>.allowed?(:read_alert_management_alert)` to be truthy, got false
Shared Example Group: "project feature visibility" called from ./ee/spec/policies/project_policy_spec.rb:142
# ./spec/support/helpers/policy_helpers.rb:5:in `block in expect_allowed'
# ./spec/support/helpers/policy_helpers.rb:5:in `each'
# ./spec/support/helpers/policy_helpers.rb:5:in `expect_allowed'
# ./ee/spec/policies/project_policy_spec.rb:132:in `block (9 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
13) ProjectPolicy basic permissions auditor who is a team member is expected to be allowed :download_code, :download_wiki_code, :read_project, :read_issue_board, :read_issue_board_list, :read_project_for_iids, :read_issue_iid, :read_merge_request_iid, :read_wiki, :read_issue, :read_label, :read_planning_hierarchy, :read_issue_link, :read_milestone, :read_snippet, :read_project_member, :read_note, :read_cycle_analytics, :read_pipeline, :read_build, :read_commit_status, :read_container_image, :read_environment, :read_deployment, :read_merge_request, :read_pages, :create_merge_request_in, :award_emoji, :read_project_security_dashboard, :read_security_resource, :read_vulnerability_scanner, :read_software_license_policy, :read_merge_train, :read_release, :read_project_audit_events, :read_cluster, :read_terraform_state, :read_project_merge_request_analytics, :read_on_demand_dast_scan, and :read_alert_management_alert
Failure/Error: is_expected.to be_allowed(*auditor_permissions)
expected `#<ProjectPolicy (@user14 : Project/106)>.allowed?(:download_code, :download_wiki_code, :read_project, :read_issue_board, :read_issue_board_list, :read_project_for_iids, :read_issue_iid, :read_merge_request_iid, :read_wiki, :read_issue, :read_label, :read_planning_hierarchy, :read_issue_link, :read_milestone, :read_snippet, :read_project_member, :read_note, :read_cycle_analytics, :read_pipeline, :read_build, :read_commit_status, :read_container_image, :read_environment, :read_deployment, :read_merge_request, :read_pages, :create_merge_request_in, :award_emoji, :read_project_security_dashboard, :read_security_resource, :read_vulnerability_scanner, :read_software_license_policy, :read_merge_train, :read_release, :read_project_audit_events, :read_cluster, :read_terraform_state, :read_project_merge_request_analytics, :read_on_demand_dast_scan, :read_alert_management_alert)` to be truthy, got false
# ./ee/spec/policies/project_policy_spec.rb:95:in `block (5 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
14) ProjectPolicy basic permissions auditor who is not a team member is expected to be allowed :download_code, :download_wiki_code, :read_project, :read_issue_board, :read_issue_board_list, :read_project_for_iids, :read_issue_iid, :read_merge_request_iid, :read_wiki, :read_issue, :read_label, :read_planning_hierarchy, :read_issue_link, :read_milestone, :read_snippet, :read_project_member, :read_note, :read_cycle_analytics, :read_pipeline, :read_build, :read_commit_status, :read_container_image, :read_environment, :read_deployment, :read_merge_request, :read_pages, :create_merge_request_in, :award_emoji, :read_project_security_dashboard, :read_security_resource, :read_vulnerability_scanner, :read_software_license_policy, :read_merge_train, :read_release, :read_project_audit_events, :read_cluster, :read_terraform_state, :read_project_merge_request_analytics, :read_on_demand_dast_scan, and :read_alert_management_alert
Failure/Error: is_expected.to be_allowed(*auditor_permissions)
expected `#<ProjectPolicy (@user14 : Project/106)>.allowed?(:download_code, :download_wiki_code, :read_project, :read_issue_board, :read_issue_board_list, :read_project_for_iids, :read_issue_iid, :read_merge_request_iid, :read_wiki, :read_issue, :read_label, :read_planning_hierarchy, :read_issue_link, :read_milestone, :read_snippet, :read_project_member, :read_note, :read_cycle_analytics, :read_pipeline, :read_build, :read_commit_status, :read_container_image, :read_environment, :read_deployment, :read_merge_request, :read_pages, :create_merge_request_in, :award_emoji, :read_project_security_dashboard, :read_security_resource, :read_vulnerability_scanner, :read_software_license_policy, :read_merge_train, :read_release, :read_project_audit_events, :read_cluster, :read_terraform_state, :read_project_merge_request_analytics, :read_on_demand_dast_scan, :read_alert_management_alert)` to be truthy, got false
# ./ee/spec/policies/project_policy_spec.rb:81:in `block (5 levels) in <top (required)>'
# ./spec/spec_helper.rb:417:in `block (3 levels) in <top (required)>'
# ./spec/support/sidekiq_middleware.rb:9:in `with_sidekiq_server_middleware'
# ./spec/spec_helper.rb:409:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:405:in `block (3 levels) in <top (required)>'
# ./lib/gitlab/application_context.rb:58:in `with_raw_context'
# ./spec/spec_helper.rb:405:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:242:in `block (2 levels) in <top (required)>'
# ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
# ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
# ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'
Finished in 1 minute 36.48 seconds (files took 8.56 seconds to load)
650 examples, 14 failures
Failed examples:
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:4:1:8:1] # ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :private, access_level: 10, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:4:1:5:1] # ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :internal, access_level: 10, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:4:1:1:1] # ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :public, access_level: 20, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:4:1:2:1] # ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :public, access_level: 10, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:4:1:7:1] # ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :private, access_level: 20, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:4:1:4:1] # ProjectPolicy basic permissions auditor with project feature related policies with disabled feature flag split_operations_visibility_permissions with project feature operations_access_level project_visibility: :internal, access_level: 20, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:3:7:1] # ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :private, access_level: 20, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:3:1:1] # ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :public, access_level: 20, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:3:2:1] # ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :public, access_level: 10, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:3:4:1] # ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :internal, access_level: 20, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:3:5:1] # ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :internal, access_level: 10, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb[1:1:9:4:3:8:1] # ProjectPolicy basic permissions auditor with project feature related policies with project feature monitor_access_level project_visibility: :private, access_level: 10, allowed: true always allows permissions except when feature disabled
rspec ./ee/spec/policies/project_policy_spec.rb:90 # ProjectPolicy basic permissions auditor who is a team member is expected to be allowed :download_code, :download_wiki_code, :read_project, :read_issue_board, :read_issue_board_list, :read_project_for_iids, :read_issue_iid, :read_merge_request_iid, :read_wiki, :read_issue, :read_label, :read_planning_hierarchy, :read_issue_link, :read_milestone, :read_snippet, :read_project_member, :read_note, :read_cycle_analytics, :read_pipeline, :read_build, :read_commit_status, :read_container_image, :read_environment, :read_deployment, :read_merge_request, :read_pages, :create_merge_request_in, :award_emoji, :read_project_security_dashboard, :read_security_resource, :read_vulnerability_scanner, :read_software_license_policy, :read_merge_train, :read_release, :read_project_audit_events, :read_cluster, :read_terraform_state, :read_project_merge_request_analytics, :read_on_demand_dast_scan, and :read_alert_management_alert
rspec ./ee/spec/policies/project_policy_spec.rb:76 # ProjectPolicy basic permissions auditor who is not a team member is expected to be allowed :download_code, :download_wiki_code, :read_project, :read_issue_board, :read_issue_board_list, :read_project_for_iids, :read_issue_iid, :read_merge_request_iid, :read_wiki, :read_issue, :read_label, :read_planning_hierarchy, :read_issue_link, :read_milestone, :read_snippet, :read_project_member, :read_note, :read_cycle_analytics, :read_pipeline, :read_build, :read_commit_status, :read_container_image, :read_environment, :read_deployment, :read_merge_request, :read_pages, :create_merge_request_in, :award_emoji, :read_project_security_dashboard, :read_security_resource, :read_vulnerability_scanner, :read_software_license_policy, :read_merge_train, :read_release, :read_project_audit_events, :read_cluster, :read_terraform_state, :read_project_merge_request_analytics, :read_on_demand_dast_scan, and :read_alert_management_alert
Randomized with seed 43519
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #358631 (closed)
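
The permission matrix that the failing specs above exercise, written as an added stand-alone Ruby model (not GitLab's policy code and not part of this MR): an auditor may read alerts at every project visibility unless the gating feature is disabled, the feature flag decides which access-level column gates, and write actions stay denied. Assumptions: `AlertPolicyModel`, `project_for`, `auditor_matrix`, `violations`, the names in `WRITE` and `DISABLED = 0` are this example's own; the page only shows levels 10 and 20 and the phrase "feature disabled".

```ruby
# Simplified model of the auditor/alerts rule described in this MR.
# It does not use or reproduce GitLab's DeclarativePolicy classes.

# Access levels 10 and 20 appear in the spec names above.
# DISABLED = 0 is an assumption of this model.
DISABLED = 0
PRIVATE  = 10
ENABLED  = 20

VISIBILITIES = %i[private internal public].freeze

Project = Struct.new(:visibility, :monitor_access_level,
                     :operations_access_level, keyword_init: true)
User    = Struct.new(:auditor, keyword_init: true)

class AlertPolicyModel
  READ = :read_alert_management_alert
  # Stand-ins for the two actions in the "Read-only" section
  # (changing alert status, creating an incident). Names are assumptions.
  WRITE = %i[update_alert_management_alert create_incident].freeze

  def initialize(user, project, split_flag:)
    @user = user
    @project = project
    @split_flag = split_flag
  end

  # With split_operations_visibility_permissions enabled the monitor level
  # gates alerts; with it disabled the operations level does.
  def gating_level
    @split_flag ? @project.monitor_access_level : @project.operations_access_level
  end

  def allowed?(ability)
    return false unless @user.auditor        # this model covers auditors only
    return false if gating_level == DISABLED # "except when feature disabled"

    ability == READ                          # read-only: nothing else is granted
  end
end

# Build a project whose gating column holds `level` and whose other column
# holds the opposite extreme, so reading the wrong column changes the result.
def project_for(visibility, level, split_flag:)
  other = level == DISABLED ? ENABLED : DISABLED
  Project.new(
    visibility: visibility,
    monitor_access_level: split_flag ? level : other,
    operations_access_level: split_flag ? other : level
  )
end

# Evaluate every visibility x access-level combination for an auditor.
def auditor_matrix(split_flag:)
  auditor = User.new(auditor: true)
  VISIBILITIES.product([DISABLED, PRIVATE, ENABLED]).map do |visibility, level|
    project = project_for(visibility, level, split_flag: split_flag)
    policy = AlertPolicyModel.new(auditor, project, split_flag: split_flag)
    {
      visibility: visibility,
      level: level,
      read: policy.allowed?(AlertPolicyModel::READ),
      write: AlertPolicyModel::WRITE.any? { |ability| policy.allowed?(ability) }
    }
  end
end

# Rows that break the expectation: read iff the feature is not disabled,
# and never any write ability.
def violations(matrix)
  matrix.reject do |row|
    row[:read] == (row[:level] != DISABLED) && row[:write] == false
  end
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |flag|
    puts "split_operations_visibility_permissions=#{flag}"
    auditor_matrix(split_flag: flag).each do |row|
      puts format('  %-8s level=%-2d read=%-5s write=%s',
                  row[:visibility], row[:level], row[:read], row[:write])
    end
    puts "  violations: #{violations(auditor_matrix(split_flag: flag)).size}"
  end
end
```

Setting the non-gating column to the opposite extreme is what makes the matrix catch a policy that checks the wrong access level for the current flag state.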