Write exhaustive tests around project policy
In https://gitlab.com/gitlab-org/gitlab-ee/issues/12787#note_193244051 we noticed that making some changes to the `ProjectPolicy` didn't cause failures in `project_policy_spec.rb`.

We would need to ensure that the following tests are explicitly added to `project_policy_spec.rb`.

## When project access level is PRIVATE

```ruby
> p = Project.first
> p.public_builds
=> true

# project has PRIVATE access level (10) for all features
> p.project_feature
=> #<ProjectFeature:0x00007fa1cd564728
 id: 1,
 project_id: 1,
 merge_requests_access_level: 10,
 issues_access_level: 10,
 wiki_access_level: 10,
 snippets_access_level: 10,
 builds_access_level: 10,
 created_at: Thu, 06 Jun 2019 14:09:11 UTC +00:00,
 updated_at: Tue, 16 Jul 2019 14:32:51 UTC +00:00,
 repository_access_level: 10,
 pages_access_level: 10>

# unauthenticated user
> ProjectPolicy.new(nil, p).allowed?(:read_build)
=> false

# user logged in but no access to the project
> ProjectPolicy.new(u, p).allowed?(:read_build)
=> false

# guest user
> guest = User.last
> p.add_guest(guest)
> ProjectPolicy.new(guest, p).allowed?(:read_build)
=> true
```

Unless we add a user as `guest` we don't allow `:read_build` even if `public_builds = true`.

## When project access level is INTERNAL

```ruby
> p.project_feature.update!(merge_requests_access_level: 20, issues_access_level: 20, wiki_access_level: 20, snippets_access_level: 20, builds_access_level: 20, repository_access_level: 20)

# allows guest users
> ProjectPolicy.new(guest, p).allowed?(:read_build)
=> true

# prevents unauthenticated users
> ProjectPolicy.new(nil, p).allowed?(:read_build)
=> false
```

## When project access level is PUBLIC

```ruby
> p.visibility_level = Project::PUBLIC
=> 20
> p.save!
=> true
> p.project_feature.update!(merge_requests_access_level: 20, builds_access_level: 20, repository_access_level: 20)

# unauthenticated user is allowed
> ProjectPolicy.new(nil, p).allowed?(:read_build)
=> true

# any user logged in
> ProjectPolicy.new(u, p).allowed?(:read_build)
=> true
```

These seem to match exactly the expectations when `public builds` are enabled. However, it would be good to see more exhaustive testing around these permissions because the ProjectPolicy specs don't cover these scenarios with `public builds` well. That's why after changing the policy, none of the tests failed.
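The following is an added example, not part of the original issue or of GitLab's code base. It enumerates the full matrix of access level, user kind and `public_builds`, lists the combinations that the console results above leave without an expectation, and shows that a policy change can pass every pinned combination. The dimension labels and the two policy lambdas are hypothetical stand-ins chosen for this example.

```ruby
# Added example: coverage check for the :read_build authorization matrix.
# Dimension labels follow the issue's section headings; they are names chosen
# for this example, not GitLab constants.
LEVELS        = %i[private internal public].freeze
USERS         = %i[anonymous non_member guest].freeze
PUBLIC_BUILDS = [true, false].freeze

# Results transcribed from the console sessions in the issue, all taken with
# public_builds = true. Key: [level, user, public_builds], value: allowed?
OBSERVED = {
  [:private,  :anonymous,  true] => false,
  [:private,  :non_member, true] => false,
  [:private,  :guest,      true] => true,
  [:internal, :guest,      true] => true,
  [:internal, :anonymous,  true] => false,
  [:public,   :anonymous,  true] => true,
  [:public,   :non_member, true] => true
}.freeze

# Hypothetical stand-ins for a policy before and after a change that drops the
# public_builds condition. Neither is GitLab's ProjectPolicy.
WITH_FLAG    = ->(level, user, pb) { pb && (level == :public || user == :guest) }
WITHOUT_FLAG = ->(level, user, _pb) { level == :public || user == :guest }

# Every combination an exhaustive spec would have to pin.
def all_cells
  LEVELS.product(USERS, PUBLIC_BUILDS)
end

# Combinations that no expectation covers.
def unpinned_cells(expectations)
  all_cells - expectations.keys
end

# Pinned combinations where the policy disagrees with the expectation.
def failures(expectations, policy)
  expectations.reject { |cell, want| policy.call(*cell) == want }.keys
end

# Combinations on which two policies give different answers.
def differing_cells(policy_a, policy_b)
  all_cells.reject { |cell| policy_a.call(*cell) == policy_b.call(*cell) }
end

if __FILE__ == $PROGRAM_NAME
  gaps = unpinned_cells(OBSERVED)
  puts "#{gaps.size} of #{all_cells.size} combinations have no expectation"
  puts "failing cells after the change: #{failures(OBSERVED, WITHOUT_FLAG).size}"
  undetected = differing_cells(WITH_FLAG, WITHOUT_FLAG) & gaps
  undetected.each { |cell| puts "change not detected at #{cell.inspect}" }
end
```

Each unpinned combination is a candidate row for a table-driven spec; the expected value for each row has to come from the intended policy, not from this example.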