author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-20 13:37:47 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-20 13:37:47 +0000 |
commit | aee0a117a889461ce8ced6fcf73207fe017f1d99 (patch) | |
tree | 891d9ef189227a8445d83f35c1b0fc99573f4380 /spec/policies | |
parent | 8d46af3258650d305f53b819eabf7ab18d22f59e (diff) | |
download | gitlab-ce-aee0a117a889461ce8ced6fcf73207fe017f1d99.tar.gz |
Add latest changes from gitlab-org/gitlab@14-6-stable-ee v14.6.0-rc42
Diffstat (limited to 'spec/policies')
4 files changed, 139 insertions, 6 deletions
diff --git a/spec/policies/clusters/agents/activity_event_policy_spec.rb b/spec/policies/clusters/agents/activity_event_policy_spec.rb
new file mode 100644
index 00000000000..1262fcfd9f2
--- /dev/null
+++ b/spec/policies/clusters/agents/activity_event_policy_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Clusters::Agents::ActivityEventPolicy do
+ let_it_be(:event) { create(:agent_activity_event) }
+
+ let(:user) { create(:user) }
+ let(:policy) { described_class.new(user, event) }
+ let(:project) { event.agent.project }
+
+ describe 'rules' do
+ context 'developer' do
+ before do
+ project.add_developer(user)
+ end
+
+ it { expect(policy).to be_disallowed :admin_cluster }
+ it { expect(policy).to be_disallowed :read_cluster }
+ end
+
+ context 'maintainer' do
+ before do
+ project.add_maintainer(user)
+ end
+
+ it { expect(policy).to be_allowed :admin_cluster }
+ it { expect(policy).to be_allowed :read_cluster }
+ end
+ end
+end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index fc4fbace790..7822ee2b92e 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
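Review bot: In activity_event_policy_spec.rb the 'rules' block only exercises project members (developer denied, maintainer allowed), so nothing pins the outcome for a user with no membership or for an anonymous caller. For an authorization policy those are the cases a regression is most likely to widen. I would add a context that skips the `add_*` call and asserts `it { expect(policy).to be_disallowed :read_cluster }`, plus one where the policy is built with `described_class.new(nil, event)`. The same two assertions for `:admin_cluster` would complete the negative side.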
@@ -1033,6 +1033,86 @@ RSpec.describe GroupPolicy do
 end
 end
+ describe 'register_group_runners' do
+ shared_examples 'expected outcome based on runner registration control' do
+ context 'with runner_registration_control FF disabled' do
+ before do
+ stub_feature_flags(runner_registration_control: false)
+ end
+
+ it { is_expected.to be_allowed(:register_group_runners) }
+ end
+
+ context 'with runner_registration_control FF enabled' do
+ before do
+ stub_feature_flags(runner_registration_control: true)
+ end
+
+ context 'with group runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['project'])
+ end
+
+ it { is_expected.to be_disallowed(:register_group_runners) }
+ end
+ end
+ end
+
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:register_group_runners) }
+
+ it_behaves_like 'expected outcome based on runner registration control'
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:register_group_runners) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:register_group_runners) }
+
+ it_behaves_like 'expected outcome based on runner registration control'
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:register_group_runners) }
+
+ it_behaves_like 'expected outcome based on runner registration control'
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:register_group_runners) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:register_group_runners) }
+ end
+
+ context 'with non member' do
+ let(:current_user) { create(:user) }
+
+ it { is_expected.to be_disallowed(:register_group_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:register_group_runners) }
+ end
+ end
+
 context 'with customer_relations feature flag disabled' do
 let(:current_user) { owner }
diff --git a/spec/policies/namespaces/project_namespace_policy_spec.rb b/spec/policies/namespaces/project_namespace_policy_spec.rb
index 5bb38deb498..f6fe4ae552a 100644
--- a/spec/policies/namespaces/project_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/project_namespace_policy_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe NamespacePolicy do
+RSpec.describe Namespaces::ProjectNamespacePolicy do
 let_it_be(:parent) { create(:namespace) }
 let_it_be(:project) { create(:project, namespace: parent) }
 let_it_be(:namespace) { project.project_namespace }
@@ -37,7 +37,7 @@ RSpec.describe NamespacePolicy do
 let_it_be(:current_user) { create(:admin) }
 context 'when admin mode is enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(*permissions) }
+ it { is_expected.to be_disallowed(*permissions) }
 end
 context 'when admin mode is disabled' do
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index 02eda31bfa7..06db2f6e243 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
@@ -3,10 +3,10 @@
 require 'spec_helper'
 RSpec.describe Namespaces::UserNamespacePolicy do
- let(:user) { create(:user) }
- let(:owner) { create(:user) }
- let(:admin) { create(:admin) }
- let(:namespace) { create(:namespace, owner: owner) }
+ let_it_be(:user) { create(:user) }
+ let_it_be(:owner) { create(:user) }
+ let_it_be(:admin) { create(:admin) }
+ let_it_be(:namespace) { create(:user_namespace, owner: owner) }
 let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :create_package_settings, :read_package_settings] }
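Review bot: In group_policy_spec.rb the shared examples 'expected outcome based on runner registration control' never assert the allow path with the flag on: under `runner_registration_control: true` the only stubbed setting is `valid_runner_registrars: ['project']`, which is expected to be disallowed. A policy that denied `:register_group_runners` whenever the flag is enabled would be caught only if the bare `be_allowed` examples happen to run with the flag on, which depends on suite defaults not visible in this hunk. A sibling context that permits group registration and expects `be_allowed` would pin that explicitly. The value 'group' below is assumed from the setting's name and should be checked against the allowed registrar types.

```ruby
context 'with runner_registration_control FF enabled' do
  # … unchanged: before block and 'with group runner registration disabled' context …

  context 'with group runner registration enabled' do
    before do
      stub_application_setting(valid_runner_registrars: ['group'])
    end

    it { is_expected.to be_allowed(:register_group_runners) }
  end
end
```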
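Review bot: In project_namespace_policy_spec.rb (hunk at line 37) the expectation for an admin with admin mode enabled flips from `be_allowed(*permissions)` to `be_disallowed(*permissions)`, and the spec gives no reason for it. Since this pins that an admin gets none of these abilities on a project namespace, a short comment above the example would keep a later reader from reverting it, for instance `# Project namespaces grant none of these abilities, even to admins in admin mode.` The `permissions` list and the enclosing context are defined outside the hunk, so which abilities are covered cannot be checked from here.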
@@ -74,4 +74,26 @@ RSpec.describe Namespaces::UserNamespacePolicy do
 it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
 end
 end
+
+ describe 'create projects' do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:current_user) { owner }
+
+ context 'when user can create projects' do
+ before do
+ allow(current_user).to receive(:can_create_project?).and_return(true)
+ end
+
+ it { is_expected.to be_allowed(:create_projects) }
+ end
+
+ context 'when user cannot create projects' do
+ before do
+ allow(current_user).to receive(:can_create_project?).and_return(false)
+ end
+
+ it { is_expected.to be_disallowed(:create_projects) }
+ end
+ end
 end |
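Review bot: `using RSpec::Parameterized::TableSyntax` in the new 'create projects' block is unused, since neither context defines a `where` table, so the line can be dropped. The block also checks only the owner. A case where a different user has `can_create_project?` stubbed to `true` and is still expected `be_disallowed(:create_projects)` would show that the ability depends on ownership as well as the per-user limit. Note that `owner` became a `let_it_be` record in the first hunk of this file, so the stub sits on an object shared between examples; the stub itself is per-example, but any real attribute change made on that record would carry over.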