1 files changed, 28 insertions, 0 deletions

diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 1cc3581ebdd..d7338622c86 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -12,6 +12,34 @@ RSpec.describe UserPolicy do
     it { is_expected.to be_allowed(:read_user) }
   end
 
+  describe "reading a different user's Personal Access Tokens" do
+    let(:token) { create(:personal_access_token, user: user) }
+
+    context 'when user is admin' do
+      let(:current_user) { create(:user, :admin) }
+
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:read_user_personal_access_tokens) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.not_to be_allowed(:read_user_personal_access_tokens) }
+      end
+    end
+
+    context 'when user is not an admin' do
+      context 'requesting their own personal access tokens' do
+        subject { described_class.new(current_user, current_user) }
+
+        it { is_expected.to be_allowed(:read_user_personal_access_tokens) }
+      end
+
+      context "requesting a different user's personal access tokens" do
+        it { is_expected.not_to be_allowed(:read_user_personal_access_tokens) }
+      end
+    end
+  end
+
   shared_examples 'changing a user' do |ability|
     context "when a regular user tries to destroy another regular user" do
       it { is_expected.not_to be_allowed(ability) }