From 40900669b3bde03468d709c479794a758b431d8c Mon Sep 17 00:00:00 2001
From: Patrick Bajao
Date: Thu, 24 Jan 2019 12:44:46 +0000
Subject: Allow admins/auditors to read private personal snippets
---
 app/policies/personal_snippet_policy.rb | 2 ++
 .../unreleased/51754-admin-view-private-personal-snippets.yml | 5 +++++
 spec/models/event_spec.rb | 5 +----
 spec/policies/personal_snippet_policy_spec.rb | 11 +++++++++++
 4 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/unreleased/51754-admin-view-private-personal-snippets.yml
diff --git a/app/policies/personal_snippet_policy.rb b/app/policies/personal_snippet_policy.rb
index 777f933cdcd..040b5a73415 100644
--- a/app/policies/personal_snippet_policy.rb
+++ b/app/policies/personal_snippet_policy.rb
@@ -29,4 +29,6 @@ class PersonalSnippetPolicy < BasePolicy
 rule { anonymous }.prevent :comment_personal_snippet
 rule { can?(:comment_personal_snippet) }.enable :award_emoji
+
+ rule { full_private_access }.enable :read_personal_snippet
 end
diff --git a/changelogs/unreleased/51754-admin-view-private-personal-snippets.yml b/changelogs/unreleased/51754-admin-view-private-personal-snippets.yml
new file mode 100644
index 00000000000..cf3d73fce0c
--- /dev/null
+++ b/changelogs/unreleased/51754-admin-view-private-personal-snippets.yml
@@ -0,0 +1,5 @@
+---
+title: Allow users with full private access to read private personal snippets.
+merge_request: 24560
+author:
+type: fixed
diff --git a/spec/models/event_spec.rb b/spec/models/event_spec.rb
index a64720f1876..ce4f8ee4705 100644
--- a/spec/models/event_spec.rb
+++ b/spec/models/event_spec.rb
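Review bot: The added `rule { full_private_access }.enable :read_personal_snippet` in personal_snippet_policy.rb carries no comment saying who it covers or that the grant is deliberately read-only, and `full_private_access` is defined outside this hunk. Because it opens private user content to a privileged role, I would put a line above it such as `# Users with full private access (admins/auditors) may read any personal snippet, including private ones; this grants read only.` The diff changes only the policy, so any listing or search path that filters snippets by visibility without consulting the policy would presumably still hide private snippets from these users; that is worth confirming. The class body starts outside the hunk.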
@@ -399,10 +399,7 @@ describe Event do
 expect(event.visible_to_user?(nil)).to be_falsy
 expect(event.visible_to_user?(non_member)).to be_falsy
 expect(event.visible_to_user?(author)).to be_truthy
-
- # It is very unexpected that a private personal snippet is not visible
- # to an instance administrator. This should be fixed in the future.
- expect(event.visible_to_user?(admin)).to be_falsy
+ expect(event.visible_to_user?(admin)).to be_truthy
 end
 end
 end
diff --git a/spec/policies/personal_snippet_policy_spec.rb b/spec/policies/personal_snippet_policy_spec.rb
index 3809692b373..397eaee068c 100644
--- a/spec/policies/personal_snippet_policy_spec.rb
+++ b/spec/policies/personal_snippet_policy_spec.rb
@@ -128,6 +128,17 @@ describe PersonalSnippetPolicy do
 end
 end
+ context 'admin user' do
+ subject { permissions(admin_user) }
+
+ it do
+ is_expected.to be_allowed(:read_personal_snippet)
+ is_expected.to be_disallowed(:comment_personal_snippet)
+ is_expected.to be_disallowed(:award_emoji)
+ is_expected.to be_disallowed(*author_permissions)
+ end
+ end
+
 context 'external user' do
 subject { permissions(external_user) }
-- cgit v1.2.1
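Review bot: The new `context 'admin user'` in personal_snippet_policy_spec.rb exercises only `admin_user`, while the commit subject says auditors receive the same read access; if `full_private_access` (defined outside this diff) also covers auditors, that case is left untested here. The enclosing context starts outside the hunk, so the snippet's visibility level is not visible from these lines; a one-line comment such as `# private snippet: an admin may read but not comment, award or edit` would make the intent of the four expectations explicit. The negative assertions are the valuable part of this test, since they pin the grant to read-only, so they should stay if the example is later split up.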