From 805221e0e59644dfa04e3352ca76b03605e5d552 Mon Sep 17 00:00:00 2001
From: vjain-gl
Date: Thu, 17 Jul 2025 14:37:47 +0530
Subject: [PATCH 1/3] Allow planner role read_code access on private projects
Grant read_code permissions to planner role users on private projects to enable them to better understand project context and make informed planning decisions. This change allows planners to access code repositories while maintaining their existing planning and project management capabilities.
Changelog: added
EE: true
---
ee/app/policies/ee/project_policy.rb | 5 ++++-
ee/spec/policies/project_policy_spec.rb | 10 ++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index dd4efbdc1efe35..98b83eae647b09 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -862,7 +862,10 @@ module ProjectPolicy
 rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics
- rule { private_project & planner }.prevent :read_code_review_analytics
+ rule { private_project & planner }.policy do
+ prevent :read_code_review_analytics
+ enable :read_code
+ end
 rule { (admin | reporter) & dora4_analytics_available }
 .enable :read_dora4_analytics
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index 5487c0630ee877..fd411ecefedb53 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1697,6 +1697,16 @@
 end
 end
+ describe 'for planner role in private project' do
+ context 'when policy is :read_code' do
+ let(:policy) { :read_code }
+ let(:current_user) { planner }
+ let(:project) { private_project }
+
+ it { is_expected.to be_allowed(policy) }
+ end
+ end
+
 describe ':read_code_review_analytics' do
 let(:policy) { :read_code_review_analytics }
-- 
GitLab
From a7af3a945a34d75aa05d9acc19ad9522032501a0 Mon Sep 17 00:00:00 2001
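Review bot: The new `enable :read_code` under `rule { private_project & planner }` widens what a planner can see on a private project, and it is only as safe as the prevent rules that already guard `:read_code` elsewhere (repository feature disabled, archived or otherwise restricted projects); as far as I recall DeclarativePolicy lets a matching prevent win over any enable, but none of the specs in this series exercise such a case for the planner role, so a spec for a private project with the repository feature disabled would pin that planners stay denied there. The grant also sits directly under a `prevent`, so a why-comment would stop the next reader from taking it for an accident: `# Planners may browse source on private projects for planning context (browse only; :download_code is not granted here)`. The enclosing `module ProjectPolicy` begins and ends outside the hunk.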
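Review bot: The new example asserts only the positive side of the grant; adding `it { is_expected.to be_disallowed(:download_code) }` next to it would pin that browsing access for planners does not also extend to cloning or archive download, which is the boundary a reviewer of a permission widening will look for first. The outer `RSpec.describe` block that these examples live in starts and ends outside the hunk.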
From: vjain-gl
Date: Thu, 17 Jul 2025 15:12:04 +0530
Subject: [PATCH 2/3] Allow doanload_code and fix failing tests
---
ee/app/policies/ee/project_policy.rb | 1 +
ee/spec/policies/project_policy_spec.rb | 4 ++--
spec/policies/project_policy_spec.rb | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 98b83eae647b09..7dfa8df78a62be 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -865,6 +865,7 @@ module ProjectPolicy
 rule { private_project & planner }.policy do
 prevent :read_code_review_analytics
 enable :read_code
+ enable :download_code
 end
 rule { (admin | reporter) & dora4_analytics_available }
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index fd411ecefedb53..51fa5ccd738c38 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1699,11 +1699,11 @@
 describe 'for planner role in private project' do
 context 'when policy is :read_code' do
- let(:policy) { :read_code }
 let(:current_user) { planner }
 let(:project) { private_project }
- it { is_expected.to be_allowed(policy) }
+ it { is_expected.to be_allowed(:read_code) }
+ it { is_expected.to be_allowed(:download_code) }
 end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index b1fa674865a332..a1b280c6b9b41e 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -3706,7 +3706,7 @@ def permissions_abilities(role)
 :maintainer | true
 :developer | true
 :reporter | true
- :planner | false
+ :planner | true
 :guest | false
 end
-- 
GitLab
From 2ab7f2a5a0d34ded3f1ab972e87fb0ed379175f4 Mon Sep 17 00:00:00 2001
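Review bot: The added `enable :download_code` is removed again by the third patch of this series, so the two should be squashed before merge; otherwise the history carries a commit in which planners could clone or archive private repositories, which is a state nobody intends to ship or bisect onto. If an intermediate commit is kept on purpose, its title should spell the ability as `download_code` rather than `doanload_code` so the permission change stays searchable in the log. The enclosing `module ProjectPolicy` begins and ends outside the hunk.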
From: vjain-gl
Date: Mon, 28 Jul 2025 17:34:55 +0530
Subject: [PATCH 3/3] Remove download_code permissions for planner role
---
ee/app/policies/ee/project_policy.rb | 1 -
ee/spec/policies/project_policy_spec.rb | 1 -
spec/policies/project_policy_spec.rb | 40 ++++++++++++++++++-------
3 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 7dfa8df78a62be..98b83eae647b09 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -865,7 +865,6 @@ module ProjectPolicy
 rule { private_project & planner }.policy do
 prevent :read_code_review_analytics
 enable :read_code
- enable :download_code
 end
 rule { (admin | reporter) & dora4_analytics_available }
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index 51fa5ccd738c38..14f5593bd9df82 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1703,7 +1703,6 @@
 let(:project) { private_project }
 it { is_expected.to be_allowed(:read_code) }
- it { is_expected.to be_allowed(:download_code) }
 end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index a1b280c6b9b41e..d2668e3c64a1a9 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -3701,19 +3701,37 @@ def permissions_abilities(role)
 context 'private project' do
 let(:project) { private_project }
- where(:role, :allowed) do
- :owner | true
- :maintainer | true
- :developer | true
- :reporter | true
- :planner | true
- :guest | false
+ context 'download_code access' do
+ where(:role, :allowed) do
+ :owner | true
+ :maintainer | true
+ :developer | true
+ :reporter | true
+ :planner | false
+ :guest | false
+ end
+
+ with_them do
+ it do
+ expect(subject.can?(:download_code)).to be(allowed)
+ end
+ end
 end
- with_them do
- it do
- expect(subject.can?(:download_code)).to be(allowed)
- expect(subject.can?(:read_code)).to be(allowed)
+ context 'read_code access' do
+ where(:role, :allowed) do
+ :owner | true
+ :maintainer | true
+ :developer | true
+ :reporter | true
+ :planner | true
+ :guest | false
+ end
+
+ with_them do
+ it do
+ expect(subject.can?(:read_code)).to be(allowed)
+ end
 end
 end
 end
-- 
GitLab
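Review bot: The two new `where` tables repeat the same six role rows and differ in exactly one cell, which hides the one fact this hunk exists to document — that a planner on a private project can read code but not download it — behind two contexts a reader has to diff by eye. A single table with a column per ability keeps the asymmetry on one row and restores the original shape of one `with_them` asserting both abilities; the `subject` and `permissions_abilities(role)` this relies on are defined outside the hunk. Whether rspec-parameterized's `where` accepts these column names alongside the existing `role` helper is something to confirm when applying this.
```ruby
context 'private project' do
  let(:project) { private_project }

  where(:role, :download_code, :read_code) do
    :owner      | true  | true
    :maintainer | true  | true
    :developer  | true  | true
    :reporter   | true  | true
    :planner    | false | true
    :guest      | false | false
  end

  with_them do
    it do
      expect(subject.can?(:download_code)).to be(download_code)
      expect(subject.can?(:read_code)).to be(read_code)
    end
  end
end
```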