From ba8afa13b9ae6d8fa6327e1ea77156a984b9a757 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jarka=20Ko=C5=A1anov=C3=A1?= <jarka@gitlab.com>
Date: Fri, 18 Jul 2025 17:54:22 +0200
Subject: [PATCH] Prepare reading admin general settings as custom permission

---
 app/validators/json_schemas/admin_role_permissions.json   | 3 +++
 app/validators/json_schemas/member_role_permissions.json  | 3 +++
 doc/api/graphql/reference/_index.md                       | 2 ++
 doc/api/openapi/openapi_v2.yaml                           | 2 ++
 doc/user/custom_roles/abilities.md                        | 1 +
 ee/app/policies/ee/global_policy.rb                       | 4 ++++
 .../admin/read_admin_general_settings.yml                 | 8 ++++++++
 ee/spec/policies/global_policy_spec.rb                    | 1 +
 8 files changed, 24 insertions(+)
 create mode 100644 ee/config/custom_abilities/admin/read_admin_general_settings.yml

diff --git a/app/validators/json_schemas/admin_role_permissions.json b/app/validators/json_schemas/admin_role_permissions.json
index a1fd6f37f76eb0..f41a02fbf314c7 100644
--- a/app/validators/json_schemas/admin_role_permissions.json
+++ b/app/validators/json_schemas/admin_role_permissions.json
@@ -21,6 +21,9 @@
     },
     "read_admin_projects": {
       "type": "boolean"
+    },
+    "read_admin_general_settings": {
+      "type": "boolean"
     }
   }
 }
diff --git a/app/validators/json_schemas/member_role_permissions.json b/app/validators/json_schemas/member_role_permissions.json
index 805a44425c8cc6..280f07a4356cc3 100644
--- a/app/validators/json_schemas/member_role_permissions.json
+++ b/app/validators/json_schemas/member_role_permissions.json
@@ -85,6 +85,9 @@
     "read_admin_projects": {
       "type": "boolean"
     },
+    "read_admin_general_settings": {
+      "type": "boolean"
+    },
     "read_code": {
       "type": "boolean"
     },
diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md
index 5cc204ddef6ef4..083d936a631dd6 100644
--- a/doc/api/graphql/reference/_index.md
+++ b/doc/api/graphql/reference/_index.md
@@ -46952,6 +46952,7 @@ Member role admin permission.
 | Value | Description |
 | ----- | ----------- |
 | <a id="memberroleadminpermissionread_admin_cicd"></a>`READ_ADMIN_CICD` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read CI/CD details for runners and jobs in the Admin Area. |
+| <a id="memberroleadminpermissionread_admin_general_settings"></a>`READ_ADMIN_GENERAL_SETTINGS` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 18.3. **Status**: Experiment. Read general settings of an instance in the Admin Area. |
 | <a id="memberroleadminpermissionread_admin_groups"></a>`READ_ADMIN_GROUPS` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 18.3. **Status**: Experiment. Read group details in the Admin Area. |
 | <a id="memberroleadminpermissionread_admin_monitoring"></a>`READ_ADMIN_MONITORING` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read system information such as background migrations, health checks, audit logs, and Gitaly in the Admin Area. |
 | <a id="memberroleadminpermissionread_admin_projects"></a>`READ_ADMIN_PROJECTS` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 18.3. **Status**: Experiment. Read project details in the Admin Area. |
@@ -46986,6 +46987,7 @@ Member role permission.
 | <a id="memberrolepermissionmanage_protected_tags"></a>`MANAGE_PROTECTED_TAGS` | Create, read, update, and delete protected tags. |
 | <a id="memberrolepermissionmanage_security_policy_link"></a>`MANAGE_SECURITY_POLICY_LINK` | Allows linking security policy projects. |
 | <a id="memberrolepermissionread_admin_cicd"></a>`READ_ADMIN_CICD` | Read CI/CD details for runners and jobs in the Admin Area. |
+| <a id="memberrolepermissionread_admin_general_settings"></a>`READ_ADMIN_GENERAL_SETTINGS` | Read general settings of an instance in the Admin Area. |
 | <a id="memberrolepermissionread_admin_groups"></a>`READ_ADMIN_GROUPS` | Read group details in the Admin Area. |
 | <a id="memberrolepermissionread_admin_monitoring"></a>`READ_ADMIN_MONITORING` | Read system information such as background migrations, health checks, audit logs, and Gitaly in the Admin Area. |
 | <a id="memberrolepermissionread_admin_projects"></a>`READ_ADMIN_PROJECTS` | Read project details in the Admin Area. |
diff --git a/doc/api/openapi/openapi_v2.yaml b/doc/api/openapi/openapi_v2.yaml
index 2eec9b62c22ab9..dde5aec4e2c882 100644
--- a/doc/api/openapi/openapi_v2.yaml
+++ b/doc/api/openapi/openapi_v2.yaml
@@ -48986,6 +48986,8 @@ definitions:
         type: boolean
       admin_web_hook:
         type: boolean
+      read_admin_general_settings:
+        type: boolean
       read_compliance_dashboard:
         type: boolean
       read_admin_cicd:
diff --git a/doc/user/custom_roles/abilities.md b/doc/user/custom_roles/abilities.md
index b32d7555c4a4aa..4b86ac31ad3bd0 100644
--- a/doc/user/custom_roles/abilities.md
+++ b/doc/user/custom_roles/abilities.md
@@ -34,6 +34,7 @@ Any dependencies are noted in the `Description` column for each permission.
 
 | Permission | Description | API Attribute | Scope | Introduced |
 |:-----------|:------------|:--------------|:------|:-----------|
+| Read admin general settings | Read general settings of an instance in the Admin Area. | [`read_admin_general_settings`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198095) | Instance | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/527112) |
 | View CI/CD | Read CI/CD details for runners and jobs in the Admin Area. | [`read_admin_cicd`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177233) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/507960) |
 | View Groups | Read group details in the Admin Area. | [`read_admin_groups`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197777) | Instance | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/534449) |
 | View Projects | Read project details in the Admin Area. | [`read_admin_projects`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197777) | Instance | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/534449) |
diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb
index 1b94ec6eb5993e..e72b2ef8543330 100644
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -255,6 +255,10 @@ module GlobalPolicy
         enable :read_licenses
       end
 
+      rule { custom_role_enables_read_admin_general_settings }.policy do
+        enable :read_admin_general_settings
+      end
+
       rule { custom_role_enables_read_admin_users }.policy do
         enable :read_admin_users
       end
diff --git a/ee/config/custom_abilities/admin/read_admin_general_settings.yml b/ee/config/custom_abilities/admin/read_admin_general_settings.yml
new file mode 100644
index 00000000000000..2d64949ba115a0
--- /dev/null
+++ b/ee/config/custom_abilities/admin/read_admin_general_settings.yml
@@ -0,0 +1,8 @@
+---
+title: Read admin general settings
+name: read_admin_general_settings
+description: Read general settings of an instance in the Admin Area.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/527112
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198095
+feature_category: admin
+milestone: '18.3'
diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb
index 8527d488bfe366..1219273176089e 100644
--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -925,6 +925,7 @@
       :read_admin_users        | %i[read_admin_users]
       :read_admin_groups       | %i[read_admin_groups]
       :read_admin_projects     | %i[read_admin_projects]
+      :read_admin_general_settings | %i[read_admin_general_settings]
     end
 
     with_them do
-- 
GitLab