From 1f9b20f19c9d14a32e2c3349d3d067b1dd2d001c Mon Sep 17 00:00:00 2001 From: Keeyan Nejad Date: Mon, 20 Oct 2025 11:58:03 +0100 Subject: [PATCH 1/2] Fix automate/agents path when not logged in If the project was public, this would cause an exception Changelog: fixed EE: true --- .../duo_agents_platform_controller.rb | 2 +- .../duo_agents_platform_controller_spec.rb | 35 ++++++++++--------- 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/ee/app/controllers/projects/duo_agents_platform_controller.rb b/ee/app/controllers/projects/duo_agents_platform_controller.rb index 351b42ef3acbde..736b5629c01dfd 100644 --- a/ee/app/controllers/projects/duo_agents_platform_controller.rb +++ b/ee/app/controllers/projects/duo_agents_platform_controller.rb @@ -15,7 +15,7 @@ def show; end private def check_access - return render_404 unless project&.duo_features_enabled && current_user.can?(:duo_workflow, project) + return render_404 unless Ability.allowed?(current_user, :duo_workflow, project) if specific_vueroute? render_404 unless authorized_for_route? diff --git a/ee/spec/requests/projects/duo_agents_platform_controller_spec.rb b/ee/spec/requests/projects/duo_agents_platform_controller_spec.rb index f3083960b31132..6b3c41b6511a5a 100644 --- a/ee/spec/requests/projects/duo_agents_platform_controller_spec.rb +++ b/ee/spec/requests/projects/duo_agents_platform_controller_spec.rb @@ -11,8 +11,8 @@ project.project_setting.update!(duo_remote_flows_enabled: true, duo_features_enabled: true) sign_in(user) - allow(user).to receive(:can?).and_return(true) - allow(user).to receive(:can?).with(:duo_workflow, project).and_return(true) + allow(Ability).to receive(:allowed?).and_call_original + allow(Ability).to receive(:allowed?).with(user, anything, anything).and_return(true) end describe 'GET /:namespace/:project/-/automate' do 
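Review bot: In `check_access` the new guard no longer tests `project&.duo_features_enabled`, so the per-project Duo setting is enforced only if the `:duo_workflow` policy itself checks it, which this patch does not show. Both contexts that covered the disabled setting are deleted ('when duo_features_enabled setting is disabled for the project' in this spec and 'when duo features are disabled' in sessions_spec.rb), and the request spec stubs `Ability.allowed?` to true for every ability of `user`. As a result, nothing visible here would catch a project with Duo features turned off becoming reachable. Either keep the setting in the guard, `return render_404 unless project&.duo_features_enabled && Ability.allowed?(current_user, :duo_workflow, project)`, or keep one disabled-setting example that runs against the real policy. The body of `check_access` continues past the end of the hunk.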
@@ -35,7 +35,7 @@ context 'and the user does not have access to duo_workflow' do before do - allow(user).to receive(:can?).with(:duo_workflow, project).and_return(false) + allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(false) end it 'does not render' do @@ -84,19 +84,6 @@ end end - context 'when duo_features_enabled setting is disabled for the project' do - before do - allow(::Ai::DuoWorkflow).to receive(:enabled?).and_return(true) - project.project_setting.update!(duo_features_enabled: false) - end - - it 'returns 404' do - get project_automate_agent_sessions_path(project) - - expect(response).to have_gitlab_http_status(:not_found) - end - end - context 'when vueroute is agents' do context 'when global_ai_catalog feature is enabled' do before do @@ -108,6 +95,20 @@ expect(response).to have_gitlab_http_status(:ok) end + + context 'when the user is not signed in and the project is public' do + let_it_be(:project) { create(:project, :public) } + + before do + sign_out(user) + end + + it 'returns a 404' do + get project_automate_agents_path(project) + + expect(response).to have_gitlab_http_status(:not_found) + end + end end context 'when global_ai_catalog feature is disabled' do @@ -147,7 +148,7 @@ context 'when user cannot manage ai flow triggers' do before do - allow(user).to receive(:can?).with(:manage_ai_flow_triggers, project).and_return(false) + allow(Ability).to receive(:allowed?).with(user, :manage_ai_flow_triggers, project).and_return(false) end it 'returns 404' do -- GitLab From 68afeeae4ca90a17c024c5005b6d0157917af324 Mon Sep 17 00:00:00 2001 From: Keeyan Nejad Date: Wed, 22 Oct 2025 12:03:33 +0100 Subject: [PATCH 2/2] Fix broken spec in features automate sessions --- ee/spec/features/projects/automate/sessions_spec.rb | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) 
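Review bot: The signed-out case added in 'when the user is not signed in and the project is public' is exercised only through `project_automate_agents_path`, yet the guard that used to raise on a nil `current_user` sits at the top of `check_access`, ahead of the `specific_vueroute?` branch. A sibling example with the same setup and `get project_automate_agent_sessions_path(project)` would pin the anonymous 404 on a second route. A short comment above the overriding `let_it_be(:project)` would also help, for instance `# public project: presumably the only case where an anonymous request gets as far as check_access`, since the commit message gives that as the trigger for the exception.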
diff --git a/ee/spec/features/projects/automate/sessions_spec.rb b/ee/spec/features/projects/automate/sessions_spec.rb index 1490d9ad2bd63d..358a0b8b0a39fc 100644 --- a/ee/spec/features/projects/automate/sessions_spec.rb +++ b/ee/spec/features/projects/automate/sessions_spec.rb @@ -104,14 +104,6 @@ end end - context 'when duo features are disabled' do - before do - project.project_setting.update!(duo_features_enabled: false) - end - - include_examples 'returns 404 page' - end - context 'when duo remote flows are disabled' do before do project.project_setting.update!(duo_remote_flows_enabled: false) @@ -138,8 +130,7 @@ context 'when user does not have duo_workflow permission' do before do - allow(user).to receive(:can?).and_call_original - allow(user).to receive(:can?).with(:duo_workflow, project).and_return(false) + allow(Ability).to receive(:allowed?).with(user, :duo_workflow, anything).and_return(false) end include_examples 'returns 404 page' -- GitLab
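Review bot: The replacement stub in 'when user does not have duo_workflow permission' drops the fallback that the removed `allow(user).to receive(:can?).and_call_original` provided. With only a `.with(user, :duo_workflow, anything)` stub on `Ability.allowed?`, RSpec raises on any call with other arguments unless an enclosing `before` outside this hunk already installs a fallback. Put `allow(Ability).to receive(:allowed?).and_call_original` on the line before it, as the request spec in this series does. Using `anything` for the subject also makes the denial apply to every subject rather than to this `project`; passing `project` keeps the example tied to the resource under test.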