diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index c395a24550fb591c3e230da8a595a1b0c490d357..02e4d997c2064e500241b3d29f06b044332e63c3 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -1178,11 +1178,11 @@ module ProjectPolicy
 ::Feature.enabled?(:ai_flow_triggers, @user)
 end
- rule { ai_flow_triggers_enabled & (amazon_q_enabled | assigned_to_duo_enterprise) & can?(:admin_project) }.policy do
+ rule { ai_flow_triggers_enabled & (amazon_q_enabled | assigned_to_duo_pro | assigned_to_duo_enterprise) & can?(:admin_project) }.policy do
 enable :manage_ai_flow_triggers
 end
- rule { ai_flow_triggers_enabled & (amazon_q_enabled | assigned_to_duo_enterprise) & can?(:developer_access) & can?(:create_pipeline) }.policy do
+ rule { ai_flow_triggers_enabled & (amazon_q_enabled | assigned_to_duo_pro | assigned_to_duo_enterprise) & can?(:developer_access) & can?(:create_pipeline) }.policy do
 enable :trigger_ai_flow
 end
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index e8e54f1b221bb8bd32f6240d506a35722d517618..c886883973253aeb980921d026a26e826e57c656 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
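Review bot: In ee/app/policies/ee/project_policy.rb the entitlement test `(amazon_q_enabled | assigned_to_duo_pro | assigned_to_duo_enterprise)` is now written out twice, once in the `:manage_ai_flow_triggers` rule and once in the `:trigger_ai_flow` rule, so the next add-on tier has to be added in both places and a miss leaves the two abilities gated by different seat sets. Naming it once would remove that risk, for example `rule { amazon_q_enabled | assigned_to_duo_pro | assigned_to_duo_enterprise }.enable :ai_flow_triggers_entitled` (the ability name is only a suggestion) with `can?(:ai_flow_triggers_entitled)` used in both rules. The `assigned_to_duo_pro` condition is defined outside this hunk; because it now widens who may start flows on a project, it is worth confirming that it counts only a seat that applies to this project's namespace or instance, not any Duo Pro assignment the user holds.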
@@ -5642,6 +5642,81 @@ def create_member_role(member, abilities = member_role_abilities)
 end
 end
+ context 'with duo pro subscription' do
+ let_it_be(:subscription_purchase) { create(:gitlab_subscription_add_on_purchase, :duo_pro, :self_managed) }
+
+ let!(:subscription_assignment) do
+ create(:gitlab_subscription_user_add_on_assignment, user: current_user, add_on_purchase: subscription_purchase)
+ end
+
+ describe 'manage_ai_flow_triggers permission' do
+ where(:role, :allowed) do
+ :guest | false
+ :planner | false
+ :reporter | false
+ :developer | false
+ :maintainer | true
+ :owner | true
+ :admin | true
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+
+ before do
+ enable_admin_mode!(current_user) if role == :admin
+ end
+
+ it { is_expected.to(allowed ? be_allowed(:manage_ai_flow_triggers) : be_disallowed(:manage_ai_flow_triggers)) }
+ end
+ end
+
+ describe 'trigger_ai_flow permission' do
+ context 'with general roles' do
+ where(:role, :allowed) do
+ :guest | false
+ :planner | false
+ :reporter | false
+ :developer | true
+ :maintainer | true
+ :owner | true
+ :admin | true
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+
+ before do
+ enable_admin_mode!(current_user) if role == :admin
+ end
+
+ it { is_expected.to(allowed ? be_allowed(:trigger_ai_flow) : be_disallowed(:trigger_ai_flow)) }
+ end
+ end
+
+ context 'with project that allows collaboration' do
+ let(:project) { public_project }
+
+ where(:role, :allowed) do
+ :reporter | false
+ :developer | true
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+
+ before do
+ allow(project).to receive(:merge_requests_allowing_push_to_user).and_return(
+ [instance_double(MergeRequest)]
+ )
+ end
+
+ it { is_expected.to(allowed ? be_allowed(:trigger_ai_flow) : be_disallowed(:trigger_ai_flow)) }
+ end
+ end
+ end
+ end
+
 context 'without duo enterprise subscription' do
 where(:role) do
 [:guest, :planner, :reporter, :developer, :maintainer, :owner, :admin]
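Review bot: The new 'with duo pro subscription' context builds its purchase with `:self_managed` only, so none of the added examples covers a Duo Pro seat that belongs to a namespace unrelated to `project`. If `assigned_to_duo_pro` is evaluated per user and not per project namespace (its definition is not part of this diff), such a seat would satisfy both rules and these examples would not catch it. A sibling context that assigns the seat from a purchase on a different namespace and expects `be_disallowed(:manage_ai_flow_triggers)` and `be_disallowed(:trigger_ai_flow)` would pin that boundary. The added block also has no case with the seat present and the `ai_flow_triggers` flag disabled, which is the other half of each rule.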