From 911bbc54127c94496b3d4bd455c72279f3747c7d Mon Sep 17 00:00:00 2001
From: Shekhar Patnaik
Date: Wed, 22 Oct 2025 12:14:56 +0100
Subject: [PATCH] Add Triggers to Duo Core
This MR updates the project policy so that triggers are available with the Duo Core license.
Changelog: changed
EE: true
---
 ee/app/policies/ee/project_policy.rb | 4 +-
 ee/spec/policies/project_policy_spec.rb | 75 +++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 2 deletions(-)
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index c395a24550fb59..02e4d997c2064e 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -1178,11 +1178,11 @@ module ProjectPolicy
 ::Feature.enabled?(:ai_flow_triggers, @user)
 end
- rule { ai_flow_triggers_enabled & (amazon_q_enabled | assigned_to_duo_enterprise) & can?(:admin_project) }.policy do
+ rule { ai_flow_triggers_enabled & (amazon_q_enabled | assigned_to_duo_pro | assigned_to_duo_enterprise) & can?(:admin_project) }.policy do
 enable :manage_ai_flow_triggers
 end
- rule { ai_flow_triggers_enabled & (amazon_q_enabled | assigned_to_duo_enterprise) & can?(:developer_access) & can?(:create_pipeline) }.policy do
+ rule { ai_flow_triggers_enabled & (amazon_q_enabled | assigned_to_duo_pro | assigned_to_duo_enterprise) & can?(:developer_access) & can?(:create_pipeline) }.policy do
 enable :trigger_ai_flow
 end
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index e8e54f1b221bb8..c886883973253a 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
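Review bot: Both changed rules in ee/app/policies/ee/project_policy.rb now accept `assigned_to_duo_pro`, while the commit title and description say the ability is being opened to Duo Core. If those are different entitlements, the change either widens `manage_ai_flow_triggers` and `trigger_ai_flow` to a tier the description does not name, or leaves Duo Core users still denied. The same license disjunction is also written out twice, so a later tier change could update one rule and miss the other. I would state the intended gate once above the rules, e.g. `# AI flow triggers require Amazon Q or an assigned Duo Pro / Duo Enterprise seat`, and consider folding the three-way `|` into one named condition that both rules reference. The definitions of `assigned_to_duo_pro` and `amazon_q_enabled` are outside the hunk, so what they actually check could not be confirmed here.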
@@ -5642,6 +5642,81 @@ def create_member_role(member, abilities = member_role_abilities)
 end
 end
+ context 'with duo pro subscription' do
+ let_it_be(:subscription_purchase) { create(:gitlab_subscription_add_on_purchase, :duo_pro, :self_managed) }
+
+ let!(:subscription_assignment) do
+ create(:gitlab_subscription_user_add_on_assignment, user: current_user, add_on_purchase: subscription_purchase)
+ end
+
+ describe 'manage_ai_flow_triggers permission' do
+ where(:role, :allowed) do
+ :guest | false
+ :planner | false
+ :reporter | false
+ :developer | false
+ :maintainer | true
+ :owner | true
+ :admin | true
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+
+ before do
+ enable_admin_mode!(current_user) if role == :admin
+ end
+
+ it { is_expected.to(allowed ? be_allowed(:manage_ai_flow_triggers) : be_disallowed(:manage_ai_flow_triggers)) }
+ end
+ end
+
+ describe 'trigger_ai_flow permission' do
+ context 'with general roles' do
+ where(:role, :allowed) do
+ :guest | false
+ :planner | false
+ :reporter | false
+ :developer | true
+ :maintainer | true
+ :owner | true
+ :admin | true
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+
+ before do
+ enable_admin_mode!(current_user) if role == :admin
+ end
+
+ it { is_expected.to(allowed ? be_allowed(:trigger_ai_flow) : be_disallowed(:trigger_ai_flow)) }
+ end
+ end
+
+ context 'with project that allows collaboration' do
+ let(:project) { public_project }
+
+ where(:role, :allowed) do
+ :reporter | false
+ :developer | true
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+
+ before do
+ allow(project).to receive(:merge_requests_allowing_push_to_user).and_return(
+ [instance_double(MergeRequest)]
+ )
+ end
+
+ it { is_expected.to(allowed ? be_allowed(:trigger_ai_flow) : be_disallowed(:trigger_ai_flow)) }
+ end
+ end
+ end
+ end
+
 context 'without duo enterprise subscription' do
 where(:role) do
 [:guest, :planner, :reporter, :developer, :maintainer, :owner, :admin]
-- GitLab
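Review bot: The new 'with duo pro subscription' context only covers the case where the seat is assigned through `let!(:subscription_assignment)`, so nothing pins that a user with a Duo Pro purchase but no assignment is still denied. Because the policy change widens an authorization rule, a negative case belongs next to the matrix: a nested context that overrides `let!(:subscription_assignment) { nil }` and expects `be_disallowed(:manage_ai_flow_triggers)` and `be_disallowed(:trigger_ai_flow)` for `:maintainer`. The state of the `ai_flow_triggers` flag for these examples is set outside the hunk, so a flag-off case with a Duo Pro seat may or may not already be covered. The following context is still titled 'without duo enterprise subscription'; its body continues past the hunk, but it presumably now also needs to mean "no Duo Pro seat", and the title should say so.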