Use GroupHook policies in controller

The policies got introduced in: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88245 but they were not used in controllers to check access. To avoid confusion, this makes use of the policies.

Use GroupHook policies in controller
01722975 · Andy Soiron · Bojan Marjanovic · 2df0a29f · 01722975 · 01722975
--- a/ee/app/controllers/groups/hooks_controller.rb
+++ b/ee/app/controllers/groups/hooks_controller.rb
@@ -5,9 +5,10 @@ class Groups::HooksController < Groups::ApplicationController
  # Authorize
  before_action :group
-  before_action :authorize_admin_group!
+  before_action :authorize_admin_group!, except: :destroy
  before_action :check_group_webhooks_available!
  before_action :hook, only: [:edit, :update, :test, :destroy]
+  before_action :authorize_destroy_group_hook!, only: :destroy
  before_action :hook_logs, only: :edit
  before_action -> { check_rate_limit!(:group_testing_hook, scope: [@group, current_user]) }, only: :test
@@ -53,4 +54,8 @@ def trigger_values
  def check_group_webhooks_available!
    render_404 unless @group.licensed_feature_available?(:group_webhooks) || LicenseHelper.show_promotions?(current_user)
  end
+  def authorize_destroy_group_hook!
+    render_404 unless can?(current_user, :destroy_web_hook, @hook)
+  end
 end
--- a/ee/app/policies/group_hook_policy.rb
+++ b/ee/app/policies/group_hook_policy.rb
 # frozen_string_literal: true
 class GroupHookPolicy < ::BasePolicy
-  delegate(:group)
+  delegate { @subject.group }
  rule { can?(:admin_group) }.policy do
-    enable :read_web_hook
    enable :destroy_web_hook
  end
 end
--- a/ee/spec/controllers/groups/hooks_controller_spec.rb
+++ b/ee/spec/controllers/groups/hooks_controller_spec.rb
@@ -3,11 +3,18 @@
 require 'spec_helper'
 RSpec.describe Groups::HooksController, feature_category: :integrations do
-  let_it_be(:user)  { create(:user) }
+  let_it_be(:group_owner) { create(:user) }
+  let_it_be(:group_maintainer) { create(:user) }
  let_it_be(:group) { create(:group) }
+  let(:user) { group_owner }
+  before_all do
+    group.add_owner(group_owner)
+    group.add_maintainer(group_maintainer)
+  end
  before do
-    group.add_owner(user)
    sign_in(user)
  end
@@ -274,6 +281,16 @@ def it_renders_correctly
    let(:params) { { group_id: group.to_param, id: hook } }
    it_behaves_like 'Web hook destroyer'
+    context 'When user is not logged in' do
+      let(:user) { group_maintainer }
+      it 'renders a 404' do
+        delete :destroy, params: params
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
  end
  context 'with group_webhooks disabled' do

--- a/ee/spec/policies/group_hook_policy_spec.rb
+++ b/ee/spec/policies/group_hook_policy_spec.rb
@@ -14,8 +14,8 @@
      hook.group.add_maintainer(user)
    end
-    it "cannot read and destroy web-hooks" do
+    it "cannot destroy web-hooks" do
-      expect(policy).to be_disallowed(:read_web_hook, :destroy_web_hook)
+      expect(policy).to be_disallowed(:destroy_web_hook)
    end
  end
@@ -24,8 +24,8 @@
      hook.group.add_owner(user)
    end
-    it "can read and destroy web-hooks" do
+    it "can destroy web-hooks" do
-      expect(policy).to be_allowed(:read_web_hook, :destroy_web_hook)
+      expect(policy).to be_allowed(:destroy_web_hook)
    end
  end
 end