Merge branch 'mokhax/441183/allow-org-admins' into 'master'

Allow organization owners to view explore dependency list page See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144269 Merged-by: Joe Woodward <jwoodward@gitlab.com> Approved-by: Joe Woodward <jwoodward@gitlab.com> Approved-by: Hinam Mehra <hmehra@gitlab.com> Co-authored-by: mo khan <mo@mokhan.ca>

Merge branch 'mokhax/441183/allow-org-admins' into 'master'
12cb6ff9 · Joe Woodward · GitLab · 1ce53731 · 8c315c66 · 12cb6ff9
--- a/ee/app/policies/ee/organizations/organization_policy.rb
+++ b/ee/app/policies/ee/organizations/organization_policy.rb
@@ -15,8 +15,8 @@ module OrganizationPolicy
          License.feature_available?(:license_scanning)
        end
-        rule { admin & dependency_scanning_enabled }.enable :read_dependency
+        rule { (admin | organization_owner) & dependency_scanning_enabled }.enable :read_dependency
-        rule { admin & license_scanning_enabled }.enable :read_licenses
+        rule { (admin | organization_owner) & license_scanning_enabled }.enable :read_licenses
      end
    end
  end

--- a/ee/spec/policies/organizations/organization_policy_spec.rb
+++ b/ee/spec/policies/organizations/organization_policy_spec.rb
@@ -8,41 +8,30 @@
  subject(:policy) { described_class.new(current_user, organization) }
+  RSpec.shared_context 'with licensed features' do |features|
+    before do
+      stub_licensed_features(features)
+    end
+  end
  context 'when the user is an admin' do
    let_it_be(:current_user) { create(:user, :admin) }
    context 'when admin mode is enabled', :enable_admin_mode do
      context 'when dependency scanning is enabled' do
-        before do
+        include_context 'with licensed features', dependency_scanning: true
-          stub_licensed_features(dependency_scanning: true)
-        end
        it { is_expected.to be_allowed(:read_dependency) }
      end
-      context 'when dependency scanning is disabled' do
-        before do
-          stub_licensed_features(dependency_scanning: false)
-        end
-        it { is_expected.to be_disallowed(:read_dependency) }
-      end
      context 'when license scanning is enabled' do
-        before do
+        include_context 'with licensed features', license_scanning: true
-          stub_licensed_features(license_scanning: true)
-        end
        it { is_expected.to be_allowed(:read_licenses) }
      end
-      context 'when license scanning is disabled' do
+      it { is_expected.to be_disallowed(:read_dependency) }
-        before do
+      it { is_expected.to be_disallowed(:read_licenses) }
-          stub_licensed_features(license_scanning: false)
-        end
-        it { is_expected.to be_disallowed(:read_licenses) }
-      end
    end
    context 'when admin mode is disabled' do
@@ -50,4 +39,49 @@
      it { is_expected.to be_disallowed(:read_licenses) }
    end
  end
+  context 'when the user is an organization owner' do
+    let_it_be(:organization_user) { create(:organization_user, :owner, organization: organization, user: current_user) }
+    context 'when dependency scanning is enabled' do
+      include_context 'with licensed features', dependency_scanning: true
+      it { is_expected.to be_allowed(:read_dependency) }
+    end
+    context 'when license scanning is enabled' do
+      include_context 'with licensed features', license_scanning: true
+      it { is_expected.to be_allowed(:read_licenses) }
+    end
+    it { is_expected.to be_disallowed(:read_dependency) }
+    it { is_expected.to be_disallowed(:read_licenses) }
+  end
+  context 'when the user is an organization guest' do
+    let_it_be(:organization_user) do
+      create(:organization_user, organization: organization, user: current_user, access_level: :default)
+    end
+    context 'when dependency scanning is enabled' do
+      include_context 'with licensed features', dependency_scanning: true
+      it { is_expected.to be_disallowed(:read_dependency) }
+    end
+    context 'when license scanning is enabled' do
+      include_context 'with licensed features', license_scanning: true
+      it { is_expected.to be_disallowed(:read_licenses) }
+    end
+    it { is_expected.to be_disallowed(:read_dependency) }
+    it { is_expected.to be_disallowed(:read_licenses) }
+  end
+  context 'when the user is not a member of the organization' do
+    it { is_expected.to be_disallowed(:read_dependency) }
+    it { is_expected.to be_disallowed(:read_licenses) }
+  end
 end