diff --git a/ee/app/policies/ee/organizations/organization_policy.rb b/ee/app/policies/ee/organizations/organization_policy.rb
index 80d2fc0bd522d9aca2dd13587ec426e39c9aac28..0a90e38701ee0f9cd785cbfabbee10b4a9ccdb11 100644
--- a/ee/app/policies/ee/organizations/organization_policy.rb
+++ b/ee/app/policies/ee/organizations/organization_policy.rb
@@ -15,8 +15,8 @@ module OrganizationPolicy
 License.feature_available?(:license_scanning)
 end
- rule { admin & dependency_scanning_enabled }.enable :read_dependency
- rule { admin & license_scanning_enabled }.enable :read_licenses
+ rule { (admin | organization_owner) & dependency_scanning_enabled }.enable :read_dependency
+ rule { (admin | organization_owner) & license_scanning_enabled }.enable :read_licenses
 end
 end
 end
diff --git a/ee/spec/policies/organizations/organization_policy_spec.rb b/ee/spec/policies/organizations/organization_policy_spec.rb
index 5db5b43bf4fccfa9a036e379d9dd755d341cdb03..831aaa212fd34e567454d152c1e7a19bba6e142f 100644
--- a/ee/spec/policies/organizations/organization_policy_spec.rb
+++ b/ee/spec/policies/organizations/organization_policy_spec.rb
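Review bot: The new `organization_owner` disjunct in both `rule` lines widens `read_dependency` and `read_licenses` from admins to organization owners without a comment recording that this is intentional, and the condition itself is defined outside this hunk (presumably in the CE `Organizations::OrganizationPolicy` this module extends), so a reader cannot tell here whether it is evaluated against the organization being authorized. I would add above the two rules: `# Organization owners, like admins in admin mode, may read the org-wide dependency and license inventory; the licensed-feature conditions still gate both abilities.` The `dependency_scanning_enabled` condition is also above the hunk and only the tail of `license_scanning_enabled` is visible, so the gating claim rests on the spec rather than on this file. The enclosing `module OrganizationPolicy` begins before the hunk.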
@@ -8,41 +8,30 @@
 subject(:policy) { described_class.new(current_user, organization) }
+ RSpec.shared_context 'with licensed features' do |features|
+ before do
+ stub_licensed_features(features)
+ end
+ end
+
 context 'when the user is an admin' do
 let_it_be(:current_user) { create(:user, :admin) }
 context 'when admin mode is enabled', :enable_admin_mode do
 context 'when dependency scanning is enabled' do
- before do
- stub_licensed_features(dependency_scanning: true)
- end
+ include_context 'with licensed features', dependency_scanning: true
 it { is_expected.to be_allowed(:read_dependency) }
 end
- context 'when dependency scanning is disabled' do
- before do
- stub_licensed_features(dependency_scanning: false)
- end
-
- it { is_expected.to be_disallowed(:read_dependency) }
- end
-
 context 'when license scanning is enabled' do
- before do
- stub_licensed_features(license_scanning: true)
- end
+ include_context 'with licensed features', license_scanning: true
 it { is_expected.to be_allowed(:read_licenses) }
 end
- context 'when license scanning is disabled' do
- before do
- stub_licensed_features(license_scanning: false)
- end
-
- it { is_expected.to be_disallowed(:read_licenses) }
- end
+ it { is_expected.to be_disallowed(:read_dependency) }
+ it { is_expected.to be_disallowed(:read_licenses) }
 end
 context 'when admin mode is disabled' do
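Review bot: `RSpec.shared_context 'with licensed features'` uses the `RSpec.` receiver from inside the example group, which registers the shared context globally for the whole suite instead of scoping it to this file, so any other spec that registers the same name collides with it (RSpec warns about redefinition). The bare form `shared_context 'with licensed features' do |features|` inside the describe block keeps it local and needs no other change. Separately, the two new `it { is_expected.to be_disallowed(...) }` examples in the admin-mode-enabled context replace explicit `stub_licensed_features(...: false)` stubs with no stub at all, so they now depend on the suite's default license state rather than stating it; wrapping them in `context 'when neither feature is licensed'` with `include_context 'with licensed features', dependency_scanning: false, license_scanning: false` keeps the intent explicit and independent of global spec setup. The enclosing `RSpec.describe` group begins before this hunk.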
@@ -50,4 +39,49 @@
 it { is_expected.to be_disallowed(:read_licenses) }
 end
 end
+
+ context 'when the user is an organization owner' do
+ let_it_be(:organization_user) { create(:organization_user, :owner, organization: organization, user: current_user) }
+
+ context 'when dependency scanning is enabled' do
+ include_context 'with licensed features', dependency_scanning: true
+
+ it { is_expected.to be_allowed(:read_dependency) }
+ end
+
+ context 'when license scanning is enabled' do
+ include_context 'with licensed features', license_scanning: true
+
+ it { is_expected.to be_allowed(:read_licenses) }
+ end
+
+ it { is_expected.to be_disallowed(:read_dependency) }
+ it { is_expected.to be_disallowed(:read_licenses) }
+ end
+
+ context 'when the user is an organization guest' do
+ let_it_be(:organization_user) do
+ create(:organization_user, organization: organization, user: current_user, access_level: :default)
+ end
+
+ context 'when dependency scanning is enabled' do
+ include_context 'with licensed features', dependency_scanning: true
+
+ it { is_expected.to be_disallowed(:read_dependency) }
+ end
+
+ context 'when license scanning is enabled' do
+ include_context 'with licensed features', license_scanning: true
+
+ it { is_expected.to be_disallowed(:read_licenses) }
+ end
+
+ it { is_expected.to be_disallowed(:read_dependency) }
+ it { is_expected.to be_disallowed(:read_licenses) }
+ end
+
+ context 'when the user is not a member of the organization' do
+ it { is_expected.to be_disallowed(:read_dependency) }
+ it { is_expected.to be_disallowed(:read_licenses) }
+ end
 end
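Review bot: The `'when the user is not a member of the organization'` context asserts `be_disallowed` without stubbing any licensed feature, so both examples pass on the feature gate alone and never exercise the `organization_owner` side of the widened rule for a non-member. The owner and guest contexts each carry feature-enabled sub-contexts; the non-member context should get the same pair so that a regression in the membership condition is caught rather than masked by an unlicensed feature. This also assumes `current_user` for these outer contexts is a non-admin user defined above the hunk, which is not visible here. The enclosing `RSpec.describe` group begins before this hunk.
```ruby
context 'when the user is not a member of the organization' do
  context 'when dependency scanning is enabled' do
    include_context 'with licensed features', dependency_scanning: true

    it { is_expected.to be_disallowed(:read_dependency) }
  end

  context 'when license scanning is enabled' do
    include_context 'with licensed features', license_scanning: true

    it { is_expected.to be_disallowed(:read_licenses) }
  end

  # … unchanged: the two unlicensed be_disallowed examples …
end
```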