From 205fd8ff21ac213681bdadedb035d5ef7e81cba7 Mon Sep 17 00:00:00 2001
From: Ian Anderson <ianderson@gitlab.com>
Date: Wed, 12 Mar 2025 20:56:54 +0000
Subject: [PATCH] Exempt ::Users::Internal.admin_bot from admin mode

---
 app/policies/base_policy.rb                                 | 1 +
 .../pipl/block_non_compliant_user_service_spec.rb           | 4 ++--
 .../pipl/delete_non_compliant_user_service_spec.rb          | 2 +-
 spec/policies/base_policy_spec.rb                           | 6 ++++++
 spec/policies/group_policy_spec.rb                          | 2 +-
 .../packages/policies/dependency_proxy/group_policy_spec.rb | 4 +++-
 6 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index ef15569c16c7b..21ada3bb99ff1 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -5,6 +5,7 @@ class BasePolicy < DeclarativePolicy::Base
   with_options scope: :user, score: 0
   condition(:admin) do
     next false if @user&.from_ci_job_token?
+    next true if user_is_user? && @user.admin_bot?
 
     if Gitlab::CurrentSettings.admin_mode
       Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?
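Review bot: The new guard `next true if user_is_user? && @user.admin_bot?` grants the `admin` condition on user_type alone, without also requiring the admin flag, so any record whose user_type is admin_bot is treated as an administrator even if its admin flag is false — the spec changes in this same patch (dropping :admin_bot from the "all other user types" loops that flip user_type on an ordinary user) show that state is reachable. The intent is presumably only to exempt the bot from the admin-mode session check that a background job cannot satisfy, so keep the flag as a precondition: `next true if user_is_user? && @user.admin_bot? && @user.admin?`. A why-comment would also help the next reader: `# The internal admin bot runs from background jobs with no session, so it cannot enable admin mode; it is exempt from that check only.` The `admin` condition continues past the end of this hunk (the admin-mode branch and its fallback are not visible here).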
diff --git a/ee/spec/services/compliance_management/pipl/block_non_compliant_user_service_spec.rb b/ee/spec/services/compliance_management/pipl/block_non_compliant_user_service_spec.rb
index 05c122b141ced..35c912d294167 100644
--- a/ee/spec/services/compliance_management/pipl/block_non_compliant_user_service_spec.rb
+++ b/ee/spec/services/compliance_management/pipl/block_non_compliant_user_service_spec.rb
@@ -8,7 +8,7 @@
   subject(:execute) { described_class.new(pipl_user: pipl_user, current_user: blocking_user).execute }
 
   let(:pipl_user) { create(:pipl_user) }
-  let(:blocking_user) { Users::Internal.admin_bot }
+  let(:blocking_user) { create(:user, :admin) }
 
   shared_examples 'does not block the user' do
     it 'does not change the user status and note' do
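Review bot: Switching `blocking_user` to `create(:user, :admin)` keeps the existing admin-mode contexts meaningful, but it removes the only example in which the admin bot itself runs this service, which is exactly the path the policy change affects. Consider keeping one context with `let(:blocking_user) { Users::Internal.admin_bot }` that asserts the user is blocked without admin mode being enabled, so a later change to the exemption is caught here rather than in production. Whether production invokes this service with the admin bot is not visible in the diff; if it does not, the original `let` was misleading and the replacement is fine as is.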
@@ -94,7 +94,7 @@
       end
 
       context 'when the block operation fails' do
-        let(:pipl_user) { create(:pipl_user, user: blocking_user, initial_email_sent_at: 60.days.ago) }
+        let(:pipl_user) { create(:pipl_user, user: Users::Internal.admin_bot, initial_email_sent_at: 60.days.ago) }
 
         it_behaves_like 'does not block the user'
         it_behaves_like 'has a validation error',
diff --git a/ee/spec/services/compliance_management/pipl/delete_non_compliant_user_service_spec.rb b/ee/spec/services/compliance_management/pipl/delete_non_compliant_user_service_spec.rb
index c0aa1016f3426..f73b525c589b7 100644
--- a/ee/spec/services/compliance_management/pipl/delete_non_compliant_user_service_spec.rb
+++ b/ee/spec/services/compliance_management/pipl/delete_non_compliant_user_service_spec.rb
@@ -9,7 +9,7 @@
 
   let_it_be_with_reload(:pipl_user) { create(:pipl_user, :deletable) }
   let_it_be_with_reload(:user) { pipl_user.user }
-  let(:deleting_user) { Users::Internal.admin_bot }
+  let(:deleting_user) { create(:user, :admin) }
 
   shared_examples 'does not delete the user' do
     it 'does not schedule a deletion migration' do
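Review bot: As with the block service spec, replacing `deleting_user` with `create(:user, :admin)` drops the only coverage of the admin bot executing the deletion path, which is the case this commit exists to enable. Add a context that keeps `let(:deleting_user) { Users::Internal.admin_bot }` and asserts the deletion is scheduled without admin mode enabled, if that is the production caller. The shared examples that follow start outside this hunk, so which admin-mode setup they rely on cannot be confirmed here.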
diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb
index 5512484d4c335..d5e95625c9fed 100644
--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -65,6 +65,12 @@ def policy
       end
     end
 
+    context 'with the admin bot user' do
+      let(:current_user) { ::Users::Internal.admin_bot }
+
+      it { is_expected.to be_allowed(ability) }
+    end
+
     context 'with anonymous' do
       let(:current_user) { nil }
 
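Review bot: The new admin-bot context asserts only `is_expected.to be_allowed(ability)`, which would also pass under the pre-patch code whenever admin mode is disabled, so it does not pin the behaviour this commit adds. Make the precondition explicit inside the context, e.g. a `before` that stubs `Gitlab::CurrentSettings.admin_mode` to return true without entering admin mode, so the example fails if the exemption at the top of the `admin` condition is ever removed. The enclosing describe and its `ability`/`policy` setup start outside this hunk, so the default for admin mode in these examples cannot be confirmed from the diff.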
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index e89fff842e518..6471e3d8cfb2b 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1298,7 +1298,7 @@
       end
 
       context 'all other user types' do
-        User::USER_TYPES.except(:human, :project_bot, :placeholder, :import_user).each_value do |user_type|
+        User::USER_TYPES.except(:human, :project_bot, :admin_bot, :placeholder, :import_user).each_value do |user_type|
           context "with user_type #{user_type}" do
             before do
               current_user.update!(user_type: user_type)
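Review bot: Removing :admin_bot from the loop drops the only example exercising that user_type against this group policy, and nothing in the diff adds a dedicated case in its place, so the bot's widened access on groups is now untested here. Add a sibling context that does `current_user.update!(user_type: User::USER_TYPES[:admin_bot])` and asserts the abilities the bot is now expected to hold (presumably the admin set), rather than silently skipping it. The enclosing context and the ability list it checks start outside this hunk.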
diff --git a/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb b/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb
index 62e5e6b9d2b84..e772212b7c220 100644
--- a/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb
+++ b/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb
@@ -92,7 +92,9 @@
       end
 
       context 'with all other user types' do
-        User::USER_TYPES.except(:human, :project_bot, :security_policy_bot, :placeholder).each_value do |user_type|
+        excluded_types = %i[human project_bot security_policy_bot admin_bot placeholder]
+
+        User::USER_TYPES.except(*excluded_types).each_value do |user_type|
           context "with user_type #{user_type}" do
             let_it_be(:auth_token) { create(:personal_access_token, user: non_group_member) }
 
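Review bot: Extracting `excluded_types` reads better than the growing inline `except(...)` call, but the same gap as in group_policy_spec applies: :admin_bot is removed from the loop without a replacement example, so the bot's behaviour against the dependency-proxy policy is no longer covered. A dedicated context setting `user_type: User::USER_TYPES[:admin_bot]` with the expected allow/deny assertions would close that. The enclosing context and the examples it runs start outside this hunk.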
-- 
GitLab