Group visibility levels: Show all radio button with correct attributes

- Shows all visibility levels with radio buttons
- Checks only the radio button with the current visibility level
- Disables disallowed and restricted radio buttons
  in order to make them not selectable

Changelog: fixed

app/helpers/visibility_level_helper.rb

@@ -53,6 +53,24 @@ def disallowed_visibility_level?(form_model, level)
     !form_model.visibility_level_allowed?(level)
   end
 
+  def disallowed_visibility_level_by_parent?(form_model, level)
+    return false unless form_model.respond_to?(:visibility_level_allowed_by_parent?)
+
+    !form_model.visibility_level_allowed_by_parent?(level)
+  end
+
+  def disallowed_visibility_level_by_projects?(form_model, level)
+    return false unless form_model.respond_to?(:visibility_level_allowed_by_projects?)
+
+    !form_model.visibility_level_allowed_by_projects?(level)
+  end
+
+  def disallowed_visibility_level_by_sub_groups?(form_model, level)
+    return false unless form_model.respond_to?(:visibility_level_allowed_by_sub_groups?)
+
+    !form_model.visibility_level_allowed_by_sub_groups?(level)
+  end
+
   # Visibility level can be restricted in two ways:
   #
   # 1. The group permissions (e.g. a subgroup is private, which requires
@@ -69,6 +87,10 @@ def selected_visibility_level(form_model, requested_level)
     [requested_level, max_allowed_visibility_level(form_model)].min
   end
 
+  def all_visibility_levels
+    Gitlab::VisibilityLevel.values
+  end
+
   def available_visibility_levels(form_model)
     Gitlab::VisibilityLevel.values.reject do |level|
       disallowed_visibility_level?(form_model, level) ||
@@ -76,6 +98,15 @@ def available_visibility_levels(form_model)
     end
   end
 
+  def disabled_visibility_level?(form_model, level)
+    disallowed_visibility_level?(form_model, level) ||
+      restricted_visibility_level?(level)
+  end
+
+  def restricted_visibility_level?(level)
+    restricted_visibility_levels.include?(level)
+  end
+
   def snippets_selected_visibility_level(visibility_levels, selected)
     visibility_levels.find { |level| level == selected } || visibility_levels.min
   end

app/views/shared/_visibility_radios.html.haml

-- available_visibility_levels = available_visibility_levels(form_model)
-- selected_level = snippets_selected_visibility_level(available_visibility_levels, selected_level)
+- all_visibility_levels.each do |level|
+  - disabled_visibility_level_icon_with_popover = capture do
+    - if disabled_visibility_level?(form_model, level)
+      - popover_content = capture do
+        - if restricted_visibility_level?(level)
+          = s_('VisibilityLevel|This visibility level has been restricted by your administrator.')
+        - elsif disallowed_visibility_level_by_parent?(form_model, level)
+          = s_('VisibilityLevel|This visibility level is not allowed because the parent group has a more restrictive visibility level.')
+        - elsif disallowed_visibility_level_by_projects?(form_model, level) || disallowed_visibility_level_by_sub_groups?(form_model, level)
+          - learn_more_link_start = '<a href="https://docs.gitlab.com/ee/user/public_access" target="_blank" rel="noopener noreferrer">'.html_safe # rubocop:disable Gitlab/DocUrl -- Not referencing this rails application; it is referencing another doc
+          - learn_more_link_end = '</a>'.html_safe
+          = s_('VisibilityLevel|This visibility level is not allowed because a child of %{group_name} has a less restrictive visibility level. %{learn_more_link_start}Learn more%{learn_more_link_end}.').html_safe % { group_name: form_model.name, learn_more_link_start: learn_more_link_start, learn_more_link_end: learn_more_link_end }
 
-- available_visibility_levels.each do |level|
+      %span{
+        data: {
+          testid: 'visibility-level-not-allowed-popover',
+          container: 'body',
+          content: popover_content,
+          html: 'true',
+          title: _('Visibility level not allowed'),
+          toggle: 'popover',
+          triggers: 'hover' }
+        }
+        = sprite_icon('lock')
 
   = form.gitlab_ui_radio_component model_method, level,
-     "#{visibility_level_icon(level)} #{visibility_level_label(level)}".html_safe,
-     help_text: '<span class="option-description">%{visibility_level_description}</span><span class="option-disabled-reason"></span>'.html_safe % { visibility_level_description: visibility_level_description(level, form_model)},
-     radio_options: { checked: (selected_level == level), data: { track_label: "blank_project", track_action: "activate_form_input", track_property: "#{model_method}_#{level}", track_value: "" } },
+     "#{visibility_level_icon(level)} #{visibility_level_label(level)} #{disabled_visibility_level_icon_with_popover}".html_safe,
+     help_text: '<span class="option-description text-muted">%{visibility_level_description}</span><span class="option-disabled-reason">%{option_disabled_reason}</span>'.html_safe % { visibility_level_description: visibility_level_description(level, form_model), option_disabled_reason: 'Not allowed by administrators' },
+     radio_options: { checked: (selected_level == level), disabled: disabled_visibility_level?(form_model, level), data: { track_label: "blank_project", track_action: "activate_form_input", track_property: "#{model_method}_#{level}", track_value: "" } },
      label_options: { class: 'js-visibility-level-radio' }
-
-
-.text-muted
-  - if all_visibility_levels_restricted?
-    = _('Visibility settings have been disabled by the administrator.')
-  - elsif multiple_visibility_levels_restricted?
-    = _('Other visibility settings have been disabled by the administrator.')

locale/gitlab.pot

@@ -57618,6 +57618,9 @@ msgstr ""
 msgid "Visibility level"
 msgstr ""
+msgid "Visibility level not allowed"
+msgstr ""
+
 msgid "Visibility level:"
 msgstr ""
@@ -57660,6 +57663,15 @@ msgstr ""
 msgid "VisibilityLevel|The project can be accessed without any authentication."
 msgstr ""
+msgid "VisibilityLevel|This visibility level has been restricted by your administrator."
+msgstr ""
+
+msgid "VisibilityLevel|This visibility level is not allowed because a child of %{group_name} has a less restrictive visibility level. %{learn_more_link_start}Learn more%{learn_more_link_end}."
+msgstr ""
+
+msgid "VisibilityLevel|This visibility level is not allowed because the parent group has a more restrictive visibility level."
+msgstr ""
+
 msgid "VisibilityLevel|Unknown"
 msgstr ""

spec/features/groups/settings/general_visibility_levels_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'General settings visibility levels', :js, :aggregate_failures, feature_category: :groups_and_projects do
+  let_it_be(:group) { create(:group, :public) }
+  let_it_be(:user) { create(:user).tap { |user| group.add_owner(user) } }
+
+  before do
+    sign_in(user)
+  end
+
+  context 'with parent group internal' do
+    let_it_be(:parent_group) { create(:group, :internal) }
+    let_it_be(:group) { create(:group, :internal, parent: parent_group) }
+    let_it_be(:user) { create(:user).tap { |user| group.add_owner(user) } }
+
+    it 'shows each visibility level in correct field state' do
+      visit edit_group_path(group)
+
+      expect(page).to have_content('Visibility level')
+
+      expect(page).to have_field("Private",  checked: false, disabled: false)
+      expect(page).to have_field("Internal", checked: true,  disabled: false)
+      expect(page).to have_field("Public",   checked: false, disabled: true)
+
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Private')
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Internal')
+      expect_popover_for_disallowed_visibility_level(
+        visibility_level_label_text: 'Public',
+        popover_content: 'This visibility level is not allowed ' \
+          'because the parent group has a more restrictive visibility level.'
+      )
+    end
+  end
+
+  context 'with internal child project in group' do
+    let_it_be(:project) { create(:project, :internal, group: group) }
+
+    it 'shows each visibility level in correct field state' do
+      visit edit_group_path(group)
+
+      expect(page).to have_field("Private",  checked: false, disabled: true)
+      expect(page).to have_field("Internal", checked: false, disabled: false)
+      expect(page).to have_field("Public",   checked: true,  disabled: false)
+
+      expect_popover_for_disallowed_visibility_level(
+        visibility_level_label_text: 'Private',
+        popover_content: "This visibility level is not allowed " \
+          "because a child of #{group.name} has a less restrictive visibility level. Learn more."
+      )
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Internal')
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Public')
+    end
+  end
+
+  context 'without restricted visibility levels' do
+    it 'shows each visibility level in correct field state' do
+      visit edit_group_path(group)
+
+      expect(page).to have_content('Visibility level')
+
+      expect(page).to have_field("Private",  checked: false, disabled: false)
+      expect(page).to have_field("Internal", checked: false, disabled: false)
+      expect(page).to have_field("Public",   checked: true,  disabled: false)
+
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Private')
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Internal')
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Public')
+    end
+  end
+
+  context 'with restricted visibility level public' do
+    before do
+      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+    end
+
+    it 'shows each visibility level in correct field state' do
+      visit edit_group_path(group)
+
+      expect(page).to have_field("Private",  checked: false, disabled: false)
+      expect(page).to have_field("Internal", checked: false, disabled: false)
+      expect(page).to have_field("Public",   checked: true,  disabled: true)
+
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Private')
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Internal')
+      expect_popover_for_disallowed_visibility_level(
+        visibility_level_label_text: 'Public',
+        popover_content: 'This visibility level has been restricted by your administrator.'
+      )
+    end
+
+    context 'with private project in group' do
+      let_it_be(:project) { create(:project, :private, group: group) }
+
+      it 'shows each visibility level in correct field state' do
+        visit edit_group_path(group)
+
+        expect(page).to have_field("Private",  checked: false, disabled: false)
+        expect(page).to have_field("Internal", checked: false, disabled: false)
+        expect(page).to have_field("Public",   checked: true,  disabled: true)
+
+        expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Private')
+        expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Internal')
+        expect_popover_for_disallowed_visibility_level(
+          visibility_level_label_text: 'Public',
+          popover_content: 'This visibility level has been restricted by your administrator.'
+        )
+      end
+    end
+
+    context 'with public project in group' do
+      let_it_be(:project) { create(:project, :public, group: group) }
+
+      it 'shows each visibility level in correct field state' do
+        visit edit_group_path(group)
+
+        expect(page).to have_field("Private",  checked: false, disabled: true)
+        expect(page).to have_field("Internal", checked: false, disabled: true)
+        expect(page).to have_field("Public",   checked: true,  disabled: true)
+
+        expect_popover_for_disallowed_visibility_level(
+          visibility_level_label_text: 'Private',
+          popover_content: "This visibility level is not allowed " \
+            "because a child of #{group.name} has a less restrictive visibility level. Learn more."
+        )
+
+        expect_popover_for_disallowed_visibility_level(
+          visibility_level_label_text: 'Internal',
+          popover_content: "This visibility level is not allowed " \
+            "because a child of #{group.name} has a less restrictive visibility level. Learn more."
+        )
+
+        expect_popover_for_disallowed_visibility_level(
+          visibility_level_label_text: 'Public',
+          popover_content: 'This visibility level has been restricted by your administrator.'
+        )
+      end
+    end
+  end
+
+  context 'with multiple restricted visibility levels "Public" and "Private"' do
+    let_it_be(:project) { create(:project, :internal, group: group) }
+
+    before do
+      stub_application_setting(
+        restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC, Gitlab::VisibilityLevel::PRIVATE]
+      )
+    end
+
+    it 'shows each visibility level in correct field state' do
+      visit edit_group_path(group)
+
+      expect(page).to have_field("Private",  checked: false, disabled: true)
+      expect(page).to have_field("Internal", checked: false, disabled: false)
+      expect(page).to have_field("Public",   checked: true,  disabled: true)
+
+      expect_popover_for_disallowed_visibility_level(
+        visibility_level_label_text: 'Private',
+        popover_content: 'This visibility level has been restricted by your administrator.'
+      )
+
+      expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text: 'Internal')
+
+      expect_popover_for_disallowed_visibility_level(
+        visibility_level_label_text: 'Public',
+        popover_content: 'This visibility level has been restricted by your administrator.'
+      )
+    end
+  end
+
+  def expect_popover_for_disallowed_visibility_level(visibility_level_label_text:, popover_content:)
+    # Checking that a popover content is not visible before hovering
+    expect(page).not_to have_content(popover_content)
+
+    within('label', text: visibility_level_label_text) do
+      find('[data-testid=visibility-level-not-allowed-popover]').hover
+    end
+
+    page.within('.gl-popover') do
+      expect(page).to have_content('Visibility level not allowed')
+      expect(page).to have_content(popover_content)
+    end
+
+    # Move cursor to another element to hide the popover
+    find('label', text: visibility_level_label_text).hover
+  end
+
+  def expect_no_popover_for_disallowed_visibility_level(visibility_level_label_text:)
+    within('label', text: visibility_level_label_text) do
+      expect(page).not_to have_selector('[data-testid=visibility-level-not-allowed-popover]')
+    end
+
+    expect(page).not_to have_selector('.gl-popover')
+  end
+end

spec/features/projects/new_project_spec.rb

@@ -69,7 +69,7 @@
       end
     end
 
-    it 'shows a message if multiple levels are restricted' do
+    it 'disables the radio button for visibility levels "Private" and "Internal"' do
       stub_application_setting(default_project_visibility: Gitlab::VisibilityLevel::PUBLIC)
       stub_application_setting(
         restricted_visibility_levels: [Gitlab::VisibilityLevel::PRIVATE, Gitlab::VisibilityLevel::INTERNAL]
@@ -78,16 +78,20 @@
       visit new_project_path
       click_link 'Create blank project'
 
-      expect(page).to have_content 'Other visibility settings have been disabled by the administrator.'
+      expect(page).to have_field("Private",  checked: false, disabled: true)
+      expect(page).to have_field("Internal", checked: false, disabled: true)
+      expect(page).to have_field("Public",   checked: true,  disabled: false)
     end
 
-    it 'shows a message if all levels are restricted' do
+    it 'disables all radio button for visibility levels' do
       stub_application_setting(restricted_visibility_levels: Gitlab::VisibilityLevel.values)
 
       visit new_project_path
       click_link 'Create blank project'
 
-      expect(page).to have_content 'Visibility settings have been disabled by the administrator.'
+      expect(page).to have_field("Private",  checked: true, disabled: true)
+      expect(page).to have_field("Internal", checked: false, disabled: true)
+      expect(page).to have_field("Public",   checked: false, disabled: true)
     end
   end
 

spec/helpers/visibility_level_helper_spec.rb

@@ -152,6 +152,75 @@
     end
   end
 
+  describe '#disallowed_visibility_level_by_parent?' do
+    using RSpec::Parameterized::TableSyntax
+
+    let(:parent_group) { create(:group, parent_group_visibility_level) }
+    let(:group) { build(:group, :private, parent: parent_group) }
+
+    subject { helper.disallowed_visibility_level_by_parent?(group, visibility_level) }
+
+    where(:parent_group_visibility_level, :visibility_level, :expected) do
+      :public   | Gitlab::VisibilityLevel::PUBLIC   | false
+      :public   | Gitlab::VisibilityLevel::INTERNAL | false
+      :public   | Gitlab::VisibilityLevel::PRIVATE  | false
+      :internal | Gitlab::VisibilityLevel::PUBLIC   | true
+      :internal | Gitlab::VisibilityLevel::INTERNAL | false
+      :internal | Gitlab::VisibilityLevel::PRIVATE  | false
+      :private  | Gitlab::VisibilityLevel::PUBLIC   | true
+      :private  | Gitlab::VisibilityLevel::INTERNAL | true
+      :private  | Gitlab::VisibilityLevel::PRIVATE  | false
+    end
+
+    with_them do
+      it { is_expected.to eq expected }
+    end
+  end
+
+  shared_examples_for 'disallowed visibility level by child' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:child_visibility_level, :visibility_level, :expected) do
+      Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PUBLIC   | false
+      Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::INTERNAL | true
+      Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PRIVATE  | true
+      Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::PUBLIC   | false
+      Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::INTERNAL | false
+      Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::PRIVATE  | true
+      Gitlab::VisibilityLevel::PRIVATE  | Gitlab::VisibilityLevel::PUBLIC   | false
+      Gitlab::VisibilityLevel::PRIVATE  | Gitlab::VisibilityLevel::INTERNAL | false
+      Gitlab::VisibilityLevel::PRIVATE  | Gitlab::VisibilityLevel::PRIVATE  | false
+    end
+
+    with_them do
+      before do
+        child.update!(visibility_level: child_visibility_level)
+      end
+
+      it { is_expected.to eq expected }
+    end
+  end
+
+  describe '#disallowed_visibility_level_by_projects?' do
+    let_it_be(:group) { create(:group, :public) }
+
+    let_it_be_with_reload(:child) { create(:project, group: group) }
+
+    subject { helper.disallowed_visibility_level_by_projects?(group, visibility_level) }
+
+    it_behaves_like 'disallowed visibility level by child'
+  end
+
+  describe '#disallowed_visibility_level_by_sub_groups?' do
+    let_it_be(:group) { create(:group, :public) }
+
+    let_it_be_with_reload(:child) { create(:group, parent: group) }
+
+    subject { helper.disallowed_visibility_level_by_sub_groups?(group, visibility_level) }
+
+    it_behaves_like 'disallowed visibility level by child'
+  end
+
   describe "selected_visibility_level" do
     let(:group) { create(:group, :public) }
     let!(:project) { create(:project, :internal, group: group) }
@@ -323,4 +392,102 @@
       it { is_expected.to eq(expected) }
     end
   end
+
+  describe '#all_visibility_levels' do
+    subject { helper.all_visibility_levels }
+
+    it 'returns all visibility levels' do
+      is_expected.to eq [
+        Gitlab::VisibilityLevel::PRIVATE,
+        Gitlab::VisibilityLevel::INTERNAL,
+        Gitlab::VisibilityLevel::PUBLIC
+      ]
+    end
+  end
+
+  describe '#disabled_visibility_level?' do
+    using RSpec::Parameterized::TableSyntax
+
+    let_it_be(:user) { create(:user) }
+    let_it_be(:group) { create(:group, :public) }
+    let_it_be_with_reload(:child) { create(:project, group: group) }
+
+    subject { helper.disabled_visibility_level?(group, visibility_level) }
+
+    where(:restricted_visibility_levels, :child_visibility_level, :visibility_level, :expected) do
+      []                                                                   | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PUBLIC   | false
+      []                                                                   | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::INTERNAL | true
+      []                                                                   | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PRIVATE  | true
+      []                                                                   | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::PUBLIC   | false
+      []                                                                   | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::INTERNAL | false
+      []                                                                   | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::PRIVATE  | true
+      []                                                                   | Gitlab::VisibilityLevel::PRIVATE  | Gitlab::VisibilityLevel::PUBLIC   | false
+      []                                                                   | Gitlab::VisibilityLevel::PRIVATE  | Gitlab::VisibilityLevel::INTERNAL | false
+      []                                                                   | Gitlab::VisibilityLevel::PRIVATE  | Gitlab::VisibilityLevel::PRIVATE  | false
+
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PUBLIC   | true
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::INTERNAL | true
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PRIVATE  | true
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::PUBLIC   | true
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::INTERNAL | false
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::PRIVATE  | true
+
+      [Gitlab::VisibilityLevel::INTERNAL]                                  | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PUBLIC   | false
+      [Gitlab::VisibilityLevel::INTERNAL]                                  | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::INTERNAL | true
+      [Gitlab::VisibilityLevel::INTERNAL]                                  | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PRIVATE  | true
+      [Gitlab::VisibilityLevel::INTERNAL]                                  | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::PUBLIC   | false
+      [Gitlab::VisibilityLevel::INTERNAL]                                  | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::INTERNAL | true
+      [Gitlab::VisibilityLevel::INTERNAL]                                  | Gitlab::VisibilityLevel::INTERNAL | Gitlab::VisibilityLevel::PRIVATE  | true
+
+      [Gitlab::VisibilityLevel::PUBLIC, Gitlab::VisibilityLevel::INTERNAL] | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PUBLIC   | true
+      [Gitlab::VisibilityLevel::PUBLIC, Gitlab::VisibilityLevel::INTERNAL] | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::INTERNAL | true
+      [Gitlab::VisibilityLevel::PUBLIC, Gitlab::VisibilityLevel::INTERNAL] | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::INTERNAL | true
+
+      Gitlab::VisibilityLevel.values                                       | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::PUBLIC   | true
+      Gitlab::VisibilityLevel.values                                       | Gitlab::VisibilityLevel::PUBLIC   | Gitlab::VisibilityLevel::INTERNAL | true
+    end
+
+    with_them do
+      before do
+        allow(helper).to receive(:current_user) { user }
+        stub_application_setting(restricted_visibility_levels: restricted_visibility_levels)
+
+        child.update!(visibility_level: child_visibility_level)
+      end
+
+      it { is_expected.to eq expected }
+    end
+  end
+
+  describe '#restricted_visibility_level?' do
+    using RSpec::Parameterized::TableSyntax
+
+    let(:user) { create(:user) }
+
+    subject { helper.restricted_visibility_level?(visibility_level) }
+
+    where(:restricted_visibility_levels, :visibility_level, :expected) do
+      []                                                                   | Gitlab::VisibilityLevel::PUBLIC   | false
+      []                                                                   | Gitlab::VisibilityLevel::INTERNAL | false
+      []                                                                   | Gitlab::VisibilityLevel::PRIVATE  | false
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::PUBLIC   | true
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::INTERNAL | false
+      [Gitlab::VisibilityLevel::PUBLIC]                                    | Gitlab::VisibilityLevel::PRIVATE  | false
+      [Gitlab::VisibilityLevel::PUBLIC, Gitlab::VisibilityLevel::INTERNAL] | Gitlab::VisibilityLevel::PUBLIC   | true
+      [Gitlab::VisibilityLevel::PUBLIC, Gitlab::VisibilityLevel::INTERNAL] | Gitlab::VisibilityLevel::INTERNAL | true
+      [Gitlab::VisibilityLevel::PUBLIC, Gitlab::VisibilityLevel::INTERNAL] | Gitlab::VisibilityLevel::PRIVATE  | false
+      Gitlab::VisibilityLevel.values                                       | Gitlab::VisibilityLevel::PUBLIC   | true
+      Gitlab::VisibilityLevel.values                                       | Gitlab::VisibilityLevel::INTERNAL | true
+      Gitlab::VisibilityLevel.values                                       | Gitlab::VisibilityLevel::PRIVATE  | true
+    end
+
+    with_them do
+      before do
+        allow(helper).to receive(:current_user) { user }
+        stub_application_setting(restricted_visibility_levels: restricted_visibility_levels)
+      end
+
+      it { is_expected.to eq expected }
+    end
+  end
 end