Merge branch '480910-impersonation-ui-api-fix' into 'master'

Separate UI and API checks for user impersonation See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166639 Merged-by: Mireya Andres <mandres@gitlab.com> Approved-by: Drew Blessing <drew@gitlab.com> Approved-by: Vanessa Otto <votto@gitlab.com> Approved-by: Mireya Andres <mandres@gitlab.com> Reviewed-by: Drew Blessing <drew@gitlab.com> Co-authored-by: habdul-razak <habdul-razak@gitlab.com> Co-authored-by: Hakeem Abdul-Razak <hakeem@hakeems-mbp.lan>

Merge branch '480910-impersonation-ui-api-fix' into 'master'
5afde560 · Mireya Andres · GitLab · 88020ce3 · 51c66951 · 5afde560
--- a/app/controllers/admin/impersonation_tokens_controller.rb
+++ b/app/controllers/admin/impersonation_tokens_controller.rb
@@ -45,7 +45,7 @@ def user
  # rubocop: enable CodeReuse/ActiveRecord

  def verify_impersonation_enabled!
-    access_denied! unless helpers.impersonation_enabled?
+    access_denied! unless helpers.impersonation_tokens_enabled?
  end

  def finder(options = {})

--- a/app/helpers/users_helper.rb
+++ b/app/helpers/users_helper.rb
@@ -102,6 +102,10 @@ def impersonation_enabled?
    Gitlab.config.gitlab.impersonation_enabled
  end

+  def impersonation_tokens_enabled?
+    impersonation_enabled?
+  end
+
  def can_impersonate_user(user, impersonation_in_progress)
    can?(user, :log_in) && !user.password_expired? && !impersonation_in_progress
  end

--- a/app/views/admin/users/_head.html.haml
+++ b/app/views/admin/users/_head.html.haml
@@ -40,6 +40,6 @@
  = gl_tab_link_to _("Groups and projects"), projects_admin_user_path(@user)
  = gl_tab_link_to _("SSH keys"), keys_admin_user_path(@user)
  = gl_tab_link_to _("Identities"), admin_user_identities_path(@user)
-  - if impersonation_enabled?
+  - if impersonation_tokens_enabled?
    = gl_tab_link_to _("Impersonation Tokens"), admin_user_impersonation_tokens_path(@user), data: { testid: 'impersonation-tokens-tab' }
 .gl-mb-3
--- a/ee/app/helpers/ee/users_helper.rb
+++ b/ee/app/helpers/ee/users_helper.rb
@@ -12,8 +12,8 @@ def display_public_email?(user)
      !::Feature.enabled?(:hide_public_email_on_profile, user.provisioned_by_group)
    end

-    override :impersonation_enabled?
-    def impersonation_enabled?
+    override :impersonation_tokens_enabled?
+    def impersonation_tokens_enabled?
      super && !::Gitlab::CurrentSettings.personal_access_tokens_disabled?
    end


--- a/ee/spec/helpers/users_helper_spec.rb
+++ b/ee/spec/helpers/users_helper_spec.rb
@@ -182,7 +182,13 @@
          stub_ee_application_setting(personal_access_tokens_disabled?: true)
        end

-        it { is_expected.to eq(false) }
+        it 'allows the admin to impersonate the user' do
+          expect(helper.impersonation_enabled?).to eq(true)
+        end
+
+        it 'disables impersonation_tokens' do
+          expect(helper.impersonation_tokens_enabled?).to eq(false)
+        end
      end
    end


--- a/spec/helpers/users_helper_spec.rb
+++ b/spec/helpers/users_helper_spec.rb
@@ -183,6 +183,22 @@ def filter_ee_badges(badges)
    end
  end

+  describe '#impersonation_enabled' do
+    context 'when impersonation is enabled' do
+      before do
+        stub_config_setting(impersonation_enabled: true)
+      end
+
+      it 'allows the admin to impersonate a  user' do
+        expect(helper.impersonation_enabled?).to eq(true)
+      end
+
+      it 'allows impersonation tokens' do
+        expect(helper.impersonation_tokens_enabled?).to eq(true)
+      end
+    end
+  end
+
  describe '#can_impersonate_user' do
    let(:user) { create(:user) }
    let(:impersonation_in_progress) { false }