Add examples specing the setting to choose who can create subgroups

This setting is at the group level only. The default is specified to be maintainers and owners. **Specs only**, all failing.

Add examples specing the setting to choose who can create subgroups
This setting is at the group level only. The default is specified to be maintainers and owners. **Specs only**, all failing.
7d061212 · Fabio Papa · e6e672f0 · 7d061212 · 7d061212 · 7d061212
6 changed file
--- a/spec/controllers/admin/groups_controller_spec.rb
+++ b/spec/controllers/admin/groups_controller_spec.rb
@@ -68,5 +68,11 @@ describe Admin::GroupsController do
        post :update, params: { id: group.to_param, group: { project_creation_level: ::Gitlab::Access::NO_ONE_PROJECT_ACCESS } }
      end.to change { group.reload.project_creation_level }.to(::Gitlab::Access::NO_ONE_PROJECT_ACCESS)
    end
+
+    it 'updates the subgroup_creation_level successfully' do
+      expect do
+        post :update, params: { id: group.to_param, group: { subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS } }
+      end.to change { group.reload.subgroup_creation_level }.to(::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
+    end
  end
 end
--- a/spec/factories/groups.rb
+++ b/spec/factories/groups.rb
@@ -5,6 +5,7 @@ FactoryBot.define do
    type 'Group'
    owner nil
    project_creation_level ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS
+    subgroup_creation_level ::Gitlab::Access::OWNER_SUBGROUP_ACCESS

    after(:create) do |group|
      if group.owner

--- a/spec/features/groups/group_settings_spec.rb
+++ b/spec/features/groups/group_settings_spec.rb
@@ -85,6 +85,14 @@ describe 'Edit group settings' do
    end
  end

+  describe 'subgroup creation level menu' do
+    it 'shows the selection menu' do
+      visit edit_group_path(group)
+
+      expect(page).to have_content('Allowed to create subgroups')
+    end
+  end
+  
  describe 'edit group avatar' do
    before do
      visit edit_group_path(group)

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -994,4 +994,12 @@ describe Group do
      expect(group.project_creation_level).to eq(Gitlab::CurrentSettings.default_project_creation)
    end
  end
+
+  describe 'subgroup_creation_level' do
+    it 'outputs the default one if it is nil' do
+      group = create(:group, subgroup_creation_level: nil)
+
+      expect(group.subgroup_creation_level).to eq(::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
+    end
+  end
 end
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -163,6 +163,18 @@ describe GroupPolicy do
        expect_allowed(*updated_owner_permissions)
      end
    end
+
+    context 'maintainer' do
+      let(:current_user) { maintainer }
+
+      it 'allows every maintainer permission except creating subgroups' do
+        create_subgroup_permission = [:create_subgroup]
+        updated_maintainer_permissions = maintainer_permissions - create_subgroup_permission
+
+        expect_disallowed(*create_subgroup_permission)
+        expect_allowed(*updated_maintainer_permissions)
+      end
+    end
  end

  describe 'private nested group use the highest access level from the group and inherited permissions', :nested_groups do
@@ -461,6 +473,64 @@ describe GroupPolicy do
    end
  end

+  context "create_subgroup" do
+    context 'when group has subgroup creation level set to owner' do
+      let(:group) { create(:group, subgroup_creation_level: ::Gitlab::Access::OWNER_SUBGROUP_ACCESS) }
+
+      context 'reporter' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_disallowed(:create_subgroup) }
+      end
+
+      context 'developer' do
+        let(:current_user) { developer }
+
+        it { is_expected.to be_disallowed(:create_subgroup) }
+      end
+
+      context 'maintainer' do
+        let(:current_user) { maintainer }
+
+        it { is_expected.to be_disallowed(:create_subgroup) }
+      end
+
+      context 'owner' do
+        let(:current_user) { owner }
+
+        it { is_expected.to be_allowed(:create_subgroup) }
+      end
+    end
+
+    context 'when group has subgroup creation level set to maintainer' do
+      let(:group) { create(:group, subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS) }
+
+      context 'reporter' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to be_disallowed(:create_subgroup) }
+      end
+
+      context 'developer' do
+        let(:current_user) { developer }
+
+        it { is_expected.to be_disallowed(:create_subgroup) }
+      end
+
+      context 'maintainer' do
+        let(:current_user) { maintainer }
+
+        it { is_expected.to be_allowed(:create_subgroup) }
+      end
+
+      context 'owner' do
+        let(:current_user) { owner }
+
+        it { is_expected.to be_allowed(:create_subgroup) }
+      end
+    end
+  end
+
  it_behaves_like 'clusterable policies' do
    let(:clusterable) { create(:group) }
    let(:cluster) do

--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -19,15 +19,10 @@ RSpec.shared_context 'GroupPolicy context' do
  let(:reporter_permissions) { [:admin_label] }
  let(:developer_permissions) { [:admin_milestone] }
  let(:maintainer_permissions) do
-    [
-      :create_projects,
-      :read_cluster,
-      :create_cluster,
-      :update_cluster,
-      :admin_cluster,
-      :add_cluster,
-      (Gitlab::Database.postgresql? ? :create_subgroup : nil)
-    ].compact
+    %i[
+      create_projects
+      read_cluster create_cluster update_cluster admin_cluster add_cluster
+    ]
  end
  let(:owner_permissions) do
    [
@@ -35,7 +30,8 @@ RSpec.shared_context 'GroupPolicy context' do
      :admin_namespace,
      :admin_group_member,
      :change_visibility_level,
-      :set_note_created_at
+      :set_note_created_at,
+      (Gitlab::Database.postgresql? ? :create_subgroup : nil)
    ].compact
  end