Check for group admin permissions

app/controllers/groups/settings/ci_cd_controller.rb

@@ -4,7 +4,7 @@ module Groups
   module Settings
     class CiCdController < Groups::ApplicationController
       skip_cross_project_access_check :show
-      before_action :authorize_admin_pipeline!
+      before_action :authorize_admin_group!
       def show
         define_ci_variables
@@ -26,8 +26,8 @@ module Groups
           .map { |variable| variable.present(current_user: current_user) }
       end
-      def authorize_admin_pipeline!
-        return render_404 unless can?(current_user, :admin_pipeline, group)
+      def authorize_admin_group!
+        return render_404 unless can?(current_user, :admin_group, group)
       end
     end
   end

spec/controllers/groups/settings/ci_cd_controller_spec.rb

@@ -5,30 +5,65 @@ describe Groups::Settings::CiCdController do
   let(:user) { create(:user) }
   before do
-    group.add_maintainer(user)
     sign_in(user)
   end
   describe 'GET #show' do
-    it 'renders show with 200 status code' do
-      get :show, params: { group_id: group }
-      expect(response).to have_gitlab_http_status(200)
-      expect(response).to render_template(:show)
+    context 'when user is owner' do
+      before do
+        group.add_owner(user)
+      end
+      it 'renders show with 200 status code' do
+        get :show, params: { group_id: group }
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to render_template(:show)
+      end
+    end
+
+    context 'when user is not owner' do
+      before do
+        group.add_maintainer(user)
+      end
+
+      it 'renders a 404' do
+        get :show, params: { group_id: group }
+
+        expect(response).to have_gitlab_http_status(404)
+      end
     end
   end
   describe 'PUT #reset_registration_token' do
     subject { put :reset_registration_token, params: { group_id: group } }
-    it 'resets runner registration token' do
-      expect { subject }.to change { group.reload.runners_token }
+    context 'when user is owner' do
+      before do
+        group.add_owner(user)
+      end
+
+      it 'resets runner registration token' do
+        expect { subject }.to change { group.reload.runners_token }
+      end
+
+      it 'redirects the user to admin runners page' do
+        subject
+
+        expect(response).to redirect_to(group_settings_ci_cd_path)
+      end
     end
-    it 'redirects the user to admin runners page' do
-      subject
-      expect(response).to redirect_to(group_settings_ci_cd_path)
+    context 'when user is not owner' do
+      before do
+        group.add_maintainer(user)
+      end
+
+      it 'renders a 404' do
+        subject
+        expect(response).to have_gitlab_http_status(404)
+      end
     end
   end
 end

spec/features/group_variables_spec.rb

@@ -7,7 +7,7 @@ describe 'Group variables', :js do
   let(:page_path) { group_settings_ci_cd_path(group) }
   before do
-    group.add_maintainer(user)
+    group.add_owner(user)
     gitlab_sign_in(user)
     visit page_path

spec/features/runners_spec.rb

@@ -259,8 +259,9 @@ describe 'Runners' do
   context 'group runners in group settings' do
     let(:group) { create(:group) }
+
     before do
-      group.add_maintainer(user)
+      group.add_owner(user)
     end
     context 'group with no runners' do