Tweaks, refactoring, and specs

8db12921 · Douwe Maan · 2eb19ea3 · 8db12921 · 8db12921 · 8db12921
Commit 8db12921 authored 8 years ago by Douwe Maan
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -31,7 +31,7 @@ module API
        authorize! :create_group, current_user
        required_attributes! [:name, :path]
  
-        attrs = attributes_for_keys [:name, :path, :description]
+        attrs = attributes_for_keys [:name, :path, :description, :visibility_level]
        @group = Group.new(attrs)
  
        if @group.save

--- a/lib/gitlab/visibility_level.rb
+++ b/lib/gitlab/visibility_level.rb
@@ -11,6 +11,8 @@ module Gitlab
    included do
      scope :public_only,               -> { where(visibility_level: PUBLIC) }
      scope :public_and_internal_only,  -> { where(visibility_level: [PUBLIC, INTERNAL] ) }
+
+      scope :public_to_user, -> (user) { user && !user.external ? public_and_internal_only : public_only }
    end
  
    PRIVATE  = 0 unless const_defined?(:PRIVATE)

--- a/spec/controllers/groups_controller_spec.rb
+++ b/spec/controllers/groups_controller_spec.rb
@@ -20,43 +20,4 @@ describe GroupsController do
      end
    end
  end
-
-  describe 'GET show' do
-    let(:group) { create(:group, visibility_level: 20) }
-
-    it 'checks if group can be read' do
-      expect(controller).to receive(:authorize_read_group!)
-      get :show, id: group.path
-    end
-  end
-
-  describe 'POST create' do
-    before { sign_in(create(:user)) }
-
-    it 'checks if group can be created' do
-      expect(controller).to receive(:authorize_create_group!)
-      post :create, { group: { name: "any params" } }
-    end
-  end
-
-  describe 'DELETE destroy' do
-    before { sign_in(create(:user)) }
-    let(:group) { create(:group, visibility_level: 20) }
-
-    it 'checks if group can be deleted' do
-      expect(controller).to receive(:authorize_admin_group!)
-      delete :destroy, id: group.path
-    end
-  end
-
-  describe 'PUT update' do
-    before { sign_in(create(:user)) }
-    let(:group) { create(:group, visibility_level: 20) }
-
-    it 'checks if group can be updated' do
-      expect_any_instance_of(Groups::UpdateService).to receive(:execute)
-      expect(controller).to receive(:authorize_admin_group!)
-      put :update, id: group.path, group: { name: 'test' }
-    end
-  end
 end
--- a/spec/controllers/namespaces_controller_spec.rb
+++ b/spec/controllers/namespaces_controller_spec.rb
@@ -15,12 +15,11 @@ describe NamespacesController do
    end
  
    context "when the namespace belongs to a group" do
-      let!(:group)   { create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
-      let!(:project) { create(:project, namespace: group) }
+      let!(:group)   { create(:group) }
  
-      context "when the group has public projects" do
+      context "when the group is public" do
        before do
-          project.update_attribute(:visibility_level, Project::PUBLIC)
+          group.update_attribute(:visibility_level, Group::PUBLIC)
        end
  
        context "when not signed in" do
@@ -44,27 +43,27 @@ describe NamespacesController do
        end
      end
  
-      context "when the project doesn't have public projects" do
+      context "when the group is private" do
        context "when not signed in" do
          it "does not redirect to the sign in page" do
            get :show, id: group.path
            expect(response).not_to redirect_to(new_user_session_path)
          end
        end
+
        context "when signed in" do
          before do
            sign_in(user)
          end
  
-          context "when the user has access to the project" do
+          context "when the user has access to the group" do
            before do
-              project.team << [user, :master]
+              group.add_developer(user)
            end
  
            context "when the user is blocked" do
              before do
                user.block
-                project.team << [user, :master]
              end
  
              it "redirects to the sign in page" do
@@ -83,11 +82,11 @@ describe NamespacesController do
            end
          end
  
-          context "when the user doesn't have access to the project" do
-            it "redirects to the group's page" do
+          context "when the user doesn't have access to the group" do
+            it "responds with status 404" do
              get :show, id: group.path
  
-              expect(response).to redirect_to(group_path(group))
+              expect(response.status).to eq(404)
            end
          end
        end

--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -127,12 +127,10 @@ describe UploadsController do
  
    context "when viewing a group avatar" do
      let!(:group)   { create(:group, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
-      let!(:project) { create(:project, namespace: group) }
  
-      context "when the group has public projects" do
+      context "when the group is public" do
        before do
          group.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
-          project.update_attribute(:visibility_level, Project::PUBLIC)
        end
  
        context "when not signed in" do
@@ -156,7 +154,7 @@ describe UploadsController do
        end
      end
  
-      context "when the project doesn't have public projects" do
+      context "when the group is private" do
        context "when signed in" do
          before do
            sign_in(user)
@@ -164,13 +162,12 @@ describe UploadsController do
  
          context "when the user has access to the project" do
            before do
-              project.team << [user, :master]
+              project.add_developer(user)
            end
  
            context "when the user is blocked" do
              before do
                user.block
-                project.team << [user, :master]
              end
  
              it "redirects to the sign in page" do

--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -12,25 +12,25 @@ feature 'Project', feature: true do
    it 'parses Markdown' do
      project.update_attribute(:description, 'This is **my** project')
      visit path
-      expect(page).to have_css('.cover-title > p > strong')
+      expect(page).to have_css('.project-home-desc > p > strong')
    end
  
    it 'passes through html-pipeline' do
      project.update_attribute(:description, 'This project is the :poop:')
      visit path
-      expect(page).to have_css('.cover-title > p > img')
+      expect(page).to have_css('.project-home-desc > p > img')
    end
  
    it 'sanitizes unwanted tags' do
      project.update_attribute(:description, "```\ncode\n```")
      visit path
-      expect(page).not_to have_css('.cover-title code')
+      expect(page).not_to have_css('.project-home-desc code')
    end
  
    it 'permits `rel` attribute on links' do
      project.update_attribute(:description, 'https://google.com/')
      visit path
-      expect(page).to have_css('.cover-title a[rel]')
+      expect(page).to have_css('.project-home-desc a[rel]')
    end
  end
  

--- a/spec/features/security/group/internal_access_spec.rb
+++ b/spec/features/security/group/internal_access_spec.rb
 require 'rails_helper'
  
-describe 'Internal group access', feature: true do
+describe 'Internal Group access', feature: true do
  include AccessMatchers
-  include GroupAccessHelper
  
-  describe 'GET /groups/:path' do
-    subject { group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
+  let(:group) { create(:group, :internal) }
+  let(:project) { create(:project, :internal, group: group) }
  
-    end
+  let(:owner)     { create(:user) }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+  let(:project_guest) { create(:user) }
+
+  before do
+    group.add_user(owner, Gitlab::Access::OWNER)
+    group.add_user(master, Gitlab::Access::MASTER)
+    group.add_user(developer, Gitlab::Access::DEVELOPER)
+    group.add_user(reporter, Gitlab::Access::REPORTER)
+    group.add_user(guest, Gitlab::Access::GUEST)
+
+    project.team << [project_guest, :guest]
  end
  
-  describe 'GET /groups/:path/issues' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
+  describe "Group should be internal" do
+    describe '#internal?' do
+      subject { group.internal? }
+      it { is_expected.to be_truthy }
    end
+  end
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+  describe 'GET /groups/:path' do
+    subject { group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
  end
  
-  describe 'GET /groups/:path/merge_requests' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
-    end
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+  describe 'GET /groups/:path/merge_requests' do
+    subject { merge_requests_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
  end
  
  
  describe 'GET /groups/:path/group_members' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
-    end
-
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+    subject { group_group_members_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
  end
  
  describe 'GET /groups/:path/edit' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::INTERNAL)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
-    end
-
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+    subject { edit_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_denied_for master }
+    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :external }
  end
 end
--- a/spec/features/security/group/private_access_spec.rb
+++ b/spec/features/security/group/private_access_spec.rb
 require 'rails_helper'
  
-describe 'Private group access', feature: true do
+describe 'Private Group access', feature: true do
  include AccessMatchers
-  include GroupAccessHelper
  
+  let(:group) { create(:group, :private) }
+  let(:project) { create(:project, :private, group: group) }
  
+  let(:owner)     { create(:user) }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
  
-  describe 'GET /groups/:path' do
-    subject { group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
-    end
+  let(:project_guest) { create(:user) }
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+  before do
+    group.add_user(owner, Gitlab::Access::OWNER)
+    group.add_user(master, Gitlab::Access::MASTER)
+    group.add_user(developer, Gitlab::Access::DEVELOPER)
+    group.add_user(reporter, Gitlab::Access::REPORTER)
+    group.add_user(guest, Gitlab::Access::GUEST)
+
+    project.team << [project_guest, :guest]
  end
  
-  describe 'GET /groups/:path/issues' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
+  describe "Group should be private" do
+    describe '#private?' do
+      subject { group.private? }
+      it { is_expected.to be_truthy }
    end
+  end
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+  describe 'GET /groups/:path' do
+    subject { group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
  end
  
-  describe 'GET /groups/:path/merge_requests' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
-    end
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+  describe 'GET /groups/:path/merge_requests' do
+    subject { merge_requests_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
  end
  
  
  describe 'GET /groups/:path/group_members' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
-    end
-
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+    subject { group_group_members_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
  end
  
  describe 'GET /groups/:path/edit' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::PRIVATE)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-      it { is_expected.to be_denied_for :external }
-    end
-
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to_not be_allowed_for :visitor }
-    end
+    subject { edit_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_denied_for master }
+    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :external }
  end
 end
--- a/spec/features/security/group/public_access_spec.rb
+++ b/spec/features/security/group/public_access_spec.rb
 require 'rails_helper'
  
-describe 'Public group access', feature: true do
+describe 'Public Group access', feature: true do
  include AccessMatchers
-  include GroupAccessHelper
  
+  let(:group) { create(:group, :public) }
+  let(:project) { create(:project, :public, group: group) }
  
+  let(:owner)     { create(:user) }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
  
-  describe 'GET /groups/:path' do
-    subject { group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-      it { is_expected.to be_allowed_for :external }
-    end
+  let(:project_guest) { create(:user) }
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to be_allowed_for :visitor }
-    end
+  before do
+    group.add_user(owner, Gitlab::Access::OWNER)
+    group.add_user(master, Gitlab::Access::MASTER)
+    group.add_user(developer, Gitlab::Access::DEVELOPER)
+    group.add_user(reporter, Gitlab::Access::REPORTER)
+    group.add_user(guest, Gitlab::Access::GUEST)
+
+    project.team << [project_guest, :guest]
  end
  
-  describe 'GET /groups/:path/issues' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-      it { is_expected.to be_allowed_for :external }
+  describe "Group should be public" do
+    describe '#public?' do
+      subject { group.public? }
+      it { is_expected.to be_truthy }
    end
+  end
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to be_allowed_for :visitor }
-    end
+  describe 'GET /groups/:path' do
+    subject { group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for :visitor }
  end
  
-  describe 'GET /groups/:path/merge_requests' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-      it { is_expected.to be_allowed_for :external }
-    end
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for :visitor }
+  end
  
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to be_allowed_for :visitor }
-    end
+  describe 'GET /groups/:path/merge_requests' do
+    subject { merge_requests_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for :visitor }
  end
  
  
  describe 'GET /groups/:path/group_members' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-      it { is_expected.to be_allowed_for :external }
-    end
-
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to be_allowed_for :visitor }
-    end
+    subject { group_group_members_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for :visitor }
  end
  
  describe 'GET /groups/:path/edit' do
-    subject { issues_group_path(group(Gitlab::VisibilityLevel::PUBLIC)) }
-
-    context "when user not in group project" do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for external_guest }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-      it { is_expected.to be_allowed_for :external }
-    end
-
-    context "when user in group project" do
-      it { is_expected.to be_allowed_for project_group_member(:user) }
-      it { is_expected.to be_allowed_for :visitor }
-    end
+    subject { edit_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_denied_for master }
+    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :external }
  end
 end
--- a/spec/features/security/group_access_spec.rb
+++ b/spec/features/security/group_access_spec.rb
-require 'rails_helper'
-
-describe 'Group access', feature: true do
-  include AccessMatchers
-
-  def group
-    @group ||= create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
-  end
-
-  def create_project(access_level)
-    if access_level == :mixed
-      create(:empty_project, :public, group: group)
-      create(:empty_project, :internal, group: group)
-    else
-      create(:empty_project, access_level, group: group)
-    end
-  end
-
-  def group_member(access_level, grp = group())
-    level = Object.const_get("Gitlab::Access::#{access_level.upcase}")
-
-    create(:user).tap do |user|
-      grp.add_user(user, level)
-    end
-  end
-
-  describe 'GET /groups/new' do
-    subject { new_group_path }
-
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_allowed_for :user }
-    it { is_expected.to be_denied_for :visitor }
-  end
-
-  describe 'GET /groups/:path' do
-    subject { group_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-  end
-
-  describe 'GET /groups/:path/issues' do
-    subject { issues_group_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-  end
-
-  describe 'GET /groups/:path/merge_requests' do
-    subject { merge_requests_group_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-  end
-
-  describe 'GET /groups/:path/group_members' do
-    subject { group_group_members_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-  end
-
-  describe 'GET /groups/:path/edit' do
-    subject { edit_group_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_denied_for group_member(:master) }
-      it { is_expected.to be_denied_for group_member(:reporter) }
-      it { is_expected.to be_denied_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_denied_for group_member(:master) }
-      it { is_expected.to be_denied_for group_member(:reporter) }
-      it { is_expected.to be_denied_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_denied_for group_member(:master) }
-      it { is_expected.to be_denied_for group_member(:reporter) }
-      it { is_expected.to be_denied_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_denied_for group_member(:master) }
-      it { is_expected.to be_denied_for group_member(:reporter) }
-      it { is_expected.to be_denied_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-    end
-  end
-end
--- a/spec/features/security/project/internal_access_spec.rb
+++ b/spec/features/security/project/internal_access_spec.rb
@@ -5,25 +5,22 @@ describe "Internal Project Access", feature: true  do
  
  let(:project) { create(:project, :internal) }
  
-  let(:master) { create(:user) }
-  let(:guest) { create(:user) }
-  let(:reporter) { create(:user) }
-  let(:external_team_member) { create(:user, external: true) }
+  let(:owner)     { project.owner }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
  
  before do
-    # full access
    project.team << [master, :master]
-    project.team << [external_team_member, :master]
-
-    # readonly
+    project.team << [developer, :developer]
    project.team << [reporter, :reporter]
+    project.team << [guest, :guest]
  end
  
  describe "Project should be internal" do
-    subject { project }
-
    describe '#internal?' do
-      subject { super().internal? }
+      subject { project.internal? }
      it { is_expected.to be_truthy }
    end
  end
@@ -31,78 +28,84 @@ describe "Internal Project Access", feature: true  do
  describe "GET /:project_path" do
    subject { namespace_project_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/tree/master" do
    subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/commits/master" do
    subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/commit/:sha" do
    subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/compare" do
    subject { namespace_project_compare_index_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/project_members" do
    subject { namespace_project_project_members_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
@@ -110,52 +113,56 @@ describe "Internal Project Access", feature: true  do
    let(:commit) { project.repository.commit }
    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/edit" do
    subject { edit_namespace_project_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/deploy_keys" do
    subject { namespace_project_deploy_keys_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/issues" do
    subject { namespace_project_issues_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
@@ -163,65 +170,70 @@ describe "Internal Project Access", feature: true  do
    let(:issue) { create(:issue, project: project) }
    subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/snippets" do
    subject { namespace_project_snippets_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/snippets/new" do
    subject { new_namespace_project_snippet_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/merge_requests" do
    subject { namespace_project_merge_requests_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/merge_requests/new" do
    subject { new_namespace_project_merge_request_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
@@ -233,13 +245,14 @@ describe "Internal Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:branches).and_return([])
    end
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
@@ -251,26 +264,28 @@ describe "Internal Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:tags).and_return([])
    end
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/hooks" do
    subject { namespace_project_hooks_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
 end
--- a/spec/features/security/project/private_access_spec.rb
+++ b/spec/features/security/project/private_access_spec.rb
@@ -3,27 +3,24 @@ require 'spec_helper'
 describe "Private Project Access", feature: true  do
  include AccessMatchers
  
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :private) }
  
-  let(:master)   { create(:user) }
-  let(:guest)    { create(:user) }
-  let(:reporter) { create(:user) }
-  let(:external_team_member) { create(:user, external: true) }
+  let(:owner)     { project.owner }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
  
  before do
-    # full access
    project.team << [master, :master]
-    project.team << [external_team_member, :master]
-
-    # readonly
+    project.team << [developer, :developer]
    project.team << [reporter, :reporter]
+    project.team << [guest, :guest]
  end
  
  describe "Project should be private" do
-    subject { project }
-
    describe '#private?' do
-      subject { super().private? }
+      subject { project.private? }
      it { is_expected.to be_truthy }
    end
  end
@@ -31,77 +28,84 @@ describe "Private Project Access", feature: true  do
  describe "GET /:project_path" do
    subject { namespace_project_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/tree/master" do
    subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/commits/master" do
    subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/commit/:sha" do
    subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
-    it { is_expected.to be_allowed_for external_team_member }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/compare" do
    subject { namespace_project_compare_index_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/project_members" do
    subject { namespace_project_project_members_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
@@ -109,52 +113,56 @@ describe "Private Project Access", feature: true  do
    let(:commit) { project.repository.commit }
    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore'))}
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/edit" do
    subject { edit_namespace_project_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/deploy_keys" do
    subject { namespace_project_deploy_keys_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/issues" do
    subject { namespace_project_issues_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
@@ -162,39 +170,42 @@ describe "Private Project Access", feature: true  do
    let(:issue) { create(:issue, project: project) }
    subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/snippets" do
    subject { namespace_project_snippets_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/merge_requests" do
    subject { namespace_project_merge_requests_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
@@ -206,13 +217,14 @@ describe "Private Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:branches).and_return([])
    end
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
@@ -224,26 +236,28 @@ describe "Private Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:tags).and_return([])
    end
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
  
  describe "GET /:project_path/hooks" do
    subject { namespace_project_hooks_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
    it { is_expected.to be_denied_for :visitor }
  end
 end
--- a/spec/features/security/project/public_access_spec.rb
+++ b/spec/features/security/project/public_access_spec.rb
@@ -3,29 +3,24 @@ require 'spec_helper'
 describe "Public Project Access", feature: true  do
  include AccessMatchers
  
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :public) }
  
-  let(:master) { create(:user) }
-  let(:guest) { create(:user) }
-  let(:reporter) { create(:user) }
+  let(:owner)     { project.owner }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
  
  before do
-    # public project
-    project.visibility_level = Gitlab::VisibilityLevel::PUBLIC
-    project.save!
-
-    # full access
    project.team << [master, :master]
-
-    # readonly
+    project.team << [developer, :developer]
    project.team << [reporter, :reporter]
+    project.team << [guest, :guest]
  end
  
  describe "Project should be public" do
-    subject { project }
-
    describe '#public?' do
-      subject { super().public? }
+      subject { project.public? }
      it { is_expected.to be_truthy }
    end
  end
@@ -33,9 +28,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path" do
    subject { namespace_project_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -45,9 +42,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/tree/master" do
    subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -57,9 +56,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/commits/master" do
    subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -69,9 +70,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/commit/:sha" do
    subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -81,9 +84,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/compare" do
    subject { namespace_project_compare_index_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -93,9 +98,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/project_members" do
    subject { namespace_project_project_members_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
@@ -108,9 +115,11 @@ describe "Public Project Access", feature: true  do
    context "when allowed for public" do
      before { project.update(public_builds: true) }
  
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for owner }
      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for developer }
      it { is_expected.to be_allowed_for reporter }
-      it { is_expected.to be_allowed_for :admin }
      it { is_expected.to be_allowed_for guest }
      it { is_expected.to be_allowed_for :user }
      it { is_expected.to be_allowed_for :external }
@@ -120,9 +129,11 @@ describe "Public Project Access", feature: true  do
    context "when disallowed for public" do
      before { project.update(public_builds: false) }
  
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for owner }
      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for developer }
      it { is_expected.to be_allowed_for reporter }
-      it { is_expected.to be_allowed_for :admin }
      it { is_expected.to be_denied_for guest }
      it { is_expected.to be_denied_for :user }
      it { is_expected.to be_denied_for :external }
@@ -138,9 +149,11 @@ describe "Public Project Access", feature: true  do
    context "when allowed for public" do
      before { project.update(public_builds: true) }
  
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for owner }
      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for developer }
      it { is_expected.to be_allowed_for reporter }
-      it { is_expected.to be_allowed_for :admin }
      it { is_expected.to be_allowed_for guest }
      it { is_expected.to be_allowed_for :user }
      it { is_expected.to be_allowed_for :external }
@@ -150,9 +163,11 @@ describe "Public Project Access", feature: true  do
    context "when disallowed for public" do
      before { project.update(public_builds: false) }
  
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for owner }
      it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for developer }
      it { is_expected.to be_allowed_for reporter }
-      it { is_expected.to be_allowed_for :admin }
      it { is_expected.to be_denied_for guest }
      it { is_expected.to be_denied_for :user }
      it { is_expected.to be_denied_for :external }
@@ -165,9 +180,11 @@ describe "Public Project Access", feature: true  do
  
    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :visitor }
@@ -176,9 +193,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/edit" do
    subject { edit_namespace_project_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
@@ -188,9 +207,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/deploy_keys" do
    subject { namespace_project_deploy_keys_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
@@ -200,9 +221,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/issues" do
    subject { namespace_project_issues_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -213,9 +236,11 @@ describe "Public Project Access", feature: true  do
    let(:issue) { create(:issue, project: project) }
    subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
@@ -225,9 +250,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/snippets" do
    subject { namespace_project_snippets_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -237,9 +264,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/snippets/new" do
    subject { new_namespace_project_snippet_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
@@ -249,9 +278,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/merge_requests" do
    subject { namespace_project_merge_requests_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -261,9 +292,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/merge_requests/new" do
    subject { new_namespace_project_merge_request_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }
@@ -278,9 +311,11 @@ describe "Public Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:branches).and_return([])
    end
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -295,9 +330,11 @@ describe "Public Project Access", feature: true  do
      allow_any_instance_of(Project).to receive(:tags).and_return([])
    end
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
    it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
    it { is_expected.to be_allowed_for :external }
@@ -307,9 +344,11 @@ describe "Public Project Access", feature: true  do
  describe "GET /:project_path/hooks" do
    subject { namespace_project_hooks_path(project.namespace, project) }
  
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
    it { is_expected.to be_denied_for :external }

--- a/spec/helpers/groups_helper.rb
+++ b/spec/helpers/groups_helper.rb
@@ -18,19 +18,4 @@ describe GroupsHelper do
      expect(group_icon(group.path)).to match('group_avatar.png')
    end
  end
-
-  describe 'permissions' do
-    let(:group) { create(:group) }
-    let!(:user)  { create(:user) }
-
-    before do
-      allow(self).to receive(:current_user).and_return(user)
-      allow(self).to receive(:can?) { true }
-    end
-
-    it 'checks user ability to change permissions' do
-      expect(self).to receive(:can?).with(user, :change_visibility_level, group)
-      can_change_group_visibility_level?(group)
-    end
-  end
 end
--- a/spec/support/group_access_helper.rb
+++ b/spec/support/group_access_helper.rb
-module GroupAccessHelper
-  def group(visibility_level=0)
-    @group ||= create(:group, visibility_level: visibility_level)
-  end
-
-  def project_group_member(access_level)
-    project = create(:project, visibility_level: group.visibility_level, group: group, name: 'B', path: 'B')
-
-    create(:user).tap { |user| project.team.add_user(user, Gitlab::Access::DEVELOPER) }
-  end
-
-  def group_member(access_level, grp=group())
-    level = Object.const_get("Gitlab::Access::#{access_level.upcase}")
-
-    create(:user).tap { |user| grp.add_user(user, level) }
-  end
-
-  def external_guest(grp=group())
-    create(:user, external: true).tap { |user| grp.add_user(user, Gitlab::Access::GUEST) }
-  end
-end
--- a/spec/support/matchers/access_matchers.rb
+++ b/spec/support/matchers/access_matchers.rb
@@ -28,7 +28,7 @@ module AccessMatchers
    if user.kind_of?(User)
      # User#inspect displays too much information for RSpec's description
      # messages
-      "be #{type} for supplied User"
+      "be #{type} for the specified user"
    else
      "be #{type} for #{user}"
    end